ISO 27001:2022 Transition: What's Changed and How to Migrate from the 2013 Version

The ISO 27001:2022 transition deadline has passed but many organisations are mid-migration. A practical guide to the new Annex A controls and what recertification now requires.

The ISO 27001:2013 to 2022 transition deadline was 31 October 2025. It has passed. Most of the public guidance still reads as though organisations are preparing for it, which is no longer useful for the single largest group of readers searching this topic today: organisations whose 2013 certificate has now lapsed and who need to understand what the recertification path actually looks like.

This guide treats the deadline as historical fact and focuses on two audiences. The first is organisations still mid-transition whose audit was delayed or failed and who need to understand their options. The second — and larger — is organisations that missed the deadline entirely and must now recertify from scratch against ISO 27001:2022. Both groups need the same underlying knowledge of what changed in the 2022 revision and why the 2022 control set is meaningfully harder to implement than the 2013 version it replaced.

The transition deadline, in one paragraph

The International Accreditation Forum set a three-year transition window beginning 31 October 2022. Transition audits had to be completed by 31 July 2025 to allow certification bodies time to issue updated certificates. All ISO 27001:2013 certificates expired or were withdrawn by 31 October 2025. New initial certifications stopped being issued against the 2013 version from 1 May 2024. After 31 October 2025, any certificate referencing the 2013 standard is invalid. If yours is, the only route back to certification is full recertification against ISO 27001:2022 — a Stage 1 plus Stage 2 audit, not a transition audit.

The practical difference between transition and recertification matters. A transition audit could be folded into a scheduled surveillance visit for roughly half an auditor day of additional time, or into a recertification audit for about one additional day. A full recertification requires the complete Stage 1 documentation review and Stage 2 implementation audit, typically three to ten auditor days depending on scope and organisation size. The cost differential is significant — usually two to four times the transition cost.

What actually changed in ISO 27001:2022

The core management system clauses (4 through 10) received relatively modest updates. Context and scope received more explicit treatment of interested parties. Clause 6.3 introduced formal requirements for managed changes to the ISMS. Clause 6.1.3 notes were editorially revised to remove ambiguity. Throughout, the document refers to itself as “this document” rather than “this standard.” Useful housekeeping, but none of this is the reason the transition has been hard.

The reason is Annex A. The control set was entirely restructured.

The Annex A restructuring

The 2013 version had 114 controls organised into 14 domains (A.5 through A.18). The 2022 version has 93 controls organised into four themes:

  • A.5 Organisational controls (37 controls)
  • A.6 People controls (8 controls)
  • A.7 Physical controls (14 controls)
  • A.8 Technological controls (34 controls)

The control count went down — 114 to 93 — but the underlying surface area went up. Of the 2022 controls, 58 are updates of existing 2013 controls, 24 are merged from multiple 2013 controls, and 11 are entirely new. Those 11 new controls are the operational heart of why this transition has been genuinely difficult for many organisations:

  1. A.5.7 Threat intelligence
  2. A.5.23 Information security for use of cloud services
  3. A.5.30 ICT readiness for business continuity
  4. A.7.4 Physical security monitoring
  5. A.8.9 Configuration management
  6. A.8.10 Information deletion
  7. A.8.11 Data masking
  8. A.8.12 Data leakage prevention
  9. A.8.16 Monitoring activities
  10. A.8.23 Web filtering
  11. A.8.28 Secure coding

None of these are surprising in 2026. Most organisations should be doing them anyway. But each one requires documented policies, implementation evidence, and — crucially — evidence of effectiveness over time. You cannot pass an audit on a configuration management control you enabled last week. You need recorded change history, exception handling, and review evidence going back at least a surveillance cycle.

The 2022 controls also introduce attributes and purposes for each control, replacing the objective groupings used in 2013. This is structural rather than operational, but it does change how the Statement of Applicability is written and justified.

The control landscape at a glance

ISO 27001:2013                            | ISO 27001:2022
------------------------------------------+-------------------------------------------------------
114 controls                              | 93 controls
14 domains (A.5–A.18)                     | 4 themes (A.5–A.8)
Domain-grouped objectives                 | Per-control attributes and purposes
Control objectives for control groups     | Purpose statements per individual control
No explicit threat intelligence control   | A.5.7 Threat intelligence
Cloud controls dispersed                  | A.5.23 Information security for use of cloud services
Data leakage implicit                     | A.8.12 DLP as explicit control
Data masking absent                       | A.8.11 Data masking
Monitoring scattered across domains       | A.8.16 Consolidated monitoring
Secure development addressed loosely      | A.8.28 Secure coding

The consolidation is deceptive. A 2013-certified organisation looking at the numeric reduction might assume this is a lighter regime. It is not. The 2022 standard is harder because it codifies controls that the 2013 version left implicit, and the surveillance cycle punishes organisations whose implementation is thin.

If your certificate has lapsed: the recertification path

If you missed the transition deadline, the transition audit is no longer an option. You need a full recertification. Here is what that looks like in practice.

Contact your certification body immediately. Some bodies offer expedited recertification pathways, but availability varies and certification body capacity is still recovering from the transition wave. The sooner you re-engage, the sooner you get on the schedule. If your previous certification body is unavailable or uncompetitive on timing, you can move to a different accredited body — there is no continuity requirement.

Commission a full gap analysis against ISO 27001:2022. This is the single most important step. An accredited consultant or your certification body’s advisory arm can perform this. Expect two to six weeks depending on scope. The output should be a prioritised action plan with effort estimates, not just a checklist.

Update your Statement of Applicability against the 2022 Annex A. This is where most organisations spend the largest block of time. Every 2022 control needs a documented justification for inclusion or exclusion, a reference to the implementation evidence, and — where controls are new — a plan for establishing the evidence base.

Implement the 11 new controls and any 2022 updates to existing controls. Where implementation evidence is thin, you cannot simply claim compliance; auditors will test it. Build the evidence base over a minimum of three months before scheduling the Stage 2 audit.

Conduct an internal audit and management review against the 2022 standard. This is a requirement, not an optional step. The internal audit programme itself needs to be updated to audit against 2022 controls rather than 2013 domains.

Schedule Stage 1 and Stage 2 audits. Stage 1 is documentation review — the certification body verifies that your ISMS design meets 2022 requirements. Stage 2 is the implementation audit. The typical gap between Stage 1 and Stage 2 is four to eight weeks to allow remediation of any Stage 1 findings.

Realistic timeline from engagement to certificate issuance: five to nine months. Budget accordingly. Organisations that attempt to compress this into three months generally fail Stage 1 or get a certificate with significant nonconformities carried forward.

If you are still mid-transition: where you actually are

A smaller group of organisations had their transition audit scheduled before 31 July 2025 but the audit was delayed, failed, or produced major nonconformities that required corrective action extending past 31 October 2025. Speak to your certification body about your specific situation — some bodies have offered continuity arrangements for organisations caught in this window, others have required reversion to full recertification.

If your transition audit is still formally open and you are in corrective action, the priority is to close all nonconformities before the certification body withdraws the audit. If the audit has been withdrawn, you are in the same position as organisations that missed the deadline entirely — full recertification is required.

The 11 new controls, practical implementation

The 11 new controls are where transition and recertification audits bite hardest. Brief practical notes on each:

A.5.7 Threat intelligence. Requires a documented process for collecting, analysing and using threat intelligence relevant to your information security. External feeds alone are insufficient; auditors expect evidence that intelligence is tasked, triaged, and actioned. Commercial TI feeds (Recorded Future, Mandiant, CrowdStrike Falcon Intelligence) or sector ISACs are common sources. Free sources (CISA advisories, NCSC threat reports, vendor advisories) are acceptable if you can demonstrate they are operationalised.

A.5.23 Information security for use of cloud services. Requires documented cloud service acquisition, use and exit processes. This is where compliance platforms and cloud posture tools converge. Most organisations find they have the cloud configuration but not the documented governance wrapper.

A.5.30 ICT readiness for business continuity. Requires ICT-specific continuity planning integrated with the broader BCP. RTO/RPO targets per critical system, tested recovery procedures, documented dependencies. Tabletop exercises are expected evidence.

A.7.4 Physical security monitoring. Requires monitoring of physical premises for unauthorised access. CCTV coverage of secure areas, access card audit trails, intrusion detection. For fully remote or cloud-native organisations, the scope is narrow but still needs explicit treatment in the SoA.

A.8.9 Configuration management. Documented standard configurations, change control, and monitoring of deviation. Most organisations have technical configuration management through their endpoint and infrastructure tools; the gap is usually the documented policy and review cycle.

A.8.10 Information deletion. Documented procedures for secure deletion of information when no longer required, including cloud-hosted data. Retention schedules, deletion triggers, evidence of execution. GDPR and DPIA work typically provides the foundation here.

A.8.11 Data masking. Techniques to hide or obfuscate personal or sensitive data in non-production environments. Tokenisation, pseudonymisation, synthetic data. Implementation depends heavily on your data landscape, but the SoA needs to show the approach.
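As an added illustration of what a documented A.8.11 "approach" reduces to in practice (this is example code written for this guide, not a tool or script from any of the products or standards named on the page), the block below applies a per-column masking policy to a production-like row before it is copied to a test environment. Pseudonymisation uses a keyed HMAC rather than a plain hash so that the same customer maps to the same token across tables (joins in the test data still work) while an unkeyed dictionary attack on predictable fields such as email addresses does not recover the original. The masking key, column names and sample rows are all constructed assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the example. In a real deployment the key lives in a secrets
# manager and is never shipped with the non-production copy of the data.
MASKING_KEY = b"example-masking-key-not-for-production"


def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic pseudonym.

    Same input -> same token, so referential integrity across tables survives,
    but without the key the token cannot be reversed or regenerated. A plain
    SHA-256 of a known-format field (email, customer id) would be reversible by
    hashing a candidate list, which is why the HMAC key matters.
    """
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def mask_email(email: str) -> str:
    """Partial masking where testers still need a readable shape: keep the domain."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_card(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


# Column-to-technique policy. This mapping is the artefact an auditor would expect
# to see referenced from the SoA entry for A.8.11 (column names are assumptions).
MASKING_POLICY = {
    "customer_id": pseudonymise,
    "email": mask_email,
    "card_number": mask_card,
    "full_name": lambda _value: "REDACTED",
}


def mask_record(record: dict) -> dict:
    """Apply the policy per column; columns without a rule pass through unchanged."""
    return {
        column: (MASKING_POLICY[column](value) if column in MASKING_POLICY else value)
        for column, value in record.items()
    }


def mask_dataset(records: list) -> list:
    return [mask_record(row) for row in records]


# Constructed sample: the same customer appears twice, as it would across two tables,
# so the test can confirm the pseudonym is stable between rows.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "full_name": "Jane Example", "email": "jane@example.org",
     "card_number": "4111 1111 1111 1111", "plan": "pro"},
    {"customer_id": "C-1001", "full_name": "Jane Example", "email": "jane@example.org",
     "card_number": "4111 1111 1111 1111", "plan": "pro"},
]

if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS):
        print(row)
```

Run it as a script to see the masked rows. The design point is that each column is tied to an explicit technique (pseudonymise, partially mask, redact, pass through), which is what lets the SoA say what the approach is rather than merely that masking exists.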

A.8.12 Data leakage prevention. DLP controls for data at rest, in use, and in transit. This does not require a dedicated DLP platform for every organisation, but it does require a documented approach. Microsoft Purview, Symantec DLP, Netskope, and Forcepoint are common enterprise tools; email DLP via Microsoft 365 or Google Workspace is often sufficient for smaller scopes.

A.8.16 Monitoring activities. Continuous monitoring for anomalous behaviour and security events. SIEM coverage, log retention, alert triage processes. This often overlaps significantly with SOC 2 CC7.2 requirements.

A.8.23 Web filtering. Controls on web access to prevent access to malicious content. Secure web gateway, DNS filtering (Cloudflare Gateway, Cisco Umbrella, Zscaler), or endpoint-based controls.

A.8.28 Secure coding. Requires secure coding principles applied throughout the software development lifecycle. Relevant only if you develop software, but if you do, this is a meaningful uplift. OWASP ASVS, SAST tooling (Snyk Code, Checkmarx, SonarQube), secure code review processes, developer training.

Integrated management systems: one small upside

If you maintain integrated management systems combining ISO 27001 with ISO 9001, ISO 22301, ISO 20000, or ISO 42001, the 2022 revision aligns more closely with the Harmonised Structure. Common clauses (context, leadership, planning, support, operation, performance evaluation, improvement) now use more consistent language across standards. This actually simplifies integration once you are through the transition — though it doesn’t help the transition itself.

ISO 42001, the AI management system standard, is worth specific attention. Organisations building AI governance programmes for EU AI Act compliance are increasingly treating ISO 42001 as the structural complement to ISO 27001:2022 — 27001 covers information security, 42001 covers AI management, and the two share the Harmonised Structure.

Where ISO 27001:2022 fits alongside SOC 2 and NIS2

For organisations running multiple compliance programmes, the 2022 Annex A restructuring makes the overlap with other frameworks clearer.

SOC 2’s Common Criteria map cleanly to the 2022 A.5 and A.8 control themes. If you are already running a SOC 2 Type II programme on Vanta, Drata or Secureframe, the evidence base for 60–70% of the 2022 Annex A requirements is already established; platforms now ship with explicit 27001:2022 mappings rather than the 2013 mappings they launched with.

NIS2 Article 21’s 10 minimum measures overlap significantly with the 2022 Annex A. Incident handling, supply chain security, access control, cryptography, and multi-factor authentication appear in both. The NIS2 compliance checklist for UK and EU businesses sets out the full mapping. Organisations building both programmes should use the 2022 Annex A as the implementation spine and evidence NIS2 through the same control set where possible.

The honest assessment of ISO 27001:2022

The 2022 revision is a better standard than the 2013 version. The control set reflects how security actually works in cloud-first, distributed organisations. The Harmonised Structure alignment simplifies integrated management systems. The explicit treatment of threat intelligence, cloud services, and DLP forces conversations that 2013-certified organisations often dodged.

It is also harder to implement and harder to evidence, particularly for organisations whose 2013 certification was thinly implemented. Teams that treated 27001 as a paperwork exercise have found the 2022 transition genuinely painful. Teams that treated 27001 as the backbone of a real ISMS have found it an uplift rather than a rebuild.

If you are approaching recertification, the worst thing you can do is treat the 2022 controls as a checklist. The 11 new controls work as an integrated security programme or they work badly. Threat intelligence that doesn’t feed monitoring doesn’t pass audit. Configuration management without change control evidence doesn’t pass audit. Data leakage prevention as a bullet point in the SoA without operational controls behind it doesn’t pass audit.

Budget for five to nine months, use an accredited consultant for the gap analysis, and do not schedule Stage 2 until you have at least three months of implementation evidence for the new controls. The recertification path is longer and more expensive than the transition would have been — but it is the only path available now.

Frequently asked questions

Is ISO 27001:2013 still valid in 2026? No. All ISO 27001:2013 certificates expired or were withdrawn no later than 31 October 2025. Any certificate referencing the 2013 standard is invalid.

Can I still do a transition audit instead of a full recertification? No. The transition window closed on 31 July 2025 for audit completion. Post-31 October 2025, organisations certified against 2013 must undergo full Stage 1 and Stage 2 recertification audits against 2022.

How long does full recertification take? Typically five to nine months from engagement to certificate issuance. Gap analysis takes two to six weeks; implementation of new controls and evidence-building takes three to six months; Stage 1 and Stage 2 audits take a further two to three months including the remediation window between stages.

What are the 11 new controls in ISO 27001:2022? Threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28).

How does ISO 27001:2022 compare to the 2013 version in control count? The 2013 version had 114 controls in 14 domains. The 2022 version has 93 controls organised into 4 themes (organisational, people, physical, technological). Of the 93 controls, 11 are new, 24 are merged from 2013 controls, and 58 are updated versions of 2013 controls.

Do compliance platforms like Vanta and Drata support ISO 27001:2022? Yes. All major compliance automation platforms now ship with explicit ISO 27001:2022 mappings and evidence collection frameworks. Platforms that launched against the 2013 version have fully migrated. If you are using a compliance platform and it still references 2013 control numbering, speak to your account manager.

Can a surveillance audit cover the transition retrospectively? No. Surveillance audits against the 2013 standard cannot be conducted after 31 October 2025. Any surveillance activity from that date must be against the 2022 standard on a valid certificate. If you have no valid certificate, you need recertification, not surveillance.

How does ISO 27001:2022 interact with ISO 42001 for AI governance? ISO 42001 is structurally complementary to ISO 27001:2022 under the Harmonised Structure. Organisations building AI management systems for EU AI Act alignment typically use 42001 as the AI-specific governance layer on top of a 27001:2022 ISMS. Shared clauses simplify integration; AI-specific risks sit in 42001’s control set rather than 27001’s Annex A.