ISO/IEC 27001:2022 was published on October 25, 2022, updating the international standard for information security management systems (ISMS).

ISO/IEC 27001:2022 was published on October 25, 2022, replacing ISO/IEC 27001:2013. The revision reflects current information security challenges and aligns the Annex A control set with ISO/IEC 27002:2022, the companion guidance standard published in February 2022.

When Does ISO/IEC 27001:2013 Expire?

According to the transition arrangements published by the IAF (IAF MD 26) and adopted by accredited certification bodies:

  • Certificates issued against ISO/IEC 27001:2013 remain valid until the end of the transition period on October 31, 2025.
  • After that date, any remaining certificates based on the 2013 edition expire or are withdrawn; there is no grace period.
  • Certified organizations must pass a transition audit to ISO/IEC 27001:2022 before the deadline. Initial certification against the 2013 edition has not been available since April 30, 2024, so new applicants are certified directly to the 2022 edition.

How to Transition to the 2022 Version

Certification bodies can assess the transition during any of the following audits:

  • A regular surveillance audit, with additional audit time added to cover the new requirements
  • The scheduled recertification audit at the end of your three-year cycle
  • A special (transition) audit requested for this purpose

Which option fits depends on where you are in your current certification cycle. In every case the transition adds audit time beyond the normal surveillance or recertification duration, so agree the scope and date with your certification body early rather than assuming it can be folded into an already scheduled visit.

What Changed in ISO/IEC 27001:2022?

The 2022 update includes:

  • 93 Annex A controls, down from 114 in the 2013 edition. The reduction comes from merging overlapping 2013 controls; no control was simply dropped, and 11 new controls were added.
  • The 14 control domains of 2013 are replaced by four themes:
    • Organizational (37 controls)
    • People (8 controls)
    • Physical (14 controls)
    • Technological (34 controls)
  • Updated terminology and a one-to-one alignment between Annex A and ISO/IEC 27002:2022, which also attaches attributes (control type, security property, cybersecurity concept, operational capability, security domain) to each control
  • Minor changes to the management system clauses 4 to 10, such as the new clause 6.3 on planning of changes to the ISMS

What Should Organizations Do?

  • Review the changes in ISO/IEC 27001:2022, especially Annex A, and map each of your existing 2013 controls to its 2022 counterpart
  • Perform a gap analysis of your ISMS, then update the Statement of Applicability, risk assessment and risk treatment plan, policies and procedures to reference the 2022 control set
  • Coordinate with your certification body to schedule the transition audit
  • Complete the transition, including closure of any nonconformities raised, before October 31, 2025

What Happens If You Miss the Deadline?

  • Your certificate is withdrawn or expires and can no longer be presented as evidence of certification
  • Contractual and regulatory obligations that require a current ISO/IEC 27001 certificate may be breached
  • Business relationships and trust with customers and partners who rely on the certificate may be affected

Why Early Transition Is Better

  • Certification bodies face high audit demand in the months before the deadline, and auditor availability may be limited
  • Early transition leaves time to fix nonconformities found during the audit without risking the deadline
  • Your internal processes stay aligned with the current edition of the standard and with ISO/IEC 27002:2022 guidance

Need Support?

Contact your certification body for guidance on the transition, audit planning and documentation updates. Many also offer ISO/IEC 27001:2022 training and toolkits. If you are seeking expert assistance in managing the change, connect with our team of risk professionals, who specialize in ISO standards, compliance audits and security frameworks.

FAQs

When was ISO/IEC 27001:2022 released?

ISO/IEC 27001:2022 was published on October 25, 2022, the first revision of the standard since the 2013 edition. The update was designed to reflect the current threat landscape, with controls regrouped into four themes and clearer terminology. It aligns Annex A with the ISO/IEC 27002:2022 guidance published earlier, in February 2022.

Until when is ISO/IEC 27001:2013 valid?

Organizations holding ISO/IEC 27001:2013 certificates have until October 31, 2025, to complete the transition. After that date, all certificates based on the 2013 edition are withdrawn or expire automatically. An organization that has not transitioned by the deadline loses its certified status, which can affect contractual compliance and client trust.

How can I upgrade to the ISO/IEC 27001:2022 version?

The transition to ISO/IEC 27001:2022 is assessed during one of the following audit types:

  • A surveillance audit, one of the routine annual visits by your certification body, extended with additional audit time for the transition
  • A recertification audit, conducted at the end of the three-year certification cycle
  • A special audit, requested specifically to evaluate conformance with the updated standard

Before the audit, perform a gap analysis against the 2022 requirements, update your ISMS documentation (in particular the Statement of Applicability and the risk treatment plan, which must reference the new control numbering), revise internal policies, and retrain staff where the changes affect their responsibilities.

What are the major changes in Annex A?

Annex A in the 2022 edition contains 93 controls, down from 114 in the 2013 edition. The controls are grouped into four themes:

  • Organizational (37 controls)
  • People (8 controls)
  • Physical (14 controls)
  • Technological (34 controls)

The reduction comes from merging overlapping 2013 controls rather than removing them. Eleven new controls were added, including Threat intelligence (5.7), Information security for use of cloud services (5.23), Data masking (8.11) and Secure coding (8.28). The new structure improves clarity, removes redundancy and better reflects current risks such as cloud adoption and software supply chains.

What happens if I don’t upgrade by October 31, 2025?

If you do not transition to ISO/IEC 27001:2022 by the deadline, your certificate under the 2013 edition is withdrawn or expires and is no longer valid. This may lead to:

  • Loss of client contracts that require a current ISO/IEC 27001 certificate
  • Legal or regulatory compliance issues, especially in sectors such as finance, healthcare and government where the certificate is used as evidence of security controls
  • Reputational damage, making it harder to win new clients or business partners
  • Increased cost and time later, because a lapsed certificate cannot be transitioned; the organization must go through a new initial certification (stage 1 and stage 2 audits) instead

Proactive planning and early implementation are the best ways to avoid disruption.