April 5, 2026

ISO 27001:2022 Transition: What to Do If You Missed the Deadline

The ISO 27001:2022 transition deadline passed on 31 October 2025. If your organisation was certified under the 2013 version and did not complete the transition in time, your certification is now invalid.

This is a live commercial problem. ISO 27001 certification is often a prerequisite for enterprise contracts, public sector tenders, and regulated industry procurement. A lapsed certificate can stall deals, trigger contract review clauses, and exclude you from opportunities before a commercial conversation begins.

Here is where things stand and what your options are.

What happened at the ISO 27001:2022 transition deadline

The International Accreditation Forum mandated that all ISO 27001:2013 certifications must transition to the 2022 standard by 31 October 2025. After that date, certification bodies stopped issuing 2013 certificates, and all remaining 2013 certifications were formally withdrawn.

Organisations that completed a transition audit before the deadline received an ISO 27001:2022 certificate with minimal disruption. Those that did not now face a gap in certification and will need to go through full recertification, a more demanding and expensive process than a transition audit.

What changed between ISO 27001:2013 and ISO 27001:2022

The 2022 revision was not a wholesale rewrite, but it introduced meaningful updates that reflect how organisations operate today.

The most visible change is in Annex A. The control set has been restructured from 114 controls across 14 categories to 93 controls grouped under four themes: organisational, people, physical, and technological. Eleven controls are entirely new, covering areas including threat intelligence, cloud security, data masking, and monitoring activities.

The management system clauses (4 through 10) have also been refined. Clause 4.2 now requires organisations to understand the expectations of interested parties in more detail. Clause 6.3 introduces a formal requirement for managing changes to the ISMS in a structured way. These are not dramatic shifts, but they require updated documentation and, in some cases, revised processes.

The broader intent of the revision is to bring the standard in line with current security realities: cloud-first environments, remote working, and supply chain dependencies that most organisations now deal with daily.

The path to ISO 27001:2022 recertification

You do not need to start from zero. If your organisation had a functioning ISMS under the 2013 standard, much of that work still applies. The gap between your existing system and the 2022 requirements may be smaller than you expect.

Run a gap assessment. Compare your current ISMS against the 2022 requirements and identify where updates are needed. Focus on the 11 new Annex A controls, the changes to the Statement of Applicability, and any process gaps in how you manage changes to your ISMS.

Update your documentation. Your risk assessment, Statement of Applicability, and supporting policies will need revising to reflect the new control structure and any additional controls you are implementing.

Engage a certification body. Since you will be going through full recertification rather than a transition audit, you will need to schedule a Stage 1 and Stage 2 audit. Build in enough lead time for the certification body to review your updated ISMS and for your team to address any findings before the final assessment.

Prioritise the new controls. The 11 new controls in Annex A include areas that many organisations have not formally addressed: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Not all will apply to every organisation, but you will need to document a clear rationale for any you exclude.

Why ISO 27001 certification matters beyond the audit

ISO 27001 certification functions as commercial currency. Enterprise buyers use it as a qualifying criterion in procurement. Regulated industries reference it as evidence of security maturity. And as supply chain security requirements tighten with the Cyber Security and Resilience Bill and NCSC guidance, having a recognised ISMS framework in place makes due diligence faster and more straightforward for both sides.

The process of building and maintaining an ISMS also has operational value. It forces an organisation to map its information assets, assess its risks, document its controls, and review them regularly. That discipline is how you identify weaknesses before they become incidents.

How Naq helps with ISO 27001:2022

Naq's platform automates a significant portion of the work involved in building and maintaining an ISO 27001-compliant ISMS. That includes automated risk assessments, policy generation, evidence collection across more than 300 integrations, and continuous control monitoring.

For organisations that also need to manage GDPR, Cyber Essentials, or sector-specific frameworks alongside ISO 27001, the platform maps controls and evidence across overlapping standards. Work done for one framework counts towards others, removing duplication and reducing the total compliance workload.

Naq does not replace the need for a certification audit. It reduces the manual effort involved in reaching and maintaining audit readiness. Support is available from CISSP- and ISO 27001-certified professionals throughout the process.

If your ISO 27001 certification has lapsed and you need to get back on track, or if you are pursuing certification for the first time, book a demo to see how Naq can help.

Written by
The Naq Team