The October 2025 deadline has passed. Certification bodies are reporting non-conformities for unmigrated organizations.
The three-year transition window from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 closed on 31 October 2025. Certificates issued against the 2013 version are now formally invalid, and certification bodies have begun raising major non-conformities — or in some cases withdrawing certificates entirely — during 2026 surveillance and recertification visits.
What changed in 2022
- Annex A controls restructured from 114 to 93, organized into four themes.
- Eleven new controls introduced, including threat intelligence, cloud security, secure coding and data masking.
- Stronger emphasis on information security in supplier relationships and ICT readiness for business continuity.
Common findings in 2026 audits
Auditors are reporting consistent patterns of non-conformity among late transitioners:
- Statement of Applicability not updated to the new Annex A structure.
- Threat intelligence control (A.5.7) implemented superficially with no defined sources or review cadence.
- Cloud security control (A.5.23) missing tenant-specific configuration evidence.
- Secure coding control (A.8.28) without measurable developer training records.
Recovering from a lapsed certificate
Organizations whose certificates were withdrawn typically need a full re-certification audit rather than a continuation. Plan for a 3–6 month recovery window depending on certification body availability and the maturity of your existing ISMS.
MEGADEMİ's ISO/IEC 27001:2022 Lead Auditor and Lead Implementer courses include a dedicated transition module covering each new control with worked audit evidence examples.