ResiliencePilot
ISO 27001 · 5 min read · 18 June 2026

ISO 27001:2022 vs 2013: what changed, and the deadline that's now passed

What the 2022 revision of ISO/IEC 27001 changed: a restructured Annex A with 93 controls and 11 new ones, and the 31 October 2025 transition deadline that retired the 2013 certificates.

If your information security management system (ISMS) still points at ISO/IEC 27001:2013, this is the article to read first. The 2022 revision is now the only version certificates are issued against, and the window to transition has closed.

The deadline has passed

ISO/IEC 27001:2022 was published in October 2022, and the transition arrangements (IAF MD 26) gave organisations three years from the end of that month. The period ended on 31 October 2025. From that date, certificates issued against ISO/IEC 27001:2013 expired or were withdrawn, and any organisation that had not completed a transition audit lost its certified status. Initial (first-time) certifications have been issued only against the 2022 version since May 2024, 18 months after publication.

The practical effect: "we're ISO 27001 certified" now means 2022. If a customer, regulator or procurement team asks for evidence, a 2013 certificate is an expired document. The check worth doing on the other side of the table is the same one you should expect of your own certificate: it names the 2022 standard, it is within its validity dates, and its scope statement actually covers the services in question.

What actually changed

The management-system clauses (4 to 10) changed only slightly: the additions are small ones such as the new clause 6.3 on planning of changes and the requirement in 9.3 for management review to consider changes in the needs of interested parties. The visible change is Annex A, which was realigned to mirror ISO/IEC 27002:2022:

  • From 114 controls to 93. Nothing was simply dropped: Annex B of ISO/IEC 27002:2022 maps every 2013 control to a 2022 counterpart. The reduction comes from merging overlapping controls (57 of the 2013 controls became 24), with the rest carried over, many of them renamed or updated.
  • From 14 domains to 4 themes: Organizational, People, Physical and Technological.
  • 11 new controls were introduced, reflecting how security practice has moved on. The full set is: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering and 8.28 Secure coding.

None of this changes the spirit of ISO 27001 — it's still a risk-driven management system — but it does change your Statement of Applicability, your control mapping and, in many cases, the controls you operate.

What it means in practice

  • Re-map your controls to the 93-control Annex A and update your Statement of Applicability so it cites the 2022 identifiers, with a recorded justification for every inclusion and exclusion. The 2013-to-2022 correspondence table in ISO/IEC 27002:2022 Annex B is the starting point for that mapping.
  • Assess the 11 new controls against your risk treatment. None of them has a 2013 counterpart in Annex B, and several (cloud services, ICT readiness for continuity, data leakage prevention, configuration management) are areas most organisations had covered only indirectly, so these are the controls most likely to need new evidence rather than re-mapped evidence.
  • Reuse the evidence you already hold. Most of your existing evidence still applies; the work is in re-mapping it to the new structure, not re-collecting it.

Running ISO 27001 as a living management system — where the Statement of Applicability, controls and evidence stay current together — is what makes a transition like this an update rather than a project.

See ResiliencePilot in action.

See it on your own data and frameworks, with your security and data-residency questions answered.