There are twelve months left. On 31 October 2025, every ISO 27001:2013 certificate in the world becomes invalid. Certification bodies will not issue transition or recertification audits against the old standard after that date. Clients, procurement teams, and regulators who require ISO 27001 certification will require the 2022 version.

Twelve months sounds like enough time. For many organisations, it is — if they start now. For organisations that have been planning to “get to it soon” for the past two years, it is not as comfortable as it looks. Here is why, and here is what you need to do.

The Certification Body Bottleneck Is Real

Every organisation holding an ISO 27001:2013 certificate needs a transition audit before October 2025. The number of UKAS-accredited and internationally-recognised certification bodies has not expanded to match this demand. Audit diaries are filling up. Some bodies are already quoting Q3 2025 availability for transition audits.

If you are not already in conversation with your certification body about transition scheduling, your first action this week is to make that call. Find out what their transition audit process looks like, what they need from you before scheduling, and what the earliest available window is. The answer may reshape your implementation timeline significantly.

Where Most Organisations Are Right Now

Based on our work with clients throughout 2024, organisations fall into roughly three groups at this point in the transition window:

Group 1: Transitioned or in final stages. These organisations started their transition in 2022 or 2023, have updated their ISMS, completed their internal audit, and have either already been audited or have a transition audit scheduled. They are in good shape.

Group 2: In progress but behind schedule. These organisations know what needs to happen and have done some of the work — perhaps updated documentation, started gap analysis — but have not completed the implementation or scheduled the audit. They have time, but the margin for delay is gone.

Group 3: Have not started. These organisations are still operating on their 2013 ISMS and have not formally begun the transition. For this group, twelve months is tight. Not impossible, but tight — and it requires an immediate, structured programme with external support.

Wherever you are in this spectrum, the question is the same: what needs to happen in the next twelve months, and in what order?

The 12-Month Action Plan

November–December 2024: Complete your gap analysis and contact your certification body.
If you have not done a formal gap analysis against ISO 27001:2022, do it now. Map your existing controls to the new Annex A, identify the gaps, and produce a written action plan. Simultaneously, contact your certification body to understand scheduling availability and their specific transition process. Do not wait until your gap analysis is finished to start this conversation.

January–March 2025: Implement outstanding controls and update documentation.
Address the gaps identified in your analysis. For most organisations with a functioning 2013 ISMS, the primary work is implementing the new controls — particularly the eleven that did not exist in the old standard — and updating the Statement of Applicability to reference ISO 27001:2022 and document justifications for all 93 controls.

March–May 2025: Conduct your internal audit against the 2022 standard.
Your internal audit must be scoped against ISO 27001:2022 — not the 2013 version. This audit should identify any remaining non-conformities, which then need to be addressed through corrective action before your transition audit. Allow time for the corrective action cycle: finding, root cause analysis, remediation, verification.

April–May 2025: Hold your management review.
Conduct a management review that covers the ISMS transition, the internal audit findings, the corrective actions raised and closed, and the updated risk register. Document the minutes thoroughly. This is evidence your certification auditor will examine.

June–September 2025: Transition audit.
This is your target window for the certification body audit. A September 2025 transition audit gives you a reasonable buffer before the October 31 deadline. An October 2025 audit leaves no room for any findings that require remediation before the deadline.

Any organisation attempting to complete all of the above between September and October 2025 is taking on significant risk. The timeline assumes that preparation is complete, that the internal audit is clean or close to clean, and that no significant rework is required. That is a lot to assume.

The Specific Things Transition Auditors Focus On

Based on feedback from transition audits already completed in 2024, the areas receiving the most scrutiny are:

Organisations that have a clear, current SoA, a risk assessment that has been reviewed in the past six months, and documented evidence of the new controls operating will pass. Organisations that have updated their documents but not their practices will not.

What Happens If You Miss the Deadline

Your certificate lapses. That means your ISO 27001 certification is no longer valid. Clients that require a current certificate will be informed. Tender processes that require ISO 27001:2022 will exclude you. Customers conducting supplier due diligence will see an expired certificate.

Recovering from a lapsed certificate requires a full initial certification process — not a transition. The transition pathway closes with the deadline.

At Bitsecura, we are currently working with organisations at every stage of the transition. If you are in Group 2 or Group 3 and you need a clear-eyed assessment of what it will take to make the October 2025 deadline, that is a conversation we are equipped to have right now.

Get in touch here. No process, no proposal — just an honest conversation about where you stand and what needs to happen.


Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.