If you are currently certified to ISO 27001:2013, you have a hard deadline coming. On 31 October 2025, all ISO 27001:2013 certificates will cease to be valid. Accreditation bodies worldwide will no longer recognise them, and any client, tender process, or procurement checklist that asks for ISO 27001 certification will effectively require the 2022 version.
We are now past the halfway point of the transition window. That still sounds comfortable — until you factor in audit scheduling lead times, internal implementation work, and the fact that certification bodies are not scaling their auditor pools to match the wave of organisations that will all need transition audits in 2024 and 2025. The organisations that plan now will transition cleanly. The ones that wait until 2025 will be competing for audit slots.
Here is a practical, stage-by-stage roadmap.
Stage 1: Gap Analysis (Weeks 1–4)
Before you can plan a transition, you need to know where you currently stand. A structured gap analysis compares your existing ISMS — specifically your implemented controls and your Statement of Applicability — against the requirements of ISO 27001:2022.
The key areas to assess:
- Which of the 11 new Annex A controls apply to your organisation?
- How do your existing controls map to the restructured 2022 control set?
- Does your SoA reference the 2022 standard and its four-category structure?
- Are there any Clause 6 or Clause 9 requirements that need updating (risk assessment methodology, management review format, internal audit scope)?
The output of this stage is a written gap report with a prioritised list of actions. Without this, you are working blind.
Stage 2: Update Your Statement of Applicability (Weeks 4–8)
The SoA is the document that will receive the most scrutiny from your transition auditor. It needs to reference ISO 27001:2022 (not the 2013 version), list all 93 Annex A controls, state whether each is applicable or not, justify the decision, and indicate implementation status.
For most organisations, this means revisiting every control in the old SoA, mapping it to the restructured 2022 framework, and adding the 11 new controls with either implementation plans or documented exclusion justifications. This takes longer than most people expect — particularly for organisations with complex control environments or limited internal documentation.
Stage 3: Address the Gaps (Weeks 6–16)
Once you know what is missing or needs updating, implement it. For the majority of organisations, this will centre on the new controls — particularly the ones that require technical implementation (data masking, web filtering, configuration management, monitoring activities) rather than just documentation updates.
Prioritise by risk. If threat intelligence (A.5.7) or cloud service security (A.5.23) are directly relevant to your risk profile, tackle those first. Controls that primarily require policy updates can be addressed in parallel with technical implementations.
Do not underestimate the people controls. Training completion records, onboarding security briefings, and offboarding procedures are consistently under-evidenced at audit. If your HR processes have not been aligned with your ISMS, this is the stage to fix it.
Stage 4: Update Your Risk Assessment (Weeks 8–12)
Your risk assessment underpins the entire ISMS. If new controls have been introduced or existing controls modified, your risk treatment plan should reflect those changes. Run a formal review of your risk register against the updated control landscape and document the outcome. If you have not updated your risk assessment since your last certification audit, this is also a good opportunity to ensure it reflects your current asset and threat environment — not the one that existed two years ago.
Stage 5: Internal Audit Against the 2022 Standard (Weeks 14–18)
Before your transition audit, you need to complete an internal audit specifically scoped against ISO 27001:2022. This is not the same as your previous internal audit — the scope references the 2022 standard, the 2022 Annex A control set, and the updated SoA. The audit should produce a formal report identifying any non-conformities or observations, along with a corrective action plan.
If your internal audit function is internal, ensure the auditor has been updated on the 2022 requirements. If you use an external provider for internal audits, confirm they are auditing against the 2022 standard, not the 2013 version.
Stage 6: Management Review and Corrective Actions (Weeks 16–20)
Hold a management review that covers the transition progress, internal audit findings, and any open corrective actions. Document the minutes and decisions. This is a standard ISO 27001 requirement but is especially important in a transition cycle — your auditor will want to see that leadership has formally reviewed and signed off on the transition readiness.
Stage 7: Transition Audit with Your Certification Body (Weeks 18–24+)
Contact your certification body now to understand their transition audit process and availability. Some bodies perform transition at the next scheduled surveillance audit; others require a separate audit. Availability is already tightening in some regions. The earlier you book, the more control you have over timing.
At the audit itself, expect focus on: the updated SoA, evidence that the 11 new controls have been considered and implemented or justified, updated risk assessment documentation, and the internal audit report and management review minutes.
The Honest Timeline
For an organisation that already has a functioning ISO 27001:2013 ISMS, a well-managed transition typically takes four to six months of active work. For organisations whose ISMS has drifted — policies not reviewed, controls not evidenced, internal audits missed — budget six to nine months and address the underlying maintenance issues at the same time.
Starting now, in mid-2023, gives you comfortable time. Starting in early 2025 does not.
Bitsecura manages ISO 27001:2022 transitions end-to-end — from gap analysis through to internal audit and certification audit readiness. Our Lead Implementers have navigated transitions across multiple sectors. We will tell you what your specific transition requires, how long it will take, and what needs to happen in what order.
If you want that conversation now, contact us here. No commitment, no sales process — just a straight assessment of where you stand.
Bitsecura provides ISO 27001 implementation, internal audit, and ISMS maintenance services. Learn more about our ISO 27001 services.