The transition deadline for ISO/IEC 27001:2013 has passed. As of October 31, 2025, all ISO 27001:2013 certificates are no longer valid and if your organization has not yet completed the transition to ISO/IEC 27001:2022, you are now operating without a recognized certification. That means real exposure: audit failures, contractual breaches with customers who require valid ISO 27001 certification, and reputational risk with prospects who ask for it during due diligence.
The shift to ISO/IEC 27001:2022 isn't just a routine update. It's a direct response to today's real-world threats: cloud breaches, remote work risks, and supply chain attacks. The control structure has been streamlined, 11 new controls have been introduced, and a more risk-adaptive approach is now the standard expectation of certification bodies and auditors alike.
This guide gives you a tactical breakdown of ISO 27001:2013 vs ISO 27001:2022, with clear side-by-side comparisons, mapping tables, and a practical recovery plan if you’re behind. Whether you’re mid-transition or haven’t started yet, this is your playbook for getting back on track.
- Core Differences: ISO 27001:2022 simplifies Annex A, reducing 114 controls to 93, grouped into 4 themes. It drops the 14-domain structure and introduces control attributes for easier mapping, filtering, and risk alignment.
- What's New in ISO 27001:2022: The 2022 update introduced 11 new controls, including threat intelligence, cloud services security, data masking, and physical security monitoring, while consolidating and restructuring many existing ones.
- Mandatory Transition Deadline: All ISO 27001:2013 certifications expired on October 31, 2025. Failure to transition on time means non-compliance, audit failure, and lost contracts.
What is ISO 27001:2013?
ISO/IEC 27001:2013 is the earlier version of the global standard for information security management systems (ISMS), featuring 114 controls grouped into 14 domains to help businesses manage and protect sensitive information.
What is ISO 27001:2022?
ISO/IEC 27001:2022 is the latest update to the ISMS standard, introducing 93 streamlined controls across 4 themes. It reflects modern cybersecurity threats and promotes a more risk-adaptive, scalable, and efficient compliance framework.
Why was ISO 27001 updated in 2022?
ISO/IEC 27001:2022 was introduced to keep pace with modern cybersecurity risks and evolving business models. The 2013 version, although robust, didn't reflect newer threats, such as cloud misconfigurations, supply chain attacks, or remote workforce challenges.
Here are the primary reasons why the update was necessary:
- To tackle new threats and technologies: The 2022 version addresses evolving risk areas such as supply chain vulnerabilities, data masking, and secure coding practices. The 2013 framework doesn't cover these explicitly.
- To restructure and simplify controls: Annex A now lists 93 controls, down from 114. Redundant controls were merged or rewritten. The updated format is easier to apply across teams, especially for small businesses.
- To introduce control themes and attributes: The original 14 control domains are replaced by four themes: Organizational, People, Physical, and Technological. Each control now includes attributes, such as control type or security objective. This makes them easier to sort and implement based on risk.
- To enable risk-based implementation: The framework now supports tailored control selection based on business context, not a checklist approach. This gives your business more flexibility while staying audit-ready.
ISO 27001:2013 vs ISO 27001:2022: What's changed?
To make the key differences easier to grasp, here's a simple side-by-side table:
| Component | ISO 27001:2013 | ISO 27001:2022 | What Changed |
|---|---|---|---|
| Publication Date | October 2013 | October 2022 | Latest update after 9 years |
| Clauses 4–10 | Unchanged since 2013 | Minor language updates for clarity | Intent stays the same, better phrasing |
| Annex A Controls | 114 controls across 14 domains | 93 controls grouped under 4 themes | Controls consolidated and renamed |
| New Controls | Not present | 11 new controls added | Includes threat intelligence, physical monitoring, and others |
| Control Grouping | 14 control domains (e.g., HR security, communications) | 4 control themes: Organizational, People, Physical, Technological | Simplified structure improves usability |
| Control Attributes | Not defined | Introduced five attributes (e.g., control type, security property) | Enables control filtering and mapping |
| Mapping Table | Informal mapping in some guides | Formal mapping is available in ISO/IEC 27002:2022 | Aids smoother transition |
| Risk Treatment Approach | Prescriptive focus on selecting controls | More contextual and risk-based | Supports tailored implementations |
| Certification Impact | Organizations are certified to the 2013 version | 2013 certification won't be valid after 31st October, 2025, and businesses must transition to the 2022 version before then | Deadline defined by IAF (MD 26:2023) |
Mapping controls of ISO 27001:2013 with the 2022 version
Why is this mapping important for you?
Mapping between ISO 27001:2013 and 2022 versions is important because it helps you understand the changes in requirements, align existing Information Security Management Systems (ISMS) with the updated standard, and ensure ongoing compliance.
To make the transition easier for your business, ISO/IEC 27002:2022 provides a detailed mapping table that links each control in Annex A of ISO 27001:2013 to its counterpart (or merged equivalent) in ISO 27001:2022.
Most controls retain their core intent, so you won't need to rewrite them from scratch. The majority were simply renamed, merged, or restructured to reflect a modern security context.
| 2013 Control (ISO/IEC 27001:2013) | 2022 Equivalent (ISO/IEC 27001:2022) | Change Type |
|---|---|---|
| A.12.6.1: Management of technical vulnerabilities | 8.8: Management of technical vulnerabilities | Retained (renumbered) |
| A.18.2.3: Technical compliance review | 5.36: Compliance with policies and standards for information security | Consolidated |
| A.10.1.1: Policy on use of cryptographic controls | 8.24: Use of cryptography | Retained (renamed) |
| A.13.2.3: Electronic messaging | 8.23: Information transfer | Merged under broader control |
| A.14.2.1: Secure development policy | 8.25: Secure development lifecycle | Reworded to fit secure coding lifecycle |
| New | 5.7: Threat intelligence | New control |
| New | 5.23: Information security for use of cloud services | New control |
| New | 7.4: Physical security monitoring | New control |
You can purchase the entire official mapping here.
Transition timeline for ISO 27001:2022
While we have already mentioned this briefly, here's a detailed table covering the key events in the transition timeline:
Key dates
| Milestone | Date | What It Means |
|---|---|---|
| Standard Published | October 25, 2022 | ISO/IEC 27001:2022 was officially released by ISO |
| Transition Period Begins | October 31, 2022 | Certification bodies begin offering audits for the 2022 version |
| Transition Deadline | October 31, 2025 | All ISO 27001:2013 certificates expire. No exceptions after this date |
To maintain a valid certification status, organizations needed to complete their transition audit before the October 31, 2025, deadline. If you have already transitioned, your certification body will have handled this during a surveillance audit, recertification cycle, or as a standalone transition audit, depending on where you were in your audit schedule. If you missed the deadline, you will need to undergo a full certification audit under the 2022 version to requalify.
Note for SMBs: If you are a small business with a one- or two-person compliance team, delaying the transition can be detrimental. Transitioning too close to the deadline may create scheduling bottlenecks with auditors and result in significant non-conformities.
Still behind on ISO 27001:2022? Take the faster path back to audit readiness.
"The Sprinto team was approachable and provided a clear understanding of the platform, expectations, scope of work, and how we could meet our compliance goals together. Most importantly, Sprinto gave us confidence to meet our deadlines." ~ Prabagaran Loganathan, Senior Manager of Information Systems, Position2
See how Sprinto helps teams map gaps, organize evidence, and move toward ISO 27001:2022 with clarity. Book a demo.
How to prepare for the ISO 27001:2022 transition
Don't treat this transition as a simple control update that adds hassle for your compliance team. It is also an opportunity to strengthen your management system and clean up audit inefficiencies. Here are the practical steps to approach it effectively:
1. Perform a gap assessment
The first step to facilitating a transition is to look at how your current ISMS stacks up against ISO 27001:2022. This involves reviewing your existing controls, documentation, and processes against the new Annex A structure and revised clauses.
The goal is to pinpoint what's missing, outdated, or in need of realignment, so you can create a clear action plan for a smooth transition.
- Use a mapping tool or checklist to track what's missing.
- Focus on the 11 new controls and the ones that have been merged.
- Review control ownership, automation gaps, and documentation maturity.
Download the ISO 27001 gap analysis template
2. Update your risk assessment
To comply with ISO 27001:2022, you must reassess your risks in light of new threats and technologies. This step ensures your controls are relevant and your SoA reflects the updated framework.
- Identify new threats like supply chain risk, threat intelligence needs, and cloud misconfigurations
- Update your Statement of Applicability (SoA) to align with the new control structure
3. Revise your policies and procedures
Policy documents must evolve with your controls. The new framework brings additions like data masking and cloud service governance, which must reflect in SOPs, policies, and training material.
- Review which policies need version control updates
- Update training materials for affected teams
- Record change logs and version histories for audit traceability
4. Train your internal teams
The success of your transition hinges on cross-functional alignment. Teams must know not just what's changed, but how it affects their workflows and responsibilities. Use this training phase to reinforce a compliance-first culture and clarify audit expectations.
- Schedule short, focused training sessions
- Highlight what's different in day-to-day operations
- Make new control owners accountable
5. Make a solid transition plan
Coordinate early with your certification body. Most will offer transition audits bundled with scheduled surveillance or recertification cycles. Beyond agreeing on that schedule, you also need to plan for:
- Deciding on whether you want a standalone or integrated audit
- Allocating a budget for remediation in case any gaps are discovered
6. Conduct an internal audit against the 2022 standard
Before your transition audit with the certification body, you must conduct an internal audit to verify that your updated ISMS conforms to ISO 27001:2022 requirements. This is not just a documentation check; it involves testing whether controls are implemented and operating as intended under the new structure. Findings from the internal audit should be documented, assigned for remediation, and closed before the external audit begins. Skipping this step is one of the most common reasons organizations encounter unexpected nonconformities during certification.
7. Complete a management review
ISO 27001 Clause 9.3 requires senior management to formally review the ISMS before the transition audit. This review should assess ISMS performance against the updated 2022 requirements, address any nonconformities surfaced during the internal audit, confirm resource allocation, and document decisions and actions. A management review is not a formality; auditors will look for evidence that leadership has actively reviewed and taken ownership of the updated ISMS. Without it, your transition audit readiness is not credible, regardless of how well your controls are documented.
8. Document everything, no exceptions
Auditors will expect a clear trail of transition activities. Keep records of training sessions, policy revisions, updated risk assessments, and SoA changes. Try maintaining these in a separate folder that you can use internally and share with the auditors.
"Sprinto ensured we were audit-ready on time, which was crucial since delays would have been costly. It was our first compliance audit, yet we encountered no bottlenecks or surprises." ~ Prabagaran Loganathan, Senior Manager of Information Systems, Position2
Book a demo to see how Sprinto helps teams stay on track from remediation through audit.
Downloadable resources to start your ISO 27001 2022 process
Now that we have the theory out of the way, here are some practical resources to help your team accelerate the ISO 27001:2022 transition. You can use these to assess gaps and documentation and prepare for your next audit.
ISO 27001:2022 mapping table
What it is: Official control mapping between ISO 27001:2013 and 2022 versions (Annex B of ISO/IEC 27002:2022).
Where to find it:
Gap assessment checklist (ISO 27001:2022)
What it is: A downloadable worksheet to identify compliance gaps against the new 2022 control structure.
Download from:
ISO 27001:2022 transition guide
What it is: A step-by-step transition roadmap tailored for compliance managers.
Available at:
Plug and play ISO 27001:2022 with Sprinto
Sprinto is an Autonomous Trust Platform that supports the full ISO 27001:2022 transition from gap assessment and control mapping through to evidence collection, internal audit preparation, and ongoing surveillance monitoring.
If you are already certified to ISO 27001:2013, Sprinto can help you efficiently align your existing ISMS with the 2022 requirements, without draining leadership time or creating compliance chaos.
After certification, the platform helps you maintain audit readiness, operate the ISMS more efficiently over time, and expand scope as your business grows.
Frequently Asked Questions
ISO/IEC 27001:2013 is the older version of the globally recognized standard for Information Security Management Systems (ISMS). It outlines requirements for establishing, implementing, maintaining, and improving information security, with 114 controls grouped under 14 domains in Annex A.
ISO/IEC 27001:2022 is the updated version of the standard, released to address modern cybersecurity risks. It retains the core management clauses but overhauls Annex A by introducing 93 streamlined controls, 11 new additions, and a new structure grouped into four themes: Organizational, People, Physical, and Technological.
ISO/IEC 27002 is a companion standard that provides detailed implementation guidance for the controls listed in ISO 27001 Annex A. It plays a critical role in helping organizations interpret, implement, and map controls effectively, and is especially useful when transitioning from the 2013 to the 2022 version.
The 2022 version includes 93 controls, down from 114 in the 2013 edition. These are grouped under four themes and enhanced with attributes for better filtering, selection, and alignment with business risks.
The ISO 27001:2022 update is more than a version bump: it's a response to modern threats and a shift toward smarter, risk-based compliance. If you're still referencing the 2013 standard, you're already behind. Here's what changed:
Key Differences: ISO 27001:2013 vs ISO 27001:2022
-> Core Clauses (4–10): Largely unchanged; same ISMS backbone
-> Annex A Controls: Reduced from 114 to 93; cleaner, more relevant
-> Control Themes: 14 domains merged into 4: Organizational, People, Physical, Technological
-> New Controls: 11 additions, e.g., threat intelligence, cloud services
-> Attributes Introduced: Controls now tagged by purpose, type, and more
Start with a gap assessment against the 2022 control structure. Update your risk assessment, Statement of Applicability, and policies to reflect the new requirements. Conduct an internal audit and complete a management review before your transition audit. Train teams, document every step, and engage your certification body as soon as possible. The October 31, 2025, deadline has passed, so if you haven't transitioned yet, a full certification audit under the 2022 version will be required.
No, you can simply transition during a scheduled surveillance or recertification audit, or request a standalone transition audit.
ISO 27001 is risk-based, so you include controls based on your threat landscape and risk treatment plan. So, they would be mandatory only if they apply to you. But you should explain the reasoning in your Statement of Applicability.
The October 31, 2025, deadline has now passed. If your organization has not completed the transition, your ISO 27001:2013 certificate is no longer valid. To requalify, you will need to undergo a full certification audit under ISO 27001:2022, not just a transition audit. This typically takes longer and costs more than a planned transition would have. The priority now is to engage your certification body and begin the process as soon as possible to minimize the period of operating without a valid certification.
Author
Pansy
Pansy is an ISC2 Certified in Cybersecurity content marketer with a background in Computer Science engineering. Lately, she has been exploring the world of marketing through the lens of GRC (Governance, risk & compliance) with Sprinto. When she’s not working, she’s either deeply engrossed in political fiction or honing her culinary skills. You may also find her sunbathing on a beach or hiking through a dense forest.
Reviewer
Sonali Samantaray
Sonali Samantaray is a Senior Solutions Architect at Sprinto with deep expertise in SaaS presales, consulting, and cybersecurity compliance. A certified PCI QSA, 3DS QSA, and ISO 27001 Lead Auditor and Implementer, she helps organizations untangle complex security frameworks and build audit-ready environments with confidence.