Updated: June 21, 2026
ISO 27001:2022 Deadline Puts Legacy Certificates At Risk
The ISO 27001:2022 transition deadline has left organizations with old ISO 27001:2013 certificates exposed to certificate withdrawal, lost assurance claims, and customer contract risk after the global transition period closed on October 31, 2025. The latest confirmed post-deadline accreditation development came on January 1, 2026, when Global Accreditation Cooperation Incorporated began operations and took over international accreditation functions previously handled by IAF and ILAC.
What Is The ISO 27001:2022 Transition Deadline And Why Does It Matter Now?
The ISO 27001:2022 transition deadline is the final date for organizations certified under ISO 27001:2013 to move to the 2022 edition of the information security management standard. The deadline matters now because non-transitioned ISO 27001:2013 certificates were required to expire or be withdrawn after October 31, 2025.
ISO says ISO/IEC 27001 defines requirements for an information security management system, or ISMS, and applies to companies of any size and sector. Certification is voluntary, but customers, regulators, procurement teams, insurers, and partners often use it as evidence that a security program is formally managed.
The issue is not a new law or government fine. It is a certification validity problem. Organizations that still present an ISO 27001:2013 certificate as current after the deadline may face customer due-diligence failures, contract disputes, supplier reviews, and reputational damage.

What Is The Full ISO 27001:2022 Timeline From 2022 To 2026?
ISO published ISO/IEC 27001:2022 on October 25, 2022, replacing ISO/IEC 27001:2013. IAF MD 26:2023 set a 36-month transition period, required new certification and recertification audits to move to the 2022 edition by April 30, 2024, and required certified-client transitions by October 31, 2025.
UKAS issued transition guidance on December 19, 2022. IAF issued MD 26:2023 Issue 2 on February 15, 2023, with immediate application. Accreditation bodies had to be ready to assess ISO 27001:2022 by April 30, 2023, and accreditation-body transitions of certification bodies were due by October 31, 2023.
The next key date was April 30, 2024, when certification bodies were required to begin initial certification and recertification only to ISO 27001:2022. The final client deadline was October 31, 2025. On January 1, 2026, Global Accreditation Cooperation Incorporated launched as the successor international accreditation organization for IAF and ILAC functions.
What Changed In ISO 27001:2022 Compared With ISO 27001:2013?
ISO 27001:2022 changed the ISMS standard mainly through an updated Annex A control set, revised wording, a new planning-for-changes clause, and closer consistency with ISO’s management-system structure. IAF said the core impact need not be significant for organizations that already operated a mature ISMS.
IAF MD 26:2023 says ISO 27002:2022 reduced the reference control set from 114 controls in 14 clauses to 93 controls in 4 clauses. It said 11 controls were new, 24 were merged from existing controls, and 58 were updated.
The transition audit had to review the organization’s gap analysis, updated Statement of Applicability, risk treatment plan changes where applicable, and implementation of new or changed information security controls. IAF said a transition audit could occur during a surveillance audit, recertification audit, or separate audit.
Which Organizations Are Affected By The ISO 27001:2022 Transition Deadline?
The ISO 27001:2022 transition deadline affects organizations that held accredited ISO 27001:2013 certificates and had not completed transition before October 31, 2025. The affected group spans SaaS providers, cloud firms, fintech companies, healthcare vendors, manufacturers, data centers, professional services firms, and suppliers using ISO 27001 in procurement.
The transition does not apply only to technology firms. ISO says the standard is suitable for companies of any size and from all sectors. The practical exposure is highest where customer contracts, vendor risk programs, public tenders, or regulated-sector procurement require a valid accredited ISO 27001 certificate.
The ISO Survey tracks accredited certification counts globally, and ISO says that from 2025 onward the survey is compiled from anonymized, aggregated data in IAF CertSearch. A 2024 ISO Survey infographic reported 96,709 ISO/IEC 27001:2013 and 27001:2022 certificates covering 179,877 sites, showing the broad commercial footprint of the standard.
What Happens To ISO 27001:2013 Certificates After October 31, 2025?
ISO 27001:2013 certificates that were not transitioned by October 31, 2025, had to expire or be withdrawn at the end of the transition period. SGS said certificates issued or reissued against the 2013 edition during the transition period carried October 31, 2025, as their expiration date, not the usual 3-year validity.
SGS said organizations with expired ISO 27001:2013 certification after the transition period would be treated as new clients and subject to a full initial audit. That means a missed transition can turn a controlled migration into a heavier certification project.
The legal consequence depends on contract language and claims made to customers. ISO itself does not fine organizations. Certification bodies control certificate status, customers control supplier acceptance, and contract terms determine whether an expired certificate creates a breach or remediation duty.
What Should Companies Do After Missing The ISO 27001:2022 Deadline?
Companies that missed the ISO 27001:2022 deadline should stop relying on ISO 27001:2013 as a current certification claim and begin a certification recovery process against the 2022 edition. The immediate work is a gap analysis, Statement of Applicability update, risk treatment review, internal audit, management review, and certification-body engagement.
Security and compliance teams should map the old Annex A controls to the 93-control structure, review the 11 new controls, update policies, test evidence, and prepare audit records. The 11 controls introduced in ISO 27002:2022 are threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28). Each must be addressed in the Statement of Applicability, either as implemented or as excluded with a documented justification.
Procurement teams should notify customers where contracts require an active certificate. Legal teams should review security warranty language, supplier questionnaires, renewal clauses, and representations made in sales documents. A false or stale certification claim can create a commercial problem even without a regulator.
How Did Certification Bodies And Industry Respond To ISO 27001:2022?
Certification bodies responded to ISO 27001:2022 with transition bulletins, audit cutoffs, special transition audits, and client warnings before the October 31, 2025 deadline. UKAS, the UK accreditation body, and certification bodies including SGS, BSI, LRQA, and Coalfire published guidance urging clients to schedule transition work before auditor availability became a bottleneck.
BSI said all organizations had to transition by October 31, 2025. SGS said it would not conduct initial or recertification audits to the old standard after April 30, 2024. IAF required certification bodies to communicate timelines, audit approaches, and consequences to clients.
Industry reaction was practical rather than political. Many organizations treated the update as an ISMS documentation and control-mapping project, while smaller teams faced pressure from limited audit slots, internal-resource constraints, and customer deadlines.
What Are The Business Costs And Legal Risks Of Losing ISO 27001 Certification?
The main business costs of losing ISO 27001 certification are lost bids, delayed renewals, failed supplier reviews, higher audit costs, and customer trust damage. The legal risk depends on whether the organization promised to maintain a valid certificate in contracts, regulatory filings, cyber insurance materials, or procurement documents.
A lapsed certificate can affect revenue faster than it affects security posture. Many customers use ISO 27001 as a procurement gate, especially in SaaS, managed services, cloud hosting, financial technology, healthcare data handling, and government supply chains.
Organizations may incur full initial-audit costs after the deadline instead of transition-audit costs. IAF required at least 0.5 additional auditor-day when the transition audit was combined with a recertification audit, and at least 1.0 additional auditor-day when it was combined with a surveillance audit or performed as a separate audit. A missed deadline replaces that incremental effort with a full initial certification audit.
What Regulator Or Court Actions Are Tied To ISO 27001:2022?
No specific court ruling or government enforcement action was found that directly penalized organizations for missing the ISO 27001:2022 transition deadline. The transition was governed through ISO publication, IAF mandatory transition rules, accreditation bodies, and accredited certification bodies rather than through a national statute.
Government and regulator relevance comes through reliance on accredited certification. Global ACI said accredited conformity assessment results and certificates must be trusted and accepted across borders. ISO says ISO does not perform certification, and organizations seeking certification must use independent certification bodies.
The unresolved legal exposure comes from downstream use. A company that claims current ISO 27001 certification after its 2013 certificate expired can face customer, procurement, insurance, or contractual consequences based on the specific representation and governing agreement.
What Questions Remain After The ISO 27001:2022 Transition Deadline?
The main open questions after the ISO 27001:2022 deadline involve how quickly customers will reject old certificates, how certification bodies will handle late applicants, and how organizations will verify supplier certificates through IAF CertSearch and Global ACI structures during 2026 procurement cycles. Vendor-risk teams verifying a supplier certificate should confirm the edition (2022, not 2013), the scope statement, the expiry date, and that the issuing certification body is accredited, rather than accepting a PDF copy at face value.
Another unresolved issue is market consistency. Some customers may accept a remediation plan or scheduled audit date, while others may require a valid ISO 27001:2022 certificate before renewal, onboarding, or payment processing. That inconsistency creates risk for vendors selling into large enterprises.
The broader significance is clear. ISO 27001:2022 makes information-security assurance more current with cloud use, supplier risk, threat intelligence, data leakage, secure coding, and business continuity needs. Legacy certificates no longer provide the same market signal.
How Bright Defense Helps Organizations Maintain ISO 27001:2022 Certification
Bright Defense helps organizations achieve and maintain ISO 27001:2022 certification through ISO 27001 consulting, continuous compliance, internal audits, vCISO guidance, and security assessments. Our ISO 27001 Lead Auditors work with teams to build and operate an effective Information Security Management System (ISMS), prepare for certification audits, and maintain ongoing compliance.
For organizations pursuing ISO 27001, Bright Defense can perform gap assessments, conduct internal audits, support risk assessments, develop policies and documentation, manage evidence collection, review security controls, and prepare teams for certification audits. The result is a structured compliance program that helps organizations demonstrate a mature security posture while maintaining audit readiness throughout the year.
Sources Cited In This ISO 27001:2022 Report
- ISO — ISO/IEC 27001:2022 Information Security Management Systems (Accessed June 18, 2026)
https://www.iso.org/standard/27001
- ISO — ISO/IEC 27001: What’s New In IT Security? (October 2022)
https://www.iso.org/contents/news/2022/10/new-iso-iec-27001.html
- IAF — IAF MD 26:2023 Issue 2, Transition Requirements For ISO/IEC 27001:2022 (February 15, 2023)
https://iaf.nu/iaf_system/uploads/documents/IAF_MD26_Issue_2_15012023.pdf
- UKAS — Technical Bulletin: Transition Arrangements For ISO/IEC 27001:2022 (December 19, 2022)
https://www.ukas.com/wp-content/uploads/2022/12/2022.12.19-Technical-Bulletin-Transition-to-ISO-IEC-27001-2022.pdf
- SGS — ISO/IEC 27001 Transition: What You Should Know (May 9, 2024)
https://www.sgs.com/en-us/news/2024/05/iso-iec-27001-transition-what-you-should-know
- BSI — ISO/IEC 27001:2022 Transition Timeline (Accessed June 18, 2026)
https://www.bsigroup.com/globalassets/localfiles/en-nz/ISO%2027001/documents/27001%20Resources/iso-27001-timeline.pdf
- BSI — Transition To The ISO/IEC 27001:2022 Standard (Accessed June 18, 2026)
https://www.bsigroup.com/en-GB/insights-and-media/insights/blogs/transition-to-the-iso-iec-27001-2022-standard/
- LRQA — Preparing For ISO 27001:2022 Transition Before The October 2025 Deadline (Accessed June 18, 2026)
https://www.lrqa.com/en-us/insights/articles/preparing-for-iso-270012022-transition-by-october-2025/
- Coalfire — Only 21 Days To The ISO 27001:2013 Expiration Deadline (October 2025)
https://coalfire.com/the-coalfire-blog/only-21-days-to-the-iso-270012013-expiration-deadline
- ISO — The ISO Survey (Accessed June 18, 2026)
https://www.iso.org/the-iso-survey.html
- IAF CertSearch — ISO Survey Powered By IAF CertSearch (Accessed June 18, 2026)
https://iafcertsearch.org/services/iso-survey
- Global ACI — Global Accreditation Cooperation Incorporated Launch Unifies International Accreditation Organisations And Strengthens Worldwide Trust (January 1, 2026)
https://iaf.nu/en/news/global-accreditation-cooperation-incorporated-launch-unifies-international-accreditation-organisations-and-strengthens-worldwide-trust/
- GlobalSTD — ISO Survey 2024 Infographic (October 2025)
https://www.globalstd.com/wp-content/uploads/2025/10/Infografia-ISO-Survey-2024_EN.pdf
Major Outlet Note — Reuters, AP, Bloomberg, Financial Times, Wall Street Journal, BBC, and similar general-news sources did not appear to have dedicated coverage of this ISO 27001:2022 transition deadline in the available search results. The report therefore relies on ISO, IAF, accreditation bodies, certification bodies, and certification-sector sources.