In All Posts

New ISO/IEC 27001: 2022 will replace its previous edition, which will cease to be valid on 31/10/2025

ISO 27001:2022 “Information security, cybersecurity and privacy protection — Information security management systems — Requirements” was released in October 2022 and is set to replace ISO 27001:2013 via a three year transition period. All organizations that wish to remain certified to ISO 27001 will need to transition to the 2022 revision of the standard within the set transition period which is expected to end in Oct 2025.

CPG goal is to maintain a clear transition approach that is easy for our clients to comprehend and apply. Our aim is to provide organizations with the guidance and tools to make the transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 as smooth as possible.

The overall allowable transition period is expected to be three years (i.e. from October 2022 through October 2025).

During that period both versions of the ISO 27001 standard remain valid and audits to either version of the standard may be conducted subject to the rules noted below, but plans should be made for an organization’s transition to fully occur prior to the transition period ending.


  • 25th October 2022  ISO/IEC 27001:2022 3rd edition – Release date
  • 31st October 2022 – Transition period begins
  • 1st May 2024 – All initial (new) certifications should be to the 27001:2022 edition after this date and all recertification audits are recommended to utilize the 27001:2022 edition after this date.
  • CPG will continue to accept applications for certification and issue new certificates against the 27001:2013 standard until this date.
  • 31st July 2025 – All transition audits should be conducted by this date.
  • 31st October 2025 – Transition period ends
    Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.

Transition Man-days Requirement

For Surveillance upgrade audit minimum of 1.0 auditor day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit.

For Re-certification audit minimum of 0.5 auditor day for the transition audit when it is carried out in conjunction with a recertification audit.

During the transition period, already certified organisations can choose to make the transition to the new standard:

  • during a surveillance audit
  • during a recertification audit
  • In-between to programmed audits, programming an extra audit.

What action should be taken to prepare for the transition to the new standard? 

Familiarise with the standard contents and perform a gap analysis between new requirements and current organisation’s systems procedures;

Carry out training for interested personnel to prepare them understanding the main changes;

Assess the implementation effectiveness through internal audits, and define further actions if necessary.

Plan the implementation of all necessary changes to the Information security management system;

Get in contact with the CPG, in order to program the transition audit;


Possible outcomes of the transition audit: 

 Positive outcome: issuing a certificate of conformity to the new standard.

Negative outcome: if conformity to the previous edition of the standard remains, the organisation can maintain its old certification with an expiry date limited to the end of the transition period

Already certified with another company and want to switch to CPG

If you have an ISO/IEC 27001-: 2013 certification issued under accreditation, you must first request the transfer of the certificate to CPG. You can request and transfer the certificate to ISO/IEC 27001: 2022 no later than 31st July 2025

Recent Posts