ReadSafety.com

ISO 27001 Questions, Answered

What is the latest version of ISO 27001?

Quick answer

The current edition is ISO/IEC 27001:2022, published in October 2022 and updated by the 2024 climate amendment. The transition from the 2013 edition ended on 31 October 2025, so all ISO 27001:2013 certificates are now invalid. If you or a supplier still hold a 2013-edition certificate, it has expired regardless of its printed dates.

The current state, precisely

ISO/IEC 27001:2022 replaced the 2013 edition with modest changes to the management system clauses (notably planned changes to the ISMS, clearer process criteria in operation) and a substantial reorganization of Annex A: 93 controls in four themes replacing 114 controls in 14 domains, with 11 genuinely new controls including threat intelligence, cloud service security, data leakage prevention, web filtering, and secure coding. The 2024 amendment added climate change consideration to clauses 4.1 and 4.2, as across all ISO management standards.

Key factThe transition deadline of 31 October 2025 was a hard stop set by the accreditation system: certification bodies were required to withdraw or expire all remaining 2013-edition certificates by that date. In supplier due diligence today, a 2013 certificate equals no certificate. Check the edition line on every certificate you rely on, including your own.

What the 2022 changes mean in operation

  • Your SoA speaks 2022. Statements of Applicability must address the 93-control structure; SoAs still organized around the old 14 domains signal an un-transitioned system.
  • The new controls have teeth. Threat intelligence, DLP, configuration management, and secure coding are audited as operating processes, not tool purchases. These are where post-transition audits now concentrate findings.
  • Attributes enable mapping. Each 2022 control carries attributes (control type, properties, cybersecurity concepts) that make mapping to SOC 2, NIST, and customer questionnaires far cleaner, a quiet but real efficiency gain.

What is coming next

ISO standards run on systematic review cycles, and the 27000 family evolves continuously around the core standard: ISO 27002 (control guidance), ISO 27005 (risk management), and ISO 27701 (privacy) have all been revised recently, and further family updates are always in the committee pipeline. For the certifiable requirements themselves, ISO/IEC 27001:2022 as amended is the text, and any future edition will arrive with a multi-year transition. Track status through management review and confirm the authoritative current state on iso.org rather than vendor blogs.

For new implementers

Build directly to ISO/IEC 27001:2022 including the climate amendment; there is nothing newer to wait for and nothing older worth borrowing. If you inherit templates or a consultant's pack, check the Annex A numbering first: material still citing A.12 or 14 domains predates 2022 and will cost you rework at Stage 1.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC