
Missed the ISO 27001:2022 Deadline? The Recertification Path After 31 October 2025

The ISO 27001:2013-to-2022 transition window closed on 31 October 2025. A lapsed certificate isn't renewed — you re-enter as a new client and undergo a full initial audit. What that means in practice, and how to rebuild fast in Qatar and KSA.

The BCM Desk, BCMStack Editorial · Riyadh
10 June 2026 · 5 min read

If your ISO/IEC 27001:2013 certificate was not transitioned to the 2022 version before 31 October 2025, the situation has changed in a specific and consequential way: the certificate is no longer valid, and you cannot simply renew it. The intent has shifted from transition to remediation — and the path back is longer than most teams expect.

This guide explains exactly what a missed deadline means, the recertification path, and how to rebuild efficiently — particularly for organisations in Qatar and KSA that run ISO 27001 alongside ISO 22301 and regulatory frameworks like SAMA BCM.

What 31 October 2025 actually changed

ISO/IEC 27001:2013 certificates entered a three-year transition grace period after the 2022 version was published. That period closed on 31 October 2025. After that date:

[Figure: timeline. Transition grace period → 31 Oct 2025 → ISO 27001:2013 certificate invalid, treated as a new client → full initial audit to ISO 27001:2022]
After 31 October 2025 the intent shifted from transition to remediation: a lapsed 2013 certificate isn't renewed — the organisation re-enters as a new client and undergoes a full initial audit against ISO 27001:2022.
  • A lapsed 2013 certificate is invalid. Only ISO 27001:2022 certifications are recognised.
  • You are treated as a new client. An organisation whose certificate expired is not "renewing" — certification bodies treat it as a fresh engagement.
  • A full initial audit is required. That means the complete Stage 1 (readiness/documentation review) and Stage 2 (implementation audit) cycle, not a lightweight transition audit.

What changed in ISO 27001:2022 (the gap you're now closing)

If you never completed the transition, you also never closed the 2013-to-2022 gap. The substantive changes:

  • Annex A restructured. Controls dropped from 114 to 93, regrouped under four themes — Organisational, People, Physical and Technological.
  • Eleven new controls. These are genuinely new (covering areas such as threat intelligence, information security for cloud services, ICT readiness for business continuity, data leakage prevention, secure coding and configuration management). Expect real gaps here, not relabelling.
  • Same management-system clauses, refined. Clauses 4–10 are largely consistent with 2013, with refinements aligned to the harmonised structure.

The new control "ICT readiness for business continuity" is worth flagging for this audience: it pulls continuity directly into the ISMS, which is exactly where ISO 27001 and ISO 22301 stop being separate projects.

The recertification path, step by step

  1. Gap assessment against 2022

     Map your existing controls to the 93 controls and four themes, and identify the 11 new controls you've never implemented. This is the foundation — it scopes everything that follows.

  2. Close the control gaps

     Implement the missing controls and produce the evidence (policies, records, logs) that they operate. The new controls around cloud, threat intelligence and continuity usually need the most work.

  3. Run the ISMS long enough to generate evidence

     A full initial audit expects to see the management system operating — internal audits, a management review, risk treatment in action. You cannot evidence a system that started last week.

  4. Book Stage 1 and Stage 2 early

     Auditor availability is constrained, and you need the full two-stage cycle. Book ahead; don't assume a quick slot.

  5. Certify and re-enter the surveillance cycle

     Once certified to 2022, you re-enter the normal three-year cycle with annual surveillance audits.

Rebuild once: the integrated-management-system advantage

For most organisations in Qatar and KSA, ISO 27001 doesn't stand alone. It sits alongside ISO 22301 business continuity and, for financial institutions, SAMA BCM and the NCA ECC cybersecurity controls. The expensive mistake is rebuilding each in its own silo.

The new 2022 control for ICT readiness for business continuity is the bridge: the evidence that satisfies it — recovery objectives, tested recovery procedures, dependency maps — is the same evidence a BIA and a BCMS already produce. Run one maintained evidence base and it serves both the ISMS and the BCMS, halving the surveillance burden.

The cheapest ISO 27001:2022 rebuild is the one that reuses the continuity evidence you already maintain for ISO 22301 — build the system once, certify it twice.

Frequently asked questions

Can I still just do a transition audit?

No. The transition window closed on 31 October 2025. A lapsed ISO 27001:2013 certificate cannot be transitioned — you are treated as a new client and require a full initial audit (Stage 1 and Stage 2) against ISO 27001:2022.

How long does recertification take?

Plan for months, not weeks. You need to close the control gaps (especially the 11 new controls), run the ISMS long enough to generate audit evidence, and book a full two-stage audit against constrained auditor availability.

Is the 2022 version a big change from 2013?

The management-system clauses are largely consistent, but Annex A is restructured to 93 controls under four themes with 11 genuinely new controls. Those new controls — cloud, threat intelligence, ICT readiness for continuity — are where most of the real work is.

Where to start

If your certificate has lapsed, the first ninety days:

  1. Run the gap assessment against the 93 controls and four themes — you can't plan a rebuild you haven't scoped.
  2. Prioritise the 11 new controls — they're the gaps you definitely have.
  3. Stand up the management system early so it has run-time before the audit.
  4. Integrate with your BCMS — reuse continuity evidence to satisfy the ICT-readiness control rather than building it twice.

For the continuity half of that integrated build, see the ISO 22301 implementation guide and the BCM software for KSA overview. For the framework landscape, the ISO 22301 framework page shows how the standards fit together.

A missed deadline is a setback, not a dead end — but treat it as the full rebuild it is, and reuse everything your continuity programme already produces.
