ISO 27001 · June 4, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 9 min read

Picking Up After the ISO 27001:2022 Transition Deadline: A Practical Path Back to Certification

ISO/IEC 27001:2013 certificates expired on October 31, 2025. Here is the practical path back to certification for organisations that did not transition in time.


TL;DR: The transition window from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 closed on October 31, 2025. All 2013 certificates expired on that date. Organisations that did not complete the move are not in a transition position anymore — they need to plan a full new certification against the 2022 standard. This piece walks through what changes, what doesn't, what the 11 new controls actually require, and a 90-day re-entry plan our team uses with mid-market clients in the same position.

The transition window from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 closed at the end of October 2025. For organisations that completed the move before that date, the conversation is now about maintaining the 2022 ISMS through surveillance audits. For organisations that didn't, the conversation is different — and quieter than it should be, because most discussions about ISO 27001:2022 have moved past the deadline as if everyone made it.

In our practice this year, a meaningful share of inbound conversations begin with the same admission: the 2013 certificate lapsed on October 31, the customer questionnaires are starting to ask about active certification, and the internal plan to "get back on track" hasn't been written yet. If that's the position you're reading this from, the path forward is structured. None of the steps are surprising; the sequence and the timeline matter.

What actually happened on October 31, 2025

The transition rules published by the International Accreditation Forum and reinforced by accredited certification bodies were unambiguous: October 31, 2025 was the last day on which an ISO/IEC 27001:2013 certificate could remain valid. The day after, every 2013 certificate expired by design. There is no extension mechanism. There is no remediation path that restores the 2013 cert.

What does still exist is the option to certify against ISO/IEC 27001:2022. That is now a new certification rather than a transition. Operationally, that distinction matters: a transition audit assumes the underlying ISMS is in place and tests the delta. A new certification runs the full Stage 1 (documentation review) and Stage 2 (implementation audit) sequence. The audit body treats the engagement as initial certification, not recertification — even if your ISMS has been operating for years.

What it means in operational terms

The immediate consequences for organisations carrying an expired 2013 certificate fall into four buckets that we see consistently in client conversations:

Customer-facing impact. B2B customers who included ISO 27001 in their vendor security requirements will eventually check. Some are checking now. Most contracts include a "maintain certification" clause; some include audit-rights clauses that activate when certification lapses. The practical exposure is often less than feared — customers usually want a credible plan rather than an immediate replacement vendor — but the exposure depends on which customers and which contracts.

RFP and procurement impact. New RFPs that ask for ISO 27001 evidence become harder to answer truthfully. "Certification in progress" is a defensible answer if the work is genuinely in progress, with a target audit date. It is not defensible indefinitely. In our recent engagements with mid-market clients, the operational window where "in progress" reads as credible to procurement is approximately 6 to 9 months from the date a serious re-certification plan begins.

Cyber insurance impact. Insurance renewals increasingly ask whether ISO 27001 (or comparable) certification is current. A lapsed cert is not necessarily a renewal blocker, but it changes the underwriting conversation. Most underwriters will accept evidence of a re-certification programme in flight; few will accept silence.

Audit-body impact. If you were working with a specific accredited certification body before lapse, the relationship typically continues but the engagement type changes. Some clients use the lapse moment to reconsider the audit-body choice; that is a separate decision worth thinking through but not one that should delay the work.

What "starting over" looks like under the 2022 standard

The version of the standard you are certifying against is meaningfully different from the 2013 baseline. The headline changes:

  • Annex A controls dropped from 114 to 93, reorganised under four themes: Organisational, People, Physical, and Technological.
  • 24 controls have been merged from existing 2013 items. The substance overlaps; the structure is new.
  • 58 controls have been updated with revised language and, in many cases, broader scope.
  • 11 controls are net-new — meaning they did not exist in any form under the 2013 standard.
  • New clause 6.3 (Planning for changes) requires the ISMS to plan changes systematically rather than reactively.
  • Revised requirement 4.2(c) requires the needs and expectations of interested parties to be addressed through the ISMS, not just identified.

The cumulative effect on documentation is significant. The control structure of the Statement of Applicability has changed entirely. Policies and procedures that referenced 2013-era control numbering need to be retired or restructured. The risk treatment plan needs to be reconstructed against the new control catalogue. None of this is conceptually difficult; the work volume is real.

The controls and clauses where late-starting organisations get stuck

In our gap analyses for clients restarting against the 2022 standard, four clusters consistently surface as the slowest to close.

The 11 new controls — operationally, not just on paper

The 11 net-new controls are easy to list and harder to evidence:

  • 5.7 Threat intelligence — a documented process for collecting, analysing, and acting on threat information relevant to the organisation. Most clients have feeds; few have the documented analysis process the auditor expects.
  • 5.23 Information security for use of cloud services — explicit cloud-security policy with provider-specific risk consideration. SaaS sprawl makes this harder than the wording suggests.
  • 5.30 ICT readiness for business continuity — distinct from general business continuity. It specifically tests whether ICT services can be recovered to support business continuity in incident conditions.
  • 7.4 Physical security monitoring — documented monitoring of physical perimeter, with logged review. The "documented review" element is where most evidence trails are thin.
  • 8.9 Configuration management — system configurations defined, maintained, monitored, and reviewed. Modern infrastructure-as-code estates often have the substance but not the auditor-facing documentation.
  • 8.10 Information deletion — when and how information is deleted, including in third-party hands. The third-party side is where most gaps live.
  • 8.11 Data masking — where used, must be documented; where appropriate, must be considered. Frequently overlooked in test environments and analytics pipelines.
  • 8.12 Data leakage prevention — DLP capability appropriate to the data sensitivity. Both technical controls and the policy framing matter.
  • 8.16 Monitoring activities — networks, systems, and applications monitored for anomalous behaviour, with documented response procedures.
  • 8.23 Web filtering — managed access to external websites to reduce exposure to malicious content.
  • 8.28 Secure coding — secure coding principles applied throughout the software development lifecycle.

The audit pattern we see: organisations adopt the 2022 control set in the SoA, but the underlying procedures and evidence trails are still organised against 2013 controls. The audit conversation surfaces the mismatch quickly.

The SoA — still the most common audit-finding source


The Statement of Applicability remains the single most common location for ISO 27001:2022 audit findings, just as it was under 2013. The reasons compound under the new standard:

  • The applicable / non-applicable status of each of 93 controls now needs justification (some justifications carry over; many need fresh language).
  • Implementation status for the 11 new controls is harder to assert credibly without underlying procedure documents that already reflect 2022 framing.
  • The link between the SoA and the risk treatment plan needs to be tight; auditors increasingly trace claims in the SoA back to risk decisions, and the trail is often broken.

Across the ISO 27001:2022 engagements we run, the SoA is the first document we rewrite far more often than not.
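As an added example (not from the article or the firm's own methodology), a small Python check that applies the three SoA expectations above to constructed sample records: the record field names, the sample rows and the risk-treatment entries are assumptions.

```python
# Added example, not part of the article: a traceability check over a Statement of
# Applicability (SoA). It flags the audit-finding patterns described above: a control
# with no applicability justification, a 2022 net-new control asserted as implemented
# without a procedure reference, and a broken SoA <-> risk treatment plan (RTP) link.
# Field names and all records below are constructed sample data (assumptions).

# The 11 net-new Annex A controls in ISO/IEC 27001:2022.
NEW_2022_CONTROLS = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11",
                     "8.12", "8.16", "8.23", "8.28"}

def check_soa(soa_rows, risk_treatments):
    """Return (control_id, finding) tuples, in SoA order, then dangling RTP entries."""
    soa_ids = {row["control"] for row in soa_rows}
    treated = {rt["control"] for rt in risk_treatments}
    findings = []
    for row in soa_rows:
        cid = row["control"]
        # Every control needs a justification, whether applicable or excluded.
        if not (row.get("justification") or "").strip():
            findings.append((cid, "missing applicability justification"))
        if not row["applicable"]:
            continue
        # A net-new control claimed as implemented must point at a 2022-framed procedure.
        if cid in NEW_2022_CONTROLS and row.get("status") == "implemented" \
                and not row.get("procedure"):
            findings.append((cid, "net-new control implemented without procedure reference"))
        # Auditors trace SoA claims back to risk decisions; the link must exist.
        if cid not in treated:
            findings.append((cid, "no risk-treatment decision links to this control"))
    # The reverse direction: the RTP must not cite controls the SoA does not list.
    for rt in risk_treatments:
        if rt["control"] not in soa_ids:
            findings.append((rt["control"], "risk treatment references control absent from SoA"))
    return findings

# Constructed sample SoA rows and RTP entries.
SAMPLE_SOA = [
    {"control": "5.7", "applicable": True, "status": "implemented",
     "justification": "Threat feeds reviewed weekly by the SOC", "procedure": "PROC-TI-01"},
    {"control": "5.23", "applicable": True, "status": "implemented",
     "justification": "SaaS providers in scope", "procedure": None},
    {"control": "7.4", "applicable": False, "status": "n/a", "justification": ""},
    {"control": "8.16", "applicable": True, "status": "partial",
     "justification": "SIEM covers production only", "procedure": "PROC-MON-02"},
]
SAMPLE_RTP = [{"risk": "R-12", "control": "5.7"}, {"risk": "R-15", "control": "5.23"},
              {"risk": "R-20", "control": "8.24"}]
```

Running `check_soa(SAMPLE_SOA, SAMPLE_RTP)` yields one finding per pattern on this sample: 5.23 lacks a procedure, 7.4 lacks a justification, 8.16 has no risk link, and the RTP cites 8.24, which the SoA does not list.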

Clause 6.3 — planning changes systematically

The new clause 6.3 requires that changes to the ISMS be planned. In practice, this means the change-management process for the ISMS itself needs to be documented and evidenced. Most organisations have change management for IT systems; few have it for the ISMS as a managed entity. The first audit interview typically surfaces the absence.

Clause 4.2(c) — interested parties addressed through the ISMS

The 2013 standard required identification of interested parties and their requirements. The 2022 revision goes further: those requirements must be addressed through the ISMS. The auditor will trace a sampling of requirements (e.g., a customer's contractual security obligation) into the ISMS to verify it is operationally honoured. The thin evidence here is usually the trace itself, not the underlying control.


A 90-day re-entry plan

The 95-day cadence we use for TISAX® preparation maps cleanly onto an ISO/IEC 27001:2022 re-certification engagement, with adjustments for the specific control set. For an organisation whose 2013 ISMS was reasonably mature, the path is structured across four phases.

Phase 1: Gap analysis against 2022 (weeks 1–2). A control-by-control mapping of existing ISMS documentation and evidence against the 93 controls and updated clauses. Output: prioritised gap list, effort estimates, and a credible target Stage 1 audit window.

Phase 2: Documentation update (weeks 3–6). Restructure the SoA against the 2022 control catalogue. Rewrite policies and procedures affected by the new controls. Update the risk treatment plan to reflect the 2022 control IDs. Document the ISMS change-management process for clause 6.3 evidence.

Phase 3: Operational implementation (weeks 5–10). Close the operational gaps surfaced in Phase 1. The most common items: documented threat intelligence process (5.7), explicit cloud security policy with provider-specific assessment (5.23), monitoring-with-response procedures (8.16), DLP appropriate to sensitivity (8.12), and the evidence trail for tested ICT business continuity (5.30). Implementation often runs in parallel with documentation.

Phase 4: Stage 1 readiness and internal audit (weeks 11–13). Internal audit against the 2022 standard, gap remediation from the internal audit, evidence binder preparation, and Stage 1 documentation submission to the certification body.

Stage 2 typically follows Stage 1 by four to eight weeks depending on the certification body's calendar and any findings from Stage 1. The full path — from project start to Stage 2 closing meeting — is realistic in 5 to 7 months for an organisation with a sound 2013 baseline. Faster is possible but unusual.

Communication while the work is in flight

The piece of this that most clients underestimate is the stakeholder conversation. The instinct is to wait until certification is restored before saying anything. In our experience the cleaner approach is the opposite:

  • Customers with active "maintain certification" clauses: a single proactive email confirming the re-certification programme, its target date, and the contact for questions. This is almost always received better than silence followed by a procurement-side discovery.
  • Insurance underwriters: include the re-certification programme in the next renewal submission with the project plan attached. Underwriters reward clarity.
  • Internal management: clear timeline, clear budget, clear ownership. Treating the lapse as a project rather than an embarrassment unblocks the work.

We have not seen a case where transparent communication accelerated a customer's decision to replace a vendor. We have seen several cases where silence did.

Common questions about restarting ISO/IEC 27001:2022 certification

Q: Can we get the 2013 certificate reinstated? No. The October 31, 2025 deadline was a cutoff that applied across all accredited certification bodies. The 2013 standard has been withdrawn and no accredited body will issue or extend a 2013 certificate.

Q: Do we have to start completely from scratch with a new certification body? No. Most clients continue with their existing audit body. The engagement type changes — from a planned transition audit to an initial certification — but the body relationship usually persists.

Q: How long does the full re-entry typically take? Five to seven months from project start to Stage 2 closing meeting for a mid-market organisation with a reasonably mature 2013 ISMS. Longer if the 2013 ISMS was light on documentation or if the 11 new controls require substantial operational change.

Q: Will our existing ISMS documentation carry over? Partially. Risk register, asset inventory, business continuity plans, incident response procedures — these largely carry over with revisions. The Statement of Applicability and any policy that referenced 2013 control numbering need substantial rework. Plan for both.

Q: Should we wait for the next revision of the standard before restarting? No. There is no announced revision timeline that would justify the wait. The standard is current; the work to do is current.

Q: What is the single most important thing to get right early? The Statement of Applicability. It anchors the rest of the documentation, signals to the auditor how seriously the 2022 control set has been internalised, and is the most commonly faulted document in our gap analyses.

How ITIS-Secure helps organisations re-enter ISO 27001 certification

Our preparation methodology is built for organisations facing certification deadlines with a working ISMS that needs structured uplift. We run gap analyses against the 2022 control set, restructure SoA and policy documentation to match auditor expectations, close the operational gaps surfaced by the 11 new controls, and stand alongside our clients through Stage 1 and Stage 2 audits.

The 90-day path above is the structure of a typical re-entry engagement. The audit body certifies; our work is to get you ready so Stage 2 passes on the first attempt.

If your ISO 27001:2013 certificate has lapsed and the path back to active certification has not been mapped, the gap assessment is the first step. It is free, takes less than a day, and gives you a clear picture of where your ISMS stands against the 2022 standard and what timeline is realistic.


TISAX® is a registered trademark of ENX Association. VDA® is a registered trademark of Verband der Automobilindustrie e.V. ITIS-Secure is an independent preparation firm; certification is issued by accredited audit bodies.

Iulian Bozdoghina

Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specialises in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape.

ISO 27001 Lead Auditor · TISAX® Specialist · ISO 14001 Auditor · ISO 42001 Auditor
