This article is meant to provide guidance on which version of ISO 27001 you should pursue. You can always reach out to us to discuss in further detail.
For customers who currently hold a 2013 certification and have an established relationship with a Certification Body
We recommend working with your Certification Body to determine a timeline to move to the 2022 version. Companies with existing certifications against the 2013 version have until October 30, 2025 to transition to the 2022 version.
For customers currently not certified against the 2013 version and who have NOT started the process of implementing an ISO 27001 program
We recommend starting with the 2022 version given that no new certifications against the 2013 version can be issued after April 30, 2024.
If you have a business need to pursue the 2013 version on a short timeline, we recommend establishing a relationship with a Certification Body and working with them to establish a timeline that allows you to be certified before the deadline.
For customers currently not certified against the 2013 version and who are in the process of implementing an ISO 27001 program
We recommend establishing a relationship with a Certification Body to see if a timeline can be established to certify against the 2013 version. All elements of the 2013 version are covered in the 2022 version, so you’ll be able to take credit for the work you’ve done up to this point even if you need to switch to the 2022 version.
*NOTE - While you can certify against the 2013 version up until April 30, 2024, all 2013 certifications will expire on October 30, 2025. ISO 27001 certifications normally expire after three years, but due to the transition period guidance, a 2013 certification will expire before the standard three-year expiration period.
Key Dates
Milestone | Date
Date of Publication of 2022 Standard | October 25, 2022
Last Day to Issue a 2013 Certification | April 30, 2024
Expiration/Withdrawal of All 2013 Certifications | October 30, 2025