Two years ago, The International Organization for Standardization (ISO) published a long-awaited update to their primary cybersecurity framework, ISO 27001. The previous version, ISO 27001:2013, was nearly a decade old and in need of a refresh. The new version, ISO 27001:2022, is currently the version in effect.
As part of the roll-out of ISO 27001:2022, companies were given instructions on how to transition to the new version from the 2013 version. This transition is an important part of maintaining compliance. Businesses that were not yet certified would need to pursue ISO 27001:2022; those that were already certified would need to transition to the new version for their next recertification.
The deadline for this is three years after the publication of the 2022 version of ISO 27001. That deadline, set for October 25, 2025, is less than a year away. As this deadline looms, companies are starting to pay more attention – the ones that weren’t proactive about it – and are facing the risk of an expired certification.
BLUF - Bottom Line Up Front
In 2022, ISO 27001 received a major update, replacing the 2013 version. Companies must transition to this new version by October 25, 2025, to avoid expired certifications. Key steps to maintain certification include performing regular audits, keeping leadership involved, adapting to new requirements, maintaining an ISMS, ensuring team continuity, and using centralized documentation. Failing to transition or maintain certification can lead to client trust issues, contract losses, and regulatory non-compliance.
ISO 27001 Certification, Recertification, and Expiration
When a company becomes ISO 27001 certified, that certification comes with certain requirements.
First among those requirements is that the company performs ongoing security audits, both internal and external. Internal audits must be performed at least once per year, though the firm is free to perform more if they want to be more proactive about compliance. External audits need to be performed at the time of certification, and every three years after.
This is the process of certification and recertification. If a company doesn’t perform an external audit after three years, it won’t be able to recertify for ISO 27001 and will lose that certification. Certification automatically expires every three years, and the audit must be passed to recertify.
What does this have to do with the update from ISO 27001 2013 to 2022?
The goal of the deadline for ISO 27001 transition is to allow time for companies to update to the new framework of ISO 27001. The transition is no easy task. Three years are allotted to maintain 2013 compliance and work on 2022 compliance at the same time.
The issue that is slowly cropping up is that some businesses, especially those with disengaged management or who aren’t paying attention to the certification changes, are being blindsided by a vastly changed process. While the goals and core functions of ISO 27001 have not changed, the details have, and those details take a lot of time, money, and effort to sort out. With less than a year to the deadline, many companies are starting to feel the time pressure.
There was also some overlap with ISO 27001:2013 certifications being issued after the publication of ISO 27001:2022. 2013 certifications were issued up to April 30, 2024, to account for companies that were most of the way through the process when the changes were published. This has caused many businesses who think their certifications last three years to realize that their outdated certification has a much shorter shelf life than expected. These businesses have less than two years to transition fully from 2013 to 2022.
What can Cause an ISO 27001 Certification to Expire?
At the absolute maximum, ISO 27001 certifications last for three years. If you do all else right, your certification will still expire at this point if you don’t take steps to renew it. Those steps are primarily focused on passing a rigorous external audit, just like you pass when you initially achieve certification. If those audits are passed, your certification can continue unabated for a very long time.
Within those three years, there are a lot of reasons why you might lose your certification or have it expire.
The most important right now is the aforementioned transition date for ISO 27001:2022. You only have 11 months (as of this writing) to make the transition and pass your certification audit.
Failing your three-year recertification audit is also cause for losing your certification. Further, your internal audits need to be reported, and you need to make changes and adapt proactively to make sure you don’t have your certification revoked due to that failure.
In some cases, if your business experiences a data breach or other intrusion, and an investigation finds that you weren’t properly adhering to ISO 27001 standards (or were actively lying about doing so), then you can have your certification revoked as well. Not every breach results in this, of course. Cybersecurity attacks and other data breaches can occur for reasons that are completely outside of your ability to control, including supply chain attacks and vendor attacks.
What Happens if Your ISO 27001 Certification Expires?
The expiration of ISO certification does not immediately mean that your company is no longer secure, necessarily.
Building and maintaining an ISMS, which is the key goal of ISO 27001, is a proactive and ongoing way to ensure security for information and systems for a business. You can certainly continue to maintain your ISMS without maintaining certification. Given the cost of audits, there are businesses that let their certification lapse due to the expense, even if they strive to maintain their certification.
When your ISO 27001 certification expires, what actually happens?
First, you lose the actual credentials of certification. Lists made of ISO-certified businesses will remove you from the roster. You will need to remove the mention of being ISO 27001 certified from your website and ad copy, and anywhere else you publish it. While this is busy work, it’s not necessarily damaging.
Second, you potentially lose client trust. If your clients or customers worked with you in part or in whole because of your ISO 27001 compliance, letting your compliance lapse can make them think you’re no longer secure, even if you are. This has the potential to damage your reputation, and can lose you customers or clients. These can feed back and cause a breach of the trust thermocline and a sudden collapse.
Third, you can lose insight, resources, validation, and assurance that you’re still secure. Part of the goal of ISO 27001 is to enforce industry-wide and global standardization for security. It’s common for businesses to think they’re secure because they don’t know what they don’t know; external validators help find those holes. This won’t happen immediately, but the longer you go without certification, the more likely you are to miss out on something and end up less secure.
Fourth, and more severe than the previous three, is that you can start to lose contracts. While ISO 27001 is not technically mandatory, it’s often mandated by industry regulations or specific contracts, especially non-US governmental contracts. If you let your certification lapse, there’s a good chance you’ll be forced to either recertify or lose your contract.
Fifth and finally, you may become non-compliant with industry regulations. If this happens, you face many penalties, from loss of contracts to fines to removal of licenses to operate and more. The exact details vary by industry and region.
How to Prevent Losing Your ISO 27001 Certification
Whether you’re currently certified under 2013 and need to transition to 2022, or you’re already on 2022 and need to maintain it, or you have never achieved certification before and want to achieve it now, you have roughly the same set of goals and considerations. How do you maintain ISO 27001 certification and avoid the risk of losing it?
Make sure administrative buy-in is maintained.
One of the biggest challenges with ISO 27001 is the expense and ongoing responsibility it places on an organization. In many cases, while it can be possible to convince executives and directors of the importance of achieving ISO 27001 certification, their interest can drop off over time. This goes doubly so if you don’t immediately have lucrative contracts lined up that were only achievable once you had certification. It’s even more prominent when they realize that ISO 27001 is not entirely a one-time thing and that there are ongoing expenses that need to be accounted for as you go.
Therefore, one of the most important things you can do is make sure your leadership is fully onboard with maintaining ISO 27001 compliance. Letting it lapse otherwise simply means a huge waste of time and money.
Be proactive with internal audits.
ISO 27001 requires that you perform an internal audit at least once per year when you’re working to maintain compliance. Some businesses treat this as good enough, but others recognize that it’s the bare minimum necessary to maintain your certification.
Your best bet is to consider internal audits as often as quarterly, depending on the scope and scale of the audit. Even just a rigorous annual audit and less rigorous quarterly audits can help a lot. That way, you can make sure you’re more adaptable to ongoing threats and the overall security environment, so there’s always less to do when the major audits come through.
Make sure you’re familiar with changes from 2013 to 2022.
If you’re one of the businesses still riding on an ISO 27001:2013 certification, one of the most important things you need to do is prepare for the transition. Whether you’re using checklists, hiring external consultants, or using automation software, it’s important to make sure you’re adapting to the changes between the two versions of 27001.
Make no mistake; while the bulk of ISO 27001 is the same, a lot of critical changes have been made so it’s still going to be a lot of work to maintain.
Actively maintain your ISMS.
Your ISMS is the beating heart of your certification. Without it, you have a static security posture. You need to make sure the dynamic aspects of ISO 27001 are well-implemented and maintained on an ongoing basis. That means making sure your security systems are kept up to date, your software and hardware are secured, your information is controlled, and more.
The threat environment is rapidly evolving and larger and larger attacks happen every year. There’s no way to relax in this kind of environment without falling behind and losing out. It’s often much harder to get a new certification than to maintain an existing one, as well.
Maintain continuity within your security and compliance teams.
One of the biggest risks in ISO 27001 compliance is continuity. Within your security and compliance teams specifically and throughout your organization as a whole. Businesses are living things, and employees come and go. It’s easy for someone to leave, and the person who fills their shoes doesn’t know as much about what they need to be doing or misses critical details. Similarly, cutting roles and rolling responsibilities onto individuals can leave certain elements slipping through the cracks.
Make sure that part of your ongoing process is to make sure there’s continuity in who is responsible for your ISMS and your compliance as a whole, and that they know they are, and are able to handle that role.
Maintain effective employee training, onboarding, and offboarding processes.
Related to the previous point, the single biggest source of gaps in security in any organization is its people. A huge part of ISO 27001 focuses on personnel training and security.
Again, since businesses have turnover, you need to ensure proper security throughout that process. When you pick up a new employee, they need appropriate training. Training is also an ongoing thing, not a one-time experience. And, when you offboard an employee, you need processes in place to ensure things are handled appropriately, disabling their account access, for example, so they can’t access data once they’re gone.
Make use of centralized documentation and collaboration tools.
One of the best things you can do for ongoing compliance is maintain your documentation in a centralized and collaborative tool. This way, your whole team can work together to maintain compliance, and all of your documentation is kept in one place for when auditors come looking for it.
Fortunately, that’s a big part of what we designed the Ignyte Platform to do. If you want to see how it can help you with ISO 27001, both in the transition and in ongoing compliance, just book a demo today.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him in LinkedIn here.