The old ISO 27001:2013 certificate is dead: the transition window closed on 31 October 2025

The three-year window to move from ISO 27001:2013 to the 2022 edition closed on 31 October 2025, so a 2013 certificate held into 2026 is no longer valid. The 2022 standard reworked Annex A from 114 controls to 93 in four categories and added modern ones like threat intelligence, cloud security and secure coding. If your certificate lapsed, recertifying means a fresh initial audit rather than the lighter transition assessment, which changes the budget line for anyone pricing readiness this year.

ISO/IEC 27001:2022 replaced the 2013 edition, and certification bodies were given a three-year window to move every certified organization across. That window closed on 31 October 2025. So the practical situation in 2026 is simple: a certificate that still cites the 2013 standard has expired, and it no longer counts as an active ISO 27001 certification when a customer or auditor asks for proof.

What actually changed in the 2022 edition

The management-system core of ISO 27001 stayed close to the 2013 version; the visible change is Annex A, the list of security controls. The 2022 edition condensed the controls from 114 to 93 and restructured them into four categories (organizational, people, physical and technological) rather than the old fourteen clause groups. Fewer controls does not mean less work, because part of the reduction is merging overlapping items, and the update also added controls that the 2013 list never had.

  • New controls cover current risks the 2013 list predated: threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, and physical security monitoring.
  • Others formalize practices most teams already run: configuration management, information deletion, data masking, data leakage prevention, web filtering and secure coding.
  • Because the numbering and grouping changed, the statement of applicability and much of the control-mapping evidence had to be redone, not just relabelled.

Why a lapsed certificate is more expensive than a timely transition

The organizations that transitioned before the deadline did it through a transition assessment, usually folded into a scheduled surveillance or recertification audit, so the incremental cost was small. A certificate that was allowed to expire does not get that path. Once it has lapsed, there is nothing valid left to transition, so getting certified again means a fresh initial certification: a full Stage 1 and Stage 2 audit against the 2022 standard, priced like a first-time certification rather than a top-up. For anyone budgeting security compliance in 2026, that is the line that moved.

What this means if you are pricing readiness now

If you already hold a current 2022 certificate, nothing here is new work. If you are certifying for the first time, you simply build against the 93-control 2022 set from the start. The group to watch is anyone who assumed a 2013 certificate was still doing its job: it is not, and the cost of getting back to certified is closer to starting over than to renewing. Our free readiness cost estimator prices the audit, tooling and internal-time pieces against the current standard so you can put a real number on it before you commit, and the deeper guide on what SOC 2 and ISO 27001 actually cost a startup walks through the same trade-off in full.
