ISO 27001:2013 to 2022 Transition Cost: What the Re-Mapping Adds
The ISO 27001:2013 to ISO 27001:2022 transition typically costs $5,000 to $25,000 depending on company size, scope, and how much of the work on the 11 new controls is genuinely new versus already in place under the 2013 framework. The mandatory transition deadline was 31 October 2025 per IAF MD 26; all valid 2026 certificates should be against the 2022 standard. This page is for organisations either completing late transitions, re-certifying after a 2013-version certificate lapse, or planning future budget against the transition work in a fresh-certificate context. Here is the honest read on the re-mapping cost, the new-control implementation work, and the audit logistics.
Updated May 2026
The October 2025 deadline and what it means now
The International Accreditation Forum published IAF MD 26 in February 2022, setting a three-year transition window from the 2013 version of ISO/IEC 27001 to the 2022 version. The window opened on 31 October 2022 (publication of the 2022 standard) and closed on 31 October 2025. Certificates against the 2013 version were no longer valid after that date; accredited certification bodies were required to either complete a transition audit before the deadline or withdraw the 2013 certificate.
For 2026, the implication is that any organisation still operating against the 2013 framework is uncertified, regardless of whether the original 2013 certificate physically expired or was withdrawn. To regain certification, the organisation needs a fresh-certificate engagement against the 2022 standard: Stage 1 and Stage 2 audit by an accredited CB, ISMS scope documentation against the 2022 structure, Statement of Applicability mapped to the 93 Annex A controls in 4 themes, and evidence of the 11 new controls being implemented and operating.
For organisations that completed the transition before the October 2025 deadline, the work is done; this page is informational context for the framework structure and for budget planning on the next certification cycle. Many transition implementations created technical debt that surfaces at year-2 or year-3 surveillance audits: hasty Statement of Applicability re-mappings that did not fully integrate the new controls, paperwork-only adoption of controls like data leakage prevention or web filtering that were not actually operationalised, and incomplete documentation of the threat intelligence and cloud-security controls. Organisations completing year-2 surveillance audits in 2026 should expect auditor scrutiny on these areas.
The structural change: 114 controls in 14 clauses to 93 controls in 4 themes
The headline structural change is the consolidation of Annex A from 114 controls in 14 clauses (A.5 through A.18) to 93 controls in 4 themes (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological). The 4-theme structure is meant to make the control catalog more navigable and to align with how organisations actually think about security controls. The mapping from the 2013 controls to the 2022 controls is many-to-one: some 2013 controls were merged (e.g. several physical and environmental security controls combined into single 2022 controls), some were split for clarity, and 11 are entirely new.
The Statement of Applicability re-mapping work is the most predictable transition cost. For an organisation with a well-structured 2013 SoA, the re-mapping is typically 5 to 15 hours of analyst time: walk through each 2013 control, identify the equivalent 2022 control(s), confirm or update the applicability assessment, update the implementation evidence reference. For an organisation with a poorly structured 2013 SoA (e.g. inherited from a consultant template without local customisation), the re-mapping work expands to 15 to 30 hours because the underlying applicability rationale has to be re-examined for each control.
The ISMS clauses (clauses 4 through 10) were updated in 2022 for alignment with the Annex SL high-level structure used across modern ISO management-system standards. The changes are largely editorial; the substantive requirements are essentially the same as the 2013 version. ISMS process documentation typically does not need substantial re-work for the transition; minor cross-reference updates to the new clause numbers cover most of the documentation impact.
The 11 new controls and implementation cost
Cost ranges reflect the spread between organisations where the control is already substantively in place under the 2013 framework (no incremental cost) and organisations where the control requires new tooling or process build.
| New control | 2022 ref | Implementation cost range | Typical existing coverage |
|---|---|---|---|
| Threat intelligence | A.5.7 | $0-$8,000 | Often in place via SIEM / CrowdStrike Falcon / commercial threat feed |
| Information security for cloud services | A.5.23 | $0-$5,000 | In place for cloud-native SaaS via supplier-management process |
| ICT readiness for business continuity | A.5.30 | $0-$6,000 | In place if BCM programme already documented |
| Physical security monitoring | A.7.4 | $0-$10,000 | In place for organisations with physical premises; remote-only orgs can scope-out |
| Configuration management | A.8.9 | $0-$7,000 | In place via IaC tools (Terraform, Ansible, CloudFormation) |
| Information deletion | A.8.10 | $0-$8,000 | In place for GDPR-compliant organisations |
| Data masking | A.8.11 | $0-$15,000 | Often new for cloud SaaS; may need DLP tooling or schema work |
| Data leakage prevention | A.8.12 | $0-$25,000 | Most often genuinely new; DLP tooling like Forcepoint, Symantec, Microsoft Purview |
| Monitoring activities | A.8.16 | $0-$8,000 | In place via existing SIEM / log management |
| Web filtering | A.8.23 | $0-$6,000 | In place via existing endpoint protection or secure web gateway |
| Secure coding | A.8.28 | $0-$10,000 | In place for orgs with SAST / DAST tooling and secure-coding training |
Cumulative new-control cost typically lands $5,000 to $25,000 for organisations needing meaningful incremental implementation; $0 to $5,000 for organisations where most controls are already substantively in place under 2013.
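The re-mapping walk described above (identify the 2022 equivalent of each 2013 control, confirm applicability, carry evidence references across) and the list of 11 new controls in the table can be turned into a repeatable check. The script below is an added example, not tooling from the page or any certification body: it uses a constructed subset of the 2013-to-2022 correspondence (the authoritative table is Annex B of ISO/IEC 27002:2022), unions evidence references for merged controls, refuses to guess when merged sources disagree on applicability, and inserts placeholder rows for the 11 new controls so they cannot be forgotten in the SoA.

```python
from typing import Dict, List, Tuple

# Constructed subset of the 2013 -> 2022 control correspondence, used only to
# illustrate the one-to-one and merge cases. The authoritative table is Annex B
# of ISO/IEC 27002:2022; replace this dict with the full table before real use.
MAPPING_2013_TO_2022 = {
    "A.5.1.1": "A.5.1",    # policies for information security (two 2013 controls merged)
    "A.5.1.2": "A.5.1",
    "A.11.1.2": "A.7.2",   # physical entry (two 2013 controls merged)
    "A.11.1.6": "A.7.2",
    "A.12.4.1": "A.8.15",  # event logging (one-to-one)
}

# The 11 controls introduced in 2022, as listed in the table on this page.
NEW_2022_CONTROLS = {"A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
                     "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28"}


def remap_soa(soa_2013: List[dict], mapping: Dict[str, str] = MAPPING_2013_TO_2022,
              new_controls=NEW_2022_CONTROLS) -> Tuple[Dict[str, dict], Dict[str, list]]:
    """Walk a 2013 SoA (rows: ref, applicable, justification, evidence) and
    build the 2022 SoA. A merged 2022 control inherits the union of its
    sources' evidence; conflicting applicability across sources is flagged
    rather than silently resolved, and new controls get a placeholder row."""
    soa_2022: Dict[str, dict] = {}
    unmapped: List[str] = []
    for row in soa_2013:
        target = mapping.get(row["ref"])
        if target is None:
            unmapped.append(row["ref"])          # not in the mapping table: review by hand
            continue
        entry = soa_2022.setdefault(target, {"ref": target, "sources": [], "applicable": set(),
                                             "justification": [], "evidence": []})
        entry["sources"].append(row["ref"])
        entry["applicable"].add(bool(row["applicable"]))
        entry["justification"].append(row["justification"])
        entry["evidence"].extend(row["evidence"])
    conflicts: List[str] = []
    for ref, entry in soa_2022.items():
        if len(entry["applicable"]) > 1:          # one source in scope, another scoped out
            conflicts.append(ref)
            entry["applicable"] = None            # must be re-decided, not guessed
        else:
            entry["applicable"] = entry["applicable"].pop()
        entry["evidence"] = sorted(set(entry["evidence"]))
    for ref in sorted(new_controls):              # no 2013 predecessor: fresh applicability decision
        soa_2022.setdefault(ref, {"ref": ref, "sources": [], "applicable": None,
                                  "justification": [], "evidence": []})
    gaps = {"unmapped_2013": unmapped, "conflicting_applicability": sorted(conflicts),
            "new_controls_to_assess": sorted(new_controls)}
    return soa_2022, gaps
```

The `gaps` dictionary is the work list for the analyst hours the page estimates: every entry in it is a control whose applicability or evidence still needs a human decision.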
Transition audit logistics
The transition audit is conducted by your existing accredited certification body and verifies (a) that the Statement of Applicability has been re-mapped to the 2022 structure, (b) that the 11 new controls have been implemented and are operating where applicable to your risk profile, and (c) that the ISMS continues to operate against the updated clause requirements. The transition audit is typically 0.5 to 1.5 audit days additional to a scheduled surveillance audit; the certification body adds the transition audit work onto the surveillance visit and charges for the additional day.
For organisations whose 2013 certificate expired without a transition audit completed, the situation is different: no "transition" is possible because there is no current certificate to transition. The path is a fresh-certificate engagement against the 2022 standard. The fresh-certificate work prices at the standard Stage 1 + Stage 2 audit fee for the organisation's size, not at the transition-audit incremental fee. For a 100-person SaaS, the fresh-certificate cost is $25,000 to $50,000 at a mid-tier CB, vs $5,000 to $12,000 for a transition audit that would have been completed alongside surveillance.
The honest read for late-transition cases: re-certification is materially more expensive than transition would have been. The lesson for organisations watching future standards updates (the next ISO/IEC 27001 cycle will eventually produce a 2027 or 2028 update with a similar three-year transition window) is to schedule the transition audit work proactively against a surveillance audit, not to wait until the deadline.
Transition cost by size
| Size | SoA re-mapping | New controls implementation | Transition audit fee | Total transition cost |
|---|---|---|---|---|
| Small (10-50) | $500-$1,500 | $0-$8,000 | $1,500-$3,000 | $2,000-$12,500 |
| Mid (50-200) | $1,000-$3,000 | $3,000-$15,000 | $2,000-$4,500 | $6,000-$22,500 |
| Large (200-500) | $2,000-$4,500 | $5,000-$20,000 | $3,000-$6,000 | $10,000-$30,500 |
| Enterprise (500+) | $3,000-$8,000 | $10,000-$30,000 | $4,500-$9,000 | $17,500-$47,000 |
Future-proofing for the next standards cycle
ISO/IEC standards are typically reviewed on a 5 to 7 year cycle. The 2022 version of ISO 27001 will likely be reviewed and potentially updated around 2027 to 2029. Organisations should expect a similar mandatory transition window (typically three years) when the next update is published. The lessons from the 2013-to-2022 transition that should inform future planning include: build SoA documentation as a re-mappable structure (clear control rationale, modular evidence references) rather than as a flat template, schedule transition work proactively against surveillance audits rather than waiting for the deadline, and budget a per-cycle transition contingency of $5,000 to $25,000 depending on company size.
For organisations adopting compliance platforms (Vanta, Drata, Secureframe, Sprinto), the platforms typically handle the transition re-mapping automatically when the standard updates. The platform-led approach to transition is materially cheaper than the manual approach because the platform vendor absorbs the re-mapping engineering work and surfaces only the customer-specific implementation gaps. For organisations on platforms, the future-standards-cycle cost is closer to the platform's annual subscription plus the incremental new-control implementation work, materially less than the full SoA re-mapping cost an organisation without a platform faces.