ISO 27001 | 20 June 2026

What happened?

The ISO/IEC 27001:2022 transition period has ended. Certification bodies had previously reminded organisations that ISO/IEC 27001:2013 certificates would need to be transitioned by 31 October 2025. After that point, organisations still relying on the 2013 edition may face certificate validity, customer assurance, and contract-compliance issues.

Why it matters

ISO 27001 is often used as evidence that an organisation has a structured information security management system. The 2022 edition also aligns more closely with the updated ISO/IEC 27002 control set, so clients and auditors may expect clearer evidence around control selection, risk treatment, and the Statement of Applicability.

Practical checks

  • Confirm your certificate edition, expiry date, scope, and accreditation status.
  • Review whether the 2022 Annex A control set has been mapped into your risk treatment process.
  • Check whether policies, internal audits, management reviews, and security objectives reference the current edition.
  • Prepare customer-facing evidence for procurement, vendor-risk, and tender requests.

For Malaysian organisations, this is a good time to treat ISO 27001 as an operating system for security governance, not just a certificate renewal exercise.