ISO 27001:2022 Transition: What Changed, What It Costs, and How to Catch Up Fast

2026-04-13 · 8 min read

ISO 27001:2022 Transition: The Deadline Passed. Now What?

The ISO 27001:2022 transition deadline came and went on October 31, 2025. If your organization is still certified under the 2013 version, your certificate is no longer valid. That is not a technicality. It means your compliance proof - the document you hand to clients, insurers, and regulators - no longer holds weight. According to Marsh McLennan, 67% of vendors lost contracts in 2024 specifically because they could not prove current compliance. Not because they were breached. Not because they failed an audit. Because the paperwork was wrong. If you are an SMB owner reading this and wondering whether it actually matters, consider that your competitors who did transition are now the safer bet for any procurement team running a vendor risk assessment. The clock is not ticking anymore. It already stopped.

If you are unsure where you stand, take the ISO 27001 readiness quiz - it takes two minutes and gives you a clear picture.

What Actually Changed in ISO 27001:2022?

The 2022 revision is not a complete overhaul. The core management system requirements in Clauses 4 through 10 remain largely the same. The real changes live in Annex A, which was restructured from 14 control categories down to 4 themes: Organizational, People, Physical, and Technological. The total number of controls dropped from 114 to 93, mostly because 57 of the old controls were merged into 24. That sounds simpler, but 11 entirely new controls were added - and they reflect how threats actually work in 2026. The new controls are threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The standard also now explicitly requires organizations to plan changes to the management system (Clause 6.3) and to decide which of the interested parties' requirements will be addressed through the ISMS. If your information security management system was built around the 2013 structure, the mapping is not one-to-one. It requires deliberate work.

Why Should SMBs Care About Recertification Now?

Because the market will enforce what regulators have not yet. The average cyber insurance claim now costs $345,000 (Atlantic Digital), and 41% of cyber insurance applications get denied on first submission (MoneyGeek). Insurers are tightening requirements every quarter, and a lapsed ISO 27001 certificate sends one clear signal: this organization is not managing its risk. Beyond insurance, there is the supply chain reality. If you sell to enterprises, government agencies, or regulated industries, your ISO 27001 certification is a gating requirement - not a nice-to-have. Losing it means losing pipeline. And the threat landscape is not getting friendlier. One in three SMBs was hit by a cyberattack in 2024 (BizTech Magazine), and cyberattacks rose 49% in the first half of 2025 (Identity Week). If you want to understand the full cost of falling behind on compliance, the numbers are worse than most owners expect.

What Does the Recertification Process Look Like?

Recertification under ISO 27001:2022 is not just renewing a document. It is a structured process with real work behind it. Here is what it typically involves: First, a gap analysis comparing your current controls and documentation against the 2022 requirements. Second, updating your Statement of Applicability to reflect the new Annex A structure. Third, implementing any new controls you are missing - threat intelligence, cloud security, monitoring activities, and others. Fourth, updating your risk assessment to align with the revised control set. Fifth, conducting an internal audit against the 2022 standard. Sixth, a management review. And finally, your Stage 1 and Stage 2 certification audits with an accredited body. Note that once a certificate has lapsed, this is an initial certification audit, not the lighter transition audit that could have been bundled into a surveillance visit before the deadline. For most SMBs doing this manually or with consultants, the process takes 6 to 12 months and costs between 15,000 and 50,000 EUR depending on scope. That timeline is the real problem. Every month you spend transitioning is a month your certificate stays invalid.

How Does This Overlap with NIS2 and Other Frameworks?

If you are operating in the EU, there is a good chance NIS2 applies to you - and many businesses don't even realize it yet. NIS2 affects 28,700 additional companies in Germany alone, including 6,200 micro and small enterprises. In France, 64% of SMBs do not even know what NIS2 is. The good news is that ISO 27001:2022 and NIS2 share significant overlap. The new ISO controls around incident management, threat intelligence, and business continuity map directly to NIS2 requirements. If you get your ISO 27001:2022 transition right, you cover roughly 70% of the NIS2 groundwork at the same time. That is not an accident: ISO 27001 is an international standard rather than a European one, but the NIS2 risk-management measures were written with reference to European and international standards, so the overlap is by design. The practical implication: do not treat these as separate compliance projects. You can check whether NIS2 applies to your business in under three minutes.

What Does It Cost: Traditional Approach vs. AI-Assisted?

Here is where the math matters. The traditional path to ISO 27001:2022 recertification involves consultants, manual documentation, and months of back-and-forth. The AI-assisted path compresses the timeline by automating the gap analysis, generating documentation templates mapped to your actual infrastructure, and continuously monitoring control effectiveness.

                          Traditional Consultant       Compliance Platform (Vanta/Drata)   Fusion AI
Gap analysis              2-4 weeks, manual            Automated, generic templates        Automated, mapped to your infrastructure
Documentation             Manual creation, 4-8 weeks   Template-based, self-service        Generated from live system data
Timeline to audit-ready   6-12 months                  3-6 months                          30 days
Ongoing monitoring        Periodic reviews             Dashboard alerts                    Continuous, with automated remediation
Annual cost               15,000-50,000 EUR            7,500-50,000 EUR/year               From 47 EUR/user/month
IT management included    No                           No                                  Yes - compliance is a byproduct

The difference is not just speed. Platforms like Vanta and Drata give you a compliance dashboard, but they do not manage your IT. You still need a separate MSP at 100-250 EUR/user/month to handle the infrastructure that compliance depends on. With Fusion AI, your compliance is the natural byproduct of good IT management. Use the IT cost calculator to see what you are actually spending today across tools, MSPs, and compliance.

How Does AI-Assisted Gap Analysis Actually Work?

Forget vague promises about automation. Here is what actually happens. When you connect your infrastructure to Fusion AI - which takes about 45 minutes - the system maps your existing controls against the ISO 27001:2022 Annex A requirements. Within 48 hours, you have a first report showing exactly where you comply, where you have partial coverage, and where you have gaps. No consultant needed for that initial assessment. The system then generates your Statement of Applicability, risk treatment plan, and supporting documentation based on your actual infrastructure state - not generic templates. New controls like threat intelligence and monitoring activities are addressed through the platform's built-in capabilities rather than bolted-on processes. The internal audit preparation happens continuously as the system tracks control effectiveness in real time. This is how you go from "lapsed certificate" to "audit-ready" in 30 days instead of 12 months. One caveat: audit-ready means your controls and evidence are in place. The certificate itself is still issued by the accredited body after its Stage 1 and Stage 2 audits, on its own schedule, so book that slot early.

What About the Controls You Already Have?

Most SMBs are not starting from zero. If you had a valid ISO 27001:2013 certificate, you already have foundational controls in place - access management, incident response, backup procedures, and others. The transition is about restructuring what you have and filling the gaps. The 11 new controls in ISO 27001:2022 are specific, but many map to things you are probably already doing informally. Threat intelligence? You read about breaches in your industry. Monitoring activities? You check your logs sometimes. The standard just requires you to formalize these into documented, repeatable processes with clear ownership. Before you start the transition, make sure your foundational cybersecurity controls are solid. The worst outcome is spending months on recertification paperwork while leaving basic security hygiene unfinished. Fix the foundation first, then build the compliance documentation on top.

What Happens If You Do Nothing?

Let us be direct. If you do not transition to ISO 27001:2022, three things happen. First, you lose contracts. Procurement teams and enterprise clients will require current certification, and "we are in the process of transitioning" only works for so long. Second, your cyber insurance becomes harder to get and more expensive. That 41% first-submission denial rate climbs higher when your compliance documentation is out of date. Third, you fall behind on regulatory requirements that are coming whether you are ready or not - NIS2, the UK Cyber Security and Resilience Bill, and sector-specific mandates. The M&S, Co-op, and Harrods breaches in 2025, with a combined impact exceeding 300 million GBP, proved that no organization is too established to be hit. The question is not whether you need current certification. It is whether you can afford the consequences of not having it while you wait.

Ready to Close the Gap?

Your ISO 27001:2013 certificate expired. The 2022 standard is the new baseline. Every week you wait is another week your compliance proof is invalid, your insurance position weakens, and your competitors gain ground.

Here is what you can do right now:

1. Get a baseline. Run the free security scan to see exactly where your infrastructure stands against ISO 27001:2022 requirements. It takes minutes, not months.

2. Understand your gaps. The scan produces a clear report - no jargon, no sales pitch, just a factual assessment of what you have and what you need.

3. Move fast. First report in 48 hours. Full compliance readiness in 30 days. Not 12 months. Not 6 months. Thirty days.

The businesses that sleep at night are the ones that stopped treating compliance as a project and started treating it as a system. Start your free trial and see what that looks like.
