CIVAC · IT Security & NIS-2 · 26 June 2026 · 13 min read

ISO 27001:2022 Transition in Germany: What the October 2025 Deadline Means in 2026

By Lena Vogt · 13 min read

The official transition window from ISO/IEC 27001:2013 to the 2022 edition closed on 31 October 2025. Certificates not migrated have expired. This article explains what that means for German organisations in 2026, what auditors now expect, and how to recover lost certification without a multi-quarter delay.

The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 ended on 31 October 2025 under IAF Resolution 2022-15 and the transition requirements of IAF MD 26, which bind accredited certification bodies worldwide. From 1 November 2025, certificates issued against the 2013 edition are no longer valid, and German DAkkS-accredited bodies treat them as withdrawn. Organisations that completed the migration audit by the deadline carry a valid certificate against the new edition; those that did not must now run a fresh initial certification cycle, which typically adds three to six months and a recognisable cost premium compared with the original transition path.

This article addresses the post-deadline situation in 2026. It explains what changed substantively between the two editions, why the consolidation from 114 to 93 Annex A controls is not a simplification, how German auditors interpret the new theme-based structure, and how the ISMS work intersects with NIS-2 and DORA, which both reached enforcement maturity in 2026. CIVAC is a compliance platform and Officer-as-a-Service. License the workspace for your internal officers, or have our officers appointed. In either model, you receive a controlled migration path, the 93 control mappings, and an audit trail that satisfies German accreditation expectations without the manual reconstruction of evidence that delayed many organisations through 2025.

Auf einen Blick

  • The ISO/IEC 27001:2013 to 2022 transition deadline expired on 31 October 2025; certificates that were not migrated are no longer valid in Germany or internationally.
  • Annex A was restructured from 114 controls in 14 sections to 93 controls in 4 themes (Organisational, People, Physical, Technological), with 11 new controls focused on threat intelligence, cloud, and ICT readiness.
  • Organisations that missed the deadline now require a fresh initial certification cycle, typically three to six months longer than a planned transition; certification body capacity in Germany remains constrained through Q2 2026.

What Changed in the 2022 Edition: Structure, Annex A, and Risk Treatment

The 2022 edition retained the main clauses 4 through 10 of the ISO management system structure but restructured Annex A. The previous 114 controls in 14 sections (A.5 through A.18) are now 93 controls grouped under four themes: A.5 Organisational (37 controls), A.6 People (8 controls), A.7 Physical (14 controls), and A.8 Technological (34 controls). Eleven controls are entirely new: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding. Twenty-four controls are the result of merging 57 earlier controls, and the remaining 58 were carried over with updated titles or wording.

Risk treatment moves closer to a measured outcome view. Clause 6.1.3(d) requires the Statement of Applicability to list the controls determined as necessary, state whether each is implemented, justify inclusions and exclusions, and show that the chosen controls were compared against Annex A so that no control is omitted unintentionally. ISO/IEC 27002:2022 was published earlier in 2022 and provides the implementation guidance, including five attributes per control (control type, information security properties, cybersecurity concepts, operational capabilities, security domains) that auditors increasingly use to test whether the SoA reflects real coverage. The CIVAC workspace maps every information security officer task to these attributes and surfaces gaps before the certification body does. The change is not cosmetic: certification bodies report that the 2022 audit takes 10 to 20 per cent longer on average than the 2013 equivalent, because the five-attribute coverage test is more rigorous and the new SoA expectations require deeper sampling of evidence across the asset estate.

What Happens to Certificates Not Migrated by 31 October 2025

IAF Resolution 2022-15, implemented through IAF MD 26, established that any certificate issued against ISO/IEC 27001:2013 ceased to be valid after 31 October 2025. The Deutsche Akkreditierungsstelle (DAkkS) implemented this position in its guidance to German certification bodies. From 1 November 2025, certificate registers maintained by DAkkS-accredited bodies show 2013-based certificates as expired. Organisations that retained the old certificate on their website, in tender documents, or in supplier portals after that date risk findings under unfair competition law (UWG § 5, misleading commercial practices) and contractual misrepresentation, in addition to losing the ISMS-related procurement advantage.

Recovery from a missed deadline is not a transition audit but a new initial certification: a Stage 1 readiness review followed by a Stage 2 main audit, with the SoA, risk treatment plan, and management review evidence assessed as if for the first time. The cost premium ranges from 15 to 35 per cent compared with a timely migration, and lead times have stretched into Q2 2026 because certification bodies allocated capacity to organisations that planned ahead. Procurement processes in regulated sectors (banking, healthcare, public sector) frequently require a valid ISO 27001 certificate as a prerequisite for tender participation, which means the loss of certification often translates directly into lost revenue. CIVAC supports recovery projects by sequencing the SoA reconstruction, gap analysis against the 93 controls, and management review evidence within an integrated workspace cadence. Insurance considerations have also shifted: cyber insurers in Germany increasingly request a current ISO 27001:2022 certificate as part of underwriting, and an expired 2013 certificate triggers a re-rating event that can raise premiums or narrow coverage. The reputational cost of an expired certificate in vendor due diligence is harder to quantify but no less real.

How German Auditors Read the 93 Controls in 2026

Accredited German certification bodies (TUEV, DEKRA, DQS, BSI-aligned providers) have aligned their audit checklists with the four-theme structure and the five attribute dimensions of ISO/IEC 27002:2022. Audit teams now test SoA entries by sampling: for a randomly selected control, the lead auditor asks for the policy, the procedure, the evidence of operation, and the management review minutes that confirm the control was assessed. This four-layer test is more rigorous than the typical 2013-era audit, where policy and procedure often sufficed. Where the 2013 audit might have asked whether a backup policy existed, the 2022 audit asks how often a restore test was performed, what the recovery time objective was, whether the result was reviewed, and how exceptions were handled.

The 11 new controls receive particular attention. A.5.7 Threat intelligence requires demonstrable consumption of threat feeds, with evidence of how the intelligence influenced risk assessments. A.5.30 ICT readiness for business continuity requires a tested recovery plan and an RTO/RPO that has been validated, not just defined. A.8.9 Configuration management requires a configuration baseline with deviation detection. CIVAC pre-populates the workspace with templates for each of these 11 controls, including the evidence types German auditors typically request. The auditor calls, the evidence is ready. Other compliance practitioners run their ISMS as a filing cabinet. We run it as software. The shift is most visible during certification body sampling rounds, where auditors compare evidence retrieved from different control owners to test for consistency. A workspace that returns the same evidence regardless of which control owner is asked tends to score better in subjective auditor sections that influence future surveillance preparation effort and the depth of sampling at recertification.

Mapping ISO 27001:2022 to NIS-2 and DORA in the German Context

The German NIS-2 implementation (NIS-2-Umsetzungsgesetz, effective in 2026 after a delayed legislative path) requires essential and important entities to maintain risk management measures covering policies on risk analysis, incident handling, business continuity, supply chain security, vulnerability handling and disclosure, cryptography, access control, and asset management. Each of these maps directly to controls in ISO/IEC 27002:2022. A well-maintained ISO 27001:2022 ISMS therefore provides approximately 70 to 80 per cent of the documentary substance NIS-2 audits require. The remaining 20 to 30 per cent covers the 24-hour early warning and 72-hour follow-up notification obligations to the BSI, which sit outside Annex A and require dedicated workflows.

DORA (Digital Operational Resilience Act, effective for financial entities from 17 January 2025) introduced an additional layer for banks, insurers, investment firms, and ICT third-party service providers in the financial sector. ISO 27001:2022 covers a substantial part of DORA Article 6 (ICT risk management framework), but the operational resilience testing and threat-led penetration testing (TLPT) requirements of DORA Articles 24 to 27 demand additional evidence beyond the ISMS scope. The CIVAC workspace runs all three frameworks (ISO 27001:2022, NIS-2, DORA) on a single asset and control register, so an evidence item created for one obligation is automatically referenced by the others. The workspace maintains 25 officer roles and 490 audit templates, including specific German-language NIS-2 reporting templates that link to the corresponding ISO control. License the workspace for your internal officers, or have our officers appointed; both modes share the same control register, so a switch between models does not break the evidence trail. The same approach handles ISO 27002:2022 attribute reporting for organisations that publish a public assurance statement to customers or regulators.

Statement of Applicability and Risk Treatment Plan in the 2022 Edition

Clause 6.1.3(d) of ISO/IEC 27001:2022 requires the Statement of Applicability to identify the controls determined as necessary, state whether each is implemented, justify inclusions, and justify exclusions. The SoA must reference both Annex A and any additional control sets used. In practice, German auditors test the SoA against three documents: the risk treatment plan, the risk register, and the management review output. If a control is marked as implemented in the SoA but the risk register shows a residual risk above the organisation's risk appetite for a risk that control is meant to treat, the auditor raises a non-conformity for inconsistency. If the management review did not address the SoA, the auditor raises a non-conformity under clause 9.3 (management review), typically graded as major.

The risk treatment plan in the 2022 edition must explicitly tie risk treatment options (modify, retain, avoid, share) to specific Annex A controls or other control sources. The plan should include owner, target completion date, and verification method for each treatment. Many 2013-era organisations carried over loose risk treatment plans that did not pass the 2022 audit scrutiny. CIVAC structures the SoA, risk register, and risk treatment plan as linked artefacts in the workspace; changing one updates the version history of the others, and the management review template surfaces inconsistencies before the auditor sees them. The same principle that governs officer appointments (appointment letter: signed, filed, evidenced) applies here. For organisations that maintained the 2013-style SoA as a spreadsheet, the migration revealed how much of the supporting narrative had been carried implicitly in the heads of long-serving officers. The 2022 audit forces this implicit knowledge into recorded artefacts, which is uncomfortable in the short term but durable in the long term.
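As an added illustration (not CIVAC code and not part of the original article), the following Python script encodes the cross-checks described in this section and in the earlier SoA paragraph: justifications under clause 6.1.3(d), SoA implementation status against residual risk in the register, risk treatment plan completeness (owner, target date, verification method, control linkage), and management review coverage of the SoA. It runs them over a small constructed set of ISMS records. The control identifiers come from the article; the records, risk scores, risk appetite value, and the clause-to-finding mapping are assumptions made for the example.

```python
"""Cross-artefact consistency check for an ISO/IEC 27001:2022 ISMS (illustrative)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

TREATMENT_OPTIONS = {"modify", "retain", "avoid", "share"}


@dataclass(frozen=True)
class SoAEntry:
    control: str          # Annex A identifier, e.g. "A.8.9"
    applicable: bool      # included (True) or excluded (False) in the SoA
    implemented: bool     # implementation status as declared in the SoA
    justification: str    # reason for inclusion or exclusion


@dataclass(frozen=True)
class Risk:
    risk_id: str
    controls: Tuple[str, ...]  # Annex A controls chosen to treat this risk
    residual: int              # residual risk score after treatment
    treatment: str             # modify | retain | avoid | share


@dataclass(frozen=True)
class TreatmentAction:
    risk_id: str
    control: str
    owner: str
    target_date: Optional[date]
    verification: str          # how effectiveness will be verified


@dataclass(frozen=True)
class Finding:
    clause: str
    severity: str              # major | minor (assumed grading, auditor judgement in practice)
    subject: str
    message: str


def check_isms(soa: List[SoAEntry], risks: List[Risk], plan: List[TreatmentAction],
               review_topics: Set[str], risk_appetite: int) -> List[Finding]:
    """Return the inconsistencies an auditor would raise across SoA, register, plan and review."""
    findings: List[Finding] = []
    soa_by_id = {e.control: e for e in soa}
    plan_by_risk = {}
    for action in plan:
        plan_by_risk.setdefault(action.risk_id, []).append(action)

    # 6.1.3(d): every SoA entry needs a justification, whether included or excluded.
    for entry in soa:
        if not entry.justification.strip():
            findings.append(Finding("6.1.3(d)", "minor", entry.control,
                                    "no justification for inclusion or exclusion"))

    for risk in risks:
        if risk.treatment not in TREATMENT_OPTIONS:
            findings.append(Finding("6.1.3(b)", "minor", risk.risk_id,
                                    f"unknown treatment option {risk.treatment!r}"))
        for control in risk.controls:
            entry = soa_by_id.get(control)
            # A risk cannot rely on a control the SoA excludes or does not list.
            if entry is None or not entry.applicable:
                findings.append(Finding("6.1.3(d)", "major", risk.risk_id,
                                        f"relies on {control}, which the SoA excludes or omits"))
                continue
            # "Implemented" in the SoA contradicts a residual risk still above appetite.
            if entry.implemented and risk.residual > risk_appetite:
                findings.append(Finding("6.1.3", "major", risk.risk_id,
                                        f"{control} marked implemented but residual {risk.residual} "
                                        f"exceeds appetite {risk_appetite}"))
        # Treatment "modify" must be backed by a complete risk treatment plan entry.
        if risk.treatment == "modify":
            actions = plan_by_risk.get(risk.risk_id, [])
            if not actions:
                findings.append(Finding("6.1.3(e)", "major", risk.risk_id,
                                        "treatment 'modify' without a risk treatment plan entry"))
            for action in actions:
                missing = [name for name, value in (("owner", action.owner),
                                                    ("target_date", action.target_date),
                                                    ("verification", action.verification)) if not value]
                if missing:
                    findings.append(Finding("6.1.3(e)", "minor", f"{risk.risk_id}/{action.control}",
                                            "plan entry missing " + ", ".join(missing)))
                if action.control not in risk.controls:
                    findings.append(Finding("6.1.3(e)", "minor", f"{risk.risk_id}/{action.control}",
                                            "plan entry references a control not in the risk register"))

    # 9.3: the management review must have addressed the SoA.
    if "soa" not in review_topics:
        findings.append(Finding("9.3", "major", "management review",
                                "did not address the Statement of Applicability"))
    return findings


def run_example() -> List[Finding]:
    """Constructed sample records (not real data) exercising each rule once."""
    soa = [
        SoAEntry("A.5.7", True, True, "Threat feeds consumed by SOC; treats R-02"),
        SoAEntry("A.5.23", True, True, "Hyperscaler cloud in scope; treats R-01"),
        SoAEntry("A.5.30", True, False, "DR plan in build; treats R-03"),
        SoAEntry("A.8.9", True, True, ""),                         # missing justification
        SoAEntry("A.8.23", False, False, "No user web access from scope systems"),
    ]
    risks = [
        Risk("R-01", ("A.5.23",), 3, "modify"),   # consistent
        Risk("R-02", ("A.5.7",), 9, "modify"),    # implemented yet residual above appetite
        Risk("R-03", ("A.5.30",), 5, "modify"),   # plan entry lacks an owner
        Risk("R-04", ("A.8.23",), 2, "modify"),   # relies on excluded control, no plan entry
    ]
    plan = [
        TreatmentAction("R-01", "A.5.23", "Cloud lead", date(2026, 3, 31), "supplier assessment report"),
        TreatmentAction("R-02", "A.5.7", "SOC lead", date(2026, 2, 28), "feed-to-risk mapping review"),
        TreatmentAction("R-03", "A.5.30", "", date(2026, 6, 30), "restore test record"),
    ]
    review_topics = {"objectives", "risk assessment results", "interested parties"}  # no "soa"
    return check_isms(soa, risks, plan, review_topics, risk_appetite=6)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] clause {f.clause} - {f.subject}: {f.message}")
```

The sample run produces six findings: four graded major (the residual risk contradiction on R-02, the excluded control and the missing plan entry on R-04, and the management review gap under clause 9.3) and two minor (the empty justification for A.8.9 and the ownerless plan entry for R-03). The rules are deliberately conservative; real grading is the auditor's call, and an organisation can extend the checker with its own control sources beyond Annex A by adding them to the SoA list.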

Capacity, Cost, and Timeline for Late Migrators in 2026

Certification body capacity in Germany was overstretched between July 2024 and October 2025 as approximately 22,000 ISO 27001 certified organisations migrated. Bodies prioritised existing clients with planned audits and turned away short-notice new entrants. In 2026, capacity has loosened, but lead times for initial certification remain four to seven months from contract signing to certificate issuance. For organisations that lost certification on 1 November 2025, a realistic timeline reads as follows: month one, gap analysis and SoA reconstruction; months two and three, control implementation and evidence build-up; month four, Stage 1 readiness review; month five, internal audit and management review; month six, Stage 2 certification audit; month seven, certificate decision and issuance.

Cost-wise, a small organisation (fewer than 50 employees, single site) faces fees between 12,000 and 22,000 euro for the full cycle, including external consulting at typical German market rates. Medium organisations (50 to 250 employees, multiple sites) range between 22,000 and 60,000 euro. Large organisations and federated structures often exceed 100,000 euro. CIVAC reduces the consulting burden by providing pre-built templates for all 93 controls, a workspace that consolidates evidence across audits, and an Officer-as-a-Service option that places a qualified information security officer with a service-level agreement of two working days for appointment, against industry norms of two to six weeks. License the workspace for your internal officers, or have our officers appointed. The economic case for the platform model becomes evident from the second internal audit onwards, when the marginal cost of evidence retrieval approaches zero. For a comparison view, see our FAQ on officer engagement models.

Internal Audit, Management Review, and Continual Improvement in the 2022 Model

Clause 9.2 (internal audit) and clause 9.3 (management review) saw small but consequential edits. The internal audit programme must now demonstrate independence and impartiality with documented evidence, not just a declaration. Self-audits by control owners are unacceptable. The management review must address performance against information security objectives, results of risk assessments and risk treatment status, fulfilment of information security requirements, feedback from interested parties, and opportunities for improvement. The 2022 edition added explicit reference to changes in the needs and expectations of interested parties, which auditors test by asking who the interested parties are, when they were last reviewed, and what changes have been recorded.

Continual improvement (clause 10) now expects organisations to demonstrate effectiveness of corrective actions through trend analysis. A single corrective action that closes a non-conformity is insufficient if similar non-conformities recur in subsequent audits. The auditor looks for root cause analysis, systemic preventive actions, and measurable reduction in repeat findings. CIVAC tracks corrective actions through the workspace with root cause categories, trending across audit cycles, and automated reminders for verification of effectiveness. The auditor calls, the evidence is ready. This is the discipline that separates a certified ISMS from a merely certifiable ISMS, and the difference is visible in the subjective auditor report sections that influence rebooking and confidence scoring for future surveillance visits. Management reviews that occur only once a year tend to surface aged data; CIVAC supports quarterly review cadences with light data preparation, which spreads the workload and gives the senior management team a more current view of information security risk.

Supplier and Cloud Controls: A.5.19 to A.5.23 in Practice

The 2022 edition tightens supplier and cloud controls. A.5.19 covers information security in supplier relationships, A.5.20 covers addressing information security within supplier agreements, A.5.21 covers managing information security in the ICT supply chain (carried over from A.15.1.3 of the 2013 edition, with a sharper ICT supply chain focus), A.5.22 covers monitoring, review, and change management of supplier services, and A.5.23 covers information security for use of cloud services (new in 2022). German auditors increasingly request a supplier register that maps each supplier to the data classification it handles, the controls in the supplier agreement, the most recent assessment date, and the remediation status of any findings. A supplier register that lists vendors but not the controls applicable to each is now treated as incomplete.

Cloud-specific controls under A.5.23 require organisations to define exit strategies, data residency requirements, and shared responsibility models with cloud providers. For German organisations using hyperscaler cloud, this typically includes documenting the EU data residency status, the standard contractual clauses or adequacy mechanism for any cross-border transfer, and the cloud provider's most recent ISO 27001, ISO 27017, or SOC 2 Type II reports. CIVAC's workspace supports an EU data residency model and integrates supplier and cloud evidence in a single register that the auditor can query directly. Migration projects often discover that a cloud provider listed in the SoA was never formally assessed under the supplier control set; the 2022 audit catches this gap with high probability, especially when sub-processors are involved. The same register supports BSI C5:2020 attestations and GDPR Art. 28 processor agreements, which converge on similar evidence types and benefit from a single source of truth rather than parallel files maintained by different teams.

Next Steps: Reaching or Regaining Certification in 2026

For organisations that completed the transition before 31 October 2025, the priority in 2026 is to embed the new control structure operationally and prepare for the first surveillance audit under the 2022 edition. The surveillance audit typically focuses on the 11 new controls, the SoA consistency, and corrective actions from the transition audit. Use the months between surveillance audits to consolidate evidence and reduce the manual effort required at the next checkpoint. For organisations that missed the deadline, the priority is a realistic recovery plan that books certification body capacity early in Q2 2026 and aligns internal resources to the seven-month timeline outlined above.

CIVAC is a compliance platform and Officer-as-a-Service. License the workspace for your internal information security officer, or have our officers appointed. The workspace consolidates the SoA, risk register, control evidence, internal audit programme, management review, supplier register, and cloud assessments in a single audit-trail-enforced environment. From reading to engagement: write to info@civac.de or use the contact form. We clarify scope, target certification window, and service level in a 30-minute conversation and send a contract proposal with a transparent statement of work the following working day. Audit-ready, documented, ISO 27001:2022 evidenced. The next certification body call will not catch you unprepared, because the work between calls is the work that decides the outcome. Whether you are aiming for first-time certification, recovering from a missed deadline, or preparing the second surveillance audit under the 2022 edition, the structural choices made now will shape audit effort for the next three years and the rate at which the ISMS continues to deliver value beyond the certificate on the wall.

FAQ

Has the ISO 27001:2022 transition deadline really expired in Germany?

Yes. IAF Resolution 2022-15, implemented through IAF MD 26, set the deadline at 31 October 2025, and DAkkS-accredited German certification bodies applied it from 1 November 2025. Certificates issued against ISO/IEC 27001:2013 are no longer valid in registers. Organisations that did not complete the transition audit by the deadline must run a new initial certification cycle, which typically extends three to six months longer than a planned transition would have required.

What are the main changes in the 2022 edition of Annex A?

Annex A was restructured from 114 controls in 14 sections to 93 controls in 4 themes: Organisational (37), People (8), Physical (14), Technological (34). Eleven controls are new, focusing on threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Twenty-four controls result from merging 57 earlier controls, and the remaining 58 were carried over with updated titles or wording.

How does ISO 27001:2022 relate to NIS-2 in Germany?

A well-maintained ISO 27001:2022 ISMS covers approximately 70 to 80 per cent of the documentary substance the German NIS-2 implementation requires. The remaining 20 to 30 per cent covers the 24-hour early warning and 72-hour follow-up notification obligations to the BSI, which sit outside Annex A and require dedicated workflows. CIVAC unifies both frameworks on a single asset and control register so evidence is created once.

How long does a full initial ISO 27001:2022 certification take in 2026?

A realistic timeline is four to seven months from contract signing with a German certification body to certificate issuance. The cycle includes gap analysis, control implementation, internal audit, management review, Stage 1 readiness review, Stage 2 main audit, and certificate decision. Capacity has loosened since the October 2025 deadline but lead times remain longer than pre-2024 norms, particularly for federated structures and multi-site organisations.

What does a recovery project cost for organisations that missed the deadline?

Costs range from 12,000 euro for a small single-site organisation up to and beyond 100,000 euro for federated multi-site structures. The premium against a planned transition is typically 15 to 35 per cent, driven by the new initial certification scope, longer Stage 1 and Stage 2 audits, and additional consulting hours required to reconstruct evidence. CIVAC reduces consulting hours via pre-built templates for all 93 controls.

Can the CIVAC workspace help with surveillance audits as well as initial certification?

Yes. The workspace tracks the SoA, risk register, internal audit programme, management review, and corrective actions across the three-year certification cycle. Surveillance audits in years two and three reuse evidence from the initial audit, with focus on the 11 new controls and corrective action effectiveness. The workspace highlights changes since the last audit, surfacing gaps before the certification body does and reducing surveillance preparation effort.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.
