Regulatory Compliance

ISO 27001:2022 Transition Deadline: The Approach

The October 31, 2025 ISO/IEC 27001:2022 transition deadline is weeks away. Here's what auditors will look for in Annex A controls, statements of applicability, and evidence packs.

Nayan Dey
Senior Security Engineer
5 min read

October 31, 2025 is the hard deadline for all ISO/IEC 27001:2013 certificates to transition to ISO/IEC 27001:2022 as set by the International Accreditation Forum Resolution 2022-19. After that date, any certificate still issued against the 2013 edition becomes invalid and will be withdrawn by the accredited certification body. With only weeks remaining as of mid-October 2025, the scramble to produce evidence against the new Annex A control set and the revised main-clause requirements is well underway. This article walks through the structural changes, the mapping to the 93 controls in Annex A organised into the four themes of ISO/IEC 27002:2022, and the specific supply chain controls that auditors are now scrutinising in Stage 2 audits.

What Changed Between ISO 27001:2013 and ISO 27001:2022?

ISO/IEC 27001:2022, published on October 25, 2022, reduced Annex A from 114 controls in 14 clauses to 93 controls grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). Eleven controls are new, 24 were formed by merging 2013 controls, 58 were renamed or updated, and one 2013 control was split in two. Main clauses 4 through 10 received small but significant changes: Clause 6.1.3 still requires a Statement of Applicability that lists the necessary controls, justifies each inclusion and each Annex A exclusion, and records implementation status, and the 2022 wording makes explicit that Annex A is a reference list rather than an exhaustive one; Clause 6.2 now also requires that information security objectives be monitored and be kept as documented information; and Clause 6.3, Planning of changes, was added. ISO/IEC 27001:2022 is the normative standard; the revised ISO/IEC 27002:2022 is the control implementation guidance.

Which New Annex A Controls Matter Most for Software Supply Chain?

The 11 net-new controls are 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, and 8.28 Secure coding. (8.22 is Segregation of networks, carried over from 2013, and 8.30 Outsourced development is likewise not new; it descends from 14.2.7 in the 2013 edition.) Of these, 5.7, 5.23, 8.9, 8.16 and 8.28 bear most directly on the software supply chain. The implementation guidance for 8.28 in ISO/IEC 27002:2022 includes keeping an inventory of the external libraries a codebase uses and their versions, which is exactly what an SBOM records, and 8.30 extends the same secure coding expectations to contracted development work.

How Do Supplier Controls 5.19 Through 5.23 Flow Through to Software?

Controls 5.19 "Information security in supplier relationships," 5.20 "Addressing information security within supplier agreements," 5.21 "Managing information security in the ICT supply chain," 5.22 "Monitoring, review and change management of supplier services," and 5.23 "Information security for use of cloud services" together constitute the ISMS supply chain spine. Control 5.21 carries forward the 2013 control 15.1.3 with sharpened language on the ICT supply chain specifically, covering hardware, software, and services, and it is often where auditors expect SBOM evidence for purchased commercial software, not only for open-source components. The Statement of Applicability should cite SBOM generation and vulnerability management as the implementing measures for 5.21.

When Exactly Is the October 31, 2025 Deadline and What Happens at Midnight?

IAF Resolution 2022-19 set a three-year transition period ending October 31, 2025, and no extension has been granted. In practice, many certification bodies stopped accepting new transition audits after August 2025 because of the cycle time needed to complete the audit and close out nonconformities. Certificates still issued against ISO/IEC 27001:2013 on November 1, 2025 are treated as withdrawn under the rules of the accreditation bodies (IAS, ANAB, UKAS, JAS-ANZ, and others). An organisation whose certificate has been withdrawn cannot regain ISO 27001 certification without a fresh initial certification audit (Stage 1 and Stage 2) against the 2022 edition.

What Evidence Do Stage 2 Auditors Expect for Software Controls?

Auditors performing Stage 2 transition audits are asking for the following artifacts at a minimum: an updated Statement of Applicability referencing all 93 Annex A controls; evidence of an SBOM or equivalent inventory for systems in the ISMS scope; a secure coding policy that references 8.28 and ties to developer training; evidence that threat intelligence (5.7) is operationalised (not just subscribed); a cloud security register supporting 5.23; and a configuration management baseline supporting 8.9. For 5.21, auditors increasingly ask for a sample vendor's SBOM and the process used to ingest and review it. Nonconformities are almost always raised when the SoA references a control but no supporting evidence connects control text to operation.
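The gaps listed above (a control referenced in the SoA with no evidence behind it, an exclusion with no justification, a control missing altogether, or a row still using 2013 numbering) can be caught before the auditor does. The check below is an added example for this article, not code from the original page or from Safeguard. It derives the 93 control IDs from the four theme counts (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34) and runs an SoA record set through the checks; the SoA rows and evidence paths in build_sample_soa() are constructed sample data with four deliberate gaps.

```python
# Added example: a consistency check for an ISO/IEC 27001:2022 Statement of
# Applicability. Not code from the original article or from Safeguard.
# Control IDs are derived from the four Annex A:2022 themes:
#   5.x Organizational (37), 6.x People (8), 7.x Physical (14), 8.x Technological (34).
# Everything produced by build_sample_soa() is constructed sample data.

from dataclasses import dataclass, field

THEME_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}  # Annex A:2022 theme -> number of controls


def annex_a_control_ids() -> list[str]:
    """Return the 93 Annex A control IDs in order: 5.1..5.37, 6.1..6.8, 7.1..7.14, 8.1..8.34."""
    return [f"{theme}.{n}" for theme, count in THEME_COUNTS.items() for n in range(1, count + 1)]


@dataclass
class SoaRow:
    control: str                 # Annex A control ID, e.g. "8.28"
    applicable: bool             # included in the ISMS scope, or excluded
    justification: str = ""      # why included or excluded (required either way)
    evidence: list[str] = field(default_factory=list)  # artefacts showing the control operates


def check_soa(rows: list[SoaRow]) -> list[tuple[str, str]]:
    """Return (control, problem) pairs for the gaps that typically draw nonconformities."""
    valid = annex_a_control_ids()
    by_id = {row.control: row for row in rows}
    findings: list[tuple[str, str]] = []
    for cid in valid:
        row = by_id.get(cid)
        if row is None:
            findings.append((cid, "missing from SoA"))
            continue
        if not row.justification.strip():
            findings.append((cid, "no justification for inclusion/exclusion"))
        if row.applicable and not row.evidence:
            findings.append((cid, "applicable but no linked evidence"))
    # Rows whose ID is not a 2022 control ID are usually leftovers from the 2013 SoA.
    for cid in sorted(set(by_id) - set(valid)):
        findings.append((cid, "not an Annex A:2022 control ID (2013 numbering?)"))
    return findings


def build_sample_soa() -> list[SoaRow]:
    """Constructed SoA: complete except for four deliberate gaps."""
    rows = [
        SoaRow(cid, True, "in scope", [f"evidence/{cid}/policy.pdf"])  # constructed paths
        for cid in annex_a_control_ids()
        if cid != "5.21"  # gap 1: the ICT supply chain control is left out entirely
    ]
    by_id = {row.control: row for row in rows}
    by_id["8.28"].evidence = []          # gap 2: secure coding claimed, nothing linked
    by_id["7.4"].applicable = False      # gap 3: excluded without saying why
    by_id["7.4"].justification = ""
    rows.append(SoaRow("A.14.2.7", True, "legacy row", ["evidence/old.pdf"]))  # gap 4: 2013 ID
    return rows


if __name__ == "__main__":
    for control, problem in check_soa(build_sample_soa()):
        print(f"{control:10} {problem}")
```

Run on the sample it reports 5.21 missing, 7.4 excluded without justification, 8.28 applicable with no evidence, and A.14.2.7 as a stale 2013 identifier; a complete SoA with a justification and at least one evidence link per applicable control returns an empty list. Feeding it the real SoA export (one row per control with evidence links resolved to the evidence pack) is the same call.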

How Do ISO 27001:2022 and Other Regimes Interact?

ISO 27001:2022 is commonly used as the baseline ISMS behind SOC 2 Trust Services Criteria mappings, HITRUST CSF v11, and emerging DORA RTS implementations. The EU Cyber Resilience Act's essential requirements in Annex I overlap substantially with Annex A controls 5.21, 8.28, and 8.30, and BSI TR-03183 Part 2 in Germany specifies SBOM content using SPDX (ISO/IEC 5962) or CycloneDX. Many regulated entities use ISO 27001:2022 certification as their ISMS evidence and add sector overlays (APRA CPS 234 in Australia, OSFI B-13 in Canada, PRA SS1/21 in the UK) on top of it. The revised Annex A reduces the double work by bringing its control wording closer to these frameworks.

How Safeguard Helps

Safeguard generates the SBOM artifacts that satisfy controls 5.21 and 8.28 and maintains them across every build so the ISMS scope stays auditable between surveillance visits. Griffin AI reachability analysis operationalises control 5.7 Threat intelligence by connecting CVE feeds to the components your organisation actually runs, turning generic advisories into concrete tickets. TPRM workflows track supplier assurance against 5.19-5.23 with evidence timestamps that stand up to Stage 2 scrutiny, and policy gates enforce 8.25-8.28 at the pipeline level with build-breaking thresholds. Compliance mapping across ISO 27001:2022, SOC 2, HITRUST, NIST CSF 2.0, and DORA lets you export a single evidence pack and answer the auditor's questions in hours, not weeks.
