
ISO 27001:2013 has expired. What charities need to know, and what you need to do.

David Simpson
November 5, 2025

This year’s Halloween was particularly scary for some in the world of security. Like all the scariest things, this one has crept up on the software industry very quietly and is now lurking in the shadows.

Hold on a minute, what is ISO 27001?

ISO 27001 (pronounced “eye-so twenty-seven-thousand and one”, for the uninitiated) is the most highly regarded global standard for information security. Having ISO 27001 certification is one of the best ways to demonstrate that organisations like Beacon adhere to comprehensive and modern security practices. Certification requires an extensive audit of an organisation to determine satisfactory compliance with the standard. ISO 27001 was first introduced in 2005 and has been revised several times since then to keep up with modern technology threats.

The previous version of ISO 27001 was published back in 2013 (designated ISO 27001:2013). At the risk of making you feel old, dear reader, this was before AI was everywhere, before "Bitcoin" was a household term, Blurred Lines and Get Lucky were topping the charts, and Disney had just given us "Frozen". An update was needed to the old standard, and a revised version was published in 2022 (designated ISO 27001:2022).

ISO 27001:2013 was withdrawn in October 2022, when the new standard (ISO 27001:2022) was published, and everyone was given three years to update. That deadline has now come and gone: on 31 October 2025 all of the old ISO 27001:2013 certificates expired.

So, what does this mean?

Well, in a nutshell, all ISO 27001:2013 certificates are no longer valid. Organisations holding only an ISO 27001:2013 certificate do not have ISO 27001.

For charities that expect (or rely upon) their suppliers to have ISO 27001, this is a big deal. It’s the standard way to establish that a software product can be trusted to be secure.

Many organisations (including Beacon) rely on ISO 27001 to provide assurances about data security and to demonstrate compliance with best practices. We’ve reviewed all of our vendors to make sure that they are up to date, or that they can provide other security certifications.

What should you do right now?

You should review the ISO 27001 certificates for all of your vendors. When evaluating an ISO 27001 certificate there are two things you should look for to make sure you can trust it:

  1. Is it ISO 27001:2022? The certificate will clearly state which version it is. ISO 27001:2013 is no longer valid and you shouldn’t accept it.
  2. Are the auditors UKAS accredited? It’s how you can tell that the audit was carried out to the required UK government standard. Look for the UKAS logo with a crown and a tick.

If your vendor does not have a valid ISO 27001:2022 certificate, you should be asking difficult questions as to why they’re not keeping up to date, and you should not trust their security position. Similarly, without an audit from a UKAS accredited auditor, there is no complete compliance chain back to the UK government. Typically, a UKAS accredited auditor would not issue a certificate for an old standard anyway.

Worst case doom and gloom scenario: If there’s a data breach and the ICO want to know what steps you took to make sure your suppliers are secure, accepting expired security certifications won’t reflect well on you! ISO 27001 audits are required every year, so there’s really no excuse for your suppliers not being up to date.

Check your suppliers’ certificates now, so you don’t get an unexpected fright later.

Note: Before you ask, of course Beacon has ISO 27001:2022 and our auditors are UKAS accredited. Otherwise I’d look like a bit of a plonker.

Find out more about how Beacon keeps your data secure on our Trust page.