ISO/IEC 27000:2026 Almost Out: What Actually Changes (Spoiler: Less Than They'll Tell You)

Every time a standard's number changes, the same scene plays out: emails from vendors, «urgent» webinars, the feeling your certificate expired overnight. ISO/IEC 27000:2026 is nearly out, and the script will repeat. The short version: if you are certified to ISO/IEC 27001, you have to do nothing. The useful version is understanding why — and it all comes down to a distinction almost nobody explains.
The fact: the sixth edition is almost out
ISO/IEC 27000 has reached its sixth edition, listed by ISO as 2026-07. As of 7 July 2026, however, the official status on the ISO page is still «under publication» (stage 60.00): the text is in the final steps of the publication process — it does not mean a certification transition is already open.
The substance, either way, does not change. ISO/IEC 27000 is the «umbrella» document of the information security standards family — the 27k series — the one explaining concepts, principles and relationships among the other standards. It has historically been offered free by ISO and, above all, is not a certifiable standard.
The distinction almost nobody makes: 27000 is not 27001
This is where all the confusion starts. In the 27k series, two very close numbers do opposite things:
- ISO/IEC 27000 — Overview. Overview and (historically) vocabulary. No standalone certification requirements, no transition obligation. Historically offered free by ISO.
- ISO/IEC 27001 — Requirements. The requirements of the information security management system (ISMS). It is the standard you certify against, and it is still in its 2022 edition.
You certify against 27001. You read 27000, at most, to get your bearings. A new edition of 27000 does not touch the requirements you are assessed on — for the same reason rewriting a manual's preface does not change the rules written in the chapters.
What actually changed in 27000:2026
The sixth edition is mostly a clean-up:
- the focus shifts: overview, concepts, principles and relationships among the standards, rather than a list of terms (the title drops «and vocabulary»);
- the extensive glossary is no longer the document's focus: per ISO27001security's analysis the new edition keeps only about a dozen key terms, while official definitions remain available via ISO OBP and IEC Electropedia;
- the result is a lean document, ~11 pages, summarising the 27k family in a few clauses.
Useful as an introductory map. But it introduces no new auditable requirements for an ISO/IEC 27001 certification.
If you are certified to ISO/IEC 27001:2022: what to do
Nothing, because of 27000. Your certificate depends on the requirements of 27001:2022 (with the 2024 «climate action» amendment) and on the 93 Annex A controls: none of these move because 27000:2026 came out. No transition, no re-audit, no new control.
The only transition that mattered — from 27001:2013 to 27001:2022 — had a real deadline, 31 October 2025 (IAF MD 26), now passed: since then every audit is already against the 2022 edition. If you handled it, you're fine. If you didn't, the problem is not 27000:2026: it's that an accredited certificate not transitioned by the applicable IAF deadline is no longer valid under the ISO/IEC 27001:2022 transition path.
And auditors? Do they need to recertify?
No — not because of 27000:2026. And it is fair to separate what is documented from what is reasoning:
- Fact: an ISMS auditor's competence is anchored to 27001 (the requirements), to the ISO 19011 auditing guidelines and to the ISO/IEC 17021-1 accreditation rules. Not to 27000.
- Well-founded inference: an overview document, non-normative and without requirements, does not create re-training or re-certification obligations for auditors. No source states otherwise.
What actually required an update was the move to 27001:2022, not the release of 27000. And maintaining a personal qualification (schemes such as PECB, IRCA, Exemplar Global) depends on continuing professional development (CPD) and the scheme's rules, not on this new edition.
The point: compliance driven by evidence, not by alarmism
The lesson is not «ignore updates». It is telling signal from noise. An overview update is a chance to re-read the map of the 27k family, not a certification emergency. Whenever someone tells you «you must recertify», the right question is only one: against which requirement? If the answer is «none, the overview changed», you can get back to work. Serious compliance is measured on evidence and requirements, not on version-number anxiety.
Sources
Compliance without alarmism: we start from the real requirements
Tomato helps SMEs read regulatory updates for what they are, and translate ISO 27001, NIS2 and the AI Act into concrete controls and evidence — without selling emergencies.
Talk to us →