Every valid certificate is now ISO 27001:2022
The three-year transition from ISO 27001:2013 ended on 31 October 2025: since that date, 2013-edition certificates are invalid. Any organisation certifying today does so against ISO/IEC 27001:2022 and its 93 Annex A controls — including the 2022 additions such as threat intelligence, cloud security and data leakage prevention. If a supplier shows you a 2013 certificate in 2026, it has lapsed.
How certification works in France
Certification is delivered by accredited certification bodies — in France, accreditation comes from COFRAC (or an equivalent European accreditor). The process itself is the same everywhere: a Stage 1 audit (documentation review), a Stage 2 audit (on-site verification that the ISMS actually runs), then a certificate valid three years with annual surveillance audits and a recertification cycle. What auditors want first is the documentary core: scope, information security policy, risk assessment and treatment, Statement of Applicability, and the topic-specific policies your SoA declares.
Where ISO 27001 sits in the French ecosystem
France layers its own schemes on top of, or alongside, ISO 27001:
| Scheme | Relationship to ISO 27001 | Who needs it |
|---|---|---|
| ISO 27001 | The base management-system certification | Any organisation selling to enterprises, or building trust |
| HDS | Builds on ISO 27001 (plus ISO 20000-1 and health-specific rules) | Hosts of French personal health data |
| SecNumCloud | Separate ANSSI qualification with its own requirements | Cloud providers targeting the French public sector and OIV/OSE |
| ReCyF (NIS2) | ANSSI framework; an ISO 27001 ISMS covers most of its 20 objectives | Entities preparing for NIS2 |
Two practical consequences follow. First, ISO 27001 is the best common denominator: the same ISMS feeds HDS, NIS2/ReCyF preparation and enterprise due diligence. Second, ANSSI’s free publications (the hygiene guide, ReCyF) are excellent French-language implementation references for the Annex A controls.
A realistic path for a French SME
- Scope tightly — one product, one platform team; you can extend later.
- Run the risk assessment and derive your Statement of Applicability.
- Generate and tailor the documentary core — the part of the project that can be compressed the most.
- Operate for a few weeks (access reviews, incident drill, internal audit, management review) to produce evidence.
- Pick a COFRAC-accredited body and schedule Stage 1/Stage 2.
Primary sources
- ISO — ISO/IEC 27001 official page (iso.org/standard/27001).
- ANSSI — guides and ReCyF (cyber.gouv.fr).
- Agence du Numérique en Santé — HDS certification (esante.gouv.fr).
How PolicyForge helps
PolicyForge generates the ISO 27001:2022-aligned documentary core — the top-level policy and the topic-specific policies your SoA declares — bilingual, versioned, with approval blocks.