ISO/IEC 27001:2022 Deepdive
1. Overview
What ISO/IEC 27001:2022 Is
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). Published 25 October 2022 and amended by 27001:2022/Amd 1:2024 (which adds climate change considerations to Clauses 4.1 and 4.2), it replaces the 2013 edition for all certification purposes; the transition period for existing certificates ended on 31 October 2025. The standard is published by the International Organization for Standardization at iso.org/standard/27001. Certification is performed by an accredited certification body (CB) against the requirements clauses (4 through 10), with Annex A controls audited as selected in the Statement of Applicability.
Who It Applies To
Any organization of any size that handles information of value. Most common adopters: B2B SaaS, fintech, healthcare, professional services, manufacturers, and government suppliers. ISO 27001 is the international assurance counterpart to SOC 2 in the US market and is contractually required by many enterprise European, UK, and Asia-Pacific buyers.
Outcome
An ISO 27001:2022 certificate from an accredited certification body, valid for three years subject to annual surveillance audits and a full recertification audit before the end of the cycle. Increasingly, customers also expect parallel SOC 2 attestation for US-facing services.
Security Consultants delivers ISO 27001 readiness, implementation, and ongoing program management through the ISO 27001 consulting service. For background on the methodology and how the standard maps to AI governance, see our blog post How to integrate ISO 42001 with ISO 27001 without rebuilding your ISMS.
2. Scope & Applicability
Mandatory ISMS Scope
Clause 4.3 requires the organization to determine and document the boundaries and applicability of the ISMS. The scope statement is published on the certificate and visible to customers, so it functions as both a compliance and a commercial artifact. Typical scope statements describe the services in scope, the locations, the populations, and the technologies that operate the in-scope information processing.
Climate Change Amendment
27001:2022/Amd 1:2024 amends Clause 4.1 (external and internal issues) to require the organization to determine whether climate change is a relevant issue, and adds a note to Clause 4.2 (needs and expectations of interested parties) that interested parties can have climate-related requirements. Auditors began verifying this from 2024 onward; current certificates must demonstrate that climate change was considered in the context analysis, even where the conclusion is that it is not relevant to the ISMS.
Statement of Applicability (SoA)
Clause 6.1.3 d) requires a Statement of Applicability that lists every Annex A control, indicates whether it is applicable, references its implementation, and justifies inclusions and exclusions. The SoA is the single most-scrutinized document in the engagement.
Mandatory Requirements
Clauses 4–10 are mandatory. Annex A controls are selected based on the risk assessment and must be justified in the SoA, but the standard requires that controls necessary to address risks are implemented; exclusions must be justified and not affect the ISMS's ability to provide information security. ISO/IEC 27002:2022 provides implementation guidance for Annex A controls but is not a certification requirement.
3. Core Principles
Plan-Do-Check-Act
The ISMS follows the PDCA cycle: Plan (Clauses 4–7 — context, leadership, planning, support), Do (Clause 8 — operation), Check (Clause 9 — performance evaluation), Act (Clause 10 — improvement). Certification verifies that the cycle operates.
Risk-Driven Control Selection
Clause 6.1.2 requires a documented risk assessment methodology. The organization identifies risks, assesses them by likelihood and impact, treats them, and tracks residual risk. Annex A controls support the treatment plan; controls not relevant to identified risks are excluded from the SoA with justification.
Annex A Themes (2022)
The 93 Annex A controls in the 2022 edition are organized into four themes:
- A.5 Organizational — 37 controls covering policies, roles, threat intelligence, supplier relationships, information security in project management, etc.
- A.6 People — 8 controls covering screening, terms of employment, awareness, disciplinary process, etc.
- A.7 Physical — 14 controls covering perimeter, entry controls, securing offices, equipment maintenance, etc.
- A.8 Technological — 34 controls covering identity, access, authentication, vulnerability management, logging, monitoring, encryption, secure development, cloud security, etc.
Eleven New Controls in 2022
A.5.7 Threat intelligence; A.5.23 Information security for use of cloud services; A.5.30 ICT readiness for business continuity; A.7.4 Physical security monitoring; A.8.9 Configuration management; A.8.10 Information deletion; A.8.11 Data masking; A.8.12 Data leakage prevention; A.8.16 Monitoring activities; A.8.23 Web filtering; A.8.28 Secure coding.
4. Control Breakdown
Clause 4 — Context of the Organization
Determine external and internal issues including climate change (4.1), interested parties (4.2), scope (4.3), and the ISMS (4.4). Evidence: context analysis document with documented climate-change considerations; interested-parties register; scope statement.
Clause 5 — Leadership
Top management commitment (5.1), information security policy (5.2), roles and responsibilities (5.3). Evidence: signed policy, RACI for ISMS roles, leadership meeting minutes covering security.
Clause 6 — Planning
Actions to address risks and opportunities (6.1.1), risk assessment (6.1.2), risk treatment with SoA (6.1.3), and information security objectives (6.2). Clause 6.3 (introduced in 2022) covers planning of changes to the ISMS. Evidence: risk methodology, risk register, treatment plan, SoA, objectives with metrics and review records.
Clause 7 — Support
Resources (7.1), competence (7.2), awareness (7.3), communication (7.4), documented information (7.5). Evidence: competence matrix, training records, communication plan, document control procedures.
Clause 8 — Operation
Operational planning and control (8.1), risk assessment performed (8.2), risk treatment performed (8.3). Evidence: operational records demonstrating the controls in the SoA are operating.
Clause 9 — Performance Evaluation
Monitoring, measurement, analysis, evaluation (9.1); internal audit (9.2); management review (9.3). Internal audit must be performed against a documented program covering all clauses and Annex A controls over a defined cycle. Management review must occur at planned intervals (typically annually at minimum) and address the inputs and outputs in 9.3.2 and 9.3.3. See our ISO 27001 internal audit service.
Clause 10 — Improvement
Continual improvement (10.1) and nonconformity and corrective action (10.2). Evidence: nonconformity register, corrective action records, evidence of continual improvement.
Annex A.5 Organizational (highlights)
A.5.1 Information security policies; A.5.7 Threat intelligence (new); A.5.23 Information security for use of cloud services (new); A.5.30 ICT readiness for business continuity (new); A.5.19–5.22 Supplier relationships; A.5.24–5.28 Information security incident management.
Annex A.6 People (highlights)
A.6.1 Screening; A.6.3 Information security awareness, education and training; A.6.4 Disciplinary process; A.6.5 Responsibilities after termination; A.6.7 Remote working; A.6.8 Information security event reporting.
Annex A.7 Physical (highlights)
A.7.1 Physical security perimeters; A.7.2 Physical entry; A.7.4 Physical security monitoring (new); A.7.10 Storage media; A.7.13 Equipment maintenance.
Annex A.8 Technological (highlights)
A.8.1 User endpoint devices; A.8.2 Privileged access rights; A.8.3 Information access restriction; A.8.5 Secure authentication; A.8.7 Protection against malware; A.8.8 Management of technical vulnerabilities; A.8.9 Configuration management (new); A.8.10 Information deletion (new); A.8.11 Data masking (new); A.8.12 Data leakage prevention (new); A.8.16 Monitoring activities (new); A.8.23 Web filtering (new); A.8.24 Use of cryptography; A.8.25–8.32 Secure development including A.8.28 Secure coding (new); A.8.29 Security testing in development and acceptance.
5. Minimum Requirements (Non-Negotiable)
Mandatory Documents
- Scope of the ISMS (Clause 4.3)
- Information Security Policy (Clause 5.2)
- Risk Assessment Methodology and results (Clause 6.1.2)
- Risk Treatment Plan (Clause 6.1.3)
- Statement of Applicability (Clause 6.1.3 d)
- Information Security Objectives (Clause 6.2)
- Documented evidence of competence (Clause 7.2)
- Documented information determined necessary for the ISMS (Clause 7.5.1 b)
- Internal Audit Programme (Clause 9.2)
- Management Review records (Clause 9.3)
- Nonconformity and Corrective Action records (Clause 10.2)
- Documented information for the Annex A controls implemented per the SoA
Mandatory Processes
- Risk assessment performed and updated
- Internal audit covering the ISMS clauses and SoA controls over the audit cycle
- Management review at planned intervals
- Treatment of nonconformities with documented corrective action
- Information security awareness training at planned intervals (the standard sets no fixed frequency; annual training plus onboarding is the accepted baseline)
- Supplier security management including periodic review
- Incident management and continual improvement
6. Technical Implementation Guidance
Risk Methodology
- Document the methodology in writing including asset / threat / vulnerability / impact / likelihood / risk scoring
- Identify owners for every risk and treatment action
- Update at planned intervals (annual in practice) and whenever significant changes are proposed or occur, as Clause 8.2 requires. See our risk assessment service.
SoA Discipline
- List all 93 Annex A controls
- For each, state applicable / not applicable and the justification
- Reference the implementation evidence by document or system
- Map controls to risk treatment
- Update on every material change to scope, risk, or controls
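The SoA rules above can be checked mechanically before an auditor does it for you. The following is an added example written for this page, not code from the standard or from any GRC tool: it models SoA rows and risk treatments as small dataclasses (assumed structures; real programs would load a spreadsheet or tool export), then flags the defects that recur in audits: controls missing from the 93, exclusions without justification, applicable controls with no evidence reference, and risk treatments that rely on a control the SoA has excluded. The sample SoA and treatments are constructed for the demo.

```python
"""Statement of Applicability (SoA) consistency checker.

Added example for this page, not an artefact of ISO/IEC 27001 itself. It assumes
a minimal in-memory model of the SoA and the risk treatment plan; in practice the
rows would be loaded from a spreadsheet or GRC-tool export.
"""
from dataclasses import dataclass, field

# Annex A (2022) control counts per theme: A.5 (37), A.6 (8), A.7 (14), A.8 (34) = 93.
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}


def annex_a_control_ids():
    """All 93 Annex A control identifiers, 'A.5.1' through 'A.8.34'."""
    return [f"A.{theme}.{n}" for theme, count in ANNEX_A_COUNTS.items()
            for n in range(1, count + 1)]


def _sort_key(control_id):
    """Numeric sort so that A.5.10 follows A.5.9 rather than A.5.1."""
    _, theme, number = control_id.split(".")
    return int(theme), int(number)


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""   # required whether the control is included or excluded
    evidence: str = ""        # document or system reference; required when applicable


@dataclass
class RiskTreatment:
    risk_id: str
    controls: list = field(default_factory=list)   # SoA control IDs the treatment relies on


def check_soa(entries, treatments):
    """Apply the SoA discipline rules; return {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    by_id = {}
    for e in entries:
        if e.control_id in by_id:
            errors.append(f"{e.control_id}: listed more than once")
        by_id[e.control_id] = e

    expected = set(annex_a_control_ids())
    for cid in sorted(expected - set(by_id), key=_sort_key):
        errors.append(f"{cid}: missing from SoA (all 93 Annex A controls must be listed)")
    for cid in sorted(set(by_id) - expected):
        errors.append(f"{cid}: not an Annex A (2022) control identifier")

    relied_on = {}   # control ID -> risk IDs whose treatment depends on it
    for t in treatments:
        for cid in t.controls:
            relied_on.setdefault(cid, []).append(t.risk_id)
    for cid in sorted(set(relied_on) - set(by_id)):
        errors.append(f"{cid}: referenced by risk treatment but absent from SoA")

    unmapped = 0
    for cid in sorted(set(by_id) & expected, key=_sort_key):
        e = by_id[cid]
        if not e.justification.strip():
            state = "applicable" if e.applicable else "not applicable"
            errors.append(f"{cid}: no justification recorded ({state})")
        if e.applicable and not e.evidence.strip():
            errors.append(f"{cid}: applicable but no implementation evidence referenced")
        if not e.applicable and cid in relied_on:
            errors.append(f"{cid}: excluded but risk treatment(s) {relied_on[cid]} rely on it")
        if e.applicable and cid not in relied_on:
            unmapped += 1
    if unmapped:
        # A control may be applicable for legal or contractual reasons rather than a
        # risk, so a missing risk mapping is a review item, not an automatic error.
        warnings.append(f"{unmapped} applicable control(s) not referenced by any risk "
                        "treatment; confirm each has a legal, contractual or policy driver")
    return {"errors": errors, "warnings": warnings}


def example_soa():
    """Constructed sample data (not a real SoA): every control applicable with a
    generic evidence reference, then a few deliberate defects to exercise the checks."""
    entries = {cid: SoaEntry(cid, True, "Treats risk register entries", f"ISMS-DOC-{cid}")
               for cid in annex_a_control_ids()}
    entries["A.7.4"] = SoaEntry("A.7.4", False)                      # excluded, no justification
    entries["A.8.23"] = SoaEntry("A.8.23", True, "Acceptable use policy")   # no evidence ref
    entries["A.8.30"] = SoaEntry("A.8.30", False, "No outsourced development in scope")
    del entries["A.5.7"]                                               # dropped from the list
    treatments = [
        RiskTreatment("R-001", ["A.8.8", "A.8.9"]),
        RiskTreatment("R-002", ["A.8.30"]),   # relies on a control the SoA excludes
    ]
    return list(entries.values()), treatments


if __name__ == "__main__":
    result = check_soa(*example_soa())
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"[{level[:-1].upper()}] {msg}")
```

Run it on the constructed sample and it reports four errors (the missing A.5.7, the unjustified A.7.4 exclusion, A.8.23 without evidence, and R-002 depending on the excluded A.8.30) plus one warning about applicable controls with no risk mapping. Wire the same check into whatever holds your SoA so it runs on every scope, risk or control change rather than once before Stage 1.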
Annex A Implementation
- Implement the 11 new 2022 controls explicitly: threat intelligence (A.5.7), cloud services security (A.5.23), ICT readiness for BC (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), DLP (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), secure coding (A.8.28)
- Where the ISMS runs on cloud platforms, record which controls are inherited from the provider and which remain yours (the shared-responsibility split required by A.5.23), and evidence the inherited ones with the provider's ISO 27001 certificate, SOC 2 report or FedRAMP package
- Integrate with SOC 2 controls where applicable for shared evidence
Internal Audit and Management Review
- Build an internal audit program covering every clause and SoA control across the certification cycle
- Use ISO 19011 as the audit methodology reference
- Conduct management review at least annually with the Clause 9.3.2 inputs and 9.3.3 outputs explicit
7. Policy & Procedure Requirements
- Information Security Policy (top-level)
- Acceptable Use Policy
- Access Control Policy
- Risk Management Procedure
- Asset Management Policy and Asset Inventory
- Supplier Risk Management Policy
- Cloud Services Security Policy (A.5.23)
- Threat Intelligence Procedure (A.5.7)
- Cryptography Policy (A.8.24)
- Logging and Monitoring Standard (A.8.15, A.8.16)
- Vulnerability Management Procedure (A.8.8)
- Configuration Management Procedure (A.8.9)
- Secure Development Standard including Secure Coding (A.8.25–8.28)
- Data Classification, Masking, Deletion, DLP Standard (A.8.10, A.8.11, A.8.12)
- Web Filtering Standard (A.8.23)
- Physical Security Procedure (A.7.x)
- Information Security Incident Management Procedure
- Business Continuity and ICT Readiness Plan (A.5.30)
- Document Control Procedure
- Internal Audit Programme and Procedure
- Management Review Procedure
- Nonconformity and Corrective Action Procedure
For combined ISO 27001 + ISO 27701 + ISO 42001 deployments, most documents serve all three with privacy-specific and AI-specific extensions. See our ISO 27701 service and ISO 42001 service.
8. Audit Evidence & Verification
Stage 1 (Documentation Review)
The accredited certification body reviews the ISMS documentation including scope, policy, risk methodology, risk treatment plan, SoA, internal audit results, and management review records. Output: a written report of findings and a readiness decision for Stage 2.
Stage 2 (Implementation and Effectiveness)
The certification body tests the ISMS in operation including process audits, control sampling, interviews, and observation. Findings are classified as major nonconformities (block certification until corrected and verified), minor nonconformities (must be addressed in defined timeframes), opportunities for improvement, and observations.
Surveillance and Recertification
- Surveillance audits annually for two years after initial certification
- Full recertification audit before the three-year certificate expiry
- Each surveillance audit samples a defined subset of clauses and Annex A controls; the certification body's audit plan covers the full ISMS across the cycle
Typical Evidence Categories
- Mandatory documents listed in Section 5
- Annex A control implementation evidence per the SoA
- Internal audit and management review records
- Operational records demonstrating controls in operation across the audit window
Common Remediation Items
- SoA without justifications for non-applicable controls
- Risk register treated as a one-time exercise
- Internal audit program that does not cover all clauses and SoA controls across the cycle
- Management review minutes missing the Clause 9.3.2/9.3.3 inputs and outputs
- Eleven 2022 controls implemented superficially
- Climate-change consideration missing from context analysis
9. Implementation Timeline Considerations
Typical Duration
- First-time certification (mature controls): 4–6 months from kickoff to Stage 2 audit
- First-time certification (substantial remediation): 9–18 months
- Annual surveillance: 2–3 weeks of certification body (CB) fieldwork plus continuous evidence collection
- Recertification: 4–6 weeks of CB fieldwork plus a full prior internal audit cycle
Milestones
- Context analysis (including climate change) and scope
- Risk methodology and risk assessment
- SoA drafted
- Policy set and procedure rollout
- Annex A control implementation including the eleven 2022 additions
- Internal audit cycle completed
- Management review held
- Stage 1 audit
- Stage 2 audit
- Certificate issued
Dependencies
- Top management commitment evidenced through policy and resource allocation
- Engineering capacity for the technical Annex A controls
- vCISO or program lead to coordinate (see vCISO service)
10. Ongoing BAU Requirements
- Annual risk assessment refresh
- Annual internal audit cycle
- Annual management review
- Annual information security awareness training
- Continuous vulnerability scanning and management
- Periodic supplier review
- Incident management and nonconformity tracking
- SoA maintained current
- Surveillance audit annually; recertification before three-year expiry
11. Maturity Levels
Minimum Compliance
- ISMS scope and policy in place
- Risk assessment and SoA documented
- Annex A controls implemented per SoA
- Internal audit and management review operational
- Manual evidence collection
Intermediate
- Integrated ISMS evidence library shared with SOC 2 and PCI DSS where applicable
- Automated control monitoring through compliance automation tooling
- Threat intelligence (A.5.7) feeding the risk register
- Continuous configuration validation through IaC and policy as code
Advanced
- Integrated ISO 27001 + ISO 27701 + ISO 42001 + SOC 2 evidence library
- Real-time control telemetry for the ISMS
- Mature threat-intelligence-driven risk treatment
- Predictive risk analytics and continuous improvement KPIs
12. FAQs
How is ISO 27001 different from ISO 27002?
ISO 27001 is the certifiable management system standard with mandatory Clauses 4–10 and the Annex A reference controls (the 2022 edition dropped the separate control objectives of the 2013 edition). ISO 27002 is implementation guidance for the Annex A controls. ISO 27002 is not a certification standard and must not be cited as a requirement.
How is ISO 27001 different from SOC 2?
ISO 27001 is an international certification of an ISMS issued by an accredited certification body. SOC 2 is a US attestation by a CPA firm against the AICPA Trust Services Criteria. They overlap on roughly 65–75 percent of the underlying controls. Many B2B SaaS programs run both. See our SOC 2 service.
Do we need a Statement of Applicability?
Yes. Clause 6.1.3 d) requires it. The SoA lists every Annex A control and documents applicability and implementation. Auditors examine it closely; SoA quality is one of the strongest signals of ISMS maturity.
Do we need to implement all 93 Annex A controls?
You must implement controls necessary to address the risks identified in your risk assessment. Annex A controls determined not necessary may be excluded from the SoA with documented justification. In practice, most B2B SaaS organizations apply most of Annex A.
What does ISO 27001 cost?
It depends on the scope (the whole company or only the software development team), on current technical debt (for example, a database several versions behind or running end-of-life software must be upgraded to satisfy the technical vulnerability management control, A.8.8), and on current security maturity (whether AV/EDR is already deployed or still needs to be purchased and rolled out). Costs scale with scope size, number of locations, and audit duration.
Can we use a compliance automation tool?
Yes. Drata, Vanta, Secureframe and similar tools accelerate evidence collection. Here at Security Consultants we have done many successful manual ISMS implementations without any GRC tool; however, for long-term operation we highly recommend using one. These tools are not a substitute for ISMS design, risk treatment, internal audit, or management review.
How does ISO 27001 stack with ISO 27701 and ISO 42001?
ISO 27001 is the base ISMS. ISO 27701 extends it with PIMS controls mapped to GDPR. ISO 42001 is the parallel AI management system. A single integrated management system delivers all three with framework-specific extensions. See our ISO 27701 service and ISO 42001 service.
What is the typical certificate cycle?
Three years. Initial certification audit (Stage 1 plus Stage 2), then surveillance audits in years 1 and 2, then a full recertification audit before the certificate expires at the end of year 3.
What happens if we have a major nonconformity?
The certification body will not issue (or will suspend) the certificate until the nonconformity is corrected and verified. Minor nonconformities are typically permitted to certify with a corrective action plan that must close within a defined timeframe.
13. Summary
ISO/IEC 27001:2022 is the international management system standard for information security and the principal commercial assurance signal for enterprise B2B procurement outside the US. The 2022 edition reorganizes Annex A into four themes and 93 controls, introduces 11 new controls covering modern cloud and operational concerns, and (via the 2024 Amendment) requires climate-change consideration in context analysis. Certification rests on a documented risk-driven ISMS, a credible Statement of Applicability, internal audit and management review discipline, and operational evidence of the controls selected.
To scope an engagement, book a call from the ISO 27001 consulting service page, or talk to us about combining ISO 27001 with ISO 27701, ISO 42001, internal audit, or a complete vCISO program for ongoing program management. For a practical view of stacking AI governance, see our blog post How to integrate ISO 42001 with ISO 27001 without rebuilding your ISMS.