ciso.diy

ISO 27001:2022 Readiness Accelerator

20-tab ISMS implementation workbook for ISO 27001:2022 — all 93 Annex A controls across 4 themes, 11 new 2022 controls, Clauses 4–10 ISMS framework, transition gap analysis from 2013, and policy library.

The transition deadline of October 31, 2025 has passed. Any ISO 27001:2013 certificate is now invalid. Organizations still operating on 2013 are out of compliance, and new certifications must use ISO 27001:2022 (with the 2024 environmental amendment). This workbook is built specifically for 2022 — not a patched 2013 template.

What changed in 2022: Annex A was restructured from 114 controls across 14 control objectives to 93 controls across 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). 24 controls were merged, 58 updated, and 11 new controls added. Five control attributes were introduced for taxonomy: Control type (Preventive / Detective / Corrective), Information security properties (CIA), Cybersecurity concepts (NIST CSF mapping), Operational capabilities, and Security domains. Clause 6.3 is new: changes must be planned and documented, with evidence retained.

The 11 new controls get dedicated attention in this workbook:

  • A.5.7 Threat intelligence — collection and analysis requirements, sharing obligations, integration with ISMS risk process.
  • A.5.23 Information security for use of cloud services — acquisition, use, management, and exit of cloud services.
  • A.5.30 ICT readiness for business continuity — ICT continuity planning, DR strategies, testing requirements.
  • A.7.4 Physical security monitoring — monitoring sensitive areas, detection systems, response procedures.
  • A.8.9 Configuration management — secure configuration baselines, change control, automated compliance checking.
  • A.8.10 Information deletion — secure erasure across all storage media, cloud services, end-of-life procedures.
  • A.8.11 Data masking — pseudonymization, anonymization techniques, use-case appropriate masking.
  • A.8.12 Data leakage prevention — DLP tool requirements, monitoring approaches, classification integration.
  • A.8.16 Monitoring activities — event monitoring, SIEM requirements, anomaly detection thresholds.
  • A.8.23 Web filtering — acceptable use enforcement, malicious content blocking, bypass controls.
  • A.8.28 Secure coding — SSDLC requirements, code review standards, vulnerability testing.

20-tab architecture mirrors the proven SOC 2 Readiness Accelerator structure:

ISMS Scoping & Context (Clause 4) — organization context, interested parties, scope definition, scope statement generator.

Leadership & Risk Appetite (Clause 5) — top management commitment template, information security policy, ISMS roles and responsibilities matrix.

Risk Assessment Framework (Clause 6) — ISO 27005-aligned risk methodology, asset × threat × vulnerability scoring, risk treatment options (Treat / Tolerate / Transfer / Terminate), risk acceptance criteria.

ISMS Planning Log (Clause 6.3) — change planning register with documentation requirements, evidence trail for auditors.

Support & Competence (Clause 7) — awareness program tracker, training records, communication plan, documented information register.

Operations (Clause 8) — operational planning controls, outsourced process management.

Performance Evaluation (Clause 9) — internal audit schedule and tracker, management review agenda template, KPI dashboard.

Improvement (Clause 10) — nonconformity and corrective action register, continual improvement log.

Annex A — Organizational Controls (A.5, 37 controls) — each control with: description, 2022 vs 2013 mapping, implementation guidance, evidence requirements, maturity score (0–4), gap flag.

Annex A — People Controls (A.6, 8 controls) — HR security controls from pre-employment through termination.

Annex A — Physical Controls (A.7, 14 controls) — physical and environmental security controls.

Annex A — Technological Controls (A.8, 34 controls) — technical security controls including all 11 new additions.

2013 → 2022 Transition Gap Analysis — side-by-side mapping of your 2013 control status to 2022 requirements. Highlights: merged controls requiring re-documentation, new controls with zero coverage, updated controls requiring evidence refresh. Produces a prioritized transition task list.

Control Attributes Matrix — all 93 controls tagged with control type, CIA properties, NIST CSF function, operational capability, and security domain. Enables attribute-based filtering for specific audit questions.

Evidence Tracker — maps each control to required evidence artifacts with owner, location, review date, and audit-ready flag.

Policy Library — 16 pre-built ISO 27001:2022-aligned policies: Information Security Policy, Acceptable Use, Access Control, Cryptography, Physical Security, Supplier Security, Incident Management, Business Continuity, Change Management, Risk Assessment, Asset Management, Human Resources Security, Secure Development, Data Classification, Monitoring, Cloud Security.

SOC 2 Crosswalk — for organizations pursuing both certifications. Maps ISO 27001:2022 Annex A controls to SOC 2 Trust Service Criteria. The overlap is substantial: ~75 of 93 Annex A controls have direct SOC 2 CC mapping. The compliance trifecta (ISO 27001 + SOC 2 + HIPAA) is the target state for healthcare B2B SaaS selling globally — this tab makes the dual-cert path explicit.

Certification Readiness Dashboard — overall ISMS maturity score, control coverage by theme, Stage 1 audit readiness indicator (documentation completeness), Stage 2 readiness indicator (operational evidence), and estimated timeline to certification.

What's included

  • Excel (.xlsx) — fully editable
  • Word (.docx) — User Guide — fully editable
  • Instant download after purchase
  • Free updates — re-download when we release new versions
  • Practitioner License: unlimited client use (vCISO / MSP)

Version: 1.0
Last updated: 2026-04-18
Workbook tabs: 20