The Complete ISO 27001:2022 Guide
Everything a security team needs to understand the standard, plan certification, and maintain it — without hiring a consultant.
Quick reference
ISO 27001 at a glance
What it covers
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing sensitive company information — covering people, processes, and technology.
Who needs it
Any organisation handling sensitive data — especially those selling to enterprise customers, regulated sectors (finance, healthcare, government), or operating in the EU or UK, where it is increasingly a procurement prerequisite.
What changed in 2022
The 2022 update restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes. Four new controls were added covering threat intelligence, ICT readiness, web filtering, and secure coding.
How long it takes
From starting gap analysis to completing Stage 2 audit typically takes 8–12 weeks for a focused team. Scope size, existing documentation maturity, and evidence gaps are the primary drivers of timeline variation.
The standard explained
What is ISO 27001?
ISO/IEC 27001 is the leading international standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization. It defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organisation's overall risk management processes.
Unlike a prescriptive checklist, ISO 27001 is a risk-based framework. Organisations select controls from Annex A based on a documented risk assessment — meaning two certified organisations may implement different controls and both be compliant, as long as each can justify its choices.
Certification is awarded by an accredited third-party certification body after a two-stage audit. Once certified, organisations undergo annual surveillance audits and a full recertification audit every three years. Certification demonstrates to customers, partners, and regulators that information security is managed systematically — it is widely regarded as a gold standard for B2B trust.
ISO 27001 vs SOC 2 — what's the difference?
- Origin
- Standard type
- Certification
- Geography
- Scope
- Audit frequency
"Many enterprise customers — particularly in Europe — require ISO 27001 certification before signing a contract. It has become the de-facto minimum for selling to regulated industries."
Security practitioner consensus
Updated standard
The 2022 revision — what changed
ISO 27001:2022 replaced the 2013 edition. The core clauses (4–10) saw minor clarifications, but Annex A was substantially restructured to align with ISO 27002:2022.
Total controls: 93 (down from 114)
Annex A was consolidated from 114 controls across 14 domains to 93 controls across 4 themes. Many controls were merged to remove duplication.
Control themes: 4 (previously 14)
Controls now sit in 4 themes: Organisational (A.5), People (A.6), Physical (A.7), and Technological (A.8) — replacing 14 alphabetically organised domains.
Control attributes: 11 (brand new addition)
Each control now has 11 attributes (e.g. control type, cybersecurity concept, operational capabilities) enabling structured filtering and mapping.
The 4 new controls added in 2022
These controls did not exist in ISO 27001:2013 and reflect how the threat landscape evolved over the intervening decade.
- Threat intelligence: Organisations must collect, analyse, and act upon information about information security threats. This formalises threat intelligence as a mandatory discipline, not just a nice-to-have.
- ICT readiness: ICT continuity must be planned, implemented, and tested based on business continuity objectives. This bridges the gap between the ISMS and Business Continuity Management.
- Web filtering: Access to external websites must be managed to reduce exposure to malicious content. Organisations must have controls preventing access to known malicious domains.
- Secure coding: Secure coding principles must be applied to software development. This codifies OWASP-style practices — input validation, output encoding, least privilege — into the ISMS.
Control domains
Annex A at a glance
Annex A of ISO 27001:2022 contains 93 controls organised across 4 themes. Not all controls are mandatory — organisations declare which apply in their Statement of Applicability (SoA) and must justify any exclusions.
* Physical controls (A.7) require evidence from facilities management systems. AISEC supports documentation and evidence linking but cannot replace physical access control tooling.
Step by step
The certification journey
Most organisations complete initial certification in 8–12 weeks when they have executive sponsorship, a dedicated owner, and the right tooling. Here is what each phase involves.
01 Gap analysis & scoping
Weeks 1–2
Define the boundaries of your ISMS — which systems, locations, and processes are in scope. Run a gap analysis against all 93 Annex A controls to establish your baseline. Document the scope statement and get it signed off by leadership.
- Define ISMS scope: people, systems, locations, and services
- Conduct gap analysis against all 93 Annex A controls
- Document baseline scores for each control (implemented / partial / not started)
- Identify top-priority gaps and assign owners
- Get scope statement signed off by the leadership team
02 Documentation & controls implementation
Weeks 3–8
The bulk of the work: draft and publish all required policies, implement controls, and begin collecting evidence. The mandatory documentation set includes the ISMS policy, risk assessment methodology, Statement of Applicability, and risk treatment plan.
- Draft all mandatory policies: ISMS, acceptable use, access control, incident management
- Implement technical controls: MFA, logging, encryption, patch management
- Complete risk assessment using your chosen methodology (likelihood × impact)
- Produce the Statement of Applicability (SoA) with applicability rationale
- Collect and link evidence to each implemented control
03 Internal audit
Week 9
Conduct a formal internal audit of your ISMS against the full Annex A. This is a self-assessment but must be documented, with findings, corrective actions, and sign-off. It prepares you for the external audit and closes any remaining gaps.
- Plan the internal audit with defined scope, criteria, and audit team
- Test each implemented control against its evidence
- Document non-conformities and observations
- Raise corrective action plans (CAPs) for any non-conformity found
- Confirm CAPs are closed before Stage 1 external audit
04 External audit — Stage 1 & Stage 2
Weeks 10–12
The certification body conducts two audit stages. Stage 1 is a documentation review (typically remote) — auditors check that your ISMS documentation meets the standard's requirements. Stage 2 is the implementation audit — auditors verify that controls are operating effectively in practice.
- Stage 1: Auditor reviews all documentation — policies, SoA, risk register, audit records
- Stage 1 findings: any major issues must be resolved before Stage 2
- Stage 2: On-site (or remote) verification that controls operate as documented
- Auditor raises non-conformities; you provide corrective evidence within agreed timeframe
- Certification decision: certificate issued, valid for 3 years with annual surveillance
Audit readiness
Common mistakes that fail audits
Most certification failures are not caused by missing controls — they are caused by implementation gaps, evidence weaknesses, and process breakdowns that are entirely preventable. Here are the five most common.
Scope too broad — including everything
Organisations that scope their entire business often cannot collect sufficient evidence for every system. Start with a well-defined, defensible scope. You can expand after initial certification.
Policies not followed in practice
A published policy with no evidence of enforcement will fail Stage 2. Every policy must have operational evidence — access review records, training logs, incident tickets — proving it is actually followed.
No evidence trail for controls
Auditors look for evidence. Saying "we do this" is not sufficient. Screenshots, log exports, review sign-offs, and configuration outputs must be linked to each control and dated within the audit period.
Risk assessment not reviewed annually
ISO 27001 requires the risk assessment to be maintained and reviewed at planned intervals or when significant changes occur. Producing a risk register once and never updating it is a common major non-conformity.
Access reviews not documented
User access rights must be reviewed at regular intervals (typically quarterly). Many organisations perform reviews informally but keep no records — leaving them unable to demonstrate the control during audit.
How to avoid all five
The common thread across every audit failure is the same: manual, disconnected processes that produce no audit trail. AISEC addresses each failure mode directly.
AISEC platform
How AISEC accelerates ISO 27001
Purpose-built for the ISO 27001:2022 lifecycle — from initial gap analysis to continuous compliance monitoring after certification.
AI Policy Generation
90 seconds per policy
Generate audit-ready policies for all Annex A control families from a plain-language description. Claude drafts, your team reviews, AISEC tracks the approval workflow with full audit trail.
Automated Evidence Collection
10 native connectors
Pull evidence automatically from AWS Config, GitHub, Jira, Confluence, Slack, and more. Every artefact is linked to the correct control, scored for quality, and timestamped.
Instant Gap Analysis
Baseline in minutes
Get an instant baseline against all 93 controls β with AI-prioritised remediation recommendations, effort estimates, and links to policy templates for each gap.
Risk Register
5×5 likelihood/impact matrix
A working risk register — not a spreadsheet. Likelihood × impact scoring, heat-map visualisation, treatment workflow (accept/mitigate/transfer/avoid), and owner assignment.
Immutable Audit Trail
Cryptographic hash chain
Every create, update, delete, and access event is cryptographically anchored. No admin can alter or delete entries. Export a signed PDF for your certification body on demand.
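As an added illustration (not AISEC's code; the page does not describe its anchoring scheme), a minimal hash-chained audit log in Python: each record commits to its sequence number, the previous record's hash and the event itself, so verification pinpoints the first edited, deleted or reordered record. The event names and the genesis value are constructed.

```python
import hashlib
import json

# Constructed sample events of the kind an ISMS audit trail records.
SAMPLE_EVENTS = [
    {"actor": "alice", "action": "create", "object": "policy/access-control"},
    {"actor": "bob", "action": "access", "object": "risk-register"},
    {"actor": "alice", "action": "update", "object": "policy/access-control"},
    {"actor": "carol", "action": "delete", "object": "evidence/iam-review-q1"},
]
GENESIS = "0" * 64  # constructed anchor for the first record

def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Bind a record to its position and to the previous record's hash."""
    canonical = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev_hash, "event": event,
              "hash": record_hash(prev_hash, len(chain), event)}
    chain.append(record)
    return record

def build_chain(events: list) -> list:
    chain = []
    for event in events:
        append_event(chain, event)
    return chain

def verify_chain(chain: list):
    """(True, None) if intact, else (False, first bad index); any edit, deletion or reorder breaks all later hashes."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if (rec["seq"] != i or rec["prev"] != prev_hash
                or rec["hash"] != record_hash(prev_hash, i, rec["event"])):
            return False, i
        prev_hash = rec["hash"]
    return True, None

def tamper_demo() -> dict:
    """An after-the-fact edit and a silent deletion are both detected."""
    intact = build_chain(SAMPLE_EVENTS)
    edited = json.loads(json.dumps(intact))   # deep copy via JSON round-trip
    edited[1]["event"]["actor"] = "mallory"   # rewrite who read the risk register
    deleted = json.loads(json.dumps(intact))
    del deleted[2]                            # drop the policy update entirely
    return {"intact": verify_chain(intact), "edited": verify_chain(edited),
            "deleted": verify_chain(deleted)}
```

A hash chain on its own only makes tampering detectable; if an operator can rewrite the whole log, the current head hash must also be anchored somewhere that operator cannot write (a signed export, a timestamping service, or a separate ledger).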
Compliance Drift Detection
6-hour snapshots
Continuous monitoring of your compliance posture. Snapshots every 6 hours. Score alerts delivered via email, Slack, or webhook when coverage drops below your configured threshold.
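An added example, not AISEC's implementation, showing how a coverage score and a drift alert can be derived from the Statement of Applicability and the implemented / partial / not started baseline of the gap-analysis step, with regressed controls attached to each alert. Control names, status weights and the snapshot data are constructed.

```python
# Status weights (constructed): full credit for implemented, half for partial,
# matching the implemented / partial / not started baseline used in gap analysis.
WEIGHTS = {"implemented": 1.0, "partial": 0.5, "not started": 0.0}

# Constructed sample SoA entries across the four Annex A themes. Exclusions need
# a justification; an exclusion without one is itself a finding.
SOA = {
    "A.5 threat intelligence": {"applicable": True},
    "A.6 screening": {"applicable": True},
    "A.7 physical entry": {"applicable": False, "justification": "fully remote, no premises"},
    "A.8 secure coding": {"applicable": True},
    "A.8 web filtering": {"applicable": False},   # no rationale recorded
}

# Constructed 6-hourly snapshots of control status; the third loses evidence
# for screening (for example, an expired background-check record).
SNAPSHOTS = [
    {"A.5 threat intelligence": "implemented", "A.6 screening": "implemented", "A.8 secure coding": "partial"},
    {"A.5 threat intelligence": "implemented", "A.6 screening": "implemented", "A.8 secure coding": "partial"},
    {"A.5 threat intelligence": "implemented", "A.6 screening": "not started", "A.8 secure coding": "partial"},
]

def unjustified_exclusions(soa: dict) -> list:
    return [c for c, e in soa.items() if not e["applicable"] and not e.get("justification")]

def coverage(soa: dict, statuses: dict) -> float:
    """Weighted coverage over applicable controls only; a missing status counts as not started."""
    applicable = [c for c, e in soa.items() if e["applicable"]]
    if not applicable:
        return 0.0
    total = sum(WEIGHTS[statuses.get(c, "not started")] for c in applicable)
    return round(total / len(applicable), 3)

def regressions(prev: dict, cur: dict) -> list:
    """Controls whose status got worse between two snapshots."""
    return [(c, prev.get(c, "not started"), cur.get(c, "not started"))
            for c in sorted(set(prev) | set(cur))
            if WEIGHTS[cur.get(c, "not started")] < WEIGHTS[prev.get(c, "not started")]]

def drift_alerts(soa: dict, snapshots: list, threshold: float) -> list:
    """One alert per snapshot where coverage falls; crossing the threshold is flagged."""
    alerts = []
    scores = [coverage(soa, s) for s in snapshots]
    for i in range(1, len(scores)):
        if scores[i] < scores[i - 1]:
            kind = "below_threshold" if scores[i] < threshold <= scores[i - 1] else "drop"
            alerts.append((i, kind, scores[i], regressions(snapshots[i - 1], snapshots[i])))
    return alerts
```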
From gap analysis to first audit in 8–12 weeks
AISEC handles the documentation, evidence collection, and continuous monitoring — so your team can focus on building a security programme that actually works, not chasing paperwork.