The 2022 revision of ISO/IEC 27001 restructured Annex A from 14 clauses down to four themes β Organizational, People, Physical, and Technological β and consolidated the control count to 93, with 11 new controls addressing areas like threat intelligence, cloud security, and data masking. If your last certification cycle was under the 2013 version, this isn't a cosmetic update; it changes how you organise your Statement of Applicability and your evidence trail.
Where to start a gap assessment
- Map your existing controls to the four themes. Organizational controls (policies, roles, supplier relationships), People controls (screening, training, remote working), Physical controls (secure areas, equipment), and Technological controls (access control, cryptography, secure development, monitoring).
- Review the new controls specifically. Threat intelligence, cloud security posture, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding are the additions most organisations haven't documented yet.
- Re-validate your risk assessment methodology. Your risk treatment plan needs to reference the updated control set, not the 2013 structure.
What auditors actually check
Certification bodies aren't grading your policy documents on prose quality β they're checking whether your documented controls match what's actually happening operationally, and whether you can produce evidence on request. The most common finding in first-time audits isn't a missing control; it's a control that exists on paper but has no evidence trail (access review logs, training completion records, incident tickets) behind it.
A realistic timeline
For an organisation with reasonable security hygiene already in place, gap assessment through to certification audit typically takes 8β16 weeks: a few weeks for gap assessment and Statement of Applicability, several weeks of control implementation and evidence collection running in parallel with day-to-day operations, then internal audit before the external certification audit. Organisations starting from close to zero should budget closer to 4β6 months.
ISO 27001 alone isn't a security program
Certification demonstrates a functioning information security management system β it doesn't replace penetration testing, red teaming, or a security leadership function. Many of the strongest security programs we work with run ISO 27001 compliance, VAPT, and a vCISO engagement in parallel, because each answers a different question: "are our controls documented and operating," "can our systems actually be broken into," and "who owns the decisions in between."
Want us to assess this risk in your own environment?
Book a free scoping call with our team.



