Security · 3 min read · Yair Knijn

Operating an ISMS under ISO 27001:2022 after the 2025 transition

With the October 2025 deadline passed, certified organisations must demonstrate the 93 Annex A controls across four themes rather than the prior 14 domains.

The three-year transition period for ISO/IEC 27001:2022 ended on 31 October 2025. Certificates issued against the 2013 edition are no longer valid. Surveillance and recertification audits now assess the 2022 version exclusively.

Annex A structural changes

The 2013 edition organised 114 controls into 14 domains. The 2022 edition contains 93 controls grouped under four themes: organisational (37 controls), people (8), physical (14), and technological (34). Eleven controls are new. Fifty-seven controls from the prior edition were merged into fewer statements. Three controls were removed. The remaining controls received updated wording to reflect current practice.

The four-theme structure removes some artificial boundaries that existed between domains. Access control, for example, now appears in both organisational and technological sections, which matches how most cloud platforms implement the controls in practice.

New controls relevant to cloud SaaS

Several additions address areas that were only implicit before. Control 5.7 on threat intelligence requires organisations to collect and analyse information about threats that are relevant to their information assets. For a multi-tenant SaaS operator this means monitoring vulnerability disclosures that affect the underlying platform components and the customer workloads running on them.

Control 5.23 addresses information security for the use of cloud services. It covers selection, contractual arrangements, and ongoing monitoring of cloud service providers. In a regulated environment the control intersects directly with DORA third-party requirements when the same cloud services support critical functions.

Control 8.9 on configuration management and 8.12 on data leakage prevention are now explicit. Both map to features that SaaS platforms already expose through infrastructure-as-code pipelines and egress controls. The standard now expects documented processes and evidence that the controls operate continuously rather than only at deployment time.

Control 8.19 on information deletion and several monitoring-related additions (8.15, 8.16) close gaps that auditors previously treated under broader logging or disposal statements.

Mapping to platform operations after transition

Organisations that completed a gap analysis before the deadline still need to maintain the Statement of Applicability against the new numbering. References in policies, procedures and audit work programmes must point to the 2022 control identifiers.

For a platform that provides certificate lifecycle automation, the relevant technological controls include key management (now under 5.31 or merged equivalents) and secure system architecture. Evidence consists of change records, key rotation logs, and the results of automated scans rather than static configuration screenshots.

Access Fabric-style controls on user provisioning, session management and privileged access map both to the organisational controls on access control (5.15-5.18) and to the technological controls on authentication and logging. Physical and people controls remain relevant for on-premises components and for staff who handle customer data.

Surveillance expectations in 2026

Auditors expect to see that the organisation reviewed its risk assessment and Statement of Applicability when the transition audit occurred, and that subsequent changes to the control environment are reflected in updated documentation. A register that simply renumbered the old 2013 controls without addressing the new requirements or the merged statements will be challenged.

Organisations that run continuous compliance tooling can export current control status against the 93 controls for each surveillance cycle. This reduces the preparation time compared with manual evidence collection against the prior structure.
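The two preceding points, keeping the Statement of Applicability on the 2022 numbering and exporting control status against the 93 controls, can be checked mechanically. The script below is an added example, not code from the post or from Spot Suite: it lints a constructed SoA CSV export (the column layout `control_id,applicable,justification` is an assumption), flags identifiers that still use the three-level 2013 form, rejects identifiers that fall outside the four-theme layout the post describes (37/8/14/34 controls under themes 5 to 8), and lists which of the 93 controls the register does not yet cover.

```python
"""Lint a Statement of Applicability export against the ISO/IEC 27001:2022 Annex A layout.

Added example; assumes a CSV export with columns control_id, applicable, justification.
"""
import csv
import io
import re

# Four themes and their control counts as described in the post (93 controls in total).
THEME_CONTROL_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
THEME_NAMES = {5: "organisational", 6: "people", 7: "physical", 8: "technological"}

# 2022 identifiers are two-level (theme.number), optionally prefixed with "A.".
CONTROL_2022 = re.compile(r"^(?:A\.)?([5-8])\.(\d{1,2})$")
# 2013 identifiers were three-level (domain.objective.control), e.g. A.9.4.1.
CONTROL_2013 = re.compile(r"^(?:A\.)?(\d{1,2})\.(\d+)\.(\d+)$")


def all_2022_ids():
    """Every valid 2022 control identifier, derived from the per-theme counts."""
    return {f"{theme}.{n}" for theme, count in THEME_CONTROL_COUNTS.items()
            for n in range(1, count + 1)}


def classify_id(raw):
    """Return ('2022', normalised id), ('2013', raw) or ('unknown', raw)."""
    value = raw.strip()
    m = CONTROL_2022.match(value)
    if m:
        theme, n = int(m.group(1)), int(m.group(2))
        if 1 <= n <= THEME_CONTROL_COUNTS[theme]:
            return "2022", f"{theme}.{n}"
        return "unknown", value  # e.g. 6.9: the people theme only has 8 controls
    if CONTROL_2013.match(value):
        return "2013", value
    return "unknown", value


def _sort_key(cid):
    return tuple(int(part) for part in cid.split("."))


def check_register(csv_text):
    """Lint an SoA export and report legacy ids, unknown ids, coverage gaps and
    excluded controls that carry no justification."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    report = {"legacy_ids": [], "unknown_ids": [], "missing_justification": [], "seen": set()}
    for row in rows:
        kind, cid = classify_id(row["control_id"])
        if kind == "2013":
            report["legacy_ids"].append(cid)
        elif kind == "unknown":
            report["unknown_ids"].append(cid)
        else:
            report["seen"].add(cid)
            # An excluded control needs a documented reason in the SoA.
            applicable = row.get("applicable", "").strip().lower()
            if applicable == "no" and not row.get("justification", "").strip():
                report["missing_justification"].append(cid)
    report["missing"] = sorted(all_2022_ids() - report["seen"], key=_sort_key)
    return report


def register_is_clean(report):
    """True only when every control is present on 2022 numbering with justifications."""
    return not (report["legacy_ids"] or report["unknown_ids"]
                or report["missing_justification"] or report["missing"])


# Constructed sample export; not a real register.
SAMPLE_SOA = """control_id,applicable,justification
5.7,yes,Threat feeds reviewed weekly by platform security
5.23,yes,Cloud provider register and contract review
8.9,yes,IaC pipeline enforces baseline configuration
8.12,no,
8.15,yes,Central log platform
A.9.4.1,yes,Carried over from the 2013 register without review
6.9,yes,Identifier outside the people theme
"""

if __name__ == "__main__":
    result = check_register(SAMPLE_SOA)
    print("legacy 2013 ids:", result["legacy_ids"])
    print("unknown ids:", result["unknown_ids"])
    print("excluded without justification:", result["missing_justification"])
    print(f"controls not yet in register: {len(result['missing'])} of 93")
    print("clean:", register_is_clean(result))
```

Run on the constructed sample, the report flags `A.9.4.1` as a 2013-style identifier, `6.9` as an identifier that does not exist under the four-theme layout, `8.12` as excluded without a justification, and 88 of the 93 controls as absent from the register; the same checks run unchanged over a full export from compliance tooling ahead of each surveillance cycle.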

See the platform components that generate artefacts for technological and organisational controls under the current edition of the standard.

Want this against your own tenant?

Spot Suite ties identity, billing, and audit to one Customer Environment, with EU data residency on request.