The Shift in ISO 27001:2022
The transition to ISO/IEC 27001:2022 simplified the previous control structure, consolidating the 114 Annex A controls of the 2013 edition (spread over 14 domains) into 93 controls grouped into 4 themes. This restructure makes it easier to assign control owners and collect audit evidence across modern technology stacks.
However, the Stage 1 (documentation review) and Stage 2 (implementation audit, on site or remote) certification audits remain rigorous. Auditors will not just look at your policies; they will demand proof that each control has been executed over time.
The Four Control Domains of Annex A
Understanding the four restructured domains is essential for managing your preparation checklist:
| Theme | Control Count | Key Focus Areas | Example Controls |
|---|---|---|---|
| Organizational Controls (A.5) | 37 controls | Policies, roles, asset management, risk reviews, and supplier relationship rules. | A.5.15 (Access control), A.5.36 (Compliance with policies, rules and standards for information security) |
| People Controls (A.6) | 8 controls | Screening, onboarding, security awareness training, and remote working. | A.6.3 (Security awareness, education and training) |
| Physical Controls (A.7) | 14 controls | Perimeter security, equipment protection, facility monitoring, and storage. | A.7.2 (Physical entry), A.7.10 (Storage media) |
| Technological Controls (A.8) | 34 controls | Network security, system hardening, log monitoring, vulnerability management, and secure coding. | A.8.8 (Management of technical vulnerabilities), A.8.20 (Network security) |
Step-by-Step Audit Preparation Roadmap
Security teams should follow this roadmap in the months leading up to their certification audit:
- Establish the ISMS Scope: Clearly define the boundaries of your Information Security Management System (ISMS), identifying the physical locations, networks, and product applications in scope.
- Perform a Gap Analysis: Review all 93 controls against your current state. Document which controls are implemented, which are in progress, and which are excluded (with justification in your Statement of Applicability).
- Conduct a Risk Assessment: Map assets, identify threat vectors, and score each risk on likelihood and impact. Record these in your GRC risk register, showing clear treatment plans for high-risk items.
- Implement Policies & Procedures: Draft clear, standard-aligned operational policies for access control, cryptography, incident response, and vendor management.
- Gather Continuous Evidence: Run regular, automated security scans. A dated series of vulnerability assessment and penetration test reports proves to the auditor that your technical controls (especially under theme A.8) have been operating continuously, not just once.
Auditor Tip: One of the most common findings in Stage 2 audits is a lack of historical evidence. An auditor wants to see that you didn't just run a scanner the week before the audit. Proving that you run automated, weekly assessments across your APIs, cloud setups, and code commits shows a mature, operating ISMS.
Documenting Readiness
A structured readiness spreadsheet lets teams track progress per control, tag evidence documents to each control, and calculate compliance percentages across the organizational, people, physical, and technological themes before Stage 1 commences.
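As an added example (not code from the original page or from any particular GRC product), the following Python script implements the kind of readiness register described above. It covers the gap-analysis and Statement of Applicability step of the roadmap and the historical-evidence point in the auditor tip: it validates that exclusions carry a justification, computes per-theme implementation percentages against the 93-control baseline, and flags implemented controls whose evidence trail is stale or has holes. The CSV layout, the sample rows, and the weekly cadence with a two-day grace window are assumptions made for the example.

```python
"""Readiness-register checks for an ISO/IEC 27001:2022 Annex A gap analysis.
Added example; the register format and sample data are constructed, not real."""
import csv
import io
from collections import defaultdict
from datetime import date

# Annex A:2022 themes and their control counts, as stated in the standard.
ANNEX_A_COUNTS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
VALID_STATUSES = {"implemented", "in_progress", "excluded"}

# Constructed sample register (not real audit data). evidence_dates holds the
# dates of scan reports, review minutes, etc. tagged to the control.
SAMPLE_REGISTER = """\
control,status,justification,evidence_dates
A.5.15,implemented,,2024-01-08;2024-01-15;2024-01-22;2024-01-29
A.5.36,in_progress,,
A.6.3,implemented,,2023-11-01
A.7.2,implemented,,2024-01-10;2024-01-24
A.7.10,excluded,No removable media in scope (cloud-only workloads),
A.8.8,implemented,,2024-01-05;2024-01-12;2024-01-19;2024-01-26
A.8.20,excluded,,
"""


def parse_register(text):
    """Parse the CSV register; evidence dates become sorted date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["evidence_dates"] = sorted(
            date.fromisoformat(d) for d in row["evidence_dates"].split(";") if d
        )
        rows.append(row)
    return rows


def theme_of(control_id):
    """'A.8.20' -> 'A.8'."""
    return control_id.rsplit(".", 1)[0]


def soa_findings(rows):
    """(control, problem) pairs an auditor would raise against the SoA."""
    findings = []
    for row in rows:
        cid, status = row["control"], row["status"]
        if status not in VALID_STATUSES:
            findings.append((cid, f"unknown status {status!r}"))
        elif status == "excluded" and not row["justification"].strip():
            findings.append((cid, "excluded without SoA justification"))
        elif status == "implemented" and not row["evidence_dates"]:
            findings.append((cid, "marked implemented but no evidence tagged"))
    return findings


def theme_coverage(rows):
    """Per theme: implemented share of applicable controls, plus how many of
    the theme's Annex A controls the register never recorded at all."""
    tracked, applicable, implemented = defaultdict(int), defaultdict(int), defaultdict(int)
    for row in rows:
        theme = theme_of(row["control"])
        tracked[theme] += 1
        if row["status"] != "excluded":
            applicable[theme] += 1
        if row["status"] == "implemented":
            implemented[theme] += 1
    report = {}
    for theme, expected in ANNEX_A_COUNTS.items():
        pct = (round(100 * implemented[theme] / applicable[theme], 1)
               if applicable[theme] else None)
        report[theme] = {"implemented_pct": pct, "untracked": expected - tracked[theme]}
    return report


def evidence_gaps(rows, as_of_iso, cadence_days=7, grace_days=2):
    """Flag implemented controls whose evidence is stale or not continuous.

    A control passes only if its newest artefact is within cadence+grace days
    of as_of and no two consecutive artefacts are further apart than that."""
    as_of = date.fromisoformat(as_of_iso)
    limit = cadence_days + grace_days
    gaps = {}
    for row in rows:
        dates = row["evidence_dates"]
        if row["status"] != "implemented" or not dates:
            continue
        age = (as_of - dates[-1]).days
        if age > limit:
            gaps[row["control"]] = f"newest evidence is {age} days old"
            continue
        widest = max([(b - a).days for a, b in zip(dates, dates[1:])], default=0)
        if widest > limit:
            gaps[row["control"]] = f"{widest}-day hole in evidence trail"
    return gaps


if __name__ == "__main__":
    rows = parse_register(SAMPLE_REGISTER)
    print("SoA findings:", soa_findings(rows))
    print("Coverage:", theme_coverage(rows))
    print("Evidence gaps:", evidence_gaps(rows, "2024-02-01"))
```

On the sample data the script raises one SoA finding (A.8.20 is excluded with no justification), reports that A.5 is only 50% implemented while 35 of its 37 controls were never recorded at all, and flags A.6.3 (single artefact, 92 days old) and A.7.2 (a 14-day hole between weekly artefacts). The "untracked" count is deliberately separate from the percentage: a high implementation percentage over a handful of recorded controls is exactly the false comfort a Stage 2 auditor will see through.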