ISO 27001:2022 transition in 90 days — a Lead Auditor's plan.

How to absorb the 11 new Annex A controls and re-map your SoA without restarting the ISMS.

Author: Anil Sahore, Lead Auditor · Published: May 2026 · Read time: 6 min · Format: Playbook
Tags: ISO/IEC 27001, Playbook, ISO 27001, Audit
MAST Consulting Group · ISO/IEC 27001 practice

This playbook captures the sequence MAST Consulting Group uses on ISO/IEC 27001 engagements when a programme owner has roughly 90 days to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

ISO/IEC 27001:2022 replaces the 2013 edition, restructuring Annex A from 114 controls across 14 domains to 93 controls across 4 themes, introducing 11 net-new controls (e.g., A.5.7 Threat intelligence, A.8.8 Management of technical vulnerabilities, A.5.23 Information security for cloud services). Transition requires existing certified organisations to update their Statement of Applicability (SoA), risk treatment plan, and ISMS documentation to the 2022 control set before the October 2025 IAF deadline.

Why it matters

The pressure on ISO/IEC 27001 programmes is shifting in specific, observable ways:

  • Certification bodies (BSI, Bureau Veritas, SGS) stopped issuing ISO 27001:2013 certificates after October 2023; Gulf and Indian enterprise procurement teams now reject 2013-edition certificates in RFPs.
  • UAEIIA and SAMA-regulated entities referencing ISO 27001 in their control frameworks must align to the 2022 edition to satisfy NCA ECC-1 mapping requirements updated in 2024.
  • The 11 new controls cover cloud (A.5.23), threat intelligence (A.5.7) and data masking (A.8.11) — gaps that external auditors will specifically test in Stage 2 from 2024 onwards.
  • Failure to transition before the October 2025 deadline automatically suspends certification, invalidating contractual compliance representations and triggering cure clauses in enterprise SaaS contracts worth AED 500K–5M.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • SoA spreadsheet v2022 — columns for control ID, applicability decision, justification for exclusion, and link to implementing policy (Word/Confluence)
  • Risk Treatment Plan (RTP) — control owner, residual risk score (1–25 matrix), acceptance sign-off date, mapped to 2022 Annex A IDs
  • Jira epic/story tickets — tagged 'ISO27001-2022-gap' with assignee, due date and closure evidence attachment
  • Internal audit report — clause 9.2, listing controls sampled, nonconformity reference numbers and corrective action due dates
  • Management Review minutes — clause 9.3, signed by CISO/DPO, recording SoA version reviewed and transition milestone status

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: ISMS Manager performs clause-by-clause gap analysis mapping existing SoA (2013) to Annex A:2022 using the ISO mapping table; flags all 11 new controls as 'applicable/not applicable' with written justification.
  • Day 31–60: Control owners draft or update policies for A.5.7 (threat intelligence feed subscription, e.g. MISP or Recorded Future), A.5.23 (cloud security policy) and A.8.11 (data masking procedure), and submit evidence artefacts.
  • Day 61–90: Internal Auditor conducts a mini Stage 1 readiness review against the updated SoA; ISMS Manager closes all Major NCs before submitting transition audit application to CB.
  • Day 90+: Certification Body conducts transition audit (Stage 2 or surveillance); ISMS Manager files updated SoA v2022 and revised RTP with the CB 15 days prior.
  • Ongoing: ISMS Manager reviews SoA applicability decisions at each annual management review (clause 9.3); threat intelligence control (A.5.7) reviewed quarterly against new MITRE ATT&CK updates.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • SoA coverage: 100% of 93 Annex A:2022 controls documented with applicability decision before Day 30
  • Gap closure rate: ≥90% of identified gaps resolved within 60 days of gap analysis completion
  • Internal audit nonconformities: 0 Majors, ≤5 Minors at transition readiness review
  • Transition audit duration: 3–6 audit-days for organisations with 50–500 in-scope staff
  • Time-to-certificate reissuance: 45–90 days from transition audit application submission to certificate delivery

A 90-day working plan

MAST Consulting Group runs this ISO/IEC 27001 work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against Clauses 4–10. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through risk treatment plan and management review minutes as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and pre-clear them with enterprise customers running vendor assurance. Document the rationale; ISO/IEC 27001 reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into a spreadsheet-based SoA where a GRC tool would be overhead, and into Jira / ServiceNow for nonconformity tracking. A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's ISO/IEC 27001 portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: asset inventory that does not reconcile to the risk register.
  • Pattern: management review minutes that skip the required inputs in Clause 9.3.2.
  • Pattern: scope statement that excludes a customer-facing platform.
  • Pattern: SoA justifications that copy the control text.

What good looks like, in every case: the same control evidenced inside the workflow it governs, not separately for the audit.
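The SoA columns listed under evidence sources, the Day-30 coverage metric and the copied-justification pitfall above can be checked mechanically before the internal auditor samples the spreadsheet. The script below is an added example written for this playbook, not MAST's tooling: the control subset and the SoA rows are constructed, and a real run would pass the full 93-control list and the exported SoA.

```python
"""Validate an ISO 27001:2022 SoA extract and compute the playbook's coverage metric.
Added example; control subset and SoA rows below are constructed, not a client's data."""
import csv
import io
import re

# Constructed subset of Annex A:2022 control IDs and titles. A real run supplies all 93.
EXPECTED_CONTROLS = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for cloud services",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.11": "Data masking",
}

# Constructed SoA rows using the column set from the evidence-sources list.
SOA_CSV = """control_id,applicable,justification,policy_link
A.5.7,Yes,Threat intelligence,
A.5.23,Yes,Workloads run in two public-cloud tenants; cloud security policy governs them,https://confluence.example/cloud-policy
A.8.11,No,,
"""

def _normalise(text):
    """Lower-case and strip punctuation so a pasted control title still matches."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()

def validate_soa(csv_text, expected):
    """Return (coverage_pct, findings). A control counts as covered only when its
    applicability decision is recorded and its justification is substantive."""
    rows = {r["control_id"].strip(): r for r in csv.DictReader(io.StringIO(csv_text))}
    findings, covered = [], 0
    for cid, title in expected.items():
        row = rows.get(cid)
        if row is None:
            findings.append(f"{cid}: missing from SoA")
            continue
        decision = row["applicable"].strip().lower()
        just = row["justification"].strip()
        if decision not in ("yes", "no"):
            findings.append(f"{cid}: applicability decision must be Yes/No, got {row['applicable']!r}")
        elif not just:  # included and excluded controls both need a written justification
            findings.append(f"{cid}: no justification recorded")
        elif _normalise(just) == _normalise(title):  # the copied-control-text pitfall
            findings.append(f"{cid}: justification merely repeats the control title")
        elif decision == "yes" and not row["policy_link"].strip():
            findings.append(f"{cid}: applicable but no implementing policy linked")
        else:
            covered += 1
    return round(100 * covered / len(expected), 1), findings
```

Run against the full control list on Day 30, anything below 100% with an empty findings list is the gap the metric is meant to expose.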

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on ISO/IEC 27001 engagements because the integrations are cheap and the evidence is defensible:

  • Spreadsheet-based SoA where a GRC tool would be overhead
  • Jira / ServiceNow for nonconformity tracking
  • Entra / Okta for access evidence

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs ISO/IEC 27001 programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for ISO/IEC 27001 programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.

ISO 27001 readiness

Get certification-ready in 12–16 weeks.

Our Lead Auditors will scope your ISMS, run a gap assessment against ISO 27001:2022, and deliver a fixed-fee implementation plan.

  • Free 30-minute scoping call with a Lead Auditor
  • Gap assessment mapped to all 93 Annex A controls
  • Stage 1 + Stage 2 audit support included

Prefer email? info@mastcgroup.com
