BIPI

ISO 27001:2022 Audit Readiness Checklist — Annex A Controls Mapping, Evidence Collection and Common Gaps

Compliance

The 2022 revision of ISO 27001 added 11 new controls and reorganized Annex A from 114 to 93 controls. If your ISMS was certified under the 2013 version, the transition deadline has passed. This practical checklist covers evidence collection, the most common audit findings, and the controls that trip up even prepared teams.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 9, 2025 · 12 min read

#iso-27001 #compliance #audit #isms #information-security

ISO/IEC 27001:2022 became the mandatory version for new certifications in October 2023. The transition deadline for organizations certified under the 2013 version was October 2025. Any organization still on 27001:2013 in late 2025 is technically lapsed. The 2022 revision is not cosmetic — it reflects a decade of threat landscape change, adding controls for cloud security, threat intelligence, data masking, and information deletion that the 2013 version lacked entirely.

Audit readiness for 27001:2022 is a different exercise from 2013 readiness. Certification bodies report that the new controls — particularly those addressing supply chain security, monitoring activities, and physical security of cloud environments — are the most frequent source of nonconformities in initial assessments.

  • 93: Annex A controls in ISO 27001:2022, down from 114 in 2013 but with 11 entirely new controls
  • 68%: of transition audits in 2024 found at least one major nonconformity in the new threat intelligence control A.5.7
  • Oct 2025: transition deadline; all certified organizations should be on the 2022 version by this date
The 11 new controls in 27001:2022 are not administrative additions. They address real threat vectors — threat intelligence, cloud security, secure coding, data masking — that organizations cannot wave through with a policy document.

Structure of Annex A in 2022

The 2022 revision reorganizes Annex A into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The old 14-domain structure is gone. Auditors now assess controls within these themes, and the Statement of Applicability must reflect the new numbering. If your SoA still references the 2013 control numbers, update it before the assessment.

The 11 new controls — what evidence auditors expect

  • A.5.7 Threat intelligence — documented threat intelligence program, at least one intelligence feed, evidence of intelligence informing risk assessments or detection rules.
  • A.5.23 Information security for use of cloud services — cloud security policy, CSP evaluation criteria, contractual obligations documented.
  • A.5.30 ICT readiness for business continuity — BCP specifically addressing IT systems, recovery time and point objectives tested.
  • A.7.4 Physical security monitoring — visitor logs, CCTV review records, physical access audit reports.
  • A.8.9 Configuration management — automated configuration baseline tooling, evidence of drift detection.
  • A.8.10 Information deletion — data retention schedule, evidence of secure deletion at end of retention period.
  • A.8.11 Data masking — masking implemented in non-production environments, documented in data classification policy.
  • A.8.12 Data leakage prevention — DLP tool deployed, policy rules documented, incident log showing DLP detections.
  • A.8.16 Monitoring activities — SIEM deployment evidence, alerting thresholds, response procedures.
  • A.8.23 Web filtering — web proxy policy, evidence of enforcement, exception process.
  • A.8.28 Secure coding — SSDLC policy, SAST/DAST tooling evidence, code review records.

Evidence collection — what auditors actually look at

ISO 27001 audits are evidence-based. The auditor will not accept a policy document as proof of implementation. For each control, you need an artifact that demonstrates the control is operating. Common evidence types include: tool configuration exports, system-generated reports, change management tickets, training completion records, meeting minutes, and incident logs.

Build an evidence library mapped to each control. For each control, record: the control number, the implementing measure, the evidence artifact, the artifact owner, and the last review date. Auditors often request evidence going back 6 to 12 months. Do not try to collect evidence in the week before the assessment.

Common audit nonconformities in 2025

  1. Threat intelligence A.5.7 — having a subscription to a threat feed is not enough; you must demonstrate it influenced a security decision.
  2. Configuration management A.8.9 — manual configuration records accepted by previous auditors are now insufficient; automated baseline tooling is expected.
  3. Secure coding A.8.28 — SAST tool deployed in CI/CD but findings are not being remediated; open critical findings with no remediation plan constitute a nonconformity.
  4. Supplier relationships — supplier risk assessments not updated when suppliers change subcontractors.
  5. Information deletion A.8.10 — retention schedules exist but no evidence of actual deletion being performed.
  6. Internal audits — audit scope too narrow; not covering all ISMS-in-scope systems.

Clause 6 — risk treatment plan alignment

The risk treatment plan must align with Annex A controls. Every risk that is being treated by an Annex A control must reference that control in the risk treatment plan. Every Annex A control in the SoA that is marked as applicable must have a corresponding risk in the risk register that justifies its inclusion. Auditors will cross-reference these documents and will raise nonconformities for orphaned controls or unsupported inclusions.

Statement of Applicability for 2022

The SoA must list all 93 Annex A controls, mark each as applicable or not applicable, provide a justification for exclusions, and reference the implementing measure for each applicable control. Many organizations add a column for the risk register reference and evidence artifact. Auditors appreciate the SoA as a navigation document — the more useful it is as a control map, the more confidence it builds.
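The cross-reference an auditor performs between the risk treatment plan and the SoA (described in this section and the Clause 6 section above), as an added example that is not from the original post: it flags applicable controls no risk justifies, risks that point at excluded or unlisted controls, exclusions without a justification, and applicable controls without an implementing measure, run over constructed sample data. The dataclass layout, the finding names and the sample rows are assumptions; only the control numbers are real Annex A numbers.

```python
from dataclasses import dataclass, field
ANNEX_A_CONTROL_COUNT = 93  # ISO 27001:2022 Annex A

@dataclass
class SoaEntry:
    control: str             # Annex A control number, e.g. "A.5.7"
    applicable: bool
    justification: str = ""  # required for every excluded control
    measure: str = ""        # implementing measure, required when applicable

@dataclass
class Risk:
    risk_id: str
    treating_controls: list = field(default_factory=list)

def cross_check(soa, risks):
    """Mismatches an auditor raises when cross-referencing SoA and risk plan."""
    by_ctrl = {e.control: e for e in soa}
    referenced = {c for r in risks for c in r.treating_controls}
    return {
        # applicable control that no risk in the register justifies
        "orphaned_control": sorted(
            c for c, e in by_ctrl.items() if e.applicable and c not in referenced),
        # risk treated by a control that is excluded or missing from the SoA
        "unsupported_reference": sorted(
            c for c in referenced if c not in by_ctrl or not by_ctrl[c].applicable),
        "exclusion_without_justification": sorted(
            c for c, e in by_ctrl.items() if not e.applicable and not e.justification.strip()),
        "applicable_without_measure": sorted(
            c for c, e in by_ctrl.items() if e.applicable and not e.measure.strip()),
    }

def soa_is_complete(soa):
    """True when the SoA lists every Annex A control exactly once."""
    controls = [e.control for e in soa]
    return len(controls) == len(set(controls)) == ANNEX_A_CONTROL_COUNT

# Constructed sample data: a deliberately incomplete SoA. Control numbers are
# real Annex A numbers; measures and risk IDs are illustrative.
SOA = [
    SoaEntry("A.5.7", True, measure="Threat feed reviewed at monthly risk meeting"),
    SoaEntry("A.8.9", True, measure="Config baseline tooling with drift alerts"),
    SoaEntry("A.8.11", False, justification="No personal data in non-production"),
    SoaEntry("A.8.23", False),             # excluded without justification
    SoaEntry("A.8.28", True),              # applicable without a measure
]
RISKS = [
    Risk("R-01", ["A.5.7"]),
    Risk("R-02", ["A.8.28", "A.8.11"]),    # A.8.11 is excluded in the SoA
    Risk("R-03", ["A.8.16"]),              # A.8.16 is missing from the SoA
]
```

Running `cross_check(SOA, RISKS)` on the sample data reports A.8.9 as orphaned, A.8.11 and A.8.16 as unsupported references, A.8.23 as an unjustified exclusion and A.8.28 as applicable without a measure; the real SoA should feed the same check from its exported rows.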

Closing

ISO 27001:2022 certification is achievable for organizations that treat it as an operational program, not a documentation exercise. The new controls are not bureaucratic additions — they map directly to the threats organizations face in 2025. Build your evidence library continuously, run internal audits with teeth, and do not wait for a certification audit to discover that your threat intelligence feed never informed a security decision.
