Blog

ISO/IEC 27001:2022 Certification: Protecting Your Information Assets

How to build, certify, and maintain an Information Security Management System that meets the 2022 standard.

← Back to Blog
Published 3 December 2025 · BCERT Editorial Team · 8 min read

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). The most recent version — ISO/IEC 27001:2022 — provides a structured framework that helps organisations identify information security risks, implement appropriate controls, and demonstrate to customers, partners, and regulators that their information assets are protected. Certification is increasingly required in supply chains, public procurement, and regulated sectors including finance, healthcare, and cloud services.

What Is an ISMS and What Does ISO 27001 Require?

An Information Security Management System is a documented framework of policies, processes, procedures, and controls that manage information security risks systematically. ISO 27001 requires organisations to:

  • Define the scope of the ISMS and the context in which it operates
  • Identify and assess information security risks using a repeatable methodology
  • Select appropriate controls from Annex A (or beyond) to treat risks to an acceptable level
  • Produce a Statement of Applicability (SoA) documenting which controls apply and why
  • Set measurable information security objectives and track performance
  • Conduct regular internal audits and management reviews
  • Manage nonconformities and drive continual improvement

Annex A Controls and the Statement of Applicability

The 2022 version restructured Annex A from 114 controls in 14 domains (2013 version) to 93 controls across 4 themes: Organisational (37 controls), People (8), Physical (14), and Technological (34). Eleven new controls were introduced, addressing areas such as threat intelligence, cloud security, data leakage prevention, and secure coding.

The Statement of Applicability is one of the most scrutinised documents during certification. For each control, the SoA must record: whether the control is applicable, the justification for inclusion or exclusion, and the implementation status. Auditors use the SoA as a roadmap for the Stage 2 audit, so it must accurately reflect your risk treatment decisions.

Risk Assessment: The Foundation of ISO 27001

ISO 27001 is fundamentally risk-driven. The standard does not prescribe a specific methodology, but your approach must be consistent and produce comparable results. Most organisations use an asset-based or scenario-based approach:

  • Identify assets: Information, systems, processes, and supporting assets within scope.
  • Identify threats and vulnerabilities: What could go wrong, and what weaknesses exist?
  • Assess likelihood and impact: Score or categorise each risk using a defined scale.
  • Determine risk treatment: Accept, avoid, transfer, or mitigate — and link mitigations to Annex A controls.

Your risk assessment must be reviewed at planned intervals and whenever significant changes occur — such as adopting new technology, entering new markets, or responding to a security incident.

ISO 27001:2013 vs 2022: Key Differences

If your organisation holds a 2013 certificate, the transition deadline of 31 October 2025 has now passed. Certificates not transitioned are no longer valid. The key changes in the 2022 version are:

  • Annex A restructured from 14 domains to 4 themes
  • 11 new controls reflecting modern threats (cloud, DLP, threat intelligence)
  • New Clause 6.3 on planning changes to the ISMS
  • Annex A controls now carry informative attributes (control type, security properties, cybersecurity concepts)
  • Explicit acknowledgement that Annex A is a reference list — additional controls may be needed

For new certifications, all organisations must certify against the 2022 version. The transition involves updating your SoA, risk treatment plan, and addressing the new controls — typically a manageable exercise for a mature ISMS.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to begin your ISO 27001 certification.

Apply for Certification →