ISO 27001 Implementation: A Practical Path Through the 2022 Revision
Implementing ISO/IEC 27001:2022 is not a documentation exercise. It is the construction of an Information Security Management System that produces evidence on demand. This article maps the implementation steps, the 93 Annex A controls, and the typical pitfalls.
ISO/IEC 27001:2022 became binding for new certifications in October 2025, with the transition deadline for existing certificates ending in October 2026. The 2022 revision restructures Annex A into four control themes with 93 controls, replacing the 114 controls of the 2013 version. Implementation now means more than aligning documentation. It means building an Information Security Management System that produces evidence under audit conditions on a normal Tuesday.
For German organisations, the 2022 revision also shapes how regulators view NIS-2 readiness. The NIS-2 implementation law transposes Directive (EU) 2022/2555 with the standard ISMS approach as the reference baseline. This article describes a practical implementation path, from scope decision to certification audit. Sources include the German Federal Office for Information Security (BSI), the international standard ISO/IEC 27001:2022 itself, and the corresponding guidance in ISO/IEC 27002:2022.
At a Glance
- ISO/IEC 27001:2022 reorganises Annex A into 93 controls across four themes: organisational, people, physical, and technological.
- The Statement of Applicability remains the central audit document and must justify inclusion or exclusion of every Annex A control.
- Implementation duration in mid-sized organisations typically runs between six and twelve months until the certification audit.
Scope: The First Decision That Shapes Everything
Clause 4.3 of ISO/IEC 27001:2022 requires the organisation to determine the boundaries and applicability of the Information Security Management System. The scope decision shapes effort, audit cost, and downstream contractual leverage. Two common patterns exist. The first is a full-organisation scope, recommended for organisations under 500 employees with consolidated operations. The second is a service- or location-specific scope, recommended when a single product line or data centre carries the business risk.
The scope statement must reference the clause 4.1 external and internal issues and the clause 4.2 needs and expectations of interested parties. In practice, this means a written context analysis covering regulatory drivers (NIS-2, DSGVO (GDPR), sector-specific law such as KRITIS-DachG), customer requirements, and supplier dependencies. The scope also references applicable exclusions, which the auditor will challenge.
A narrow scope is tempting but creates exposure. If customers ask for an ISO certificate to cover services beyond the certified scope, the certificate loses commercial value. A qualified information security officer normally drafts the scope statement together with executive management. The scope decision is documented and signed before any control work begins, because every later step references it.
Risk Assessment Method and Asset Register
Clause 6.1.2 of ISO/IEC 27001:2022 requires a documented information security risk assessment process. The standard does not prescribe a single method, but auditors expect repeatability and traceability. Common methods include the BSI IT-Grundschutz approach with cross-mapping to ISO, the ISO/IEC 27005 methodology, or a custom matrix-based assessment.
The asset register is the foundation. Every asset (information, system, process, supplier relationship) is identified, owned, and assessed for confidentiality, integrity, and availability. The 2022 revision aligns this approach with the four control themes. A risk is described by its source, the asset affected, the threat scenario, and the existing controls. The residual risk after controls is rated, typically on a five-by-five matrix combining likelihood and impact.
Risk treatment under clause 6.1.3 produces four options: modify, retain, avoid, or share. Each treatment decision references one or more Annex A controls, and these references feed directly into the Statement of Applicability. The risk assessment is reviewed at least annually under clause 8.2 and additionally on significant change. The clock starts on awareness. The same principle applies in ISO 27001: a new risk identified on Monday triggers a documented assessment within the operational rhythm, not at the next year-end.
The 93 Controls of Annex A:2022
Annex A of ISO/IEC 27001:2022 organises 93 controls into four themes. Organisational controls (37 controls, A.5) cover policies, roles, supplier relationships, classification, and incident management. People controls (8 controls, A.6) cover screening, employment terms, awareness, disciplinary process, and termination. Physical controls (14 controls, A.7) cover perimeter, entry, equipment protection, and clear desk policies. Technological controls (34 controls, A.8) cover access management, cryptography, secure development, logging, and network security.
Eleven controls are new in the 2022 revision, addressing modern operational reality: threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). Existing controls were merged and renumbered. The mapping between the 2013 and 2022 control sets is documented in ISO/IEC 27002:2022.
Every Annex A control is referenced in the Statement of Applicability with one of three justifications: included with reason, excluded with reason, or implemented by compensating control. Auditors examine the SoA in the first hour of a certification audit. An SoA with copy-paste justifications signals a weak risk assessment. Others run compliance like a filing cabinet. We run it like software.
Statement of Applicability and Mandatory Documents
The Statement of Applicability (SoA) under clause 6.1.3 lit. d is the central audit document. It lists every Annex A control, the inclusion or exclusion decision, the justification, and the implementation status. The SoA is signed by executive management and dated. Each material change to controls or scope triggers a revision.
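As an added example, not code from the article or from CIVAC, the following Python script ties the risk treatment passage above to the SoA requirements: it scores risks on the five-by-five matrix and checks an SoA for the defects the text names (controls missing from the SoA, empty or copy-pasted justifications, high-scoring "modify" treatments that cite no control, and treatments that cite a control the SoA excludes). Control identifiers are generated from the theme sizes given in the article; the risk register and SoA entries are constructed sample data, and the score threshold of 10 is an assumption.

```python
from collections import Counter
from dataclasses import dataclass

# Annex A:2022 theme sizes as given in the article: 37 + 8 + 14 + 34 = 93 controls
ANNEX_A = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ALL_CONTROLS = [f"{t}.{i}" for t, n in ANNEX_A.items() for i in range(1, n + 1)]


@dataclass(frozen=True)
class Risk:
    asset: str
    likelihood: int        # 1..5 on the five-by-five matrix
    impact: int            # 1..5
    treatment: str         # modify / retain / avoid / share (clause 6.1.3)
    controls: tuple = ()   # Annex A references that justify the treatment

    def score(self) -> int:
        return self.likelihood * self.impact  # residual rating, 1..25


def check_soa(soa: dict, risks: list, threshold: int = 10) -> list:
    """Return audit-style findings for an SoA {control: (decision, justification)}."""
    findings = []
    missing = sorted(set(ALL_CONTROLS) - set(soa))
    if missing:
        findings.append(f"{len(missing)} of 93 controls absent from SoA, e.g. {missing[:3]}")
    for ctrl, (decision, just) in soa.items():
        if not just.strip():
            findings.append(f"{ctrl}: missing justification")
    for just, n in Counter(j for _, j in soa.values()).items():
        if n > 1 and just.strip():  # identical text on several controls: copy-paste signal
            findings.append(f"justification reused on {n} controls: '{just}'")
    for r in risks:
        if r.treatment == "modify" and r.score() >= threshold and not r.controls:
            findings.append(f"{r.asset}: score {r.score()} modified without any control reference")
        for c in r.controls:
            if soa.get(c, ("excluded", ""))[0] == "excluded":
                findings.append(f"{r.asset}: treatment cites {c} but the SoA excludes it")
    return findings


# Constructed sample: every control included with its own reason, then three deliberate defects
SAMPLE_SOA = {c: ("included", f"supports treatment of risks touching {c}") for c in ALL_CONTROLS}
SAMPLE_SOA["A.7.4"] = ("excluded", "no physical premises in scope")
SAMPLE_SOA["A.7.1"] = ("excluded", "no physical premises in scope")  # same text twice
SAMPLE_SOA["A.8.28"] = ("included", "")                              # no justification
SAMPLE_RISKS = [
    Risk("customer database", 4, 5, "modify", ("A.8.5", "A.8.15")),
    Risk("build server", 4, 4, "modify"),              # high score, no control cited
    Risk("office CCTV", 2, 2, "modify", ("A.7.4",)),   # cites an excluded control
]
```

Running `check_soa(SAMPLE_SOA, SAMPLE_RISKS)` yields four findings, one per constructed defect; an empty SoA is reported as 93 absent controls.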
Beyond the SoA, ISO/IEC 27001:2022 requires several documented information items. Scope (4.3), information security policy (5.2), risk assessment and treatment methodology and results (6.1.2, 6.1.3, 8.2, 8.3), information security objectives and plans (6.2), competence evidence (7.2), operational planning and control (8.1), monitoring and measurement results (9.1), internal audit programme and results (9.2), management review results (9.3), nonconformities and corrective actions (10.1).
Each Annex A control may add further documentation, for example asset inventories (A.5.9), classification scheme (A.5.12), supplier register (A.5.19), access control policy (A.5.15), cryptographic policy (A.8.24), and backup policy (A.8.13). The total document set typically runs 30 to 60 documents in mid-sized organisations. The FAQ on ISMS documentation shows typical document hierarchies and version control patterns that survive auditor scrutiny.
Awareness, Competence, and Roles
Clause 7.2 of ISO/IEC 27001:2022 requires competence evidence for all persons whose work affects information security performance. In practice, this means role-specific training plans with documented completion. Generic annual e-learning is insufficient. Auditors expect role-based content: developers receive secure coding training, system administrators receive hardening and patch management training, executives receive risk decision training.
Clause 7.3 covers awareness. All employees must be aware of the information security policy, their contribution to ISMS effectiveness, and the implications of nonconformity. Awareness is evidenced through annual campaigns, phishing simulations, and acknowledgment records. The 2022 revision strengthens this through Annex A.6.3 information security awareness, education and training.
Roles are formally assigned. The information security officer reports to executive management without conflict of interest. Risk owners are named for each material risk. Asset owners are named for each major asset class. The data protection officer remains a separate function under Art. 37 GDPR but cooperates closely. Appointment certificate: signed, filed, provable. Every formal role appointment is documented in writing with scope, authority, and reporting line. A signed appointment register is examined in stage one audits.
Internal Audit and Management Review
Clause 9.2 of ISO/IEC 27001:2022 requires internal audits at planned intervals to determine whether the ISMS conforms to the organisation's own requirements and to the requirements of the standard, and whether it is effectively implemented and maintained. A typical programme covers all clauses and all Annex A controls within a three-year cycle, with high-risk areas audited annually.
Internal auditors must be independent of the audited area. In small organisations, this is achieved through cross-departmental rotation, external co-auditors, or audit pools across affiliated entities. The audit programme is documented, signed, and reviewed. Findings are tracked through clause 10.1 corrective action with root cause analysis. Closure requires evidence, not just a declaration. The auditor calls, and the evidence is ready.
Clause 9.3 management review is held at planned intervals, at least annually. The agenda is mandated: status of previous actions, changes in external and internal issues, feedback on ISMS performance, feedback from interested parties, results of risk assessment and treatment, opportunities for continual improvement. Management review minutes are signed and form a core audit document. A management review that consists of a 30-minute slot once a year produces visible weakness in the certification audit. The proper rhythm is quarterly operational review plus annual strategic review.
Certification Audit: Stage One and Stage Two
The certification audit follows ISO/IEC 17021-1. Stage one is the documentation audit. The auditor reviews scope, SoA, policies, and risk assessment. Stage one identifies major gaps before stage two and produces a stage one report with findings. Common stage one findings include incomplete SoA, missing internal audit cycle, and inadequate management review records.
Stage two is the on-site implementation audit, typically scheduled six to twelve weeks after stage one. The auditor samples controls, interviews role holders, and verifies evidence. Sample size depends on organisation size and risk profile. The audit duration follows IAF MD 5 with a defined minimum audit time per employee headcount.
Nonconformities are classified as minor or major. Minor nonconformities allow certification subject to a corrective action plan, usually within 90 days. Major nonconformities prevent certification until evidence of effective correction is provided, usually requiring an additional audit. The certificate is issued for three years with annual surveillance audits and a recertification audit before expiry. Mid-cycle scope changes require an extension audit. The 2022 transition runs until October 2026, after which certificates against the 2013 version lose validity. Audit-proof, documented, aligned to ISO 27001:2022: that is the bar the organisation must clear in the audit.
Cost, Duration, and Common Implementation Pitfalls
Implementation duration in mid-sized organisations runs six to twelve months from kick-off to stage two. Smaller organisations with focused scope and prior security maturity reach certification in four to six months. Larger organisations with multi-site scope require twelve to eighteen months. Cost varies with scope, prior maturity, and the choice between external consultant support and internal build.
Common pitfalls fall into five categories. First, scope drift, where the certified scope no longer matches commercial reality. Second, copy-paste documentation that fails to reflect actual processes. Third, risk assessment without traceable methodology, producing a SoA that auditors cannot verify. Fourth, internal audit programmes that do not cover all controls within the three-year cycle. Fifth, management reviews that lack mandated agenda items.
Beyond these, three operational issues recur. Supplier audits (A.5.19, A.5.20, A.5.21) require evidence of supplier risk assessment and contractual obligations. Many organisations have contracts but no evidence of periodic supplier review. Patch management and vulnerability management (A.8.8) require documented timelines per criticality, not just a tool. Logging and monitoring (A.8.15, A.8.16) require defined log scope, retention, and review cadence. Auditors test these areas first because they often reveal systemic gaps. German organisations should also note the BSI cross-reference between ISO/IEC 27001 and IT-Grundschutz when public sector contracts are involved.
Implementation Through a Platform: Workspace or Officer-as-a-Service
ISO/IEC 27001:2022 implementation can be done with spreadsheets and document folders. It often is, in the first year. The collapse usually arrives in year two, when surveillance audits require evidence of operation, not just existence. Versioning, finding tracking, evidence retention, supplier review cycles, and audit programme management overwhelm informal tools.
CIVAC is a compliance platform and Officer-as-a-Service. The Workspace covers all 93 Annex A controls with prepared policy templates, risk register, asset register, supplier register, internal audit programme, management review structure, and evidence collection. 37 ready-to-use audit templates align with the standard requirements. Data is held with EU data residency, the ISMS itself is certified to ISO/IEC 27001:2022, and the operational platform produces NIS-2 24h/72h reporting trails. License the Workspace for your internal officers, or have our officers appointed. In the second model, the appointment certificate (Bestellurkunde) is issued within two working days, and an external information security officer drives risk assessment, internal audit, supplier review, and stage two preparation. German legal references such as § 8a BSIG and § 75c SGB V remain valid in English-language operations and are tracked in the platform.
Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. You receive a scope assessment and a recommendation on whether internal build, external officer, or hybrid model fits your maturity and timeline.
FAQ
How long does an ISO 27001:2022 implementation typically take?
Six to twelve months in mid-sized organisations with focused scope. Smaller organisations reach certification in four to six months when prior security maturity exists. Larger or multi-site organisations need twelve to eighteen months due to coordination overhead and broader internal audit programmes.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
Annex A is restructured into four themes with 93 controls instead of 114. Eleven controls are new, addressing cloud, threat intelligence, configuration management, secure coding, and data leakage prevention. The main clauses see minor updates. Transition deadline is October 2026.
Is ISO 27001 mandatory for NIS-2 compliance?
Not formally mandatory, but the German NIS-2 implementation law and BSI guidance treat ISO 27001 as the reference baseline for the required risk management measures. Most regulators accept an ISO 27001 certificate as evidence of fundamental compliance, subject to NIS-2-specific reporting obligations.
Can a Statement of Applicability exclude controls?
Yes, exclusions are explicitly allowed when a control is not applicable to the scope. The exclusion must be justified in writing, typically by reference to the absence of the relevant asset or activity. Auditors verify the justification and may challenge weak reasoning.
Who can appoint an information security officer?
Executive management appoints the information security officer in writing. The appointment specifies scope, authority, reporting line, and conflict-of-interest safeguards. The role must be independent of the operational IT line where feasible. External officers are accepted by certification bodies under contractual appointment.
How often must internal audits cover all controls?
Once within a three-year cycle, with high-risk areas covered annually. The internal audit programme is documented, risk-based, and signed by management. Auditor independence is required. External co-auditors are common in smaller organisations to satisfy independence.
Turn this article into a mandate.
We take on the operational burden: an external officer, templates, and documentation in one Workspace. No obligation.