Your team has spent two years building an information security management system. You have policies, risk registers, access controls, and an incident response runbook that actually works. Now your largest customer wants ISO 27001:2022 certification by the next audit cycle, and someone has handed you a spreadsheet listing the 93 Annex A controls and expects you to start from zero.
You shouldn't. The 2022 revision restructured controls — it didn't reinvent them. The challenge isn't building new processes; it's mapping what you already operate to the new Annex A taxonomy without creating duplicate evidence, parallel registers, or pointless committee meetings.
Our consultants have run this exercise across UK financial services, SaaS, and managed service firms transitioning from the 2013 version or starting fresh with mature security operations already in place. Here's how to do it properly.
What Actually Changed in the 2022 Revision
ISO/IEC 27001:2022 was published in October 2022. The transition deadline for organisations holding 2013 certificates expired on 31 October 2025, so every organisation that is still certified has now moved to the 2022 edition. The control count dropped from 114 to 93, reorganised into four themes instead of fourteen domains:
- Organisational controls (37) — governance, supplier management, threat intelligence, cloud services
- People controls (8) — screening, awareness, remote working
- Physical controls (14) — facilities, equipment, secure disposal
- Technological controls (34) — access, cryptography, secure development, monitoring
Eleven controls are genuinely new, including threat intelligence (A.5.7), information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), data masking (A.8.11), data leakage prevention (A.8.12) and secure coding (A.8.28). Of the 2013 controls, 57 were consolidated into 24, and the remaining 58 were carried over with updated wording. Those 82 map cleanly to what you already do; the eleven new ones are the only controls that need fresh thought.
Why the Mapping Approach Matters Now
If you're pursuing certification in 2026, your certification body will assess against the 2022 standard only. But the operational pressure is heavier than that. UK financial firms operating under the FCA's PS21/3 operational resilience requirements already evidence many of the new controls — particularly business continuity, third-party risk, and incident management. For firms with EU exposure subject to DORA (which applied from 17 January 2025), the overlap with Annex A organisational controls is substantial.
The mistake is treating ISO 27001:2022 as a separate compliance track. It isn't. It's the connective tissue between your existing obligations.
The Practical Mapping Method
Our team uses a four-stage approach when mapping Annex A controls for clients with existing security work in place.
Stage 1: Inventory what you already operate
Before touching the Annex A list, document every control activity you currently perform, regardless of which framework drove it: Cyber Essentials Plus controls, SOC 2 controls, UK GDPR Article 30 records of processing activities, FCA operational resilience self-assessments, internal audit findings. Each one is evidence you can reuse.
Stage 2: Map evidence to controls, not controls to controls
Don't map "ISO 27001:2013 A.9.2.1" to "ISO 27001:2022 A.5.16." Map your actual joiner-mover-leaver process to A.5.16 (identity management). The unit of mapping is the evidence artefact — the documented procedure, the system log, the access review report — not the old clause number. This stops you carrying forward gaps from the 2013 implementation.
Stage 3: Apply the attributes
Annex A in the 2022 standard tags every control with five attributes: control type (preventive, detective, corrective), information security properties (confidentiality, integrity, availability), cybersecurity concepts (identify, protect, detect, respond, recover), operational capabilities and security domains. Use them to filter your Statement of Applicability. If a control's cybersecurity concept is Detect and your only detection capability is endpoint AV, that's a gap; flag it now, not at the certification body's Stage 2 audit.
Stage 4: Address the eleven new controls deliberately
The new controls are where most certification delays happen. Threat intelligence (A.5.7) doesn't require a commercial feed — a documented process for consuming NCSC advisories and CISA alerts and acting on them is sufficient. Data leakage prevention (A.8.12) doesn't require a DLP product if your data classification and egress controls are documented and tested. Be specific about how you implement each one and what evidence proves it.
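The four stages above reduce to a small amount of bookkeeping once the evidence inventory exists. The script below is an added illustration, not Pyralink's tooling or anything from the standard: it inverts an evidence inventory into a control-to-artefact index (Stage 2), filters unevidenced controls by the cybersecurity-concept attribute (Stage 3), drafts SoA rows that refuse an exclusion without a written justification, and reports which artefacts already serve another framework. The artefacts are constructed, and the per-control attribute values are illustrative assumptions that must be checked against your own copy of Annex A.

```python
"""Evidence-first Annex A mapping: a toy model of the four-stage method.

Added example. The evidence artefacts are constructed, and the per-control
attribute values are assumptions for illustration; verify them against your
own copy of ISO/IEC 27001:2022 Annex A before relying on them.
"""
from collections import defaultdict

# Stage 1: inventory what is already operated. Each artefact records the
# frameworks it already satisfies and the Annex A controls it evidences.
EVIDENCE = [
    {"id": "EV-01", "name": "JML procedure and quarterly access review report",
     "frameworks": {"SOC2", "CyberEssentials"}, "controls": {"A.5.16", "A.5.18"}},
    {"id": "EV-02", "name": "NCSC/CISA advisory triage log",
     "frameworks": set(), "controls": {"A.5.7"}},
    {"id": "EV-03", "name": "Data classification scheme and egress test results",
     "frameworks": {"SOC2"}, "controls": {"A.5.12", "A.8.12"}},
    {"id": "EV-04", "name": "FCA operational resilience self-assessment",
     "frameworks": {"FCA_PS21/3"}, "controls": {"A.5.30"}},
    {"id": "EV-05", "name": "Central log retention configuration",
     "frameworks": {"CyberEssentials"}, "controls": {"A.8.15"}},
]

# A slice of the Annex A catalogue with the "cybersecurity concept" attribute.
# Concept sets here are assumptions for the example, not copied from the text.
CONTROLS = {
    "A.5.7":  {"name": "Threat intelligence", "concepts": {"Identify", "Detect", "Respond"}},
    "A.5.12": {"name": "Classification of information", "concepts": {"Identify"}},
    "A.5.16": {"name": "Identity management", "concepts": {"Protect"}},
    "A.5.18": {"name": "Access rights", "concepts": {"Protect"}},
    "A.5.30": {"name": "ICT readiness for business continuity", "concepts": {"Respond"}},
    "A.7.4":  {"name": "Physical security monitoring", "concepts": {"Protect", "Detect"}},
    "A.8.12": {"name": "Data leakage prevention", "concepts": {"Protect", "Detect"}},
    "A.8.15": {"name": "Logging", "concepts": {"Detect"}},
    "A.8.16": {"name": "Monitoring activities", "concepts": {"Detect", "Respond"}},
    "A.8.28": {"name": "Secure coding", "concepts": {"Protect"}},
}


def control_to_evidence(evidence=EVIDENCE):
    """Stage 2: invert the inventory so each control lists the artefacts proving it."""
    index = defaultdict(list)
    for ev in evidence:
        for ctrl in sorted(ev["controls"]):
            index[ctrl].append(ev["id"])
    return dict(index)


def unevidenced(controls=CONTROLS, evidence=EVIDENCE):
    """Controls in scope that no artefact currently proves."""
    index = control_to_evidence(evidence)
    return sorted(c for c in controls if c not in index)


def concept_gaps(concept, controls=CONTROLS, evidence=EVIDENCE):
    """Stage 3: attribute filter, e.g. every Detect-tagged control with no evidence."""
    return sorted(c for c in unevidenced(controls, evidence)
                  if concept in controls[c]["concepts"])


def build_soa(controls=CONTROLS, evidence=EVIDENCE, exclusions=None):
    """Draft SoA rows. An exclusion with no written justification is rejected."""
    exclusions = exclusions or {}
    index = control_to_evidence(evidence)
    rows = {}
    for ctrl in controls:
        if ctrl in exclusions:
            if not exclusions[ctrl].strip():
                raise ValueError(f"{ctrl} excluded without justification")
            rows[ctrl] = {"applicable": False, "justification": exclusions[ctrl], "evidence": []}
        else:
            rows[ctrl] = {"applicable": True, "justification": "", "evidence": index.get(ctrl, [])}
    return rows


def reuse_report(evidence=EVIDENCE):
    """Artefacts that already serve another framework and now also serve ISO 27001:2022."""
    return {ev["id"]: sorted(ev["frameworks"] | {"ISO27001:2022"})
            for ev in evidence if ev["frameworks"]}


if __name__ == "__main__":
    print("Unevidenced controls:", unevidenced())
    print("Detect gaps:", concept_gaps("Detect"))
    soa = build_soa(exclusions={"A.7.4": "No owned premises; all staff remote (scope statement s.2)"})
    print(sum(r["applicable"] for r in soa.values()), "applicable controls")
    print("Evidence reused across frameworks:", reuse_report())
```

With the constructed inventory, the only controls with nothing behind them are A.7.4, A.8.16 and A.8.28, and the Detect filter narrows that to the first two, which is exactly the "no detection capability beyond endpoint AV" finding Stage 3 is meant to surface. The real catalogue is 93 rows rather than ten, but the shape of the work is the same: the unit is the artefact, the attributes drive the triage, and an exclusion is data the auditor reads, not a blank cell.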
Common Mistakes We See
The first is copying a Statement of Applicability from a template. Auditors recognise generic SoAs immediately and probe harder. The second is excluding controls without justification — every "not applicable" needs a documented reason tied to your scope, not a shrug. The third is treating the Statement of Applicability as a one-time document. It should be reviewed at every management review and after any material change to systems or suppliers.
The fourth, and most expensive, is running ISO 27001 controls in parallel with existing FCA, Cyber Essentials, or supplier assurance work instead of integrating them. One control activity should generate evidence for every framework that needs it.
How Pyralink Helps
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our consultants have implemented ISO 27001:2022 across regulated and unregulated UK organisations — building Statements of Applicability that map cleanly to existing controls rather than duplicating effort.
Our ISO 27001 support covers gap analysis against the 93 controls, SoA development, risk treatment planning, internal audit, and certification readiness. For organisations needing ongoing oversight, our fractional vCISO service (from £497/month) embeds senior security leadership without the headcount cost. CloudAuditX, our multi-cloud auditing platform, automates evidence collection for the technological controls in Annex A — particularly A.8.9 (configuration management), A.8.15 (logging), and A.8.16 (monitoring activities). Pyralink holds £5M professional indemnity insurance.
If you're scoping an ISO 27001:2022 implementation or transitioning from a lapsed 2013 certificate, start with visibility into what you already have.