The ISMS implementation is running on schedule. The risk assessment is signed off. Your Statement of Applicability references every control in Annex A. Then the auditor drops in for Stage 2 and flags Control 5.2, Control 5.7, Control 8.8, and three more from the 2022 update. The certification timeline slips by weeks. The CISO gets the call. If this scenario sounds familiar, you are not alone — and the cost of getting Annex A wrong is not just a delayed certificate. For UK FinServ firms regulated by the FCA or bound by the UK GDPR, a failed ISO 27001 audit can trigger regulatory scrutiny, contractual penalties, and a board-level reputational hit.

The 2022 revision of ISO 27001 consolidated the old Annex A from 114 controls to 93, introduced 11 new controls, and restructured the entire set into four thematic clusters: organisational, people, physical, and technological. The shift was not cosmetic. The new controls target operational risks that the 2013 version simply did not address: threat intelligence, cloud security, data leakage prevention, and secure configuration for ICT systems. The 11 controls dissected below are the ones that most often produce nonconformities for UK FinServ CISOs, who must simultaneously satisfy the FCA’s Operational Resilience requirements (PS21/3) and the ICO’s expectations under UK GDPR. Seven of them (5.7, 5.23, 5.30, 8.9, 8.12, 8.16, 8.23) are genuinely new in 2022; the other four (5.2, 5.10, 5.31, 8.8) are 2013 controls whose wording was tightened or which absorbed merged controls. This post explains each one, why UK FinServ firms trip up, and the fix.

Control 5.2 — Information Security Roles and Responsibilities

This control is not new in spirit (it carries forward 6.1.1 from the 2013 edition), but the 2022 revision sharpened the requirement. Roles and responsibilities must be “defined and allocated according to the organization needs”, and the neighbouring Control 5.3 requires conflicting duties and areas of responsibility to be segregated. In practice, this means your ISMS must document who owns which security decisions and who has authority to approve risk acceptance, not just in policy but in operational workflow.

Where UK FinServ firms stumble: they create an Information Security Manager role in the policy documents, but the person filling it is also the Head of IT Operations. The auditor will raise this as a segregation-of-duties nonconformity under Control 5.3, and the 5.2 role definitions are the evidence that exposes it. The fix is straightforward: produce a RACI matrix that maps every Annex A control to a named role, and ensure that no single individual both implements and audits the same control (internal audit impartiality is a separate Clause 9.2 requirement the auditor will test at the same time). Use your ISO 27001 certification engagement to formalise this mapping before the Stage 1 audit.

Control 5.7 — Threat Intelligence

This is a brand-new control in 2022. It requires organisations to collect and analyse threat intelligence relevant to their sector. For a UK payments processor or a fintech lender, "relevant" means the UK’s NCSC threat reports, the Financial Services Information Sharing and Analysis Center (FS-ISAC) bulletins, and the FCA’s own thematic reviews. Blindly subscribing to a generic feed and calling it compliance will not withstand scrutiny.

Actionable step: subscribe to the NCSC’s Cyber Security Information Sharing Partnership (CiSP), assign a named analyst to review threats weekly, and document how the intelligence feeds back into your risk assessment. If you outsource this to a SOC provider, ensure the contract explicitly defines threat intelligence deliverables. We cover this in our fractional vCISO retainer — embedding threat intelligence into governance, not just into the SIEM.

Control 5.10 — Acceptable Use of Information and Other Associated Assets

When the 2013 version was published, shadow IT was a niche concern. In 2026, it is the norm. UK FinServ employees routinely use Slack, Teams, Trello, and a dozen SaaS tools that IT never approved. Control 5.10 demands an acceptable use policy that explicitly covers "associated assets" — which includes personal devices and cloud subscriptions paid by corporate credit card.

The common mistake: writing a one-page "thou shalt not" policy that ignores the operational reality of a hybrid workforce. Fix it by running a free scan with CloudAuditX to inventory your SaaS estate, then draft an acceptable use policy that names the specific tools employees may not use for sensitive client data. Have your compliance officer sign off the policy, then brief the team in a 15-minute session. Audit evidence: the policy document, the meeting minutes, and the scan results.

Control 5.23 — Information Security for Use of Cloud Services

This is the control that most UK FinServ firms underestimate. It requires processes for the acquisition, use, management of, and exit from cloud services, established in accordance with the organisation’s own information security requirements. The accompanying ISO 27002 guidance expects you to confirm that the cloud service provider’s security controls actually meet those requirements, rather than assuming they do. The devil is in the contractual detail.

The trip-up: relying on the cloud provider’s SOC 2 report as sufficient evidence without mapping it to your own ISMS controls. For UK-regulated entities, this is not adequate. You must conduct a due diligence assessment of the CSP, document it in your supplier risk register, and include contract clauses for data access, incident notification, audit rights, and exit; where the cloud service is a material outsourcing, the FCA’s outsourcing rules under SYSC 8 apply. Use CloudAuditX to automate the evidence collection across AWS, Azure, and GCP, then map the outputs directly to Control 5.23 in your SoA.

Control 5.30 — ICT Readiness for Business Continuity

This is the 2022 revision’s response to the operational resilience push by regulators globally. For UK FinServ firms, it dovetails with the FCA’s PS21/3 rule, which requires firms to identify important business services, set impact tolerances, and test their ability to stay within them. Control 5.30 demands that ICT readiness is “planned, implemented, maintained, and tested based on business continuity objectives.”

The failure pattern: firms treat BC/DR testing as a once-a-year checkbox exercise. The auditor will look for evidence of scenario-based testing that includes cyber attacks, cloud provider outages, and third-party failure. Do this: schedule quarterly tabletop exercises, document lessons learned, and show how the ISMS drives improvements to the BC plan. The NCSC’s Exercise in a Box is a free, credible tool for this purpose.

Control 5.31 — Legal, Statutory, Regulatory, and Contractual Requirements

Every ISMS includes a legal register. But the 2022 revision tightens the requirement by insisting that the organisation “identify and document” how each requirement applies to the ISMS, and “determine how these requirements are addressed.” For UK FinServ, this means you cannot simply list UK GDPR and the FCA Handbook. You must show which articles and rules map to which Annex A controls.

Our approach: create a compliance matrix that cross-references UK GDPR articles (e.g., Article 32 for security of processing), the DPA 2018 provisions, the FCA’s COBS and SYSC chapters, and the Cyber Security and Resilience Bill (when it passes) against each applicable Annex A control. This is not busywork — it is the document that convinces an auditor you have done the homework. We cover this mapping in-depth in our insights.

Control 8.8 — Management of Technical Vulnerabilities

This control existed in 2013 (as 12.6.1, now merged with the technical compliance review in 18.2.3), but the 2022 wording covers every “information system in use”, which an auditor will read to include operational technology, IoT devices, and the environmental monitoring in the server room. UK FinServ firms that run ATMs, payment terminals, or building management systems in data centres must include these in the vulnerability management scope, not just the servers and laptops the scanner already knows about.

The practical fix: segment your vulnerability management program by asset criticality. Use the FCA’s Important Business Services as the anchor. For each IBS, define a maximum remediation SLA — typically 14 days for critical vulnerabilities, 30 for high. Automate the scan schedule with a tool like CloudAuditX and pull the results into your risk register monthly. The auditor will look for evidence that you closed the loop — a scan without a remediation ticket is not compliance.
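To make the closed-loop requirement concrete, here is an added example (not code from the article or from Pyralink) that checks a scan export against the remediation SLAs above and flags anything overdue or lacking a ticket. The asset register, the findings, the dates and the rule that IBS assets get half the window are all constructed for illustration.

```python
"""Remediation-SLA check for vulnerability scan findings (added example).

Assumptions (not from the article): a flat export of scan findings with a
severity, a first-seen date and an optional ticket reference, plus an asset
register tagging which hosts support an FCA Important Business Service (IBS).
SLA days for critical/high are the article's 14/30; medium/low are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Maximum remediation windows (days) by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed asset register: hostname -> supports an Important Business Service?
ASSET_REGISTER = {
    "pay-api-01": True,
    "pay-db-01": True,
    "hr-wiki-01": False,
}


@dataclass(frozen=True)
class Finding:
    host: str
    ref: str                 # scanner's own finding reference (constructed)
    severity: str
    first_seen: date
    ticket: Optional[str]    # remediation ticket reference, or None


def sla_status(finding: Finding, today: date) -> dict:
    """Evaluate one finding against its SLA and the 'ticket exists' rule."""
    age = (today - finding.first_seen).days
    limit = SLA_DAYS[finding.severity]
    is_ibs = ASSET_REGISTER.get(finding.host, False)
    # Assumed tightening for this example: IBS assets get half the window.
    if is_ibs:
        limit = max(1, limit // 2)
    problems = []
    if age > limit:
        problems.append(f"overdue by {age - limit} days")
    if finding.ticket is None:
        problems.append("no remediation ticket")
    return {
        "host": finding.host, "ref": finding.ref, "severity": finding.severity,
        "ibs": is_ibs, "age_days": age, "sla_days": limit,
        "compliant": not problems, "problems": problems,
    }


def audit_findings(findings: List[Finding], today: date) -> List[dict]:
    """Return only the findings an auditor would ask about."""
    return [r for r in (sla_status(f, today) for f in findings) if not r["compliant"]]


# Constructed sample export, evaluated as of a fixed date.
TODAY = date(2026, 3, 1)
FINDINGS = [
    Finding("pay-api-01", "scan-0001", "critical", date(2026, 2, 20), "CHG-1042"),
    Finding("hr-wiki-01", "scan-0002", "high", date(2026, 1, 20), None),
    Finding("pay-db-01", "scan-0003", "medium", date(2026, 2, 25), "CHG-1050"),
    Finding("hr-wiki-01", "scan-0004", "critical", date(2026, 2, 25), "CHG-1051"),
]

if __name__ == "__main__":
    for row in audit_findings(FINDINGS, TODAY):
        print(f"{row['host']} {row['ref']} ({row['severity']}, IBS={row['ibs']}): "
              + "; ".join(row["problems"]))
```

Run monthly against the real export, attach the output to the risk register review, and the "scan without a ticket" gap becomes visible before the auditor finds it.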

Control 8.9 — Configuration Management

Another new control in the 2022 series, born from the recognition that misconfiguration is a leading cause of cloud breaches. Control 8.9 demands that “configurations, including security configurations, of hardware, software, services and networks” be “established, documented, implemented, monitored and reviewed.” For a UK FinServ using AWS, this means a documented baseline, typically derived from the CIS AWS Foundations Benchmark, for every EC2 instance, S3 bucket, and RDS database.

Where it breaks down: firms document the baseline but never enforce it. The auditor will ask for the last three months of configuration drift reports; if you cannot produce them, expect a nonconformity. Implement Infrastructure as Code with policy-as-code guardrails: HashiCorp Sentinel (in Terraform Cloud/Enterprise), Open Policy Agent, or AWS Config rules. Use CloudAuditX to scan your live environment against the CIS benchmarks weekly and store the reports as audit evidence.
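An added example, not part of the article or of any vendor tool, of the drift report an auditor would ask for: it compares each bucket's observed settings with a documented baseline and emits a dated list of deviations. The field names, the three bucket records and the baseline values are constructed; the observed records are a simplified stand-in for what the s3api get-bucket-encryption, get-public-access-block and get-bucket-versioning calls would return.

```python
"""Configuration-drift check of S3 buckets against a documented baseline
(added example). Baseline values follow the CIS AWS Foundations recommendations
for S3 (server-side encryption, public access blocked, versioning enabled), but
the key names and the observed records are this example's own simplified shape,
not boto3 responses.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Documented baseline: every key must match exactly on every bucket.
S3_BASELINE = {
    "sse_algorithm": "aws:kms",        # this example's baseline insists on KMS
    "block_public_acls": True,
    "ignore_public_acls": True,
    "block_public_policy": True,
    "restrict_public_buckets": True,
    "versioning": "Enabled",
    "access_logging": True,
}

MISSING = "<missing>"  # marker for a setting the API never returned


def diff_resource(name: str, observed: Dict, baseline: Dict) -> List[Dict]:
    """One drift entry per baseline key that is absent or differs."""
    drifts = []
    for key, expected in baseline.items():
        actual = observed.get(key, MISSING)
        if actual != expected:
            drifts.append({"resource": name, "setting": key,
                           "expected": expected, "actual": actual})
    return drifts


def drift_report(observed_by_name: Dict[str, Dict], baseline: Dict,
                 scanned_at: datetime = None) -> Dict:
    """Dated report suitable for retention as audit evidence."""
    scanned_at = scanned_at or datetime.now(timezone.utc)
    drifts: List[Dict] = []
    for name, cfg in sorted(observed_by_name.items()):
        drifts.extend(diff_resource(name, cfg, baseline))
    return {
        "scanned_at": scanned_at.isoformat(),
        "resources_checked": len(observed_by_name),
        "resources_drifted": len({d["resource"] for d in drifts}),
        "drifts": drifts,
    }


# Constructed observations for three buckets.
OBSERVED = {
    "fin-ledger-prod": {**S3_BASELINE},                      # fully compliant
    "fin-ledger-logs": {**S3_BASELINE, "sse_algorithm": "AES256",
                        "access_logging": False},            # two deviations
    "fin-exports": {**S3_BASELINE, "block_public_policy": False},
}
del OBSERVED["fin-exports"]["versioning"]                    # never returned

if __name__ == "__main__":
    print(json.dumps(drift_report(OBSERVED, S3_BASELINE), indent=2, default=str))
```

Schedule it weekly, write each JSON report to a write-once bucket, and the three months of drift history the auditor asks for already exist.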

Control 8.12 — Data Leakage Prevention

This control is about preventing unauthorised disclosure, not just detecting it. For UK FinServ firms that handle payment card data, mortgage applications, or high-net-worth client portfolios, DLP is a regulatory imperative under UK GDPR’s integrity and confidentiality principle (Article 5(1)(f)) and the Article 32 security obligations. The control requires data leakage prevention measures to be applied to systems, networks and any other devices that process, store or transmit sensitive information.

The common mistake: buying a DLP tool and turning it on in monitor-only mode. The auditor wants evidence of prevention — blocking rules, policy enforcement, and incident response to false positives. The budget-friendly route for SMEs is Microsoft Purview or a SaaS DLP overlay. For larger firms, endpoint DLP with USB and email filtering is non-negotiable. Run a classification exercise first — you cannot DLP data you have not labelled.
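The difference between monitor-only and enforce is easier to see in code. This added example, written for this page and not taken from the article, Pyralink or Microsoft, implements one outbound rule: find Luhn-valid card numbers, honour a classification label, and decide allow, alert or block. The organisation domain example.com, the message shape and the sample messages are constructed; 4111111111111111 is a well-known test card number.

```python
"""Minimal outbound DLP rule: detect payment card numbers and enforce a block
decision (added example). The regex, Luhn validator and decision logic stand
in for a commercial DLP engine; `enforce` is the switch between monitor-only
and blocking that the auditor will ask about.
"""
import re
from typing import Dict, List

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ORG_DOMAIN = "@example.com"   # assumed internal mail domain


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812-1) weeds out most 16-digit false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep first 6 and last 4 so the incident record holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def evaluate(message: Dict, enforce: bool = True) -> Dict:
    """Decide allow / alert / block for an outbound message.

    message = {"to": recipient, "label": classification label, "body": text}.
    A violation is a PAN in the body, or Confidential content leaving the
    organisation. In monitor-only mode (enforce=False) violations only alert.
    """
    pans = find_pans(message["body"])
    external = not message["to"].lower().endswith(ORG_DOMAIN)
    reasons = []
    if pans:
        reasons.append("PAN detected: " + ", ".join(mask(p) for p in pans))
    if external and message.get("label") == "Confidential":
        reasons.append("Confidential label leaving the organisation")
    if not reasons:
        action = "allow"
    else:
        action = "block" if enforce else "alert"
    return {"action": action, "reasons": reasons}


# Constructed sample traffic.
SAMPLES = [
    {"to": "client@partner.co.uk", "label": "Internal",
     "body": "Card ending: 4111 1111 1111 1111 please charge"},
    {"to": "ops@example.com", "label": "Confidential",
     "body": "order ref 4111111111111112"},           # fails Luhn: not a PAN
    {"to": "someone@gmail.com", "label": "Confidential", "body": "see attached"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["to"], evaluate(msg))
```

The second sample is the false positive the article warns about: a 16-digit order reference that a naive regex would block but the Luhn check lets through. Note that the rule can only act on the Confidential label if the classification exercise has been run first.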

Control 8.16 — Monitoring Activities

Monitoring is not new, but the 2022 version is specific: networks, systems and applications must be monitored for anomalous behaviour and action taken to evaluate potential incidents, and its sister Control 8.15 (Logging) requires logs to be produced, stored, protected and analysed. Retention is where UK FinServ firms get caught: the ICO’s guidance on UK GDPR’s storage limitation principle requires every retention period to be justified, and typical schedules run 6 to 12 months for operational logs and 3 to 5 years for audit logs linked to financial transactions, aligned to FCA record-keeping rules.

The failing point: firms log everything and keep it forever, which is a data protection risk. Or they log nothing outside the SIEM. The fix is a documented log retention schedule that aligns with the FCA’s record-keeping rules (SYSC 9) and UK GDPR’s storage limitation principle. Automate the archival and deletion. Evidence: the retention schedule, the SIEM reports, and the quarterly review minutes.
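Retention schedules fail audits when they live only in a document. This added example, which is not from the article or Pyralink, validates a schedule against assumed legal minimums and converts it into S3 lifecycle rules that archive and then delete logs on time. The log classes, prefixes, day counts and the five-year floor tagged to SYSC 9 are placeholders chosen for the example; the output follows the JSON shape accepted by `aws s3api put-bucket-lifecycle-configuration`.

```python
"""Turn a documented log-retention schedule into enforceable S3 lifecycle rules
(added example). Each class keeps logs 'hot' for SIEM search, archives them to
Glacier, and expires them when the justified retention period ends.
"""
import json
from typing import Dict, List

# Retention schedule (constructed placeholders, not regulatory figures):
#   hot_days     - kept in standard storage, searchable in the SIEM
#   retain_days  - total retention before deletion (storage limitation)
#   minimum_days - floor from legal/regulatory/contractual requirements
SCHEDULE = [
    {"name": "firewall-flow", "prefix": "logs/flow/", "hot_days": 90,
     "retain_days": 365, "minimum_days": 0},
    {"name": "payment-audit", "prefix": "logs/audit/", "hot_days": 365,
     "retain_days": 5 * 365, "minimum_days": 5 * 365},   # assumed SYSC 9 style floor
    {"name": "web-access", "prefix": "logs/web/", "hot_days": 30,
     "retain_days": 180, "minimum_days": 0},
]


def validate_schedule(schedule: List[Dict]) -> List[str]:
    """Return human-readable problems; an empty list means the schedule is sound."""
    problems = []
    seen = set()
    for e in schedule:
        if e["name"] in seen:
            problems.append(f"{e['name']}: duplicate class")
        seen.add(e["name"])
        if e["retain_days"] < e["minimum_days"]:
            problems.append(f"{e['name']}: retention {e['retain_days']}d below "
                            f"legal minimum {e['minimum_days']}d")
        if e["hot_days"] > e["retain_days"]:
            problems.append(f"{e['name']}: hot tier {e['hot_days']}d exceeds "
                            f"total retention {e['retain_days']}d")
        if e["retain_days"] <= 0:
            problems.append(f"{e['name']}: zero or indefinite retention is not a schedule")
    return problems


def lifecycle_rules(schedule: List[Dict]) -> Dict:
    """Emit the S3 lifecycle configuration that enforces the schedule."""
    problems = validate_schedule(schedule)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for e in schedule:
        rule = {
            "ID": f"retention-{e['name']}",
            "Filter": {"Prefix": e["prefix"]},
            "Status": "Enabled",
            "Expiration": {"Days": e["retain_days"]},
        }
        # S3 rejects a transition on or after the expiration day, so only add
        # the archive step when there is a gap between hot and expiry.
        if e["hot_days"] < e["retain_days"]:
            rule["Transitions"] = [{"Days": e["hot_days"], "StorageClass": "GLACIER"}]
        rules.append(rule)
    return {"Rules": rules}


if __name__ == "__main__":
    print(json.dumps(lifecycle_rules(SCHEDULE), indent=2))
```

The validator is the part that matters for the "keep everything forever" failure: a class with no expiry or one that undercuts its legal minimum fails before any configuration is applied, and the schedule plus the generated rules are the evidence pair for the quarterly review.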

Control 8.23 — Web Filtering

The last of the new technological controls covered here. It requires organisations to “manage access to external websites to reduce exposure to malicious content.” For UK FinServ, this is not just malware protection: it is about preventing data exfiltration via web mail, file uploads, and AI-powered chatbots that employees may use to process client data.

Implementation: use a cloud web gateway or DNS filtering service that blocks categories (malware, phishing, file sharing, AI assistants) by user group. Document the policy, block list exceptions, and review the logs monthly. The auditor will check that the policy covers visitors and contractors, not just permanent staff.

Security Controls Mapping: The Make-or-Break Step

Every CISO we speak to asks the same question: how do I map these 11 controls to my existing ISMS without rewriting everything? The answer lies in a structured approach to security controls mapping. Do not tackle each control in isolation. Instead, create a central mapping table that shows which existing policy, procedure, or tool satisfies each new control. For example, Control 5.7 (Threat Intelligence) maps to your risk assessment procedure. Control 8.9 (Configuration Management) maps to your change management process. Control 8.12 (Data Leakage) maps to your data protection impact assessment workflow.

This mapping becomes the evidence your auditor requests during Stage 1. It demonstrates that you have not just copied the control list — you have operationalised it. If you are starting from scratch on organisational controls 2022, prioritise Controls 5.2, 5.7, and 5.23 — they are the ones that most UK FinServ firms underinvest in. Allocate budget for a cloud auditing tool, a threat intelligence feed, and a legal register refresh. The payoff is an ISMS that does not just pass audit but genuinely reduces the risk of a regulatory fine or a data breach.

How Pyralink Helps

Pyralink Innovation Ltd, led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), specialises in helping UK FinServ firms achieve and maintain ISO 27001 certification with minimal disruption. Our consultants have built ISMS from scratch, remediated failed audits, and mapped Annex A controls to FCA regulations, UK GDPR, and NIS Regulations with precision.

We offer three concrete paths depending on where you are in your journey:

  • ISO 27001 certification support: We write your SoA, risk assessment, and policy suite; we train your internal auditors; we sit with you during the certification audit to handle the tough questions on the 11 controls above. Learn more →
  • CloudAuditX multi-cloud scanning: Free to start. Automates evidence collection for Controls 5.23, 8.8, 8.9, and 8.16 across AWS, Azure, and GCP. Generates CIS benchmark reports and configuration drift logs ready for audit. Run a free scan →
  • Fractional vCISO retainer: From £497 per month. A qualified CISM/CISA-level practitioner embedded in your team for 4-8 hours per week — governance, risk management, threat intelligence, and board reporting. Book a consultation →

Pyralink holds £5M professional indemnity insurance and serves clients across payments, lending, wealth management, and insurance. We do not sell templates. We implement production-grade ISMS that auditors pass.

Next Step: Prove Your Controls Work

Stop guessing whether your ISMS will pass the Stage 2 audit. Run a free CloudAuditX scan against your cloud infrastructure and receive a report mapping your misconfigurations directly to Annex A controls. Then book a 30-minute security review with our team to discuss your specific gaps and the remediation timeline. Both are free and carry zero obligation.

Run a free CloudAuditX scan →
Book a free security review →
