The transition window for ISO 27001:2013 certificates closed on October 31, 2025, and any organization still operating under the older standard is now out of compliance with the certification scheme. The 2022 revision is the only operative version, and the restructured Annex A and updated supply chain controls are the substantive changes that matter in practice. This post is a working summary of what implementation looks like in 2026, drawing on patterns from the certifications we have observed in the last twelve months.
The framing point worth restating is that ISO 27001 is the management system standard and ISO 27002 is the controls guidance. The 2022 revision condensed Annex A from 114 controls to 93, reorganized them into four themes, and introduced eleven controls that did not exist in the prior version. The new controls are where most of the implementation work concentrates.
What are the new controls in the 2022 Annex A?
The eleven new controls are 5.7 threat intelligence, 5.23 information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 physical security monitoring, 8.9 configuration management, 8.10 information deletion, 8.11 data masking, 8.12 data leakage prevention, 8.16 monitoring activities, 8.23 web filtering, and 8.28 secure coding. Several of these existed implicitly in the 2013 version but are now called out as distinct controls with their own evidence expectations.
Control 5.23 on cloud services is the most consequential for SaaS organizations, because auditors now expect a formal process for selecting, using, and exiting cloud services, with documented risk acceptance for each significant provider. Control 8.28 on secure coding pulls the SDLC into the controls catalog explicitly and overlaps with supply chain controls in 8.30 outsourced development and 5.19 through 5.22 supplier relationships. The cluster of supplier and coding controls is where 2026 audits are spending the most time.
How should an established ISMS migrate cleanly?
Migration is best done as a structured remap rather than a rewrite. The 2022 Annex A controls map fairly cleanly to the 2013 controls for the 82 retained controls, and your statement of applicability should preserve the historical rationale while updating the reference. The eleven new controls require fresh analysis: each must be considered for inclusion or exclusion, with documented justification. Excluding a control is acceptable but requires a defensible reason that the auditor can test.
The hardest part of migration in practice is updating the risk treatment plan to reflect the new control structure without losing the historical context. Organizations that tried to fully rewrite their ISMS documentation in the migration window often lost institutional memory about why specific controls were selected or excluded. The cleaner approach is to retain the original risk analysis and bolt on the new controls as deltas, with a clear changelog the auditor can follow.
What does the supply chain control cluster expect?
Controls 5.19 through 5.22 cover the supplier relationship lifecycle: policy on supplier relationships, addressing security in supplier agreements, ICT supply chain security, and monitoring and review of supplier services. Control 5.21 specifically addresses ICT supply chain security and is the one auditors are reading most expansively in 2026. The expectation is that you can demonstrate awareness of and risk-based controls over your software supply chain, not just your contracted ICT vendors.
In practice the audit evidence for 5.21 looks like SBOM generation for in-house software, recorded review of supplier security posture for critical dependencies, and a documented process for handling supply chain incidents. The 2024 XZ Utils backdoor is the canonical reference incident, and lead auditors are now asking how the organization would detect and respond to a comparable event. A defensible answer combines continuous dependency monitoring with an incident response playbook that names supply chain compromise as an in-scope scenario.
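The dependency monitoring step described above, as an added example that is not from the original post: it matches a CycloneDX-style SBOM against an advisory list and emits a timestamped review record of the kind an auditor can trace for 5.21. The SBOM fragment, the advisory IDs and the record layout are all constructed for illustration.

```python
"""Match a CycloneDX SBOM against an advisory list; emit a review record."""
import json
from datetime import datetime, timezone

# Constructed CycloneDX 1.5-style SBOM fragment (only the fields used here).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "xz-utils", "version": "5.6.1", "purl": "pkg:generic/xz-utils@5.6.1"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed advisory feed with placeholder IDs (not real CVE numbers).
# Each range is [first_affected, first_fixed); first_fixed None = no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "purl_prefix": "pkg:generic/xz-utils",
     "affected": [("5.6.0", "5.6.2")]},
    {"id": "EXAMPLE-ADV-0002", "purl_prefix": "pkg:pypi/requests",
     "affected": [("0", "2.31.0")]},  # fixed in 2.31.0, so 2.31.0 must not match
]

def parse_version(v):
    """Dotted numeric version -> tuple for comparison; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def is_affected(version, ranges):
    """True if version falls inside any [first, fixed) range."""
    v = parse_version(version)
    for first, fixed in ranges:
        if v >= parse_version(first) and (fixed is None or v < parse_version(fixed)):
            return True
    return False

def check_sbom(sbom_json, advisories, now=None):
    """Return a review record: timestamp, components reviewed, and findings."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for comp in components:
        purl_base = comp["purl"].split("@", 1)[0]  # strip the version qualifier
        for adv in advisories:
            if purl_base == adv["purl_prefix"] and is_affected(comp["version"], adv["affected"]):
                findings.append({"advisory": adv["id"], "component": comp["purl"],
                                 "action": "open supply chain incident; record treatment"})
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {"reviewed_at": ts, "components_reviewed": len(components), "findings": findings}

if __name__ == "__main__":
    print(json.dumps(check_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

Run on a CI schedule and archive each record; the retained records are the "recorded review" evidence and the findings feed the incident playbook.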
Where do certification audits commonly fail in 2026?
The most common nonconformity we see is incomplete coverage of control 8.9 configuration management, particularly for cloud infrastructure that is provisioned through IaC. Organizations tend to document configuration management for endpoints and servers but treat their cloud infrastructure as a separate domain. Auditors expect a single configuration management process that covers all in-scope assets, with documented baselines, change control, and drift detection.
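One way to produce the drift detection evidence auditors look for under 8.9, as an added example rather than code from the original post: a documented baseline is compared against the observed state of IaC-managed resources, and every deviation is classified as approved (covered by a change-control record) or unapproved. The baseline, observed state, ticket IDs and resource schema are constructed and hypothetical.

```python
"""Detect drift from a documented baseline and reconcile it against change control."""

# Constructed documented baseline: resource id -> settings the ISMS requires.
BASELINE = {
    "s3:evidence-bucket": {"public_access_blocked": True, "encryption": "aws:kms",
                           "versioning": True},
    "sg:web-tier": {"ingress_0.0.0.0/0": ["443"]},
}

# Constructed observed state, as a drift scan of the live account would report it.
OBSERVED = {
    "s3:evidence-bucket": {"public_access_blocked": True, "encryption": "AES256",
                           "versioning": True},
    "sg:web-tier": {"ingress_0.0.0.0/0": ["443", "22"]},
    "s3:scratch-bucket": {"public_access_blocked": False, "encryption": None},
}

# Constructed change-control records: deviations that were formally approved.
APPROVED_CHANGES = [
    {"ticket": "CHG-EXAMPLE-42", "resource": "s3:evidence-bucket",
     "setting": "encryption", "value": "AES256"},
]

def detect_drift(baseline, observed, approved):
    """Return drift findings; each is 'approved' only if change control covers it."""
    approved_index = {(c["resource"], c["setting"], repr(c["value"])): c["ticket"]
                      for c in approved}
    findings = []
    for rid, expected in baseline.items():
        actual = observed.get(rid)
        if actual is None:  # baselined resource no longer exists
            findings.append({"resource": rid, "setting": "*", "kind": "missing",
                             "status": "unapproved", "ticket": None})
            continue
        for setting, want in expected.items():
            got = actual.get(setting)
            if got != want:
                ticket = approved_index.get((rid, setting, repr(got)))
                findings.append({"resource": rid, "setting": setting, "kind": "drift",
                                 "expected": want, "observed": got,
                                 "status": "approved" if ticket else "unapproved",
                                 "ticket": ticket})
    # Resources outside the baseline are a coverage gap in the process itself.
    for rid in sorted(observed.keys() - baseline.keys()):
        findings.append({"resource": rid, "setting": "*", "kind": "unmanaged",
                         "status": "unapproved", "ticket": None})
    return findings

if __name__ == "__main__":
    for f in detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f)
```

Unapproved findings are the nonconformities to treat; the unmanaged class is the one that most often reveals cloud resources the configuration management process never covered.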
The second common failure is weak evidence for control 8.16 monitoring activities. The 2022 wording expanded the scope of expected monitoring to include user behavior, network activity, and information processing, with documented response procedures for anomalies. A SIEM with a generic ruleset and no documented analyst workflow does not satisfy this control. The auditor wants to see what is monitored, why, what constitutes an anomaly, and what happens when one is detected, ideally with traceable examples from the audit period.
How Safeguard Helps
Safeguard provides evidence streams that map directly onto the new supply chain controls in the 2022 Annex A. Continuous SBOM generation and retention satisfies the inventory and monitoring expectations in 5.21 and 8.16. Griffin AI runs reachability analysis to prioritize the vulnerabilities your ISMS must actually treat, with timestamped triage decisions for the audit trail. Policy gates enforce your stated criteria at the CI stage, which auditors test as evidence of operating effectiveness for 8.28 secure coding and 8.9 configuration management. TPRM scoring closes the supplier review loop in 5.19 through 5.22, and zero-CVE base images reduce the surface your treatment plan has to address.