The 31 October 2025 deadline for transitioning to ISO/IEC 27001:2022 has passed. Organizations certified to the 2013 edition that did not complete the transition now hold certificates that are no longer valid. ELDR practitioner observation across organizations that did complete the transition, gathered through advisory engagements and through review of documentation programs submitted for external assessment, surfaces three documentation architecture lessons worth publishing now, while the transition experience is current.
ISO/IEC 27001:2022 reorganized the 114 controls of the 2013 Annex A into 93 controls across four themes (Organizational, People, Physical, and Technological), merging overlapping 2013 controls and adding 11 new ones. The reorganization was designed to improve logical coherence; in practice, it created significant Statement of Applicability (SoA) revision work for organizations whose existing SoAs were keyed to the 2013 identifiers. Many organizations found that the SoA revision also exposed mapping errors and coverage gaps in their existing control documentation. The transition was an opportunity to remediate those gaps, but doing so added significantly to transition scope.
Organizations that made expedient documentation decisions during transition, mapping existing 2013 control narratives onto the 2022 structure without revising the substantive control descriptions, introduced a specific audit exposure: the SoA references 2022 Annex A identifiers, but the control narratives behind it still describe 2013-era implementations that do not reflect 2022 guidance. First surveillance audits after transition are surfacing these mismatches as documentation findings. The lesson: restructuring the SoA without reviewing every control narrative creates documentation debt that comes due in the next audit cycle.
The 11 controls new in the 2022 Annex A, including A.5.7 (Threat intelligence), A.5.23 (Information security for use of cloud services), A.8.10 (Information deletion), and A.8.12 (Data leakage prevention), required genuinely new control documentation rather than adaptation of existing controls. Organizations that treated them as editorial additions to existing narratives produced documentation that auditors found substantively inadequate in first post-transition audits. Cloud services (A.5.23) and threat intelligence (A.5.7) in particular need their own documentation architecture: a cloud service register with ownership, shared-responsibility and exit provisions, and a defined threat intelligence process with sources, analysis and consumers, not incremental additions to existing cloud and security monitoring documents.
Organizations that have completed the transition should conduct a post-transition documentation quality review covering three questions: whether each control narrative accurately describes a 2022-compliant implementation, whether the SoA records an explicit applicability decision (with justification for any exclusion) for each of the 11 new controls, and whether the new control implementations are documented in substantive rather than nominal form. A review conducted now, before the next surveillance audit, is significantly less expensive than remediating audit findings under auditor oversight.
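The two failure modes above (2013-era narratives relabelled under 2022 identifiers, and nominal narratives for the new controls) are mechanically detectable from an SoA export. The following linter is an added example, not part of the original page or of any ELDR tooling; the record format, the word-count threshold and the sample SoA entries are assumptions chosen for illustration. It flags narratives that still cite three-level 2013 control identifiers, narratives for applicable controls that are too short or merely repeat the control title, exclusions without a justification, SoA rows that are not 2022 identifiers at all, and any of the 11 new controls absent from the SoA.

```python
"""Post-transition SoA / control-narrative linter (added example, not from the page).

Assumptions: the SoA is available as a list of SoaEntry records, a narrative of
fewer than MIN_NARRATIVE_WORDS words is treated as nominal, and a three-level
identifier such as A.12.4.1 inside a narrative means the text still describes
the 2013 Annex A control rather than the 2022 one.
"""
import re
from dataclasses import dataclass

# The 11 controls introduced in ISO/IEC 27001:2022 Annex A.
NEW_2022_CONTROLS = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.5.30": "ICT readiness for business continuity",
    "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management",
    "A.8.10": "Information deletion",
    "A.8.11": "Data masking",
    "A.8.12": "Data leakage prevention",
    "A.8.16": "Monitoring activities",
    "A.8.23": "Web filtering",
    "A.8.28": "Secure coding",
}

# 2022 Annex A identifiers have two numeric levels (A.5.7); 2013 Annex A used
# three (A.12.4.1). The 2022 themes are numbered 5 (Organizational), 6 (People),
# 7 (Physical) and 8 (Technological).
LEGACY_ID = re.compile(r"\bA\.\d{1,2}\.\d{1,2}\.\d{1,2}\b")
CURRENT_ID = re.compile(r"^A\.[5-8]\.\d{1,2}$")
MIN_NARRATIVE_WORDS = 25  # assumed threshold below which a narrative is "nominal"


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    narrative: str = ""
    justification: str = ""


@dataclass
class Finding:
    control_id: str
    code: str
    detail: str


def lint_soa(entries):
    """Return a list of Finding records for the documentation problems described above."""
    findings = []
    seen = set()
    for e in entries:
        seen.add(e.control_id)
        if not CURRENT_ID.match(e.control_id):
            findings.append(Finding(e.control_id, "BAD_ID", "not a 2022 Annex A identifier"))
            continue
        if e.applicable:
            legacy = sorted(set(LEGACY_ID.findall(e.narrative)))
            if legacy:
                findings.append(Finding(e.control_id, "LEGACY_REF",
                                        "narrative cites 2013 control(s): " + ", ".join(legacy)))
            words = len(e.narrative.split())
            title = NEW_2022_CONTROLS.get(e.control_id, "")
            if words < MIN_NARRATIVE_WORDS or e.narrative.strip().lower() == title.lower():
                findings.append(Finding(e.control_id, "NOMINAL", f"narrative has only {words} words"))
        elif not e.justification.strip():
            findings.append(Finding(e.control_id, "NO_JUSTIFICATION", "excluded without justification"))
    for cid, title in NEW_2022_CONTROLS.items():
        if cid not in seen:
            findings.append(Finding(cid, "MISSING_NEW", f"new 2022 control '{title}' absent from SoA"))
    return findings


# Constructed sample SoA illustrating each failure mode (not real client data).
SAMPLE_SOA = [
    SoaEntry("A.5.7", True, "Threat intelligence"),  # title pasted in as the narrative
    SoaEntry("A.5.23", True,
             "Cloud services are recorded in the cloud service register with owner, data "
             "classification, shared-responsibility matrix and exit plan; new services require a "
             "security review before onboarding, and contracts are checked annually against the register."),
    SoaEntry("A.8.12", True,
             "Data leakage prevention is delivered by the email and endpoint DLP policies documented "
             "under A.13.2.1 and A.13.2.3; policies are reviewed quarterly by the security operations "
             "lead and exceptions are approved by the CISO."),
    SoaEntry("A.8.10", False),  # excluded, no justification recorded
    SoaEntry("A.12.4.1", True, "Event logging as per the 2013 SoA."),  # 2013 row left in place
]


def report(entries):
    """Human-readable summary, one line per finding."""
    return [f"{f.control_id}: {f.code} ({f.detail})" for f in lint_soa(entries)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOA)))
```

Running the block against the constructed sample reports a nominal narrative for A.5.7, a legacy reference for A.8.12, an unjustified exclusion for A.8.10, a non-2022 identifier for A.12.4.1, and seven new controls missing from the SoA, while A.5.23 passes. A word-count threshold is a crude proxy for "substantive"; in a real review it is a triage filter that tells the reviewer which narratives to read first, not a substitute for reading them.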