AI-27001guided trial

Practical review

How to review a 2013-era ISMS against ISO/IEC 27001:2022

If your documents, SoA, or audit material still feel rooted in the 2013 structure, the review needs to go deeper than swapping control numbers. A cleaner review starts with the management system and then works back through Annex A and evidence.

Published 22 April 2026Updated 22 April 20266 min readOrganizations updating an older ISMS, consultants, and internal owners cleaning up inherited ISO/IEC 27001 material

Begin with a version reality check

A surprising amount of ISO/IEC 27001 material still carries 2013 assumptions long after teams say they have updated. That usually shows up in control numbering, old Annex A group names, outdated clause language, or SoAs that have been patched rather than reviewed properly.

The first step is simply to confirm what your current documents are actually built around. If the structure still assumes the old 14-group Annex A and old requirement wording, treat that as a review signal rather than a cosmetic problem.

Review the management system before the control map

It is tempting to start with the SoA because it is visible and measurable. In practice, the better starting point is the ISMS itself. Look at scope, governance, risk treatment flow, internal audit, management review, and how change is planned and controlled.

That matters because the 2022 revision tightened expectations around processes, interactions, operational control, communication, and planned change. If those parts are weak, a beautifully updated control table will not save the implementation.

Then review Annex A through the 2022 structure

Once the management system picture is clear, move into Annex A using the 2022 structure rather than the old one. Review the SoA by organizational, people, physical, and technological controls, and ask whether the applicability reasoning still holds.

This is also the point where inherited mappings need scrutiny. A straight crosswalk from 2013 to 2022 may be useful as a working aid, but it should not become the finished answer.

  • Check whether merged controls have changed how you describe the control outcome
  • Check whether the new controls are visible in treatment plans, policies, or technical evidence
  • Check whether the SoA still explains exclusions and applicability clearly
  • Check whether evidence links still point to real, current artifacts rather than stale folders

Look hard at the areas most likely to expose drift

In many older ISMS packs, the weak spots are not the classic policy headings. They are the operational areas where modern practice has moved faster than the documentation.

Cloud service use, deletion, masking, leakage prevention, monitoring, configuration management, and secure coding are all good examples. Even where the organization does some of this work already, the formal ISMS may still describe it weakly or not at all.

Finish by rewriting for the current operating model

The point of the review is not to preserve inherited wording. It is to make the ISMS easier to understand, easier to defend, and more obviously connected to current operating reality.

That usually means updating the SoA, rewriting selected policies and procedures, tightening ownership, and making sure the evidence trail is attached to the controls and decisions that matter. Once that is done, the 2022 structure starts to feel useful rather than disruptive.

Prefer to talk it through?

If you are untangling inherited ISO material, talk to AI-27001.

A lot of older ISO/IEC 27001 packs look updated until you trace them back to the actual evidence and operating process. If you are working through that cleanup, our team can talk through the evidence workflow.

See the free ISO 27001 evidence review

Related reading

Related articles to read next.

These articles sit closest to the same evidence, assurance, or standards question and give a practical next step after this piece.