
Practical review

How to review a 2013-era ISMS against ISO/IEC 27001:2022

If your documents, SoA, or audit material still feel rooted in the 2013 structure, the review needs to go deeper than swapping control numbers. A cleaner review starts with the management system and then works back through Annex A and evidence.

6 min read. Written for organizations updating an older ISMS, consultants, and internal owners cleaning up inherited ISO/IEC 27001 material. Published 2026-04-22.

Begin with a version reality check

A surprising amount of ISO/IEC 27001 material still carries 2013 assumptions long after teams say they have updated it. That usually shows up in control numbering, old Annex A group names, outdated clause language, or SoAs that have been patched rather than reviewed properly.

The first step is simply to confirm what your current documents are actually built around. If the structure still assumes the old 14-group Annex A and old requirement wording, treat that as a review signal rather than a cosmetic problem.

Review the management system before the control map

It is tempting to start with the SoA because it is visible and measurable. In practice, the better starting point is the ISMS itself. Look at scope, governance, risk treatment flow, internal audit, management review, and how change is planned and controlled.

That matters because the 2022 revision tightened expectations around processes, interactions, operational control, communication, and planned change. If those parts are weak, a beautifully updated control table will not save the implementation.

Then review Annex A through the 2022 structure

Once the management system picture is clear, move into Annex A using the 2022 structure rather than the old one. Review the SoA by organizational, people, physical, and technological controls, and ask whether the applicability reasoning still holds.

This is also the point where inherited mappings need scrutiny. A straight crosswalk from 2013 to 2022 may be useful as a working aid, but it should not become the finished answer.

  • Check whether merged controls have changed how you describe the control outcome
  • Check whether the new controls are visible in treatment plans, policies, or technical evidence
  • Check whether the SoA still explains exclusions and applicability clearly
  • Check whether evidence links still point to real, current artifacts rather than stale folders

Look hard at the areas most likely to expose drift

In many older ISMS packs, the weak spots are not the classic policy headings. They are the operational areas where modern practice has moved faster than the documentation.

Cloud service use, deletion, masking, leakage prevention, monitoring, configuration management, and secure coding are all good examples. Even where the organization does some of this work already, the formal ISMS may still describe it weakly or not at all.

Finish by rewriting for the current operating model

The point of the review is not to preserve inherited wording. It is to make the ISMS easier to understand, easier to defend, and more obviously connected to current operating reality.

That usually means updating the SoA, rewriting selected policies and procedures, tightening ownership, and making sure the evidence trail is attached to the controls and decisions that matter. Once that is done, the 2022 structure starts to feel useful rather than disruptive.
