RiskWatch
93 controls · 4 themes · 11 new controls flagged · ISO 27001:2022

The 2026 ISO 27001:2022 Checklist your certification body expects.

All 93 Annex A controls across the 4 themes (Organizational, People, Physical, Technological), with the 11 new :2022 controls flagged and paired with implementation guidance, an editable Statement of Applicability Excel template, and the cross-mapping reference for SOC 2, HIPAA, GDPR, and NIST. Built by the same team that runs ISO 27001:2022 + ISO 27002:2022 scoring inside the RiskWatch platform.

All 93 Annex A controls + 4 themes

Org (37) + People (8) + Physical (14) + Technological (34), each with control ID, owner-prompt, and SoA inclusion/exclusion column.

11 new :2022 controls flagged

Threat intel (A.5.7), cloud security (A.5.23), ICT readiness (A.5.30), data masking (A.8.11), and the other 7, all marked with implementation guidance.

Editable Statement of Applicability

Excel SoA template with all 93 controls pre-listed, justification + status columns, ready for your stage 2 audit binder.

28-page PDF, instant link

Auditor-built. Plain English. No login, no follow-up call unless you ask.

“Used the SoA template the week before our stage 2. Found four control gaps in A.8 we’d missed in the :2013-to-:2022 mapping. Cert went through clean.”
M. Lindqvist
Security + Compliance Lead · Multinational SaaS · 1,800 employees · ISO 27001 + SOC 2 Type 2
Free Download · 28-page PDF + Excel SoA template
Send the 93-control checklist + SoA template to my inbox
Use your work email; personal addresses skip the auditor mailing list.
  • No credit card
  • No sales follow-up
  • Editable SoA template
  • Unsubscribe anytime

Past the checklist stage? Start a 30-day free trial · Book a 30-min demo

11 of 93 controls · the ones added in :2022

See the new :2022 controls, no email required.

The :2013-to-:2022 transition added 11 controls that weren’t in the prior standard. If your cert expired Oct 31, 2025 and you’re recertifying against :2022, these 11 are where most gap-analysis time goes. Here are all 11 inline. The full 93-control breakdown is in the download.

Control ID · New control · Why it was added
A.5.7 · Threat intelligence · Collect and analyze info about threats; was implicit in :2013, now explicit.
A.5.23 · Information security for use of cloud services · Cloud-specific control covering acquisition, use, management, and exit of cloud services.
A.5.30 · ICT readiness for business continuity · BCM-aligned control for ICT services availability during disruptions.
A.7.4 · Physical security monitoring · Monitor premises continuously for unauthorized physical access.
A.8.9 · Configuration management · Manage hardware/software/services config to maintain security baseline.
A.8.10 · Information deletion · Securely delete data no longer required (GDPR + privacy alignment).
A.8.11 · Data masking · Mask data in non-production + reduce sensitive data exposure.
A.8.12 · Data leakage prevention · DLP measures applied to systems handling sensitive data.
A.8.16 · Monitoring activities · Monitor networks/systems/applications for anomalous behavior.
A.8.23 · Web filtering · Manage access to external websites to reduce malicious-content exposure.
A.8.28 · Secure coding · Secure-coding principles applied to software development.
82 more controls + the SoA Excel template in the download, 4 themes, full Annex A.
Get the full 93-control PDF + SoA
Transition deadline passed

ISO 27001:2013 certifications expired Oct 31, 2025.

Every accredited certification body (UKAS, ANAB, JAS-ANZ, DAkkS, BSI, TÜV, SGS, BV) is now auditing against ISO 27001:2022 only. If your last surveillance audit was done against :2013, your next recertification is a fresh stage 1 + stage 2 against the :2022 standard. The 11 new controls and the 4-theme restructure are the gap-analysis work most teams underestimate.

Source: IAF MD 26, Transition Requirements for ISO/IEC 27001:2022

Oct 31, 2025

ISO 27001:2013 certifications expired. Every certified org must now hold ISO 27001:2022; recertification cycles in 2026 are :2022-only.

93 controls

Down from 114 in :2013. 24 controls were merged from multi-control predecessors; 58 were revised; 11 are net new.

4 themes

Replaces the prior 14 domains: Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), Technological (A.8, 34 controls).

ISO 27002:2022

The companion implementation guidance was published Feb 2022. The :2022 control numbering aligns to 27002:2022; the SoA template uses the new numbering throughout.

What’s inside

93 controls, four themes.

ISO 27001:2022 reorganized Annex A from 14 domains into 4 themes aligned to ISO 27002:2022. The checklist follows the new structure exactly, so what you complete maps 1:1 to what your certification body auditor reviews.

Organizational Controls · 37 controls · A.5
  • Information security policies (A.5.1)
  • Information security roles + responsibilities (A.5.2–.4)
  • Threat intelligence, NEW (A.5.7)
  • Information security in project management (A.5.8)
  • Inventory of information + other associated assets (A.5.9)
  • Acceptable use + return of assets (A.5.10–.11)
  • Classification + labelling + handling of information (A.5.12–.14)
  • Access control + identity + authentication + provisioning (A.5.15–.18)
  • Information security in supplier relationships (A.5.19–.23), incl. cloud A.5.23 NEW
  • Information security incident management (A.5.24–.28)
  • Information security during disruption + ICT readiness, NEW (A.5.29–.30)
  • Legal, statutory, regulatory, and contractual requirements (A.5.31–.34)
  • Independent review of information security + compliance (A.5.35–.37)

People Controls · 8 controls · A.6
  • Screening (A.6.1)
  • Terms and conditions of employment (A.6.2)
  • Information security awareness, education and training (A.6.3)
  • Disciplinary process (A.6.4)
  • Responsibilities after termination or change of employment (A.6.5)
  • Confidentiality or non-disclosure agreements (A.6.6)
  • Remote working (A.6.7)
  • Information security event reporting (A.6.8)

Physical Controls · 14 controls · A.7
  • Physical security perimeters + entry (A.7.1–.2)
  • Securing offices, rooms, and facilities (A.7.3)
  • Physical security monitoring, NEW (A.7.4)
  • Protection against physical and environmental threats (A.7.5)
  • Working in secure areas (A.7.6)
  • Clear desk and clear screen (A.7.7)
  • Equipment siting, maintenance, and disposal (A.7.8–.14)

Technological Controls · 34 controls · A.8
  • User endpoint devices + privileged access rights (A.8.1–.2)
  • Information access restriction + access to source code (A.8.3–.4)
  • Secure authentication (A.8.5)
  • Capacity management (A.8.6)
  • Protection against malware (A.8.7)
  • Management of technical vulnerabilities (A.8.8)
  • Configuration management, NEW (A.8.9)
  • Information deletion + data masking + DLP, all NEW (A.8.10–.12)
  • Information backup + redundancy (A.8.13–.14)
  • Logging + monitoring activities, partially NEW (A.8.15–.16)
  • Clock synchronization + use of privileged utility programs (A.8.17–.18)
  • Software installation + network controls (A.8.19–.22)
  • Web filtering, NEW (A.8.23)
  • Cryptography (A.8.24)
  • Secure development lifecycle + secure coding, NEW (A.8.25–.28)
  • Security testing in dev + acceptance + outsourced (A.8.29–.30)
  • Separation of dev/test/prod + change management (A.8.31–.32)
  • Test info + protection of info during audit testing (A.8.33–.34)
Plus the editable SoA Excel + cross-mapping reference

Excel SoA template with all 93 controls pre-listed (Included/Excluded + justification columns). PDF appendix includes cross-mapping to SOC 2 Trust Services Criteria, HIPAA Security Rule §164.308–.312, GDPR Article 32, NIST CSF 2.0, and NIST 800-53 Rev 5. 28 pages total.

Download
Get the checklist + SoA

3 fields. Inbox in 30 seconds. PDF + Excel.


Past the checklist stage? See how the platform automates ISO 27001 · SOC 2 + ISO 27001 dual program

FAQ

Common questions, answered up front.

What’s in the checklist + SoA, what changed from :2013, the Oct 31 2025 deadline, how it differs from an internal audit, cross-mapping, and what happens to your email.

What's actually in the checklist?
All 93 Annex A controls from ISO 27001:2022, organized by the four themes, Organizational (37 controls under A.5), People (8 under A.6), Physical (14 under A.7), Technological (34 under A.8). Each control entry includes the official ID, the title, a one-line implementation prompt, and a Statement of Applicability column (Included/Excluded + justification) so the same row that captures readiness becomes the source row for your SoA. The PDF is 28 pages including cover, the 4-theme summary, the 11 new-controls deep dive, the SoA primer, and a stage 2 audit-prep section. The accompanying Excel SoA template repeats the 93 controls in editable form.
What changed from ISO 27001:2013 to :2022?
Three big shifts. (1) The control count dropped from 114 to 93; 24 of the new controls each merge 2 or 3 of the old ones. (2) The structure changed from 14 domains to 4 themes (Organizational/People/Physical/Technological), aligning to ISO 27002:2022. (3) 11 controls are net new: threat intelligence (A.5.7), cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). The checklist marks each of the 11 with implementation guidance so existing :2013 programs can prioritize the gap.
My ISO 27001:2013 cert expired October 31, 2025. What do I do now?
You're not alone; UKAS, ANAB, and the other accreditation bodies confirmed the transition deadline was firm. To regain certified status you need a new stage 1 + stage 2 audit against ISO 27001:2022. Most certification bodies will pick up the recertification rather than restart fresh, but you'll need an updated SoA, a gap analysis against the 11 new controls, and evidence of the merged-control restructuring. The checklist's SoA template is structured exactly the way most CB auditors expect to see it.
How is this different from a full ISO 27001 internal audit?
An internal audit (per Clause 9.2) is the formal documented audit of your ISMS at planned intervals against your defined audit programme. This checklist is the readiness diagnostic that tells you whether you're ready to commission that internal audit, and whether your existing program would survive a Stage 2 certification audit. Many teams use the checklist as the pre-flight before scheduling the certification body, then the Excel SoA becomes the artifact the CB auditor reviews.
Does the SoA template work for SOC 2 + HIPAA + GDPR cross-mapping?
The SoA template ships with ISO 27001:2022 control numbering as the spine. The PDF appendix includes the cross-mapping reference for the most common adjacent frameworks: SOC 2 Trust Services Criteria, HIPAA Security Rule §164.308–.312, GDPR Article 32, NIST CSF 2.0 functions, and NIST 800-53 Rev 5 control families. If you outgrow the spreadsheet, the platform automates the cross-mapping so a single control implementation scores against multiple regimes.
Who built it, is it actually from an ISO 27001 lead auditor?
Yes. Built by RiskWatch's compliance team, drawing on the same controls library and stage 2 audit-prep work we use with SaaS, healthcare, financial-services, and MSP customers running our compliance platform. The checklist mirrors the question library inside the platform, so if you outgrow the PDF, your work translates directly.
Will you sell my email or call me 17 times?
No. We send the checklist + SoA template immediately. We add you to a low-frequency newsletter (one email per month, ISO 27001:2022 and adjacent-framework updates). One-click unsubscribe. We don't sell or share your email; see the privacy policy linked in the footer.
What if I'd rather see the platform automate the SoA + audit cycle?
If you're past the checklist stage and ready to operationalize: the platform runs continuous ISO 27001:2022 + ISO 27002:2022 + cross-framework scoring across every system in scope, with SoA generation and stage-2-audit-binder export built in. Start a 30-day free trial (no credit card) or book a 30-minute walkthrough, both available without leaving this page.
Last chance · still 3 fields

Send me the 93-control checklist + SoA template.

28-page PDF + editable Excel SoA · stage-2-audit-ready · no credit card · no sales call
