nexalign

Decision guide · Compliance

ISO 27001:2022 recertification: a structured migration and renewal guide

ISO 27001:2022 recertification rarely fails on the technology. It fails because the 11 new controls (Threat Intelligence, Cloud Services, DLP, Monitoring, Secure Coding, Data Masking, Web Filtering, Configuration Management, ICT Readiness, Information Deletion, Physical Security Monitoring) are decided in silos and show up as patchwork in the audit. The clean structure: per new control, one documented decision with evidence, SoA entry, risk-treatment plan and proof of effectiveness. The audit then becomes a presentation, not a surprise.

TL;DR

The 11 new 2022 controls are the recertification truth. Decide each one separately and document it.

Who owns this decision

ISMS officer as owner, CISO as approver, IT-Ops, Data Protection Officer, Legal and business units as contributors.

Key criteria to weight

  • Gap analysis against the 11 new controls

    Threat Intelligence, Cloud, DLP, Monitoring, Secure Coding etc. Per control: present, partial, missing — that is the work list.

  • Statement of Applicability (SoA)

    Each of the 93 controls in the 2022 version needs a documented applicability decision with rationale.

  • Risk treatment plan

    Re-map risks against the new control structure, name actions, owners and dates.

  • Demonstrable effectiveness

    The audit checks effectiveness, not documents. Plan evidence chains per control before the auditor arrives.

  • Integration with NIS2 / DORA / AI Act

    The management-system structure (Clauses 4 to 10) becomes the carrier structure for other regulations. Avoid double work.

  • Audit cycle and deadlines

    Recertification every 3 years, surveillance audits annually. Plan so that gap closure is visible before the surveillance audit.

Step-by-step decision flow

  1. Delta-mapping 2013 → 2022

    Re-map existing control evidence onto the 2022 structure. What stays, what is consolidated, what is new.

  2. Gap analysis against the 11 new controls

    Per new control: is the topic technically implemented? Is it documented as a process? Is there a policy? Is there evidence from the past year?

  3. Update SoA and risk treatment

    Walk through 93 controls, justify applicability, document deviations. Move the risk-treatment plan onto the 2022 structure.

  4. Update policies and procedures

    Information-security policy, cloud policy, threat-intelligence process, DLP policy, monitoring concept, configuration management.

  5. Internal audit and corrective actions

    Run the internal audit with a fresh 2022 checklist. Treat findings as corrective cases, not as an open issues list.

  6. Prepare for the recertification audit

    Anticipate auditor questions, structure the evidence folder, brief interview partners. The audit is a moderated presentation, not a blind check.
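
The per-control questions from step 2 and the "present, partial, missing" work list from the key criteria can be kept honest with a small register check. The script below is an added example, not tooling from this guide or from any vendor named on it: it walks the 11 new controls, applies the four step-2 questions plus the SoA and risk-treatment checks from step 3, and ranks the result so that missing controls surface first. The control identifiers beyond the three the guide names (A.5.7, A.5.23, A.8.16) are taken from the standard's Annex A; the 365-day evidence window, the word-count threshold used to flag a generic SoA rationale, the assessment date and the sample register entries are constructed assumptions for the example.

```python
# Added example (not from the original guide): gap-analysis work list for the
# 11 controls new in ISO 27001:2022, using the per-control questions from the
# decision flow. Thresholds, assessment date and sample records are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Control IDs beyond A.5.7, A.5.23 and A.8.16 are from the standard's Annex A.
NEW_CONTROLS = {
    "A.5.7": "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.5.30": "ICT readiness for business continuity",
    "A.7.4": "Physical security monitoring",
    "A.8.9": "Configuration management",
    "A.8.10": "Information deletion",
    "A.8.11": "Data masking",
    "A.8.12": "Data leakage prevention",
    "A.8.16": "Monitoring activities",
    "A.8.23": "Web filtering",
    "A.8.28": "Secure coding",
}

MAX_EVIDENCE_AGE_DAYS = 365   # "evidence from the past year" (step 2); assumed window
MIN_RATIONALE_WORDS = 8       # assumed threshold below which an SoA rationale counts as generic
STATUS_ORDER = {"missing": 0, "partial": 1, "present": 2}


@dataclass
class ControlRecord:
    """One register entry per control; defaults describe a control with nothing in place."""
    control_id: str
    implemented: bool = False           # step 2: technically implemented?
    process_documented: bool = False    # step 2: documented as a process?
    policy_exists: bool = False         # step 2: is there a policy?
    soa_decision: str = ""              # step 3: "applicable", "excluded" or "" (undecided)
    soa_rationale: str = ""             # step 3: specific justification, not boilerplate
    treatment_owner: str = ""           # step 3: named owner of the risk-treatment action
    treatment_due: Optional[date] = None
    evidence_dates: list = field(default_factory=list)  # dates of collected evidence items


def assess_control(rec: ControlRecord, today: date):
    """Return (status, findings) for one control: status is present/partial/missing."""
    findings = []
    fresh = [d for d in rec.evidence_dates if 0 <= (today - d).days <= MAX_EVIDENCE_AGE_DAYS]
    implementation = [
        (rec.implemented, "not technically implemented"),
        (rec.process_documented, "process not documented"),
        (rec.policy_exists, "no policy"),
        (bool(fresh), "no evidence from the past year"),
    ]
    findings += [msg for ok, msg in implementation if not ok]
    if rec.soa_decision not in ("applicable", "excluded"):
        findings.append("SoA decision missing")
    elif len(rec.soa_rationale.split()) < MIN_RATIONALE_WORDS:
        findings.append("SoA rationale too generic")
    if rec.soa_decision == "applicable":        # applicable controls need a treatment action
        if not rec.treatment_owner:
            findings.append("risk-treatment owner missing")
        if rec.treatment_due is None:
            findings.append("risk-treatment due date missing")
        elif rec.treatment_due < today:
            findings.append("risk-treatment action overdue")
    satisfied = sum(ok for ok, _ in implementation)
    status = "present" if not findings else ("missing" if satisfied == 0 else "partial")
    return status, findings


def build_work_list(records, today: date):
    """Assess all 11 new controls; a control absent from the register counts as missing."""
    by_id = {r.control_id: r for r in records}
    rows = []
    for cid, title in NEW_CONTROLS.items():
        status, findings = assess_control(by_id.get(cid, ControlRecord(cid)), today)
        rows.append({"control_id": cid, "title": title, "status": status, "findings": findings})
    rows.sort(key=lambda r: (STATUS_ORDER[r["status"]], r["control_id"]))
    return rows


def summarise(rows):
    counts = {"missing": 0, "partial": 0, "present": 0}
    for r in rows:
        counts[r["status"]] += 1
    return counts


# Constructed sample register: one complete control, two partial ones, the rest absent.
ASSESSMENT_DATE = date(2026, 6, 1)
SAMPLE_RECORDS = [
    ControlRecord("A.8.28", implemented=True, process_documented=True, policy_exists=True,
                  soa_decision="applicable",
                  soa_rationale="In-house development of the customer-facing platform; "
                                "coding standard and mandatory review gate in place.",
                  treatment_owner="Head of Engineering", treatment_due=date(2026, 9, 30),
                  evidence_dates=[ASSESSMENT_DATE - timedelta(days=30)]),
    ControlRecord("A.5.7", implemented=True, soa_decision="applicable", soa_rationale="Applicable.",
                  evidence_dates=[ASSESSMENT_DATE - timedelta(days=400)]),   # stale evidence
    ControlRecord("A.8.16", implemented=True, process_documented=True, policy_exists=True,
                  evidence_dates=[ASSESSMENT_DATE - timedelta(days=90)]),    # SoA undecided
]

if __name__ == "__main__":
    work_list = build_work_list(SAMPLE_RECORDS, ASSESSMENT_DATE)
    for row in work_list:
        print(f"{row['control_id']:<7} {row['status']:<8} {row['title']}")
        for finding in row["findings"]:
            print("        -", finding)
    print(summarise(work_list))
```

Run against a real register, the output is the step-2 work list and, at the same time, the list of SoA and risk-treatment gaps the internal audit in step 5 would otherwise find; rerunning it before each surveillance audit shows whether evidence has aged past the window.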

Vendor market structure

Structural comparison of the relevant ISMS/compliance tools for ISO 27001:2022 certification in the DACH mid-market.

Vendor | ISO 27001:2022 mapping | German localisation | Audit preparation | Price from | Cloud/On-Prem | BSI IT-Grundschutz
Drata | Native ISO 27001:2022 framework | Primarily English, limited DE content | Auditor marketplace incl. DACH | from approx. 7,500 USD/year | Cloud-only | No native BSI mapping
Vanta | Native ISO 27001:2022 framework | Primarily English, limited DE content | Auditor network in DE growing | from approx. 8,000 EUR/year | Cloud-only | No native BSI mapping
Secfix | Native ISO 27001:2022 with DE focus | Fully German, DACH-focused | DACH auditor network integrated | on request | Cloud-only | BSI mapping can be added
verinice | ISO 27001:2022 catalogue available | Fully German | Manual, no automation | Open source plus Pro edition (on request) | On-prem or hosted | Native BSI IT-Grundschutz support
DocSetMinder | ISO 27001:2022 supported | Fully German | Audit module integrated | on request | On-prem | Native BSI IT-Grundschutz support
ISMS-Tool by Fox & Co. | ISO 27001:2022 covered | Fully German | Audit module integrated | on request | On-prem or hosted | Native BSI IT-Grundschutz mapping
HiScout GRC Suite | ISO 27001:2022 supported | Fully German | Audit and risk modules | on request | On-prem or hosted | Native BSI IT-Grundschutz mapping

As of 2026-04. Based on publicly available vendor information. Own validation via a DecisionOS profile is recommended.

Anonymised memo excerpt

SaaS provider, 220 employees, existing ISO 27001:2013 certificate, next audit Q4 2026

Readiness score

75

Trigger
Recertification must be conducted against the 2022 version. The 11 new controls require separate evidence chains.
Top criteria (weights)
  • Mapping depth against the 11 new controls (20%)
  • SoA update and depth of justification (20%)
  • Risk-treatment plan on the 2022 structure (15%)
  • Internal audit with 2022 checklist (15%)
  • Demonstrable effectiveness (evidence) (15%)
  • Integration with DORA / NIS2 / AI Act (15%)
Shortlist
  • Drata with DACH auditor
  • Vanta with DACH auditor
  • Standalone DocSetMinder plus internal ISMS officer
Decision
Drata for compliance automation, in-house ISMS officer for SoA justifications, internal audit with an external two-person team.
Rationale
Drata reduces evidence collection by an estimated 60% compared with manual maintenance. Vanta's auditor coverage in DACH is still too thin. DocSetMinder is very strong but too staff-intensive for a 220-person SaaS company. The hybrid approach balances automation and depth of justification.
Residual risks
  • Drata's mapping for A.5.7 Threat Intelligence must be supplemented with our own sources
  • Effectiveness evidence for A.8.16 Monitoring is only valid after 6 months of operations

Compliance note

ISO 27001:2022 is the foundation for evidence under NIS2 Art. 21, DORA Art. 6 ff. and the AI Act (Art. 9 risk management). A clean migration to 2022 substantially reduces the effort for the other regulations. The new controls on Cloud (A.5.23), Threat Intelligence (A.5.7) and Monitoring (A.8.16) directly mirror NIS2 requirements.

Common pitfalls

  • Treating the 11 new controls as a documentation exercise instead of a real implementation.
  • Keeping SoA justifications generic — auditors ask specifically.
  • Not switching the risk-treatment plan to the 2022 control structure.
  • Running the internal audit with a 2013 checklist and being caught in the external audit.
  • Treating Threat Intelligence and Monitoring as a tool purchase instead of a process decision.

FAQ

Do I have to migrate from ISO 27001:2013 to :2022?

Yes, mandatory. The transition deadline for existing certificates ended on 31 October 2025. Every recertification from 2026 onwards runs against the 2022 version. Anyone still on a :2013 certificate must move to :2022 at the next audit cycle.

What is the difference between ISO 27001:2013 and :2022?

Instead of 114 controls in 14 domains, there are 93 controls in 4 themes (Organisational, People, Physical, Technological). 11 controls are new (Threat Intelligence, Cloud Services, ICT Readiness for Business Continuity, Data Masking, DLP, Monitoring Activities, Web Filtering, Secure Coding, Configuration Management and others). The fundamental management-system structure (Clauses 4 to 10) stays unchanged.

How long does an ISO 27001:2022 recertification take?

A structured recertification project takes 6 to 9 months: gap analysis against the 11 new controls (4 weeks), update of SoA and risk treatment (6 to 8 weeks), policy updates (parallel), internal audit cycle (2 to 4 weeks), external audit through the certifier. The documented decision per new control is the time-critical path.