ISO 27001:2022 Requirements Explained for 2025 – Teleport
ISO/IEC 27001:2022 provides a framework for managing information security using an Information Security Management System (ISMS).
The October 2025 deadline to upgrade from the previous ISO 27001:2013 standard is coming fast, and organizations yet to transition risk losing their certification. Maintaining ISO/IEC 27001 certification is especially relevant for regulated industries, SaaS providers with enterprise customers, and global organizations handling sensitive data.
In this blog, we break down ISO 27001 requirements in 2025, what’s changed from 2013 to 2022, and how Teleport can help simplify ISO compliance and accelerate the journey to new or re-certification.
Understanding ISO 27001 Certification in 2025
The International Standards Organization regularly updates the requirements of ISO 27001 every five years. The most recent edition, ISO 27001:2022, retains the core structure of ISO 27001:2013’s primary management clauses and Annex A controls, with updates to reflect the modern risk landscape.
Organizations have until 31st October 2025 to complete the migration from ISO 27001:2013 to ISO 27001:2022. After this deadline, prior certifications will expire.
Whether you’re pursuing initial certification or upgrading from 2013, you’ll need to define your scope, engage leadership, allocate resources, set measurable objectives, and apply the right controls to meet audit expectations. ISO 27001:2022 formalizes these requirements across 11 main clauses and a refreshed set of Annex A controls.
ISO 27001 Clauses and Audit Requirements
Clauses 0 through 10 comprise the ISO/IEC 27001:2022 standard. However, Clauses 4-10 contain formal certification requirements and are the focus of the audit process. These auditable clauses define how to establish, implement, maintain, and continually improve an ISMS in alignment with ISO 27001 expectations.
This includes:
- Clauses 0-3: An Introduction to ISO 27001:2022
- Clause 4: Context of the Organization
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
Each auditable clause (4-10) is assessed during certification for both documentation and effectiveness. This means clause-by-clause readiness is critical to ensure audit and certification success.
Below, we’ll summarize the key takeaways from each clause, alongside examples of what those clauses can look like in practice.
Clauses 0-3: An Introduction to ISO 27001:2022
These clauses outline the purpose, structure, and terminology of the standard. Clause 0 introduces ISO’s risk-based approach; Clause 1 defines the standard’s scope; Clauses 2 and 3 provide key references and definitions.
While these sections do not outline specific requirements, familiarizing yourself with these introductory clauses is highly recommended for those new to ISO 27001, or for those simply looking for a refresher on the standard.
For the purposes of this blog, we will skip the first three clauses and jump to Clause 4.
Clause 4: Context of the Organization
Clause 4 requires defining the scope of your ISMS and identifying internal and external factors that influence your organization’s information security. This includes applicable laws, industry frameworks (like NIST or CIS), contractual obligations, or infrastructure threats.
Clause 4.3 specifically requires a documented “scope of the ISMS” that outlines the systems, people, processes, and geographic locations the ISMS covers. This scope feeds into the Statement of Applicability (SoA), which records which Annex A controls are implemented or excluded, along with the justification for each decision.
Example – Clause 4 in action:
A healthcare company might include HIPAA and data localization laws in its context analysis. A cloud SaaS company might include SOC 2 and customer SLAs. These inputs should reflect both regulatory obligations and business risk drivers, which also feed into Clause 6’s risk planning.
Defining too broad or too narrow a scope can lead to audit challenges or operational blind spots. Aim for clear, justifiable boundaries tied to business function and risk exposure.
Clause 5: Leadership
Clause 5 requires senior leadership to demonstrate accountability for the ISMS. This is achieved by publishing an information security policy (Clause 5.2), assigning roles and responsibilities (Clause 5.3), and embedding the ISMS practices into business operations.
Clause 5.3 connects directly to Annex A control A.5.1 (Information Security Policies), requiring that these documents be maintained, communicated, and regularly reviewed.
Example – Clause 5 in action:
The CISO signs the information security policy, the CTO is designated as the ISMS owner, and business unit leads are assigned responsibility for reviewing access to systems in their domains. Evidence of this can include org charts, role descriptions, and meeting records.
Auditors will often request proof that leadership has not only approved policies, but actively participates in review cycles and corrective actions.
Clause 6: Planning
Clause 6 focuses on identifying risks and opportunities, setting measurable objectives, and establishing formal risk treatment plans.
Clause 6.1.2 requires a formal risk assessment process with criteria for evaluating likelihood and impact. Clause 6.1.3 then requires a documented risk treatment plan to specify which controls from Annex A will be used to mitigate identified risks, along with a justification for each choice.
Clause 6.2 requires defining measurable security objectives. An example objective could be: “Reduce the mean time to revoke access after a role change to under two hours by Q3.” This can be tracked and verified through audit logs and system integration reports.
Example – Clause 6 in action:
If a company identifies standing SSH access as a risk, it may select control A.8.2 (Privileged Access Rights) and document this in the risk treatment plan and SoA.
Audit success depends not only on defining objectives but showing ongoing measurement and outcomes tied to them.
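The Clause 6.2 objective above (“reduce the mean time to revoke access after a role change to under two hours”) only counts toward certification if it is actually measured. The following is an added example, not Teleport code and not part of the original post, showing how that measurement can be computed from audit events. The JSON-lines event schema (`event`, `user`, `time`, `old_role`/`role`) and the sample events are constructed for illustration; it pairs each role change with the next revocation of the old role, and treats a role change that never saw a revocation as a finding in its own right rather than silently dropping it.

```python
"""Measure the Clause 6.2 objective "mean time to revoke access after a role
change is under two hours" from audit log events.

Added example for this blog post; not Teleport's code. The event schema and
the sample events below are constructed for illustration only.
"""
import json
from datetime import datetime, timedelta

OBJECTIVE = timedelta(hours=2)

# Constructed sample audit events (not real logs). Each role change should be
# followed by revocation of the old role's access within the objective window.
SAMPLE_EVENTS = """\
{"event": "role_change", "user": "alice", "time": "2025-03-03T09:00:00Z", "old_role": "dba"}
{"event": "access_revoked", "user": "alice", "time": "2025-03-03T09:45:00Z", "role": "dba"}
{"event": "role_change", "user": "bob", "time": "2025-03-03T10:00:00Z", "old_role": "sre"}
{"event": "access_revoked", "user": "bob", "time": "2025-03-03T13:30:00Z", "role": "sre"}
{"event": "role_change", "user": "carol", "time": "2025-03-04T08:00:00Z", "old_role": "dev"}
{"event": "access_revoked", "user": "carol", "time": "2025-03-04T08:20:00Z", "role": "dev"}
{"event": "role_change", "user": "dave", "time": "2025-03-05T08:00:00Z", "old_role": "dba"}
"""


def parse_events(text):
    """Parse JSON-lines audit events into dicts with timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def revocation_delays(events):
    """Pair each role_change with the next access_revoked for the same user and
    old role. Returns (delays, unmatched): delays maps (user, role) to a
    timedelta; unmatched lists role changes that never saw a revocation."""
    pending = {}  # (user, role) -> time of the role change
    delays = {}
    for ev in events:
        key = (ev["user"], ev.get("old_role") or ev.get("role"))
        if ev["event"] == "role_change":
            pending[key] = ev["time"]
        elif ev["event"] == "access_revoked" and key in pending:
            delays[key] = ev["time"] - pending.pop(key)
    return delays, sorted(pending)


def evaluate_objective(text, objective=OBJECTIVE):
    """Return the evidence an auditor would ask for: the mean revocation time,
    whether it meets the objective, and every individual case that exceeded it
    or is still open."""
    delays, unmatched = revocation_delays(parse_events(text))
    seconds = [d.total_seconds() for d in delays.values()]
    mean_minutes = (sum(seconds) / len(seconds)) / 60 if seconds else None
    return {
        "mean_minutes": mean_minutes,
        "objective_met": mean_minutes is not None and mean_minutes < objective.total_seconds() / 60,
        "over_objective": sorted(k for k, d in delays.items() if d > objective),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    result = evaluate_objective(SAMPLE_EVENTS)
    print(f"mean time to revoke: {result['mean_minutes']:.1f} min, "
          f"objective met: {result['objective_met']}")
    print("exceeded objective:", result["over_objective"])
    print("no revocation recorded:", result["unmatched"])
```

On the constructed data the mean (about 92 minutes) satisfies the objective, yet one revocation took 3.5 hours and one role change has no revocation at all. Reporting both the aggregate and the exceptions is what turns the metric into usable Clause 9 monitoring evidence rather than a single reassuring number.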
Clause 7: Support
Clause 7 ensures that your ISMS is supported by the right people, training, communications, and documented information. Clause 7.2 focuses on competence, ensuring that staff involved with the ISMS have appropriate training. Clause 7.4 requires a communication strategy for both internal and external parties.
Clause 7.5 also introduces documentation control requirements. All ISMS-related records such as policies, audit logs, risk assessments, and the SoA must be version-controlled, securely stored, and easily retrievable.
Example – Clause 7 in action:
Organizations might maintain training logs showing that engineers completed secure coding and zero trust access management training courses.
Make sure training records are tied to job roles, and that your documentation system supports version history and traceability.
Clause 8: Operation
Clause 8 governs the execution of your ISMS by requiring that risk treatment plans are implemented, monitored, and continually evaluated.
Clause 8.1 calls for operational planning and control. This includes maintaining an up-to-date risk register and documenting how risks are managed, monitored, and reassessed with clear evidence of control implementation. If Annex A controls are used, their implementation must be documented, assigned to owners, and actively monitored.
Example – Clause 8 in action:
If an organization treats the risk of leaked credentials with control A.5.17 (Authentication Information), it must provide logs of certificate issuance, expiration, access revocation, and control ownership to demonstrate effective operational control. These are operational outputs of the ISMS that demonstrate ongoing enforcement and review.
ISO auditors will ask to trace each control back to a specific risk and see evidence of that control functioning in daily operations.
Clause 9: Performance Evaluation
Clause 9 formalizes how ISMS performance must be evaluated through internal audits (9.2), management reviews (9.3), and ongoing monitoring of controls and objectives (9.1). Each activity must be scheduled, repeatable, and backed by documented outputs that demonstrate whether the ISMS is operating as intended.
Auditors will expect to see clear evidence of internal audits and management reviews, with decisions and corrective actions documented for traceability.
Clause 10: Improvement
Clause 10 is about managing nonconformities (10.1) and driving continuous improvement (10.2). When controls fail or are bypassed, the root cause must be analyzed, corrective actions documented and implemented, and results independently verified where possible.
Example – Clause 10 in action:
If an access review reveals a terminated employee still had database access, the organization would log the incident and perform root cause analysis on the HR-to-identity sync process. The improvement action would involve updating the provisioning workflow and validating that access is correctly revoked in future cases.
This improvement cycle links back to Annex A controls such as A.5.24 (Incident Management Planning and Preparation) and A.5.27 (Learning From Security Incidents).
A functioning Clause 10 process is what distinguishes mature ISMS implementations from paper-compliant ones. Auditors will look for a closed-loop corrective action process with detailed evidence of follow-through.
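The Clause 10 scenario above starts with an access review that catches a terminated employee who still holds access. The following is an added example, not Teleport code and not part of the original post, of the reconciliation step that produces that finding: it compares an HR roster against an identity store, flags terminated users whose accounts or group memberships survived, records how long each gap has been open (the input to the root cause analysis of the HR-to-identity sync), and also surfaces accounts with no HR record at all. Both CSV layouts and all sample records are constructed for illustration.

```python
"""Access review for the Clause 10 scenario: reconcile the HR roster against
the identity directory and flag terminated employees who still hold access.

Added example for this blog post; not Teleport's code. The CSV layouts and the
sample records are constructed for illustration only.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed HR roster export (not real data).
HR_ROSTER = """\
employee_id,username,status,termination_date
1001,alice,active,
1002,bob,terminated,2025-02-14
1003,carol,terminated,2025-03-01
1004,dave,active,
"""

# Constructed identity-store export: one row per account, groups separated by ';'.
IDENTITY_STORE = """\
username,groups,enabled
alice,db-admins;sre,true
bob,db-admins,true
carol,developers,false
dave,,true
erin,sre,true
"""


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_text, idp_text, review_date):
    """Return one finding per account that should not exist in its current
    state: a terminated user with an enabled account, a terminated user whose
    account is disabled but still carries group grants, or an account with no
    matching HR record. days_open is the time since termination."""
    hr = {row["username"]: row for row in load_csv(hr_text)}
    findings = []
    for acct in load_csv(idp_text):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = [g for g in acct["groups"].split(";") if g]
        record = hr.get(user)
        if record is None:
            findings.append({"username": user, "finding": "no_hr_record",
                             "groups": groups, "days_open": None})
            continue
        if record["status"] != "terminated":
            continue
        days_open = (review_date - date.fromisoformat(record["termination_date"])).days
        if enabled:
            kind = "terminated_with_access"       # the Clause 10 scenario itself
        elif groups:
            kind = "terminated_lingering_groups"  # disabled, but grants never cleaned up
        else:
            continue                              # fully deprovisioned, nothing to report
        findings.append({"username": user, "finding": kind,
                         "groups": groups, "days_open": days_open})
    return findings


def summarize(findings):
    """Counts per finding type, the figure a management review would track over time."""
    return dict(Counter(f["finding"] for f in findings))


if __name__ == "__main__":
    found = review_access(HR_ROSTER, IDENTITY_STORE, date(2025, 3, 10))
    for f in found:
        print(f"{f['username']:8} {f['finding']:28} groups={f['groups']} "
              f"days_open={f['days_open']}")
    print(summarize(found))
```

The `days_open` value is what makes the finding actionable under Clause 10.1: a gap of 24 days points at a sync that ran but did not revoke, whereas a gap of a day or two points at latency in the provisioning workflow. Re-running the same review after the corrective action, and keeping both outputs, is the follow-through evidence the closing paragraph above says auditors look for.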
Does ISO 27001:2022 Have Control Requirements?
Annex A of ISO/IEC 27001:2022 outlines 93 security controls that organizations can implement as part of their Information Security Management System (ISMS). These controls span four categories: People, Organizational, Technological, and Physical.
While Annex A does not require implementation of all 93 controls, it functions as a reference framework to guide risk treatment planning. Organizations must complete a Statement of Applicability (SoA) to document whether each control is implemented, the rationale behind its inclusion or exclusion, and how each selected control is applied.
In practice, Annex A serves as a structured reference to align technical, operational, and policy-level controls with ISO 27001’s broader risk treatment framework, but it should not be treated as a one-size-fits-all checklist.
What Annex A Controls Are New in ISO 27001:2022?
The 2022 update introduced several new and revised controls to address evolving risks related to cloud-native infrastructure, hybrid workforces, decentralized identity, and increased automation.
Teleport supports alignment with many of the updated controls in ISO 27001:2022, particularly those focused on identity, access, audit, and automation. This is documented in the table below.
| Revised/New ISO 27001:2022 Control | How Teleport Supports Alignment |
|---|---|
| A.5.7 Threat Intelligence | Generates real-time and historical logs exportable to SIEMs for threat correlation and analysis. |
| A.5.23 Information Security for Use of Cloud Services | Centralizes access control across cloud environments (AWS, GCP, Azure, Kubernetes) using short-lived certificates and just-in-time provisioning. |
| A.5.30 ICT Readiness for Business Continuity | Enables secure access and session logging during infrastructure outages to support operational continuity in distributed environments. |
| A.8.9 Configuration Management | Audits and controls access to infrastructure configuration tools such as Terraform, Kubernetes, and CI/CD systems. |
| A.8.12 Data Leakage Prevention | Limits access exposure using time-limited certificates and role-based access to sensitive systems. |
| A.8.16 Monitoring Activities | Enables real-time monitoring of active sessions, including view, pause, and termination capabilities for audit and compliance oversight. |
Simplify ISO 27001:2022 Compliance with Teleport
ISO/IEC 27001 is not mandatory. But for any security-conscious organization, certification can be a major strategic advantage.
Most customers, partners, and regulators expect you to protect sensitive data with clear, auditable controls. ISO 27001 proves that you can, and that your security posture is built to withstand real-world threats. That’s part of the reason Teleport maintains our own ISO certification, assisted through the use of our Infrastructure Identity Platform.
Teleport simplifies ISO 27001:2022 implementation by removing standing access, eliminating static credentials, and unifying access control across environments. No more secrets to manage. No bastion infrastructure to maintain. Just one platform designed to make meeting key identity, access, and audit requirements simple.
Looking to Simplify Compliance Beyond ISO 27001?
Just as we help simplify ISO/IEC 27001 compliance, Teleport also maps to key requirements across standards and regulations like FedRAMP, SOC 2, HIPAA, PCI, NIS2, DORA, and much more.