TL;DR: ISO 27001:2022 keeps the same ISMS backbone but raises the stakes for organisations that have not completed the 2013-to-2022 migration by 31 October 2025, according to Teleport. The practical issue is not certification paperwork alone, but whether identity, access, and audit evidence can prove control effectiveness under modern cloud and access patterns.
NHIMG editorial — based on content published by Teleport: ISO 27001:2022 Requirements Explained for 2025
By the numbers:
- Organizations certified to ISO 27001:2013 must complete their transition to ISO 27001:2022 by 31 October 2025 to maintain certification.
Questions worth separating out
A: They should start by mapping scope, access ownership, and audit evidence to the controls that actually operate in production.
Q: What breaks when ISO 27001 access controls exist on paper but not in daily operations?
A: The ISMS becomes difficult to defend because auditors test effectiveness, not intent.
Q: How do security teams know whether their ISO 27001 controls are actually working?
A: They should look for evidence that controls produce measurable outcomes, such as timely revocation, complete audit trails, and consistent ownership records.
Practitioner guidance
- Map the ISMS scope to identity control boundaries: define the systems, cloud platforms, and administrative domains that actually generate access risk, then ensure the scope statement matches those boundaries and not just organisational charts.
- Build audit evidence from live identity operations: collect access logs, certificate issuance and revocation records, ownership assignments, and review outcomes in a form that can be reproduced during certification and surveillance audits.
- Tie each Annex A control to a named risk owner: for every selected control, document who owns the control, which risk it addresses, and what operational evidence proves it is working in day-to-day use.
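The guidance above, and the earlier answer about measurable outcomes (timely revocation, complete audit trails, consistent ownership records), can be turned into a repeatable check rather than a narrative. The following is an added example written for this post; it is not code from Teleport's article or from NHIMG, and every record in it is constructed. It assumes a simple control register (Annex A references used only as labels) and a flat list of identity events, and it reports the controls that lack an owner or evidence and the offboarded principals whose access was revoked late or never.

```python
"""Added example (not from the source article): derive ISO 27001 evidence
findings from identity-operation records. All data here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Control:
    control_id: str        # Annex A reference used as a label (assumed numbering)
    risk: str              # the risk this control is selected to address
    owner: Optional[str]   # named risk owner, or None if nobody is recorded
    evidence: List[str]    # evidence artefacts that can be reproduced at audit

@dataclass
class AccessEvent:
    principal: str
    event: str             # "grant", "revoke" or "offboard"
    when: datetime
    system: str

# Constructed control register: one control has no owner, one has no evidence.
SAMPLE_CONTROLS = [
    Control("A.5.18", "orphaned access after role change", "iam-lead",
            ["quarterly-access-review-2025Q1"]),
    Control("A.8.15", "tampered or incomplete audit logs", None,
            ["central-log-retention-report"]),
    Control("A.8.2", "standing privileged access", "platform-lead", []),
]

# Constructed identity events: grants, HR offboarding, and revocations.
T0 = datetime(2025, 3, 1)
SAMPLE_EVENTS = [
    AccessEvent("alice", "grant", T0, "prod-k8s"),
    AccessEvent("alice", "grant", T0, "ci-runner"),
    AccessEvent("alice", "offboard", T0 + timedelta(days=30), "hr"),
    AccessEvent("alice", "revoke", T0 + timedelta(days=31), "prod-k8s"),
    # alice's ci-runner access is never revoked: an audit-trail gap
    AccessEvent("bob", "grant", T0, "prod-db"),
    AccessEvent("bob", "offboard", T0 + timedelta(days=10), "hr"),
    AccessEvent("bob", "revoke", T0 + timedelta(days=40), "prod-db"),  # 30 days late
]

def controls_without_owner_or_evidence(controls: List[Control]) -> List[str]:
    """Controls that cannot be defended at audit: no named owner or no evidence."""
    return [c.control_id for c in controls if c.owner is None or not c.evidence]

def revocation_findings(events: List[AccessEvent], sla_days: int = 2
                        ) -> Dict[Tuple[str, str], Optional[int]]:
    """For each (principal, system) granted to a principal who was later
    offboarded, return the revocation delay in days when it exceeds sla_days,
    or None when no revocation was ever recorded. Timely revocations are omitted."""
    grants = {(e.principal, e.system) for e in events if e.event == "grant"}
    offboard = {e.principal: e.when for e in events if e.event == "offboard"}
    revokes = {(e.principal, e.system): e.when for e in events if e.event == "revoke"}
    findings: Dict[Tuple[str, str], Optional[int]] = {}
    for principal, system in sorted(grants):
        if principal not in offboard:
            continue  # still employed; not an offboarding finding
        revoked_at = revokes.get((principal, system))
        if revoked_at is None:
            findings[(principal, system)] = None
            continue
        delay = (revoked_at - offboard[principal]).days
        if delay > sla_days:
            findings[(principal, system)] = delay
    return findings

if __name__ == "__main__":
    print("controls lacking owner or evidence:",
          controls_without_owner_or_evidence(SAMPLE_CONTROLS))
    for key, delay in revocation_findings(SAMPLE_EVENTS).items():
        status = "never revoked" if delay is None else f"revoked {delay} days after offboarding"
        print(f"{key[0]} on {key[1]}: {status}")
```

The SLA window and the event schema are assumptions; in practice the events would come from the identity provider, certificate authority, and HR feeds named in the scope statement, and the same two functions would run on every review cycle so the findings themselves become the reproducible evidence.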
What's in the full article
Teleport's full blog covers the operational detail this post intentionally leaves for the source:
- Clause-by-clause examples of what auditors expect in each part of the ISMS, including documentation and effectiveness evidence.
- The article's control mapping for Annex A changes in 2022, including where access, monitoring, and configuration controls fit.
- Teleport's examples of how short-lived certificates and centralised access can support ISO 27001 evidence collection.
- The source's own implementation framing for compliance teams that need to move from policy to operational proof.
👉 Read Teleport's guide to ISO 27001:2022 requirements for 2025 →
ISO 27001:2022 in 2025: what IAM teams need to recheck
ISO 27001 compliance now depends on whether identity evidence is operational, not decorative. The standard still asks for scope, leadership, planning, monitoring, and improvement, but auditors care about whether those clauses are backed by living identity controls. That makes access governance and certificate traceability central to certification outcomes, especially in cloud-heavy environments. Practitioners should treat ISMS evidence as an identity data problem as much as a documentation problem.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when ISO 27001 certification is at risk because migration is delayed?
A: Leadership remains accountable because ISO 27001 requires governance, resourcing, and performance oversight, not just technical implementation. The ISMS owner, CISO, and business leaders all need to ensure scope, controls, and evidence are aligned before certification expiry. Delayed migration is therefore a governance failure as much as a technical one.
👉 Read our full editorial: ISO 27001:2022 compliance in 2025 is an identity problem