
Cybersecurity Briefing — July 6, 2025

With the ISO/IEC 27001:2022 transition window closing on 31 October 2025 (the end date set by IAF MD 26, three years after the 2022 edition was published), leadership teams must evidence risk governance, control ownership, and certification-ready documentation across Annex A controls, reporting, and supplier oversight.

[Figure: timeline of source publication cadence, sized by credibility; 3 publication timestamps support this briefing.]

Deadline context and governance expectations

Under IAF MD 26, all ISO/IEC 27001:2013 certificates expire or are withdrawn by 31 October 2025, so any organisation that has not completed its transition audit to the 2022 edition risks a certificate lapse and board-level accountability concerns. Management systems must therefore demonstrate that governance structures, risk management processes, and integrated assurance frameworks meet the requirements of clauses 4 to 10 (organisational context, leadership, planning, support, operation, performance evaluation, and improvement) in the Annex SL harmonised structure. Boards should review transition dashboards monthly, confirm that executive sponsors and the Information Security Management System (ISMS) steering committee have documented responsibilities, and ensure that minutes evidence challenge on risk appetite, resource adequacy, and cross-functional dependencies.

The governance framework must incorporate explicit links to corporate risk management, privacy, operational resilience, and third-party oversight committees. Evidence packs should include updated risk appetite statements referencing information security and resilience, board-approved transition plans, and summaries of audit committee oversight. Senior leadership should provide an accountability matrix mapping ISO clauses to control owners, assurance providers, and escalation contacts. Regulators, customers, and partners will expect to see documented decision-making that shows risk-informed prioritisation of control remediation, particularly for controls tied to critical infrastructure, safety, or personal data processing.

Transition planning and documentation control

Transition projects should maintain a structured plan that covers gap assessment, control redesign, implementation, training, and certification logistics. Boards should require evidence of a baselined project schedule, critical path milestones, and dependency logs for technology upgrades, policy refreshes, and supplier attestations. Document control is central: organisations must update their document management procedures to meet clause 7.5 expectations, including document approval, review frequency, version labelling, distribution controls, and retention schedules. Evidence packs must show audit trails for policy revisions, change histories, and access permissions.

Gap assessments need to reference the 2022 Annex A control set, showing how each control was evaluated against existing practices, identified deficiencies, and remediation actions. Governance forums should maintain heat maps highlighting high-priority control gaps, risk ratings, remediation owners, and target dates. Internal audit or independent reviewers should validate the completeness of gap assessments and maintain working papers demonstrating sampling, evidence sources, and conclusions. Boards should demand summary reports showing the closure rate of remediation actions, residual risks, and compensating controls in place until full remediation is achieved.

Risk assessment and treatment updates

Clause 6 requires organisations to revisit their information security risk assessment and treatment methodologies. Governance documentation should include updated risk assessment procedures, criteria for risk evaluation, and evidence that assessments are performed at planned intervals or when significant changes occur. Risk registers must be refreshed to align with the 2022 control taxonomy, including new controls for threat intelligence, physical security monitoring, and cloud services. Boards should review aggregated risk views that map inherent risk, control effectiveness, residual risk, and treatment plans. Evidence packs should feature sample completed risk assessments, approval records from risk owners, and tracking of risk acceptance decisions with rationale and expiry dates.

Risk treatment plans must highlight how new or updated controls mitigate identified risks, reference implementation evidence, and define monitoring metrics. Where risks are transferred to third parties or insured, governance packs must show contractual provisions, service-level agreements, and insurer obligations. Organisations should maintain a consolidated risk treatment register linking to change tickets, project plans, and testing results. Boards need to confirm that risk acceptance thresholds align with corporate appetite and that exception processes include defined review cycles and escalation triggers.

Annex A control implementation focus

The 2022 revision introduces eleven new controls, consolidates 57 of the 2013 controls into 24, and regroups the resulting 93 controls into four themes (organisational, people, physical, technological), so existing Statements of Applicability must be remapped and tangible implementation evidence produced for each control. Boards should request detailed control narratives covering design intent, operating procedures, automation coverage, and assurance routines. Priority areas include:

  • Threat intelligence (5.7): Maintain documented processes for collecting, analysing, and disseminating threat intelligence, with evidence of integration into risk assessments, incident response playbooks, and change management decisions.
  • Information security for use of cloud services (5.23): Provide governance documents showing cloud service inventory, risk assessments, contractual clauses, monitoring dashboards, and incident escalation flows.
  • ICT readiness for business continuity (5.30): Demonstrate alignment between ISMS controls and broader business continuity/resilience frameworks, including documented recovery objectives, scenario test reports, and stakeholder communications plans.
  • Physical security monitoring (7.4): Evidence integration of access control logs, CCTV analytics, and building management systems into security operations centre workflows with defined retention and review cycles.
  • Configuration management (8.9): Show policy updates, baseline documentation, change control integration, and automated monitoring of configuration drift.
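As an added illustration of what "automated monitoring of configuration drift" under control 8.9 can look like in practice (example code written for this briefing, not taken from any cited source or standard), the check below compares a host's current configuration files against a change-controlled baseline. File hashes catch any change at all, while a list of required settings separates material drift (a hardening value reverted) from cosmetic edits, which is the distinction an auditor sampling 8.9 evidence will ask about. The paths, file contents and required values are constructed for the example and are not taken from a real host.

```python
"""Configuration drift check against a change-controlled baseline (added example)."""
import hashlib
from typing import Dict, List

# Constructed sample: the approved baseline for a bastion host, as the change
# control record would capture it. Paths and contents are assumptions.
BASELINE_FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": (
        "Port 22\nPermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"
    ),
    "/etc/audit/auditd.conf": "max_log_file_action = ROTATE\nspace_left_action = EMAIL\n",
}

# Settings that must hold whatever else changes in the file (path -> key -> value).
# These are the hardening decisions the risk treatment plan signed off.
REQUIRED_SETTINGS: Dict[str, Dict[str, str]] = {
    "/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# Constructed "current state" with three kinds of drift: a reverted hardening
# value, and an unexpected drop-in file that raises the SSH log level.
CURRENT_FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": (
        "Port 22\nPermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding no\n"
    ),
    "/etc/audit/auditd.conf": "max_log_file_action = ROTATE\nspace_left_action = EMAIL\n",
    "/etc/ssh/sshd_config.d/99-debug.conf": "LogLevel DEBUG3\n",
}


def sha256_hex(text: str) -> str:
    """Content hash recorded in the baseline manifest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files: Dict[str, str]) -> Dict[str, str]:
    """Path -> SHA-256 of approved content; this is what the change ticket stores."""
    return {path: sha256_hex(content) for path, content in files.items()}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'Key value' (sshd style) or 'key = value' lines; '#' starts a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            key, _, value = line.partition(" ")
        settings[key.strip()] = value.strip()
    return settings


def check_drift(
    manifest: Dict[str, str],
    required: Dict[str, Dict[str, str]],
    current: Dict[str, str],
) -> List[str]:
    """Return one finding per deviation from the baseline; empty list means no drift.

    MODIFIED/MISSING/UNEXPECTED come from the hash manifest (any change at all);
    SETTING findings come from the required-values list (material hardening drift).
    """
    findings: List[str] = []
    for path, expected in manifest.items():
        if path not in current:
            findings.append(f"MISSING {path}")
        elif sha256_hex(current[path]) != expected:
            findings.append(f"MODIFIED {path}")
    for path in current:
        if path not in manifest:
            findings.append(f"UNEXPECTED {path}")
    for path, wanted in required.items():
        actual = parse_settings(current.get(path, ""))
        for key, want in wanted.items():
            got = actual.get(key)
            if got != want:
                findings.append(f"SETTING {path}: {key}={got!r} (required {want!r})")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    for finding in check_drift(manifest, REQUIRED_SETTINGS, CURRENT_FILES):
        print(finding)
```

In a real deployment the manifest is generated from the approved baseline at change-approval time and stored with the change ticket, and the check runs on a schedule with its output attached to the ticket or raised as an incident; a SETTING finding is the one that should page someone, while a MODIFIED finding without a SETTING finding is a candidate for review at the next change board.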

Each control should have associated key performance indicators, monitoring routines, and sample evidence such as screenshots, tickets, or log extracts. Audit committees should ensure that second-line compliance reviews and internal audit engagements are scheduled for high-risk controls before certification to validate operating effectiveness.

Evidence management and audit readiness

Certification auditors will review policies, procedures, records, and evidence of control operation. Organisations need an organised evidence library—often a secure collaboration site—structured by clauses and controls. Each evidence item should include metadata: control reference, description, owner, effective date, last review, and storage location. Governance teams must run mock audits to test evidence accessibility, confirm that staff can explain processes, and ensure that any redactions comply with confidentiality obligations. Boards should receive reports summarising mock audit findings, remediation actions, and readiness status by organisational unit.

Internal audit should conduct an end-to-end readiness assessment that mirrors the certification process, covering Stage 1 document review and Stage 2 implementation testing. Working papers must document sampling approaches, interviews, and evidence evaluated. Reports should outline findings, root causes, corrective actions, and deadlines. Management must track closure of findings and provide evidence of verification. Boards should verify that corrective action logs include preventative measures and lessons learned, not merely fixes.

Training, awareness, and cultural embedding

The 2022 standard keeps the leadership (clause 5) and awareness (clause 7.3) requirements, and its new and regrouped controls change what staff need to know. Organisations must update training programmes to reflect new controls, threat trends, and governance expectations. Evidence packs should contain training curricula, attendance records segmented by role, assessment results, and follow-up communications. Boards should review metrics on security awareness (e.g., phishing simulation outcomes, incident reporting volumes) and ensure that lessons learned feed into continuous improvement cycles. Leadership communications should reinforce the strategic importance of the ISMS, highlight progress, and set expectations for behaviour.

HR and legal teams must coordinate on disciplinary procedures, onboarding/offboarding controls, and role-based access management. Governance packs should demonstrate integration between ISMS requirements and human resources policies, with documented controls for background checks, contractual clauses, and confidentiality obligations. Cultural indicators—such as speak-up hotline usage or control incident themes—should be monitored and reported to the board.

Supplier and third-party assurance

Annex A control 5.19 (information security in supplier relationships), together with 5.20 (supplier agreements) and 5.22 (monitoring, review and change management of supplier services), sets the expectations for supplier security. Organisations need a supplier governance framework that includes due diligence, contractual requirements, ongoing monitoring, and incident response coordination. Evidence should show supplier inventories, criticality ratings, data classification impacts, and resilience assessments. Boards should review dashboards summarising supplier assurance status, overdue actions, and high-risk relationships. Procurement and legal teams must confirm that contracts include updated security clauses, audit rights, breach notification requirements, and termination provisions. Where suppliers provide critical cloud or managed security services, organisations must maintain assurance reports (e.g., SOC 2 reports, ISO/IEC 27001 certificates), penetration test summaries, and remediation evidence.

Third-party incidents should trigger lessons-learned reviews that feed back into risk assessments and treatment plans. Boards should ensure there are escalation procedures for notifying regulators, customers, and partners in line with contractual and legal obligations. Evidence packs must also cover subcontractor oversight under control 5.21 (managing information security in the ICT supply chain), including attestation chains and flow-down requirements.

Performance evaluation, metrics, and management review

Clause 9 requires ongoing monitoring, measurement, analysis, and evaluation of the ISMS. Organisations should define key metrics—incident rates, detection times, patching timeliness, access review completion, training effectiveness—and maintain dashboards with trend analyses. Management reviews must occur at planned intervals, with agendas covering policy changes, objectives, performance metrics, risk assessments, audit results, nonconformities, corrective actions, and opportunities for improvement. Evidence should include signed management review minutes, action trackers, and updates provided to the board or relevant committees.

Nonconformity and corrective action processes (clause 10) must demonstrate root-cause analysis, action planning, verification, and effectiveness reviews. Boards should confirm that lessons learned are captured and integrated into strategic planning, technology roadmaps, and investment decisions. Continuous improvement logs should map to budget allocations, resource plans, and capability development initiatives.

Certification logistics and stakeholder communication

As the deadline approaches, organisations must lock in audit dates, confirm auditor availability, and ensure that scope statements reflect organisational changes. Governance packs should include certification contracts, scope diagrams, audit plans, and logistical arrangements for onsite or virtual fieldwork. Communications teams must prepare stakeholder messaging that explains the transition status, expected outcomes, and contingency plans if issues arise. Regulators and key customers may request readiness updates; boards should oversee response protocols, briefing materials, and disclosure approvals.

After certification, organisations should plan for post-transition reviews to evaluate performance, update risk registers, and refine governance structures. Evidence of lessons learned, improvements identified, and investment priorities will be critical to sustaining certification and demonstrating continual improvement. Boards that maintain disciplined oversight, comprehensive evidence packs, and transparent reporting will be able to show stakeholders that the ISMS remains robust, compliant, and resilient under the 2022 standard.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]
