ISO 27001 · March 20, 2026 · 10 min read

ISO 27001:2022 for MSPs: A Practical Implementation Guide

The 2022 revision of ISO 27001 added 11 new controls and reorganized the Annex A structure. This guide walks MSPs through the delta from the 2013 standard, the Statement of Applicability process, and how automated control monitoring reduces certification prep time.

ISO 27001:2022 replaced the 2013 version of the standard and restructured Annex A: 11 new controls were added, and the control set was reorganized from 14 domains and 114 controls into 4 themes and 93 controls. Most of that reduction comes from consolidation rather than removal: 57 of the 2013 controls were merged into 24. For MSPs pursuing certification or helping clients achieve it, understanding the delta is essential for efficient implementation.

What Changed from ISO 27001:2013

Annex A Restructuring

The 2022 revision reorganized Annex A from 14 control domains (A.5 through A.18) into four thematic categories:

  • Organizational controls (37 controls) — policies, roles, responsibilities, and governance
  • People controls (8 controls) — workforce security, training, and disciplinary processes
  • Physical controls (14 controls) — physical security, equipment, and environmental controls
  • Technological controls (34 controls) — technical security measures; seven of the 11 new controls sit here, while the other four are organizational (A.5.7, A.5.23, A.5.30) and physical (A.7.4)

The 11 New Controls

The 2022 revision added 11 new controls that reflect the security landscape since 2013. MSPs should pay particular attention to these, as they represent areas where many organizations have gaps. "New" means new as a standalone control: an organization that already practised configuration management or log monitoring under the 2013 controls may only need to document and evidence it explicitly, but the auditor will now look for each of these by name.

  • A.5.7 Threat intelligence: processes for collecting, analyzing, and acting on threat intelligence
  • A.5.23 Information security for use of cloud services: policies and controls specific to cloud service usage
  • A.5.30 ICT readiness for business continuity: ensuring ICT systems can support business continuity requirements
  • A.7.4 Physical security monitoring: monitoring for unauthorized physical access
  • A.8.9 Configuration management: formal configuration management for hardware, software, and networks
  • A.8.10 Information deletion: secure deletion of information when no longer required
  • A.8.11 Data masking: masking of sensitive data in non-production environments
  • A.8.12 Data leakage prevention: DLP controls to prevent unauthorized data exfiltration
  • A.8.16 Monitoring activities: monitoring of networks, systems, and applications for anomalous behavior
  • A.8.23 Web filtering: controls to manage access to external websites
  • A.8.28 Secure coding: secure development practices for software developed by or for the organization

MSP Relevance

Controls A.5.23 (cloud services), A.8.9 (configuration management), A.8.16 (monitoring), and A.8.12 (data leakage prevention) are directly relevant to MSP service delivery and should be addressed in your Statement of Applicability. Because an MSP typically operates these controls on clients' behalf through RMM tooling, the ISMS scope statement must be explicit about whether client environments, or only the MSP's own delivery platform, are in scope; the answer changes what evidence the auditor will ask for under each of these controls.

The Statement of Applicability (SoA)

The Statement of Applicability is the central document in an ISO 27001 certification. It lists the controls determined necessary to treat the organization's risks (in practice every Annex A control, plus any additional controls you adopt), states whether each is implemented, and gives the justification for inclusion and for exclusion, as clause 6.1.3 requires. For MSPs, the SoA is also a sales document: it demonstrates to clients and prospects the scope and rigor of your security program.

When transitioning from ISO 27001:2013 to 2022, organizations must update their SoA to reflect the new control structure. The correspondence between the 2013 and 2022 controls is published in Annex B of ISO/IEC 27002:2022, not in ISO 27001 itself. Note that the IAF transition deadline for certificates issued against the 2013 edition was 31 October 2025, so any remaining 2013-structured SoA is now out of date.

Common SoA Mistakes

  • Excluding controls without documented justification — every exclusion must be justified
  • Treating the SoA as a one-time document — it must be reviewed and updated when the risk landscape changes
  • Misaligning the SoA with the risk treatment plan — every control included in the SoA should trace back to a risk in the risk register or to a legal, regulatory or contractual obligation, and every control selected in a treatment plan must be marked applicable in the SoA
  • Overly broad applicability statements — 'applicable' should mean the control is actually implemented, not just that it could be

The Risk Assessment Process

ISO 27001 is fundamentally a risk management standard: the controls in Annex A are the treatment options, but the risk assessment is what determines which controls are needed and at what level. The 2022 revision left the clause 6.1 risk assessment and risk treatment requirements essentially unchanged; the notable clause-level addition is 6.3, which requires changes to the ISMS to be planned.

  • Risk identification: identify all information security risks to the organization's information assets
  • Risk analysis: assess the likelihood and impact of each identified risk
  • Risk evaluation: compare risk levels against the organization's risk acceptance criteria
  • Risk treatment: select treatment options (mitigate, accept, transfer, avoid) for each risk above the acceptance threshold
  • Risk treatment plan: document the selected controls, owners, timelines, and residual risk for each treated risk
  • Risk acceptance: formal acceptance of residual risk by authorized management
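The risk process above and the SoA checks from the previous section are two views of the same data, and the traceability failures the "Common SoA Mistakes" list warns about are easy to catch mechanically. The following is an added example, not code from the original article or from SynoGuard: a small risk register evaluated against a constructed acceptance criterion (likelihood × impact on 1..5 scales, threshold 6), a treatment-plan completeness check, and an SoA linter that flags omitted Annex A controls, unjustified exclusions, "applicable" entries with no implementation, risk-based inclusions that no risk selects, treatment plans that cite excluded controls, and a review date more than a year old. The control IDs follow the Annex A:2022 numbering (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34); all register rows, SoA entries, dates and scoring scales are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# ISO/IEC 27001:2022 Annex A numbering: A.5 organizational (37), A.6 people (8),
# A.7 physical (14), A.8 technological (34): 93 controls in total.
THEME_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ALL_CONTROLS = [f"{t}.{n}" for t, size in THEME_SIZES.items() for n in range(1, size + 1)]
# Constructed acceptance criterion: likelihood x impact (each 1..5) at or below this is accepted.
ACCEPTANCE_THRESHOLD = 6

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"          # mitigate | accept | transfer | avoid
    controls: List[str] = field(default_factory=list)  # Annex A controls applied
    owner: Optional[str] = None
    due: Optional[date] = None
    residual: Optional[int] = None     # likelihood x impact re-scored after treatment
    accepted_by: Optional[str] = None  # management sign-off on residual risk

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

@dataclass
class SoaEntry:
    applicable: bool
    justification: str = ""   # required for inclusion and for exclusion
    implemented: bool = False
    basis: str = ""           # "risk" | "legal" | "contractual"

def evaluate(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[str]:
    """Risk evaluation plus treatment-plan completeness checks; returns findings."""
    findings = []
    for r in register:
        if r.inherent <= threshold:
            continue  # within acceptance criteria: no treatment required
        if r.treatment == "accept" and not r.accepted_by:
            findings.append(f"{r.risk_id}: inherent {r.inherent} > {threshold} accepted without sign-off")
        elif r.treatment == "mitigate":
            if not (r.controls and r.owner and r.due):
                findings.append(f"{r.risk_id}: treatment plan lacks controls, owner or timeline")
            if r.residual is None:
                findings.append(f"{r.risk_id}: residual risk not recorded")
            elif r.residual > threshold and not r.accepted_by:
                findings.append(f"{r.risk_id}: residual {r.residual} > {threshold} not formally accepted")
    return findings

def lint_soa(soa: Dict[str, SoaEntry], register: List[Risk], last_review: date, today: date) -> List[str]:
    """Common SoA mistakes as checks: missing controls, unjustified exclusions,
    'applicable' without implementation, risk-based inclusions no risk selects,
    treatment plans citing excluded controls, and a stale review date."""
    findings = []
    missing = [c for c in ALL_CONTROLS if c not in soa]
    if missing:
        findings.append(f"SoA omits {len(missing)} Annex A control(s): {missing}")
    treated = {c for r in register for c in r.controls}
    for cid, e in soa.items():
        if not e.applicable and not e.justification:
            findings.append(f"{cid}: excluded without justification")
        if e.applicable and not e.implemented:
            findings.append(f"{cid}: marked applicable but not implemented")
        if e.applicable and e.basis == "risk" and cid not in treated:
            findings.append(f"{cid}: included on a risk basis but no risk selects it")
    for cid in sorted(treated):
        if cid in soa and not soa[cid].applicable:
            findings.append(f"{cid}: selected in a treatment plan but excluded in SoA")
    if today - last_review > timedelta(days=365):
        findings.append(f"SoA last reviewed {last_review}, more than a year ago")
    return findings

# Constructed sample data (not a real register or SoA).
REGISTER = [
    Risk("R-01", "Client data exposed via misconfigured cloud storage", 4, 5, "mitigate",
         ["A.5.23", "A.8.9"], "cloud-lead", date(2026, 6, 30), residual=4),
    Risk("R-02", "Engineer exfiltrates client data via personal webmail", 3, 4, "mitigate",
         ["A.8.12", "A.8.16"], "secops", date(2026, 9, 30), residual=8),  # still > threshold
    Risk("R-03", "Loss of a single office printer", 2, 1),                     # within appetite
    Risk("R-04", "Unsupported RMM agent version on client endpoints", 3, 3),  # silently accepted
]

def build_soa() -> Dict[str, SoaEntry]:
    soa = {c: SoaEntry(True, "Required by client MSAs", True, "contractual") for c in ALL_CONTROLS}
    soa["A.5.23"] = SoaEntry(True, "Treats R-01", True, "risk")
    soa["A.8.9"] = SoaEntry(True, "Treats R-01", True, "risk")
    soa["A.8.12"] = SoaEntry(True, "Treats R-02", False, "risk")  # DLP not yet deployed
    soa["A.8.16"] = SoaEntry(False)                                # excluded, no justification
    soa["A.8.23"] = SoaEntry(True, "Web filtering on all endpoints", True, "risk")
    soa["A.8.28"] = SoaEntry(False, "No in-house software development")
    del soa["A.7.4"]  # new 2022 control dropped during the transition
    return soa

def run_checks(today: date = date(2026, 3, 20)):
    return evaluate(REGISTER), lint_soa(build_soa(), REGISTER, date(2024, 11, 1), today)
```

Running `run_checks()` on the constructed data returns two findings from the register (R-02's residual of 8 is still above the threshold with no sign-off, and R-04 is "accepted" with no one accepting it) and six from the SoA (A.7.4 missing, A.8.12 applicable but not implemented, A.8.16 excluded without justification yet cited by R-02's treatment plan, A.8.23 included on a risk basis that nothing in the register supports, and a review date over a year old). Each of these is a question a Stage 2 auditor can ask in about thirty seconds, which is why the SoA and the register should be kept as structured data and checked together, not maintained as two spreadsheets.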

Certification Timeline and Process

ISO 27001 certification involves a two-stage audit by an accredited certification body. Stage 1 is a documentation review — the auditor reviews your ISMS documentation to verify it meets the standard's requirements. Stage 2 is the main audit — the auditor verifies that the documented controls are actually implemented and effective.

  • Typical timeline from project start to certification: 6–18 months depending on organization size and existing security maturity
  • Stage 1 audit: typically 1–2 days for an MSP of 20–100 employees
  • Stage 2 audit: typically 2–5 days depending on scope
  • Surveillance audits: annual audits between certification cycles to verify continued compliance
  • Recertification: full re-audit every three years

How SynoGuard AI Helps

SynoGuard AI maps your RMM and PSA telemetry to ISO 27001:2022 controls continuously. The platform maintains a live compliance posture dashboard showing which controls have evidence of implementation, which have gaps, and which are approaching their review dates — giving you the continuous monitoring evidence that ISO 27001 auditors increasingly expect.

Practical Implementation Roadmap for MSPs

  • Define the ISMS scope: clearly document which systems, processes, and locations are in scope
  • Conduct the initial risk assessment: identify and rate all information security risks
  • Develop the Statement of Applicability: map all 93 controls, justify exclusions
  • Implement the risk treatment plan: address all risks above the acceptance threshold
  • Develop required documentation: policies, procedures, and records required by the standard
  • Conduct internal audit: verify implementation before the external audit
  • Management review: formal management review of the ISMS before certification
  • Select a certification body: choose an accredited body recognized in your target markets

See SynoGuard AI in Action

Turn your RMM and PSA data into continuous, audit-ready compliance. No manual evidence collection.

CONTACT US