How we upgraded to ISO 27001:2022 and reaccredited ourselves at the same time – without losing our minds
When we first looked at the ISO/IEC 27001:2022 update, our initial reaction was: well, actually, we can’t share our first reaction. Making the process even more interesting, we were also due for our reaccreditation at the same time. This was the third time we’d been through the cycle, so we knew what we were doing there. We did have an initial temptation to treat them as separate exercises; instead, we decided to tackle both in parallel and take a calm, structured approach.
Here’s how we managed to upgrade our ISMS and get through reaccreditation without completely overwhelming ourselves, and what worked well along the way. We should also say that Andy Brophy from “Inavate” has been a great partner in our ISO 27001 journey, providing advice and guidance throughout.
Step 1: We Took a Breath and Then Did a Gap Analysis
Rather than rushing into rewriting documents or spinning up projects, we started with a practical, focused gap analysis. This helped us:
- Understand what had changed in the 2022 version (especially the updated control structure and 11 new controls)
- Identify what we already had in place that could map across with minimal effort: the low-hanging fruit, the easy wins, call them what you will.
- Highlight where we needed to invest more time (spoiler: threat intelligence and monitoring controls took the most work)
The result? A clear plan, divided into manageable phases. Just doing this piece of work reduced a lot of the initial stress.
Step 2: We Treated Documentation as an Evolution, Not a Rewrite
One of the biggest sources of overwhelm in any ISO upgrade is documentation. We approached this by:
- Updating in context: Whenever we were already reviewing a policy or process, we slotted in the necessary updates
- Using our existing SoA as a baseline, then updating it control-by-control to reflect the new Annex A
- Version-controlling everything so we could track changes and roll back if needed
This approach helped us avoid a massive “rewrite everything at once” push — and kept the process sustainable.
Step 3: We Spread the Workload and Trusted Our Teams
We didn’t centralise everything into one team. Instead:
- Each control owner was responsible for validating and updating their area (our biggest issue here was that, in a small company, the same names can be the control point for several areas)
- We always followed two golden rules:
  - KISS: Keep It Simple, Stupid
  - Reflect what we do, don’t change the business to meet a control
- Regular catch-ups and progress tracking kept momentum going without creating unnecessary pressure
By decentralising, we tried to avoid bottlenecks and burnout, and by bringing new faces into the development work we gained fresh thinking from across the business.
Step 4: We Embedded the New Controls Into What We Were Already Doing
As we’ve already said, we stuck to our golden rule of not bolting on new controls just to tick boxes. For example:
- Our DevOps team was already working on improving secure coding — so we aligned it with the new requirements
- Our IT team had been piloting endpoint detection tools — perfect timing to align with threat monitoring expectations
- We used existing risk and incident management processes and just refined the templates
This mindset helped us enhance, not overcomplicate, our ISMS.
Step 5: We Ran a Realistic Internal Audit and Got Ready Together
Instead of trying to be perfect, we used our internal audit as a dry run to:
- Test new processes
- Spot weak spots (and fix them early)
- Build confidence ahead of the external audit
We also hit a big bump in the road when sickness and leave collided, meaning that our scheduled management review had to be bumped; this did cause us problems. However, with the clear, actionable insights it produces, we still recognise it’s an absolutely critical part of the process.
Step 6: The External Audit Went Smoothly — Because We Were Ready, Not Exhausted
By the time our external auditors arrived, we weren’t scrambling. We’d:
- Prepared solid evidence packs
- Aligned stakeholders on what to expect
- Treated it as a conversation, not an interrogation
And yes — we passed! A few minor observations, but no surprises. Best of all, we felt in control the whole way through.
What Helped the Most?
- Starting early: We gave ourselves time, so nothing became a panic. But everyone still loves a looming deadline.
- Clear ownership: Everyone knew their role, and accountability was shared.
- Incremental progress: We didn’t try to boil the ocean, focusing on one chunk at a time instead.
- Pragmatism over perfection: Good enough (with a plan to improve) was better than aiming for ideal and getting stuck.
Final Thoughts
Upgrading to ISO/IEC 27001:2022 and going through reaccreditation doesn’t have to be chaotic. With the right mindset, some structure, and a bit of breathing space, it’s totally manageable — even empowering.
If you’re facing the same challenge, with the deadline looming at the end of October this year, we hope you are well on the way and that this resonates with you.
If not, it is time to get busy. Our advice is: don’t treat it as two separate mountains to climb. Plan it once, pace yourself if possible, and bring your people along for the journey.
You might even come out the other side with a stronger, more relevant ISMS — and a team that’s proud of it.