ISO 27001 certification has quietly become table stakes for selling B2B software in Europe. With the transition to the 2022 revision complete — the old 2013 certificates expired in late 2025 — every certified organization is now audited against the restructured control set. The certificates all look the same on a sales deck, but the systems behind them do not. The difference between an ISMS that makes an organization safer and one that is pure theater comes down to a single question: how is evidence produced?
If the answer is that someone spends three weeks before each audit taking screenshots, the ISMS is a liability. It measures the past, annoys engineers, and proves nothing about the other 49 weeks of the year. The alternative is treating evidence like any other build artifact: generated automatically, versioned, and continuously fresh.
What the 2022 revision changed for engineers
Annex A was reorganized from 114 controls in 14 domains to 93 controls in four themes: organizational, people, physical, and technological. More importantly, the new controls speak the language of modern infrastructure — threat intelligence (5.7), information security for cloud services (5.23), ICT readiness for business continuity (5.30), configuration management (8.9), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28). These are things engineering teams already do or should; the standard finally names them.
The Statement of Applicability is your API contract
The SoA declares which Annex A controls apply, which do not, and why. Treat it the way you treat architecture decision records: version-controlled, reviewed when the architecture changes, and honest about exclusions. An SoA that claims every control applies is as suspicious to a good auditor as one that excludes half of them — both signal that nobody thought about the actual risk picture.
Evidence as code
The practical shift is from collecting evidence to emitting it:
- ▸Pull, don't screenshot: export access lists and MFA status from your identity provider's API, device posture from MDM, and misconfiguration findings from cloud security posture tooling — on a schedule, into an evidence store.
- ▸Infrastructure as code is change management: Terraform plans plus mandatory PR review plus a protected main branch already satisfy the change-control story; you just need to point at the trail.
- ▸Tickets are records: run access reviews, incident postmortems, and risk treatment actions in the same tracker engineering already uses, with labels an auditor can query.
- ▸Verify your compliance platform: tools in the Vanta and Drata class automate a lot of collection, but audit what each check actually tests — a green dashboard tile backed by a shallow API call is theater with better UX.
Internal audit without the dread
An internal audit run as an interrogation produces defensive answers and hidden problems. Run it as engineers run retrospectives: nonconformities are bugs, each gets an owner and a due date, and trends matter more than individual findings. Management review works best folded into an existing quarterly operations review — same metrics, same audience, one extra agenda section — rather than a ceremonial annual meeting.
A realistic path to certification in about six months:
1. Scope the ISMS narrowly and honestly — one product line and its supporting infrastructure beats a vague whole-company scope. 2. Run a risk assessment with a method simple enough that you will actually repeat it annually. 3. Draft the SoA by mapping to controls you already operate before inventing new ones. 4. Close gaps with a strong bias toward automated, self-evidencing controls. 5. Complete one full internal audit and one management review — auditors will check both happened. 6. Book the Stage 1 documentation review and Stage 2 certification audit with an accredited body.
The payoff extends well past the certificate. ISO 27001:2022 maps substantially onto NIS2 Article 21 measures and large parts of DORA's risk framework, which means one well-instrumented evidence base can serve three regulatory regimes at once. And commercially, the effect is immediate: security questionnaires that took two weeks of engineering interruptions get answered from the evidence store in an afternoon. An ISMS built as code pays rent every quarter; one built as paperwork only costs.
