
Beyond the Checklist: Focusing Your ISO 27001 Audit on Threat Intelligence and Cloud Security 

Cybersecurity used to be about castles. You dug a moat, raised the drawbridge, and put a guard at the gate. If the guard had a clipboard and a checklist, you were safe. But today, your “castle” is scattered across a thousand servers in London and Slough, your “moat” is a permeable membrane of APIs, and the enemy isn’t marching on the gate – they are already inside, logging in with credentials they bought for a fiver on the dark web. 

Yet, walk into many ISO 27001 audits today, and you may see a strange piece of theatre. The auditor, bound by a rigid, decade-old script, is checking the moat. They are reviewing the visitor logbook. They are measuring the height of a fence that no one uses. Meanwhile, your data is flowing out of a misconfigured S3 bucket in the cloud. 

This is the “Compliance Theatre” trap. It treats security as a document management exercise. But with the arrival of ISO 27001:2022, particularly the revamped Annex A, the script has changed. The new standard finally admits that the castle is gone. It introduces sharp, modern controls like Threat Intelligence and Cloud Services security. 

The problem? Accredited bodies bound by established protocols can act like ocean liners trying to turn in a canal, still auditing 2015’s threats with 2015’s methods. 

We take a different view. As an independent certification body, we aren’t bound by the bureaucratic inertia of the “Big Box” providers. We don’t care about the font size on your policy header. We care about whether you’ve left the back door open. 

Here is how you use the 2022 requirements to stop polishing the armour and actually sharpen the sword. 

The Cloud Blind Spot (ISO 27001 Control 5.23) 

For years, audits treated the Cloud like a magic box. You showed the auditor a certificate from AWS or Azure, they ticked a box, and everyone went to lunch. 

This was madness. It’s like buying a Ferrari, driving it into a wall, and then blaming Ferrari because the car was “certified safe.” The car is safe; your driving is the risk. 

Control 5.23 (Information Security for Use of Cloud Services) in the 2022 standard demands you stop treating the cloud as someone else’s problem. It forces a hard look at the “Shared Responsibility Model.” 

The Old Way: 

  • “Do you use AWS?” 
  • “Yes.” 
  • “Do they have ISO 27001?” 
  • “Yes.” 
  • “Pass.” 

The Practical Way (Post-2022 Way): 

  • “Show us your S3 bucket permissions. Are they public?” 
  • “How are you managing keys in your KMS?” 
  • “Do you have MFA enforced on your root account?” 

We don’t waste time auditing Amazon’s data centres – they are fine. We audit your configuration. We focus the risk assessment on the interface between your data and their infrastructure. Because in 2026, a data breach won’t happen because Google’s server farm caught fire; it will happen because your dev team left an API key hardcoded in a public GitHub repo. 
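The three “Practical Way” questions above can be checked against configuration rather than certificates. This is an added example, not code from the original post or from Swift Certification: the inputs are constructed but mirror the shape of the AWS GetPublicAccessBlock, GetBucketPolicy, GetKeyRotationStatus and GetAccountSummary responses.

```python
import json

# Constructed samples of what an auditor asks to see (not real account data).
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKET_POLICIES = {"example-bucket": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})}
SAMPLE_KMS_KEYS = {"alias/app-data": {"KeyRotationEnabled": False}}
SAMPLE_ACCOUNT_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_allows_public(policy_json):
    """True if any Allow statement names everyone ('*') as principal.
    Conservative: a Condition may narrow it, but the statement still needs review."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False


def audit_cloud_config(public_access_block, bucket_policies, kms_keys, account_summary):
    """Return findings for the customer-side half of the shared responsibility model."""
    findings = []
    if not all(public_access_block.get(flag) for flag in PAB_FLAGS):
        findings.append("account: S3 Block Public Access is not fully enabled")
    for name, policy in bucket_policies.items():
        if policy_allows_public(policy):
            findings.append(f"bucket {name}: policy grants access to Principal '*'")
    for alias, key in kms_keys.items():
        if not key.get("KeyRotationEnabled"):
            findings.append(f"kms {alias}: automatic key rotation is disabled")
    if not account_summary.get("AccountMFAEnabled"):
        findings.append("root: MFA is not enabled on the account root user")
    if account_summary.get("AccountAccessKeysPresent"):
        findings.append("root: root user has long-lived access keys")
    return findings


if __name__ == "__main__":
    for finding in audit_cloud_config(SAMPLE_PUBLIC_ACCESS_BLOCK, SAMPLE_BUCKET_POLICIES,
                                      SAMPLE_KMS_KEYS, SAMPLE_ACCOUNT_SUMMARY):
        print(finding)
```

Each finding maps back to a question the auditor asked, which is the evidence 5.23 is looking for: your configuration, not the provider’s certificate.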

Intelligence Over Ignorance (ISO 27001 Control 5.7) 

Then there is Control 5.7: Threat Intelligence. This scares SMEs. It sounds like you need a Situation Room with giant screens and a guy named “Cipher.” 

In reality, it is the difference between walking down a dark alley with headphones on versus looking over your shoulder. 

The old standard was reactive. It asked: “How do you respond to an incident?” The new standard asks: “What are you doing to see the incident coming?” 

Threat Intelligence is simply data that has been organised to help you make decisions. It isn’t magic; it’s awareness. 

The “Checkbox” Approach: 

  • Subscribing to a generic spam newsletter about “Cyber Trends” and filing it in a folder marked “Evidence.” 

The “Real World” Approach: 

  • Contextual: If you are a law firm, are you tracking phishing campaigns specifically targeting legal clerks? 
  • Actionable: If a vulnerability is found in the VPN software you use, does your system flag it before the patch is applied? 
  • Technical: Are you scraping your own domain on the dark web to see if employee credentials have been dumped? 

When we audit this, we don’t want to see a receipt for a subscription. We want to see a decision. “We saw X threat, so we changed Y rule on the firewall.” That is intelligence in motion. 
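The “Actionable” criterion and the “we saw X, so we changed Y” decision record above can be produced mechanically by matching an advisory feed against your own asset inventory. This is an added example, not the post’s or Swift Certification’s own tooling; the inventory, product names and advisory identifiers are constructed.

```python
# Constructed asset inventory: what the organisation actually runs.
INVENTORY = {
    "vpn-gw-01": {"product": "examplevpn", "version": "4.2.1"},
    "vpn-gw-02": {"product": "examplevpn", "version": "4.3.0"},
    "mail-01":   {"product": "examplemail", "version": "9.0"},
}

# Constructed advisory feed: affected product, first fixed version, interim mitigation.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "product": "examplevpn", "fixed_in": "4.3.0",
     "mitigation": "restrict the VPN admin interface to the management network"},
    {"id": "ADV-CONSTRUCTED-002", "product": "exampleweb", "fixed_in": "2.0",
     "mitigation": "not applicable"},
]


def version_tuple(version):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def triage(inventory, advisories):
    """Turn each advisory into a decision record: which hosts are exposed and what was done.
    An advisory with no matching asset is still recorded, so the auditor sees it was assessed."""
    decisions = []
    for adv in advisories:
        exposed = sorted(
            host for host, asset in inventory.items()
            if asset["product"] == adv["product"]
            and version_tuple(asset["version"]) < version_tuple(adv["fixed_in"])
        )
        if exposed:
            decision = f"interim control: {adv['mitigation']}; patch to {adv['fixed_in']}"
        else:
            decision = "no exposure in inventory; assessed and closed"
        decisions.append({"advisory": adv["id"], "hosts": exposed, "decision": decision})
    return decisions


if __name__ == "__main__":
    for record in triage(INVENTORY, ADVISORIES):
        print(f"{record['advisory']}: hosts={record['hosts']} -> {record['decision']}")
```

The output is the artefact to keep as 5.7 evidence: the threat seen, the assets it touched, and the change made, rather than a subscription receipt.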

Agility Is Your Armour 

Here is the secret the industry won’t tell you: Accreditation can be a straitjacket. 

Accredited bodies are often forced to follow rigid sampling plans. They must spend X hours on Y clause, regardless of whether it matters to your business. They have to audit the “Visitor Access Policy” of a fully remote company because the rulebook says so. 

We treat audit plans like battle plans – they survive until contact with reality. 

Because we are independent, we can pivot. If we arrive at your office and see that your physical security is fine but your cloud environment is a mess, we shift our focus. We spend the hours where the risk lives. 

  • Less time on “Document Control numbers.” 
  • More time on Cloud Security. 
  • Less time on “Management Review Minutes.” 
  • More time on Threat Intelligence. 

This isn’t cutting corners; it’s putting the microscope where the bacteria are. 

Conclusion: Don’t Buy a Paper Shield 

The transition to ISO 27001:2022 is not an administrative burden to be survived. It is a golden opportunity to throw out the dead wood. 

You can treat Annex A as a shopping list of documents to write, or you can treat it as a blueprint for a modern defence system. 

Systems are imagined before they’re enforced – and they can be redesigned. You can choose an auditor who values the “Crown and Tick” logo above all else, ensuring you have a perfectly formatted manual while your cloud config leaks data. Or, you can choose a partner who understands that in the digital age, compliance is a byproduct of competence. 

The bad guys don’t check your accreditation status before they attack. They check your security controls. 

Let’s focus on the locks, not the logo. 


This Post Has 2 Comments

  1. Kara I. G. Bailey

    Your writing is so eloquent and persuasive. You have a talent for getting your message across and inspiring meaningful change.

    1. Swift Certification

      Thank you, Kara, for your feedback, and we’ll be happy to see you again on our blog pages.
