The reorganisation nobody asked for, and why it helps anyway

When ISO/IEC 27001:2022 collapsed 114 controls across 14 clauses into 93 controls across four themes — Organisational, People, Physical, and Technological — most of the commentary focused on the number. That's the least useful thing about the change.

What actually changed for evidence

The old structure encouraged a document-by-document mapping exercise: one policy per clause, one owner per policy, done. The new thematic structure pushes in the opposite direction — it groups controls by where the evidence naturally lives.

The practical implication

If your ISMS documentation still mirrors the old 2013 clause structure with a 2022 label stapled on top, you likely have duplicate or orphaned evidence sitting in the wrong place.

Where I'd start

Before touching a single policy document, map your existing evidence sources against the new four themes and see where the gaps genuinely are.

“If a control cannot be evidenced, it does not exist.”