[PERDITION//SEC]
// grc   2026-03-04  ·  7 min

ISO 27001 without the theatre

Most ISO 27001 implementations fail engineering culture before they fail the audit. They produce binders nobody reads, controls nobody respects, and a certification that doesn't make the company any safer. The 2022 revision is your chance to stop doing that.

Most ISO 27001 programs I see are theatre. They produce a 200-page Statement of Applicability that nobody on the engineering team has read, a risk register maintained by one person on a quarterly cadence, and a set of controls that exist purely to be shown to an auditor. The certificate goes on the website. Nothing about the company's actual security posture changes. The next time there's a real incident, the binder is the last thing anyone reaches for.

The 2022 revision of ISO/IEC 27001 is the best opportunity in a decade to do this differently. Annex A dropped from 114 controls to 93 and reorganized them around four themes — organizational, people, physical, technological — that map much more cleanly to how modern companies actually operate. The new themes leave room for an implementation that looks like "this is how engineering already works, plus a thin layer of evidence," instead of "this is a parallel control universe nobody believes in."

The pattern that works in fast-moving engineering orgs is the same one that works for any kind of compliance: document the secure things you're already doing, then close the gaps in the rest. Don't invent new processes for the auditor. If your team already does code review with required approvers, that's your A.8.31 evidence. If your CI pipeline fails on critical Snyk findings, that's your A.8.8 evidence. If you have an incident channel in Slack and a postmortem template in Notion, that's your A.5.24 evidence. The ISMS becomes a thin metadata layer over reality, not a parallel reality.
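What that thin metadata layer can look like in code, as an added example that is not from the post: each Annex A control named above points at evidence engineering already produces, a check confirms the evidence actually holds today, and anything that fails lands on the gap list. The snapshot shape, the evidence pointers and the pass conditions are assumptions; in practice the snapshot would come from the SCM, CI and incident tooling rather than be hand-written.

```python
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Control:
    control_id: str                      # Annex A identifier as it appears in the SoA
    evidence: str                        # where the evidence already lives day to day
    satisfied: Callable[[dict], bool]    # does the live configuration actually pass?


# Constructed snapshot of "how engineering already works" (assumed shape, not a real API).
SNAPSHOT = {
    "branch_protection": {"main": {"required_approvals": 1, "dismiss_stale_reviews": True}},
    "ci_policy": {"fail_on_severity": "critical"},
    "incident": {"slack_channel": "#incidents", "postmortem_template": None},  # template missing
}

CONTROLS = [
    Control("A.8.31", "required reviewers on main",
            lambda s: s["branch_protection"].get("main", {}).get("required_approvals", 0) >= 1),
    # Failing at a lower severity threshold (e.g. "high") still catches criticals, so the
    # check is "threshold at or below critical", not an exact string match.
    Control("A.8.8", "CI fails on critical scanner findings",
            lambda s: SEVERITY_RANK.get(s["ci_policy"].get("fail_on_severity"), 99)
            <= SEVERITY_RANK["critical"]),
    Control("A.5.24", "incident channel plus postmortem template",
            lambda s: bool(s["incident"].get("slack_channel"))
            and bool(s["incident"].get("postmortem_template"))),
]


def build_soa(snapshot: dict) -> list[dict]:
    """One SoA row per control: the evidence pointer and whether it holds right now."""
    rows = []
    for c in CONTROLS:
        try:
            ok = bool(c.satisfied(snapshot))
        except (KeyError, TypeError):    # missing evidence is a gap, not a crash
            ok = False
        rows.append({"control": c.control_id, "evidence": c.evidence,
                     "status": "implemented" if ok else "gap"})
    return rows


def gaps(snapshot: dict) -> list[str]:
    """Controls that still need work: the 'close the gaps in the rest' list."""
    return [r["control"] for r in build_soa(snapshot) if r["status"] == "gap"]


if __name__ == "__main__":
    for row in build_soa(SNAPSHOT):
        print(f"{row['control']:<7} {row['status']:<12} {row['evidence']}")
```

Run against the constructed snapshot it reports A.8.31 and A.8.8 as implemented and A.5.24 as a gap, because the postmortem template does not exist yet.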

The risk register is where most programs go wrong. The output of a risk register is supposed to be decisions — what to fix, what to accept, what to insure, what to defer. Most risk registers are write-only documents that nobody decides anything from. If your risk register isn't producing a steady flow of "yes, we're doing that" or "no, we're accepting this and here's why" decisions, it's not a risk management tool, it's a graveyard.

I'd rather have a 12-page SoA that engineering believes in than a 200-page one nobody has opened. ISO 27001:2022 finally gives you permission to ship the smaller one.