For most organizations with a robust security risk management programs and controls, it will largely be a matter of updating control language, mappings, risk assessments, internal audits and documentation to consider the new Clause updates and Annex A controls. It may also be a good opportunity to take a fresh look at the company's control framework and structure.