Most ISMS implementations treat Clause 4 as a static document created at project kickoff. ISO 27001:2022 requires something very different — a living process that continuously updates context, scope, and interested party requirements. When that process fails, the entire ISMS becomes disconnected from the organisation it is meant to protect.
The management system community has spent twenty years perfecting the architecture of integration. It has spent considerably less time asking whether the individual systems were structurally sound before connecting them. This is not integration. It is compression.
Clause 10.1 requires continual improvement. Incident management lives in Annex A.5.24–5.28. The conflation of the two is the most common structural error in ISO 27001 implementations — and it reveals an ISMS that can repair itself but cannot advance itself.