The Slow Approach to Transitioning to the New Annex A in ISO27001:2022

27 October 2022

Introduction

This article gives some advice on the slow approach to changing your existing ISO27001 implementation so that it meets the requirements relating to Annex A of the 2022 version of ISO27001. It does not cover any of the other changes in ISO27001:2022; those are described in this article: https://www.linkedin.com/pulse/cambios-2022-version-iso27001-chris-hall/

There is a separate article, https://www.linkedin.com/pulse/how-quickly-transition-annex-version-iso270012022-chris-hall/, that explains how to do this quickly without needing to change your risk assessment.

This article is aimed mainly at the many organisations that have marked many, if not all, of the Annex A controls as applicable/justified/included in their Statement of Applicability (SOA) and that want to change all of those references to the new Annex A controls and remove every reference to the old Annex A controls from everywhere in their information security management system (ISMS).

Note that you do not have to change all the references in your SOA (or anywhere in your ISMS) to use the new Annex A controls, but if you want to take this route this article gives some guidance on how you might go about it. If you want to avoid it, use the "quick" approach given in the article linked above.
You will need to do the following.

Risk assessment and determining the necessary controls

There are two main possible approaches to updating the risk assessment. Whichever approach you use, you should also check that all the other attributes of each risk are still valid, notably the likelihood and impact.

Option 1 - the purist approach

1. Delete all the references to any of the old Annex A controls from your risk assessment.
2. For each risk, determine which of the new Annex A controls (or any other controls from any source) are the necessary controls to manage that risk.

This is the purest and safest approach, but it requires more effort and thinking than Option 2 below. If you want to refresh/update your risk assessment anyway, it might be a worthwhile approach.

Option 2 - the slightly more pragmatic approach

As a partial alternative to the above, you can use the mapping between the old Annex A and the new Annex A that is given in ISO27002:2022 (Annex B.2). However, like all mappings, it needs to be used with great care. There are two main steps.

1. For each risk, wherever you have an old Annex A control, look it up in column 1 of Table B.2 (the old Annex A) and replace it with the equivalent new Annex A control listed in column 2 of the table. Because there is not an exact match between the old Annex A controls and the new Annex A controls, this is a guide only, and you need to check that the new Annex A control is still a necessary control to manage the risk.
2. For each risk, then do a review/quality check to make sure that you have identified all the necessary controls to manage that risk. These controls can come from any source, notably the new Annex A, but they could be custom controls or could come from any other control frameworks/lists, for example NIST CSF, CSA, CIS, etc.
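The two steps of Option 2 applied to a small constructed risk register, as an added example that is not part of the original article: the script replaces each old control with its Table B.2 equivalent and lists, for every risk, the points a reviewer still has to settle by hand, because the mapping is a guide only. The mapping excerpt is an assumption built for this example and must be checked against the standard; the risk ids and their control sets are constructed.

```python
# Illustrative excerpt in the shape of ISO/IEC 27002:2022 Table B.2 (old 2013 Annex A
# control -> new 2022 control(s)). ASSUMPTION: constructed subset for this example;
# verify every entry against the standard before relying on it.
OLD_TO_NEW = {
    "A.9.2.4": ["5.17"], "A.9.3.1": ["5.17"], "A.9.4.3": ["5.17"],     # authentication information
    "A.12.4.1": ["8.15"], "A.12.4.2": ["8.15"], "A.12.4.3": ["8.15"],  # logging
    "A.12.4.4": ["8.17"],                                              # clock synchronisation
    "A.12.6.1": ["8.8"],                                               # technical vulnerabilities
}

# Constructed risk register: risk id -> old Annex A controls currently listed as necessary.
RISK_REGISTER = {
    "R-01": ["A.9.2.4", "A.9.3.1", "A.9.4.3"],
    "R-02": ["A.12.4.1", "A.12.4.2", "A.12.6.1"],
    "R-03": ["A.11.2.6", "A.12.4.4"],
}

def migrate_risk(old_controls, mapping=OLD_TO_NEW):
    """Step 1 of Option 2: replace each old control by its Table B.2 equivalent.
    Returns (new_controls, review_notes). The notes are the Step 2 checklist a
    person must resolve: unmapped controls, one-to-many splits, and several old
    controls collapsing into one new control (is it still sufficient on its own?)."""
    new_controls, notes = [], []
    sources = {}  # new control -> old controls that mapped onto it
    for old in old_controls:
        targets = mapping.get(old)
        if not targets:
            notes.append(f"unmapped: {old} has no entry in the mapping; decide manually")
            continue
        if len(targets) > 1:
            notes.append(f"split: {old} maps to {', '.join(targets)}; confirm which are necessary")
        for new in targets:
            if new not in new_controls:
                new_controls.append(new)
            sources.setdefault(new, []).append(old)
    for new, olds in sources.items():
        if len(olds) > 1:
            notes.append(f"merged: {', '.join(olds)} -> {new}; confirm {new} still manages the risk")
    return new_controls, notes

def migrate_register(register, mapping=OLD_TO_NEW):
    """Apply migrate_risk to every risk; the result is the draft of the new control list."""
    return {rid: migrate_risk(ctrls, mapping) for rid, ctrls in register.items()}

if __name__ == "__main__":
    for rid, (controls, notes) in migrate_register(RISK_REGISTER).items():
        print(rid, controls, *notes, sep="\n  ")
```

The "merged" and "unmapped" notes are the cases the text warns about: a new control that absorbs several old ones must still be checked against the control description, and anything outside the mapping has to be decided as in Option 1.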
This approach needs to be used with care, but if you undertake the steps above carefully it is a viable one.

Further advice on determining controls

Be careful here, because it is important that the control description (not the control name) exactly matches what you view as the necessary control, i.e. that you are doing exactly what the third column in Annex A says. Further advice from me on determining the necessary controls is in these two articles:

https://www.linkedin.com/pulse/iso27001-how-you-should-choose-controls-needed-manage-chris-hall/
https://www.linkedin.com/pulse/how-decide-level-controls-chris-hall/

This is also covered in the new 2022 version of ISO27005.

Comparison with Annex A

As required by clause 6.1.3 c) of ISO27001, you will need to do the comparison with the new Annex A and keep evidence that you have done so. This might suggest to you that some of the controls in the new Annex A that were not in the old Annex A are necessary controls to manage some of your risks. This article suggests how you could do the comparison: https://www.linkedin.com/pulse/how-do-iso27001-comparison-annex-clause-613-c-chris-hall/

Risk treatment

You are likely to need to create a new risk treatment plan to reflect the new list of controls. You may need to implement some new controls or modify some existing controls.

Statement of Applicability (SOA)

You will need to create a new SOA to reflect the new list of controls. Remember that the only controls you can list in the SOA as applicable/justified are the ones that are referred to in the risk assessment.

You can keep your existing approach to the SOA, now with the new Annex A, but if you want to you could create a much simpler version as described in this article: https://www.linkedin.com/pulse/iso27001-what-purpose-statement-applicability-soa-should-chris-hall/. That might, however, be a step too far for you.

Other parts of your ISMS that may need changes

You are likely to need to update your performance management approach, your internal audit approach and any other documents/approaches that refer to the controls. You will need to have a hunt around and make sure you find all the references to any of the old Annex A controls. You may also need to update your policies and procedures, especially of course if they have references to the old Annex A controls.

Summary

As I have said, I don't recommend this approach but recognise that many organisations will choose to "go the whole way", especially as this can be a useful way of refreshing/updating the ISMS and the risk assessment.

Chris
www.btrp.co.uk