GAP ANALYSIS ISO 27001 - 2022 v1.1
TRANSITION CHECKLIST
• Part 1: Requirements Changes: Within the Requirement tab of this checklist, NQA has highlighted only the changes in the ISO 27001:2022 requirements that may have a material effect on an organization's ISMS. All organizations should review these changes and determine if the ISMS needs to be updated. All new/changed requirements must be met in order to be deemed compliant with ISO 27001:2022.
• Part 2: ISO 27001:2022 Annex A (Information security controls) – New & Changed ISMS Controls. The numbered tabs within this checklist correspond to the new Annex A organization of ISMS controls. All controls have been included to aid in mapping from previous control numbers, but not all controls have material changes. NQA has highlighted the rows (in blue) for the 11 new controls that will need to be met, and has further highlighted the text (in red) of those controls that were changed or merged and may have some material effect. All organizations should consider these changes for potential changes within their ISMS and information security management controls. There may be cases where an organization's existing approach meets the intent of the new control, in which case no changes may be needed; however, it would generally be expected that any ISMS will require some number of changes in order to address all the new ISO 27001:2022 controls. Additionally, an updated Statement of Applicability (SoA) will most likely be required.
6 Planning
9 Performance evaluation
Requirements
Confidential Proprietary Page 2
ISO 27001:2022 Transition Checklist NQA_USA – rev 1.1
ISO 27001:2022 Transition Checklist
9.1 Monitoring, measurement, analysis and evaluation – 9.1b: The methods selected should produce comparable and reproducible results to be considered valid.
10 Improvement
Requirements
Client name:
Certificate number:
Date of completion:
Multi-site organisations should ensure that the requirements have been considered for all relevant locations, especially where such locations have unique
circumstances or different services/contracts/SLAs/resource models/toolsets.
Yes No
5 Operational controls
Old: 06.1.1
Segregation of duties
Management responsibilities
5.6 The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.
Old: 06.1.4
Threat intelligence
Return of assets
5.11 Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
Old: 08.1.4
Classification of information
5.12 Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Old: 08.2.1
Labelling of information
Old: 08.2.2
Information transfer
Access control
Identity management
Authentication information
Access Rights
Old: 15.1.1
Old: 15.1.2
5.21 Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Old: 15.1.3
5.23 Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.
NEW
5.24 The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Old: 16.1.1
5.25 The organization shall assess information security events and decide if they are to be categorized as information security incidents.
Old: 16.1.4
Old: 16.1.5
Collection of evidence
5.28 The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
Old: 16.1.7
5.30 ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
NEW
Old: 18.1.2
Protection of records
5.33 Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Old: 18.1.3
Old: 18.1.4
Old: 18.2.1
6 People controls
Screening
Old: 07.1.1
6.2 The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.
Old: 07.1.2
Old: 07.2.2
Disciplinary process
Old: 07.2.3
Old: 07.3.1
Old: 13.2.4
Remote working
6.7 Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
Old: 06.2.2
7 Physical controls
7.1 Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
Old: 11.1.1
Physical entry
7.2 Secure areas shall be protected by appropriate entry controls and access points.
Old: 11.1.2, 11.1.6
7.3 Physical security for offices, rooms and facilities shall be designed and implemented.
Old: 11.1.3
Old: 11.1.4
7.6 Security measures for working in secure areas shall be designed and implemented.
Old: 11.1.5
7.7 Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
Old: 11.2.9
Storage media
7.10 Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
Supporting utilities
Cabling security
7.12 Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.
Old: 11.2.3
Equipment maintenance
Old: 11.2.4
8 Technological controls
User end point devices
8.1 Information stored on, processed by or accessible via user end point devices shall be protected.
Old: 06.2.1, 11.2.8
Old: 09.4.2
Capacity management
8.6 The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Old: 12.1.3
Old: 12.2.1
Configuration management
8.9 Inventory of information and other associated assets.
NEW
Information deletion
NEW
Data masking
NEW
NEW
Information backup
Old: 12.3.1
Old: 17.2.1
Logging
8.15 Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
Monitoring activities
8.16 Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
NEW
Clock synchronization
8.17 The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
Old: 12.4.4
8.18 The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Old: 09.4.4
Networks security
8.20 Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Old: 13.1.1
Old: 13.1.2
Segregation of networks
Web filtering
Use of cryptography
8.24 Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Old: 14.2.5
Secure coding
8.28 Secure coding principles shall be applied to software development.
NEW
Outsourced development
8.30 The organization shall direct, monitor and review the activities related to outsourced system development.
Old: 14.2.7
8.31 Development, testing and production environments shall be separated and secured.
Change management
Old: 14.3.1
Old: 12.7.1