
PARTICIPANT GUIDE

ISO 27001:2022 Auditor Transition


Intertek
Document Name: I17AMER 27001:2022 Auditor Transition Participant Guide V1
Date of Issue: November 2022
Condition of Use

© 2022 Intertek

All rights reserved. No part of this work may be reproduced or copied in any form or by any means (graphic,
electronic or mechanical, including photocopying, recording, taping or information retrieval systems)
without the written permission of Intertek or as otherwise permitted by the operation of the law.

Opinions expressed by or on behalf of Intertek in this publication or during the course of any training
provided by Intertek are provided as general guidance only and do not amount to formal, legal or other
professional advice. Intertek does not warrant the accuracy or completeness of information given or its
fitness for any particular purpose. To the extent permitted by law Intertek accepts no liability for any claims
for loss or damage whether caused by its negligence (or that of any of its agents or employees) or otherwise.

https://www.intertek.com/terms/
ISO 27001:2022 AUDITOR TRANSITION
PARTICIPANT GUIDE

TRAINING WITH INTERTEK


Intertek is a leading Total Quality Assurance provider to industries worldwide with more than 44,000
employees in 1,000 locations in over 100 countries. We provide education and trainings related to your
industry which can help drive improvement plans through Intertek training and people assurance.

Intertek expanded its global Assurance offering with the acquisition of SAI Global Assurance which
demonstrated Intertek’s commitment to providing world class assurance services and supporting the
evolving needs of our customers.

GLOBAL REGIONS AND DIFFERENT OFFERINGS


Australia:

SAI Global division provides nationally and internationally recognised training. SAI Global (RTO: 106919) is
committed to the Australian Quality Framework for training organisations, and can deliver and assess
against national competencies. For further information about SAI Global, please visit our training
website learning.saiassurance.com.au/training‐forms, where you can download the SAI Global Code of
Practice outlining our commitment as an RTO. SAI Global also offers a wide range of Exemplar Global
accredited courses.

Qualifications:
Through Intertek SAI Global, you can gain a nationally recognised qualification such as a Cert IV or
Diploma as part of the Australian Qualifications Framework. SAI Global has a range of qualifications to get
you on track to learning. Visit the website for further information on the qualifications offered:
learning.saiassurance.com.au/diploma‐qualifications

Canada, USA:

SAI Global division offers a wide range of Exemplar Global and Probitas accredited training courses

Spain and UK:

SAI Global division offers a wide range of training courses

Indonesia:

SAI Global division offers a wide range of Exemplar Global accredited training courses

ii http://academy.intertek.com/

LEARNING THAT SUPPORTS BUSINESS NEEDS

Intertek provides training services that address key business management needs, including:

 Quality Management
 Occupational Health and Safety
 Environmental Management
 Information Security
 Food Safety
 Risk, Compliance and Governance
 Six Sigma and Business Improvement
 Auditing
 Social Compliance
 Medical Devices

Do you have Specific Training Needs in your Business?


We can develop face‐to‐face or online training solutions for you.

NEED NATIONALLY AND INTERNATIONALLY RECOGNISED TRAINING?

Public Training – face to face

 Venues in major capital cities and some regional centres


 Gain knowledge, develop skills and build networks
 Training programmes are delivered by qualified professionals and subject matter experts

ENJOYING YOUR TRAINING?

THINK THERE WOULD BE A BENEFIT FOR MORE OF YOUR EMPLOYEES TO ATTEND?

In‐house and customised training

 Address your team or company’s specific skills gaps, challenges and opportunities in the most
appropriate and effective format
 We’ll come to you! Convenient training and/or coaching will be delivered at a time and location
convenient for your team
 Cost‐effective method for training groups of employees
 Receive the highest standards of specific shared learning and understanding within your team
 Examples and context can be tailored to your organisation and industry
 Build a curriculum to meet your capability needs

 Ensure that learning is aligned to your organisation’s objectives

WE NOW OFFER MANY COURSES ONLINE ACROSS AUDITING, QUALITY, ENVIRONMENTAL MANAGEMENT, MEDICAL, SOCIAL COMPLIANCE AND FOOD SAFETY.

Online Learning

 Employs best‐practice scenario‐based learning – put yourself in their shoes


 Learn at your own pace from any computer


 Suitable for learning in remote areas


 Less downtime from work
 Many of our online courses are certified by Exemplar Global
 Tools and templates provided in many of our courses

INCORPORATE 360 DEGREE LEARNING

Blended Learning

 Incorporates a mixture of online and face‐to‐face


 Provides a body of theoretical knowledge that can then be applied in a practical context in the
classroom
 Reduces time
 Flexible learning

Contact Us
Need help or further training support?

Online: https://learning.saiassurance.com/

Phone: +1 (877) 426‐0714

General enquiries: training.americas@saiglobal.com


INTRODUCTION
Intertek is pleased to welcome you to this course. We hope that this training will meet your expectations.

This 1 day training course for transitioning to ISO/IEC 27001:2022 provides an opportunity to learn the
necessary skills to transition existing knowledge of the planning, conducting and reporting of an audit of
an Information Security Management System that is compliant with ISO/IEC 27001:2022.

To gain the maximum benefit from your training we encourage you to participate fully and openly. Most
importantly do not be afraid to ask questions or to make mistakes, people learn from doing both.


COURSE OVERVIEW

Purpose
This one day course provides an opportunity to learn the necessary skills to transition your existing
knowledge of the planning, conducting and reporting of an audit of an Information Security Management
System that is compliant with ISO/IEC 27001:2022.

Target Audience
This course is designed for Information Security Management System professionals who are familiar with
ISO 27001:2013 and need to know the transition requirements to 27001:2022.

Learning Outcomes
Upon successful completion of this course, participants should be able to

 Understand the controls and control purpose changes from ISO/IEC 27001:2013 to
ISO/IEC 27001:2022
 Conduct an audit of an ISMS that includes controls selected from ISO/IEC 27002:2022

COURSE RECOGNITION
Non – Accredited Course
Participants will receive a Statement of Attendance upon successful completion of the course.


Participant Support
If you are unclear or concerned with any aspect of the assessments for this course, please talk to your
facilitator.

Ask your facilitator for any further information, assistance or feedback. At your request, your facilitator is
also available to undertake alternative or additional assessments (including reasonable adjustment).

Please ask to speak to your facilitator privately if you need to discuss your individual needs.


Icon Library

Learning activity
Where you see this icon, you are required to complete an in‐class activity

Class discussion

Definitions and notations
Where you see this icon, it is either a definition or notation for future reference

Notes
Where you see this icon, you have space to make your own notes


PRESENTATION HANDOUT
01

ISO 27001:2022 AUDITOR
TRANSITION COURSE (1‐DAY)

ISO 27001:2022 Auditor Transition PPT V1 Oct 2022

INTERTEK AND SAI GLOBAL
Intertek expands its global Assurance offering with the acquisition of SAI Global Assurance, a leading provider of assurance services.

Who is SAI Global Standards & Assurance?
The SAI Global Assurance division provides management systems certification, second party audits and training across a wide variety of end markets to more than 60,000 customers in c.130 countries and is similar to our existing Business Assurance line.

What benefits will I gain from this transaction?
With Intertek and SAI’s complementary geographical presence and service offerings, and our global network of experienced and qualified personnel, our combined company will be able to better support your needs locally and globally.
OUR HERITAGE – 30 YEARS OF MARKET LEADERSHIP

[Timeline graphic: milestone years 1991, 1993, 1998, 2004, 2011, 2018, 2019, 2020, 2021]

Milestones shown on the timeline:
• Intertek (then known as Warnock Hersey Professional Services) became one of the first three registrars to be accredited for ISO 9001 by the Standards Council of Canada
• Intertek became the first management systems registrar in the U.S. to be accredited by the RvA (Dutch Certification Council) for ISO 9001
• Intertek acquires Entela, a leading Automotive Registrar
• Intertek and Moody International join forces
• Intertek performs its first Supply Chain Assurance audits
• Intertek acquires Check Safety First, forming Intertek Cristal, a market leading global health, safety, quality and security risk management business
• Intertek acquires Alchemy, an expansion of its global Assurance business into People Assurance
• Intertek Business Assurance earns back‐to‐back IAOB Certification Body of the Year Awards in 2020 and 2021
• Intertek acquires SAI Global Assurance and Standards

• For 30 years, Intertek Business Assurance and its legacy organizations have been
leaders in providing businesses with the tools to identify risks and opportunities,
while taking action to address anything that could have a potential impact on their
products and services.

• Over the years, we’ve expanded our service offerings from traditional ISO
management systems certification to include innovative assurance solutions covering
areas from quality, safety and sustainability throughout every industry.

• In 2020, Intertek Business Assurance earned the title of Certification Body of the Year
from the International Automotive Oversight Bureau (IAOB).

SAFETY AND SECURITY
The Building
• The alarm system
• Procedure for evacuation
• Evacuation route
Training Room
• Trip hazards
• Keep bags, packs etc. up off the floor
• Be aware of placement of tables and chairs
• Report any hazards
Manual Handling
• Do not move flip chart stands yourself,
ask the facilitator
• Do not move tables yourself, ask the facilitator
COURSE PURPOSE

To develop the skills needed for a qualified ISMS auditor to perform an effective
internal/external audit against the ISO/IEC 27001:2022 Information Security
Management Systems standard

Foremost in today’s information‐conscious environment is the subject of ‘information security’, whether
for reasons of safety, security, legal, ethical or compliance obligations. The management of such
information is of paramount importance and an essential element of good business practice in the
technologically minded marketplace. The international standard ISO/IEC 27001 ‘Information Security
Management Systems’ and its complementary standard ISO/IEC 27002 have provided such a framework
for the management of information security risks.

The ISO/IEC 27001:2013 standard has been updated to reflect changes to the
companion ISO/IEC 27002 standard. There are now 2022 versions of both.

This one-day advanced course develops the skills needed to perform effective
internal/external audits against the new ISO/IEC 27001:2022 Information Security
Management Systems standard.

LEARNING OUTCOMES

Upon completion of this course, participants should be able to:

• Understand the control and control purpose changes from ISO/IEC 27001:2013 to ISO/IEC 27001:2022
• Understand the use of the characteristics (attributes) associated with the new controls and control structure as part of an audit
• Conduct an audit of an ISMS that includes controls selected from ISO/IEC 27002:2022
COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Questions
GROUP ACTIVITIES
This course is based on action learning principles.

Group activities are administered within the classroom training environment.

The main purpose of the group activity is to ensure that all attendees have a common understanding, at a minimal level, of the contextual elements of the topic.

All participants should:

• Be participative
• Ask questions to clarify understanding
• Apply knowledge and skills
• Present findings
LET’S GET STARTED

• Get Ready!
• Introductions
• Materials
• Mobiles & Email
• Breaks
• Break times
• Evacuation
• Food

On behalf of SAI Global, welcome to this course.

Introductions:
Introducing your trainer/assessor.

Introducing yourself to the other students:
• Your name?
• Your company?
• Your role?
• Your experience related to this course?
• Your expectations of this course?

Overview of resources provided

Style of course delivery and utilization of resources during the course

We encourage you to contribute to a positive learning environment for all by:
• Fully participating in learning activities and working in groups
• Being responsible for your own learning
• Asking questions and contributing to the learning – don’t hold back!
• Being open minded – “I would rather be proved wrong than right.” [Socrates]
• Allowing for differences of opinion
• Not writing off new information until it has been put to the test
• Providing real time feedback on content and clarity. You must be responsible for raising things that you don’t understand
Programme Schedule

Day 1

TIME       TIMING    TOPIC
8:00 am    30 mins   Introductions and Module 1
8:30 am    30 mins   Module 2 – Changes to ISO 27001 and ISO 27002
9:00 am    15 mins   Activity 1 – Control Attributes
9:15 am    45 mins   Module 3 – Auditing the new controls
10:00 am   15 mins   Morning Break
10:15 am   45 mins   Module 3 – Auditing the new controls (continued)
11:00 am   45 mins   Module 4 – Auditing the merged controls
11:45 am   45 mins   Lunch Break
12:30 pm   30 mins   Module 4 – Auditing the merged controls (continued)
1:00 pm    30 mins   Module 5 – Auditing the renamed controls
1:30 pm    60 mins   Module 6 – Auditing an upgraded ISMS
2:30 pm    15 mins   Afternoon Break
3:00 pm    30 mins   Summary and questions
3:30 pm    15 mins   Close
01
ISO 27001 AND ISO 27002

MODULE 1:
ISO 27001 & ISO 27002 REFRESHER

This module refreshes the attendee's knowledge of both the ISO 27001 and the ISO 27002 standard and outlines the purpose of each.
THE EVOLUTION OF ISO 27001 & ISO 27002

• Reminder – both standards were developed from BS 7799
• First edition of the ISO versions published in 2005
• ISO 27002 and Annex A of ISO 27001 contained 133 controls in 11 control domains
• Second edition published in 2013
• Reduction in controls to 114 in 14 control domains
• Third edition of ISO/IEC 27002:2022 published in February 2022
• Reduction in controls to 93, now grouped into 4 "themes"
• Third edition of ISO/IEC 27001:2022 published in October 2022 (targeted for Q4 2022 when this course was prepared)

The ISO 27001 and 27002 standards were derived from the BS 7799 standards first published in the mid‐1990s. Whilst they were suitable for the threat landscape and technical environment of their time, changes in the landscape drove amendments to the standards.

The original version of ISO 27001 was published in 2005 and then refreshed in 2013, with a corresponding refresh of ISO 27002. These refreshes changed both the mandatory clause elements of ISO 27001 and the reference control set defined in Annex A. Some controls in the 2005 version were removed from the 2013 version.

In 2022, there has been a refresh of both ISO 27001 and ISO 27002. Changes to the control set in ISO 27002 include a reduction in the number of controls from 114 to 93.
ISO/IEC 27001

• Titled “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”; note the change of name from the previous version, which was titled “Information technology — Security techniques — Information security management systems — Requirements”
• ISO 27001 defines the requirements for an Information Security Management System covering all the information assets in scope, and the processes that touch them in a business
• ‘shall’ is used in the text: the requirements of Clauses 4 to 10 are mandatory. The Annex A controls are a reference set; Clause 6.1.3 requires the organization to compare its chosen controls against Annex A, and any Annex A control not applied must be listed in the Statement of Applicability with a justification for its exclusion
• It can be, and is, used for third‐party certification
• Annex A of this standard is derived from ISO/IEC 27002
ISO/IEC 27002

• Until 2022, titled “Information technology — Security techniques — Code of practice for information security controls”
• 2022 edition now titled “Information security, cybersecurity and privacy protection — Information security controls”
• ISO 27002 provides detailed guidance on implementing the controls that can be selected in an ISMS based on ISO 27001
• ‘should’ is used in the text: the guidance is therefore not mandatory
• It cannot be used for third‐party certification because it is a guideline
• Remember, it is a reference set of controls, not a definitive one

The title of the 2022 version of ISO 27002 has been changed. Previously it was called “Information technology — Security techniques — Code of practice for information security controls” but it is now titled “Information security, cybersecurity and privacy protection — Information security controls”.

It continues to be used as a reference set of controls for ISMS implementation and operations.
02
SUMMARY OF CHANGES TO
ISO 27001 AND ISO 27002

MODULE 2:
CHANGES TO ISO 27001 & ISO 27002

This module addresses the changes to both standards. The primary focus of this unit is the changes to the controls in ISO 27002:2022 and the consequent changes to Annex A of ISO 27001:2022.

This unit will discuss the changes to these two complementary standards and the impact on the ISMS audit process.

Given that Annex A of ISO 27001 is derived from ISO 27002, the changes to the latter standard have driven the requirement to update ISO 27001, ensuring the continued alignment of the standards.
CHANGES TO ISO 27001

• Generally, the changes to the mandatory clauses are relatively minor
• There are a number of structural changes including the addition/modification of some of the sub‐clauses
• Summarized, the following clauses have structural modifications:
  • Clause 4.2 c) added: which of the requirements of interested parties will be addressed through the ISMS
  • Clause 6 (now includes a sub‐clause 6.3)
  • Clause 9.2 now has 2 sub‐clauses
  • Clause 9.3 now has 3 sub‐clauses
  • Clause 10 has been restructured

The 2022 edition of ISO 27001 has only minor changes affecting an auditor, except of course for the control changes in Annex A, which now reflects the ISO 27002:2022 reference control set.

Changes to the mandatory clauses of the standard include some additional items to provide clarification around some elements of Clauses 4‐10.
CHANGES TO CLAUSE 4

• Clause 4.2 c) now requires the organization to determine which of the requirements of interested parties will be addressed through the information security management system
CHANGES TO CLAUSE 6

• Clause 6.1.3(d) has now incorporated Technical Corrigendum 2 from the previous version of the standard. No additional audit requirements.
• Clause 6.2 now requires that the objectives be “monitored”
• New Clause 6.3 “Planning of changes” relates to changes to the management system
  • A planned process is now required
  • Will likely tie into Clause 8.1 Operational Planning and Control

There is a minor change to Clause 6.1.3(d) regarding the contents of the Statement of Applicability (SoA). This change reflects the change to the 2013 version introduced by Technical Corrigendum 2, which reformatted this clause to ensure clarity of the requirements of the standard relating to the mandatory content of the SoA. The content of the SoA has not changed, so there are no additional audit requirements in relation to this change.

Note that with the changes to Annex A of ISO 27001, any Statement of Applicability built to conform to this standard must address all 93 Annex A controls: each control is either marked as necessary (and implemented or planned) or marked as excluded with a justification (as per Clause 6.1.3(c) and (d)). A practical transition check is whether the SoA has been re‐baselined against the 2022 Annex A rather than still listing the 114 controls of the 2013 edition.

In addition, there is now a specific requirement in Clause 6.2 to monitor the information security objectives. This will tie into activities relating to Clause 8.1 and Clause 9.1. The auditor should continue to seek evidence that the ISMS supports the defined objectives.

The 2022 version of the standard introduces a new sub‐clause, Clause 6.3 “Planning of changes”. This clause requires a planned approach to changes to the ISMS and can be seen as part of the overall change management practices of the organization.
CHANGES TO CLAUSE 8

• 8.1 now refers to “requirements” rather than “information security requirements”
• Implement the actions determined by Clause 6, by:
  • Establishing criteria for the processes
  • Implementing control of the processes in accordance with the criteria
• Documented information shall be available
• Externally provided products or services relevant to the ISMS are to be controlled
CHANGES TO CLAUSE 9

• Clause 9.2 (Internal Audit) has now been divided into 2 sub‐clauses
  • 9.2.1 General
  • 9.2.2 Internal audit programme
  • No substantive changes to the requirements
  • Change is more structural and for clarification
• Clause 9.3 (Management Review) has now been divided into 3 sub‐clauses
  • 9.3.1 General
  • 9.3.2 Management review inputs – modified list of inputs
  • 9.3.3 Management review results – formally documented outcomes

Clause 9.2 regarding ISMS internal audit has been restructured, with the original clause broken into 2 sub‐clauses. There are no substantive changes to this area of the standard, with all requirements from the 2013 version still included.

Clause 9.2.1 provides the general requirements regarding internal audit.

Clause 9.2.2 clarifies the requirements relating to the establishment, implementation and maintenance of an ISMS internal audit programme. This was an area often overlooked in the 2013 version of the standard.

On similar lines, the management review clause has been restructured. Some key aspects of these changes for audit purposes are the modification in the list of inputs that must be considered (the 2022 edition adds changes in the needs and expectations of interested parties that are relevant to the ISMS) and the emphasis on documenting decisions regarding changes to the ISMS or improvement opportunities.

Note that the 2013 version did require the results of the management review to be documented, so there is no change to this requirement.
CHANGES TO CLAUSE 10

• Clause 10 has been restructured, with clauses 10.1 and 10.2 exchanged (10.1 is now Continual improvement and 10.2 is Nonconformity and corrective action)
• No substantive changes to the requirements
• Change is more structural and for clarification
THE STRUCTURE OF ISO 27002:2022

• Simplified, reducing the number of control domains (now called “themes”) from 14 to 4
  • Organizational – 37 controls
  • People – 8 controls
  • Physical – 14 controls
  • Technological – 34 controls
• Contains up‐to‐date guidance including information for use by auditors
• Will be supported by updates to the ISO 27008 standard providing guidance for auditing controls
• Other standards will also be updated

The completely restructured and updated third edition of the ISO 27002 standard was published in February 2022.

There has been a consolidation of control domains (now called “themes”), with the number reducing from 14 to 4.

In the 2013 version, there were the following control domains with 114 controls:

• 5 Information security policies (2 controls)
• 6 Organization of information security (7 controls)
• 7 Human resource security (6 controls)
• 8 Asset management (10 controls)
• 9 Access control (14 controls)
• 10 Cryptography (2 controls)
• 11 Physical and environmental security (15 controls)
• 12 Operations security (14 controls)
• 13 Communications security (7 controls)
• 14 System acquisition, development and maintenance (13 controls)
• 15 Supplier relationships (5 controls)
• 16 Information security incident management (7 controls)
• 17 Information security aspects of business continuity management (4 controls)
• 18 Compliance (8 controls)

These domains have been replaced by the following control “themes” with 93 explicit controls:

• 5 Organizational – 37 controls
• 6 People – 8 controls
• 7 Physical – 14 controls
• 8 Technological – 34 controls

From an auditor’s perspective, the update to the standard provides some useful guidance. This includes the use of the control attributes discussed later.

Other standards in the ISO 27000 family will also require updates to reflect the changes to ISO 27002. These standards include ISO 27003, 27004, 27008, 27009, 27010, 27011, 27017, 27019 and 27103, to name a few.
THE STRUCTURE OF ISO 27002:2022

• 11 new controls introduced
  • Reflects changes in the security landscape since 2013
  • Includes use of cloud services, threat intelligence and data leakage prevention
• 24 merged controls
• 58 renamed or reviewed controls
• However, there are a number of implied controls that may well be considered, which would increase the total number of controls in use within an ISMS

In this version there are nominally 21 fewer controls than in the 2013 edition (93 rather than 114), despite the addition of 11 new controls. Several of the 2013 controls have been updated or merged.

No controls have been dropped outright from the 2013 version; each was carried forward, renamed or merged into a control in the 2022 version of the standard.

The actual control count is far higher (a few hundred) if you consider the controls that are implied by the details contained in the individual controls. As such, the resultant control set for the ISMS may well exceed the 93 controls in this standard. For instance, the control relating to backups may have several smaller, related controls such as a backup policy, a backup schedule and the validation of backups. This could mean that there are 4‐5 related controls not specifically called out in ISO 27002.
THE STRUCTURE OF ISO 27002:2022

• Each control also has 5 “attributes” which can be used to categorize the controls
  • Control type – Preventive, Detective, Corrective
  • Information security properties – Confidentiality, Integrity, Availability
  • Cybersecurity concepts – Identify, Protect, Detect, Respond, Recover
  • Operational capabilities – e.g. Governance, Asset_management, Information_protection, System_and_network_security
  • Security domains – Governance_and_Ecosystem, Protection, Defence, Resilience
• Can be useful in terms of validating control selection
• Organizations may assign their own attributes for their specific needs

One of the most useful changes to the standard from an auditor’s perspective is the introduction of “attributes” for each control. These attributes further describe and categorize the relevant control.

The control type attribute provides a perspective on how and when the control helps to modify either the consequence or the likelihood of a risk. It focusses on whether the control prevents a risk from being realized, detects that a risk (or incident) has occurred, or corrects the effects of the incident. Preventive controls primarily reduce the likelihood (or probability) of the incident occurring (a realized risk), whilst detective and corrective controls act once an incident is under way or has occurred and so reduce its consequence (or impact).

The information security property attribute addresses the security “triad” of confidentiality, integrity and availability. Remember that Clause 6 of ISO 27001 requires the organization to consider risks associated with the loss of confidentiality, integrity and availability of information within scope. This attribute type then allows the auditor to consider the effect the control has on the relevant security property. For instance, the organization may have selected a control to manage a risk relating to the loss of integrity of the information, but this attribute indicates that the control only addresses the confidentiality of the information. This attribute type is therefore very useful to the auditor in substantiating the risk treatment decisions of the organization.

The cybersecurity concepts attribute directly aligns with the NIST Cybersecurity Framework (NIST CSF), which is frequently used by organizations to define the activities required within an operating cybersecurity model. The attribute values in ISO 27002 are equivalent to the “Functions” of the CSF.

This attribute is useful when organizations have an interest in, or alignment to, the NIST CSF.

The operational capabilities attribute allows the controls to be viewed from a security practitioner’s perspective of information security. The values for this attribute are:
• Governance
• Asset management
• Information protection
• Human resource security
• Physical security
• System and network security
• Application security
• Secure configuration
• Identity and access management
• Threat and vulnerability management
• Continuity
• Supplier relationships security
• Legal and compliance
• Information security event management
• Information security assurance

The final attribute is the security domain. This allows a view of the control environment from the perspective of four (4) information security domains. These domains are:
• Governance and Ecosystem
• Protection
• Defence
• Resilience
THE STRUCTURE OF ISO 27002:2022

• Example attributes for control 5.1 relating to information security policies

• Each control has a purpose, effectively taking the place of the control objective
from the 2013 version

29

Each control no longer has an associated “control objective” as contained in the previous
versions of the standard. This objective has been replaced by the purpose statement for
each control.

The purpose of the control explains why the control should be implemented. How the
control may be implemented is contained in the “Guidance” section of each control.
Note that this is guidance only and may not reflect how that control is implemented in
the ISMS under review.

Another useful section in each control description within ISO 27002:2022 is the “Other
information” section. A review of this section by an auditor may provide some useful
background information.

AUDITING ATTRIBUTE USE
• Remember, use of control attributes is not mandatory, so absence of attributes is not a non‐conformance
• Attributes are in ISO 27002, NOT ISO 27001!
• If attributes are in use:
  • Do they contribute to a better picture in terms of control selection to manage risks?
  • Do they use them for clarity on responsibilities?
  • Are they using their own, and if so, for what purpose?
  • Where are they capturing the attributes? SoA?

As mentioned previously, the use of attributes by an auditor can bring a number of
benefits to the audit. One of the primary uses of such attributes is the use of the
“Control type” attribute to assist in validating the requirement of Clause 6.1.2 of ISO 27001
that the risk assessment method produces “consistent, valid and comparable results”.
Similarly, this attribute type is beneficial in validating the risk treatments required by
Clause 6.1.3 of the standard. In both cases, a validation of the control against the risk is
possible.

It may be that the organization has captured these, or other, attributes in their
Statement of Applicability. This is NOT a requirement of the ISO 27001 standard but
may be useful to both the organization and the auditors.

Note that the use of attributes provides the auditor with additional context about the
control, but a non‐conformance cannot be raised on their use, or lack of. This is the
auditee’s choice on how, or if, these attributes are used.

Activity 1: Auditor Use of Attributes

Task:
As a group, consider the 5 attribute types for controls and discuss a minimum of 2 ways
that consideration of the attributes can contribute to an effective ISMS audit.
Consider key activities normally examined within an ISMS audit and how an organisation
may use these attributes to make their ISMS more effective.

Time:
15 minutes

COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Questions
03 AUDITING THE NEW CONTROLS

MODULE 3:
AUDITING THE NEW CONTROLS

This module provides guidance to ISMS auditors when auditing the controls added to the
ISO/IEC 27001:2022 Annex A.

This module provides guidance on auditing the 11 new controls added to the new
version of ISO 27002:2022 and therefore, Annex A of ISO/IEC 27001:2022.

THE 11 NEW CONTROLS

ANNEX A CONTROL IDENTIFIER   CONTROL NAME
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding

There are 3 of the new controls in the section relating to security within the
organization. These controls address changes in the operating environment of most
organizations.

All new controls focus on addressing areas of risk within an organization which have
been identified as areas of concern.

A.5.7 THREAT INTELLIGENCE

Control
Information relating to information security threats should be collected
and analysed to produce threat intelligence.

Purpose
To provide awareness of the organization’s threat environment so that
the appropriate mitigation actions can be taken.

Notes
• Often depends on the maturity of the organization
• Generally sourced from external feeds

A.5.7 THREAT INTELLIGENCE
Examine / Sample / Question:
• Have they a defined set of roles and responsibilities?
• Sources of intelligence? External or internal?
• Alignment with organization’s risk management
• How is the threat intelligence analyzed and used?
• Is the intelligence mutually shared? With whom?
• Examples of threat intel and its use, e.g. improvements in existing controls

Interview / Observe:
• Interview roles with responsibilities
• Discuss how the intelligence is utilized
• Are the intelligence gathering objectives clearly defined?
• Competence of key roles?

Threat intelligence is the practice of accumulating information from various sources
about current or potential cyber attacks against an organization or individual. This
collected information can then be analyzed, organized and used to minimize and
mitigate cybersecurity risks to the organization and individuals.

The new control relating to threat intelligence requires access to such information.
Generally, this information is sourced from external, trusted sources, which is then
analyzed by the appropriately qualified and skilled people to determine the
organization’s response.

Note that such intelligence may be related to individuals holding key positions within the
organization.

This activity is often referred to as Cyber Threat Intelligence (CTI) or “cyber intel”.

Auditing this new control first requires identification of any threat intelligence function
within the organization. Once clear accountability for this function is established, the
auditor should seek to understand a number of key elements.

These are:
1. Who has responsibility for:
   a. Defining the intelligence objectives, and how is this done?
   b. Collecting the intelligence information
   c. Analyzing the collected information
   d. Determining what action should be taken, if any
   e. Communicating key intelligence to interested parties within the organization
   f. Sharing any gathered intelligence with interested external parties
2. Are individuals competent in their roles?
3. What information feeds are used as sources of intelligence? Trusted or untrusted?

The sources of threat intelligence may include information gathered from law
enforcement, vendors or even from the “dark web”.

Sharing threat intelligence is an extension of the objective of the previous control related
to “contact with special interest groups” (A.5.6) ensuring appropriate information flow
with respect to information security.

A.5.23 INFORMATION SECURITY FOR USE OF CLOUD SERVICES

Control
Processes for acquisition, use, management and exit from cloud services
should be established in accordance with the organization’s information
security requirements.

Purpose
To specify and manage information security for the use of cloud services.

A.5.23 INFORMATION SECURITY FOR USE OF CLOUD SERVICES
Examine / Sample / Question:
• Is there a policy governing the use of cloud services? Approved and communicated?
• Are the security requirements clearly defined?
• Responsibilities of cloud provider and client defined?
• Service agreements addressing confidentiality, integrity and availability
• Sample risk assessments of cloud providers/services

Interview / Observe:
• Interview role with responsibilities in managing cloud provider relationships
• Are there formal review meetings?
• Interview roles responsible for change management and incident management w.r.t. cloud services
• Discuss data sovereignty issues

One of the significant technological changes since the release of the 2013 versions of
the standard is the widespread adoption of cloud services. Many organizations are now
utilizing some form of cloud‐based services.

The recognition that cloud service providers play a vital role in the delivery of critical
services has driven the need for additional guidance relating to the management of risks
in this domain.

This control has been introduced to provide some high‐level guidance. However, there
are a number of additional standards that contain specific support. These include ISO
27017 providing guidance to both cloud service customers and cloud service providers
and ISO 27018 addressing the protection of Personally Identifiable Information (PII)
managed in the cloud. These standards may have been used to support this individual
control within the ISMS under audit.

Auditing this control requires collection of evidence from a number of key sources.
Considerations should include the process for the acquisition of cloud services, how
these services are managed and the processes for entering and exiting such services.

As with all third‐party arrangements, evidence of risk assessments of the cloud services
should be available. Access to the relevant service agreements would also provide
evidence of the security requirements and how those obligations are met.

Such agreements should include:
• How information is protected
• How access control is managed
• Where the information is stored and/or processed
• How security incidents are managed and reported
• Supply chain security issues
• Availability, backup and recovery
• Change management of the environment
• Data sovereignty issues

Auditors should note that the cloud services client may have little influence on the cloud
service provider’s security posture. This increases the need for risk assessments of the
vendor.

A.5.30 ICT READINESS FOR BUSINESS CONTINUITY

Control
ICT readiness should be planned, implemented, maintained and tested
based on business continuity objectives and ICT continuity requirements.

Purpose
To ensure the availability of the organization’s information and other
associated assets during disruption.

Notes
• Closely integrated with business continuity management
• Supported by ISO 27021, ISO 22301

A.5.30 ICT READINESS FOR BUSINESS CONTINUITY
Examine / Sample / Question:
• Has a Business Impact Analysis (BIA) been performed? Critical business activities prioritized?
• Have the results been integrated into the service continuity and recovery plans?
• Review the IT continuity plan. Is it approved?
• Does the continuity plan address continuity, recovery and resumption issues?
• Are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned with the needs and priorities of the business?
• Review results of exercising/testing the plan

Interview / Observe:
• Interview roles with responsibilities in business continuity, IT service continuity and IT recovery

This is another new control in ISO 27001:2022, though it does have some correlation to
Annex A.17 in the 2013 version.

Consideration of ICT readiness for business continuity helps to facilitate the
incorporation of infrastructure recovery and continuity issues with the broader business
continuity considerations. This change reinforces the concept that business continuity,
ICT service continuity and service recovery are interlinked rather than considered as
separate and unconnected issues.

One method of assessing the effectiveness of this control is the review of any business
continuity management framework in use.

A key element of such a framework is a Business Impact Analysis (BIA). Such an exercise
identifies the business expectations in terms of continuity and recovery, allowing IT to
define the recovery time and recovery point objectives that will satisfy the business
requirements.

Note that the control requires such plans to be tested.

The following guidance is provided:
• Has a Business Impact Analysis (BIA) been performed? Critical business activities prioritized?
• Have the results been integrated into the service continuity and recovery plans?
• Review the IT continuity plan. Is it approved?
• Does the continuity plan address continuity, recovery and resumption issues?
• Are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned with the needs and priorities of the business?
• Review results of exercising/testing the plan
• Interview roles with responsibilities in business continuity, IT service continuity and IT recovery

A.7.4 PHYSICAL SECURITY MONITORING

Control
Premises should be continuously
monitored for unauthorized physical
access.

Purpose
To detect and deter unauthorized
physical access.

Notes
• May be difficult in leased or
shared premises

A.7.4 PHYSICAL SECURITY MONITORING

Examine / Sample / Question:
• Sample alarm records and response
• Sample CCTV records
• Is the control pad protected from tampering?
• Sample testing records for the alarm and monitoring systems (including CCTV)
• Have they considered PII and data protection? Workplace regulations?

Observe:
• Physical security alarms/access control systems
• Surveillance cameras and physical guards
• Locations of cameras/motion sensors etc.
• Interview persons responsible for monitoring/reviewing records including CCTV

This control requires organizations to put adequate processes and suitable surveillance
tools in place to detect and prevent unauthorized access into restricted physical areas.

Restricted physical areas could include:
• Server rooms;
• Secure office environments where sensitive information is accessed or stored
• IT Equipment rooms; and
• IT Control stations.

This will protect the organization and limit the occurrence of incidents such as:
• Data Theft;
• Theft of physical assets like removable media;
• Tampering of physical assets;
• Deliberate infection of physical IT assets with malware; and
• Financial loss.

Locations containing sensitive information should be constantly monitored using key
technologies such as closed‐circuit TV (CCTV).

Auditors may approach assessment of this control by:
• Confirming the physical security monitoring tools used
• Sampling alarm records and responses
• Sampling CCTV records
• Observing locations of CCTV cameras
• Observing other physical security controls such as access controls on doors etc.
• Interviewing persons responsible for monitoring/reviewing records including CCTV

A.8.9 CONFIGURATION MANAGEMENT
Control
Configurations, including security configurations, of hardware, software, services and
networks should be established, documented, implemented, monitored and
reviewed.

Purpose
To ensure hardware, software, services and networks function correctly with required
security settings, and configuration is not altered by unauthorized or incorrect
changes.

Notes
• May be addressed by ITIL or ISO 20000-1 implementation

A.8.9 CONFIGURATION MANAGEMENT
Examine / Sample / Question:
• Use of CMDB?
• Documented configuration standards including disabling unnecessary services and restricting access to powerful programs
• Review cycle of these standards
• Use of tools to enforce standards
• Use of systems management tools for monitoring
• Sample configuration records

Interview / Observe:
• Interview Service Desk Manager (or Configuration Manager)

This control assesses the organization’s process of ensuring that configurations are
appropriately implemented, managed and documented.

It also enables an organization to proactively determine when unauthorised or incorrect
changes have been made to network or system configurations.

The configuration management process is typically managed by administrative users
such as:
• IT Manager;
• System administrator; and
• Head of Network security/IT.

Auditors may approach assessment of this control by:
• Checking for the use of any configuration management database or control system
• Sampling configuration records
• Reviewing instances where the organization has detected system or device
misconfiguration and how this was addressed
• Reviewing how often these configuration management standards are updated
• Confirming any tools used to enforce the standards
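Added example (not from the guide or any product): comparing a sampled configuration record against a documented configuration standard of the kind the slide lists (services to disable, required settings, restricted access to powerful programs), and diffing it against the last approved record to show what an unauthorised or incorrect change looks like to the reviewer. The record format, the standard and the host values are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed documented configuration standard, as an organization might record it.
STANDARD = {
    "disabled_services": {"telnet", "rsh", "ftp"},
    "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                 "X11Forwarding": "no"},
    # "powerful programs" and the only groups approved to use them
    "restricted_programs": {"/usr/bin/sudo": {"wheel"}, "/usr/sbin/tcpdump": {"netops"}},
}

# Constructed configuration records for one host (hypothetical export format from a
# CMDB or configuration tool): the last approved record and the record sampled at audit.
APPROVED_RECORD = """\
host=app-01
enabled_services=sshd,cron
setting PermitRootLogin no
setting PasswordAuthentication no
setting X11Forwarding no
program /usr/bin/sudo groups=wheel
program /usr/sbin/tcpdump groups=netops
"""

SAMPLED_RECORD = """\
host=app-01
enabled_services=sshd,cron,ftp,telnet
setting PermitRootLogin no
setting PasswordAuthentication yes
setting X11Forwarding no
program /usr/bin/sudo groups=wheel
program /usr/sbin/tcpdump groups=netops,developers
"""


@dataclass
class ConfigRecord:
    host: str = ""
    enabled_services: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)
    program_groups: dict = field(default_factory=dict)


def parse_record(text: str) -> ConfigRecord:
    """Parse the constructed record format. Unknown lines raise, so a malformed
    export is never silently treated as compliant."""
    rec = ConfigRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("host="):
            rec.host = line[len("host="):]
        elif line.startswith("enabled_services="):
            rec.enabled_services = {s for s in line[len("enabled_services="):].split(",") if s}
        elif line.startswith("setting "):
            _, key, value = line.split(maxsplit=2)
            rec.settings[key] = value
        elif line.startswith("program "):
            _, prog, groups = line.split(maxsplit=2)
            rec.program_groups[prog] = set(groups[len("groups="):].split(","))
        else:
            raise ValueError(f"unrecognised line in configuration record: {raw!r}")
    return rec


def check_against_standard(rec: ConfigRecord, standard: dict) -> list:
    """Findings where the sampled record departs from the documented standard."""
    findings = []
    for svc in sorted(standard["disabled_services"] & rec.enabled_services):
        findings.append(f"{rec.host}: service '{svc}' must be disabled but is enabled")
    for key, expected in standard["settings"].items():
        actual = rec.settings.get(key)
        if actual is None:
            findings.append(f"{rec.host}: setting '{key}' absent (standard requires '{expected}')")
        elif actual != expected:
            findings.append(f"{rec.host}: setting '{key}' is '{actual}', standard requires '{expected}'")
    for prog, allowed in standard["restricted_programs"].items():
        extra = rec.program_groups.get(prog, set()) - allowed
        if extra:
            findings.append(f"{rec.host}: '{prog}' usable by unapproved group(s) {sorted(extra)}")
    return findings


def diff_records(before: ConfigRecord, after: ConfigRecord) -> list:
    """Changes between two records; each one should map to an approved change request."""
    changes = []
    for svc in sorted(after.enabled_services - before.enabled_services):
        changes.append(f"service enabled: {svc}")
    for svc in sorted(before.enabled_services - after.enabled_services):
        changes.append(f"service disabled: {svc}")
    for key in sorted(set(before.settings) | set(after.settings)):
        if before.settings.get(key) != after.settings.get(key):
            changes.append(f"setting {key}: {before.settings.get(key)} -> {after.settings.get(key)}")
    for prog in sorted(set(before.program_groups) | set(after.program_groups)):
        if before.program_groups.get(prog, set()) != after.program_groups.get(prog, set()):
            changes.append(f"program {prog}: groups now {sorted(after.program_groups.get(prog, set()))}")
    return changes
```

Running `check_against_standard(parse_record(SAMPLED_RECORD), STANDARD)` gives one finding per departure (two enabled services, one changed setting, one unapproved group), and `diff_records` against the approved record shows which of those are changes since the last approved state.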

A.8.10 INFORMATION DELETION

Control
Information stored in information systems, devices or in any other
storage media should be deleted when no longer required.

Purpose
To prevent unnecessary exposure of sensitive information and to
conform with legal, statutory, regulatory and contractual requirements
for information deletion.

Notes
• May be part of a broader organizational records management
approach

A.8.10 INFORMATION DELETION
Examine / Sample / Question:
• Sanitization process for media and its alignment with business and legal requirements defined?
• Third party agreements include deletion requirements?
• Are cloud service provider’s deletion methods satisfactory?
• Sample secure disposal / destruction records
• Does the organization use any automatic process for the deletion of data after a specified period?
• Are hard disks removed before equipment is removed from the premises?

Interview / Observe:
• Interview service desk / technical personnel responsible for redeployment/removal of media
• Interview personnel responsible for service calls to equipment


Information stored on devices no longer required is largely ignored in many organizations.
In cases where the information is sensitive, it can pose a threat to an organization when
accessed by unauthorised personnel or a threat actor.

Information includes, but is not limited to, the following:
• Employee information – full name, date of birth, bank details, etc.
• Client information.
• Vendor information.

This control requires organizations to have a process in place to safely delete stored
information when it is no longer required or when it is otherwise necessary to do so.

This process ideally feeds into or complements an organization’s information retention
policy and serves as a guideline in maintaining compliance with legal or regulatory
requirements.

Audit guidance in this area includes consideration of the following matters.
• Are there any legal, contractual or regulatory requirements that influence information
deletion or retention?
• Determine the information deletion process that is used within the organization.
• Confirm that such a process meets the organization’s obligations.

• Review the process used to delete information no longer required.
• Sample records that should have been deleted.
• Sample secure destruction reports.

Interviewing key staff responsible for reuse and redeployment of media may provide
evidence of conformance to the organization’s processes in this area.

Note that the organization should have processes in place for the maintenance of
equipment that should include the secure removal of information from any media.

A.8.11 DATA MASKING

Control
Data masking should be used in accordance with the organization’s topic‐
specific policy on access control and other related topic‐specific, and
business requirements, taking applicable legislation into consideration.

Purpose
To limit the exposure of sensitive data including personally identifiable
information, and to comply with legal, statutory, regulatory and
contractual requirements.

Notes
• May be part of a broader organizational approach to sensitive
information.

Data masking is the process of obfuscating or modifying data such that it is
unintelligible, to protect the sensitivity of the data and prevent unauthorised disclosure
of this data.

This control requires that a process is defined and techniques are in place to limit the
exposure of sensitive data to authorised personnel only.

Sensitive data includes:
• Personal identifiable information (personal information) such as full name and credit
card information;
• Vendor information; and
• Client information.
Data masking techniques include:
• Encryption;
• Scrambling;
• Substitution; and
• Nulling out.
This helps organizations to maintain compliance with legal, statutory, regulatory and
contractual requirements.

A.8.11 DATA MASKING

Examine / Sample / Question:
• Has sensitive data requiring masking been identified?
• What method is used? Anonymization, data masking, encryption etc.?
• What legal, regulatory or contractual requirements exist?
• How is the data masking validated / tested?
• Is there a clearly defined process to ensure “need to know” only?

Interview / Observe:
• Interview business function owners re masking requirements


Audit guidance in this area includes consideration of the following matters.
• Has sensitive data requiring masking been identified?
• Verify what regulatory requirements may exist that require compliance by the
organization. How are these identified and updated?
• Confirm if the process of data masking is documented.
• Sample sensitive data that should have been masked
• Do they use any type of encryption technologies to protect data from inappropriate
disclosure?
• What access control frameworks exist to limit access to sensitive data? Policies and
procedures? Sample any access controls.

A common area of weakness in organizations is the use of production data in test
environments. However, the increased focus on protection of personally identifiable
information (PII) has highlighted the need for more effective control in this area.
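Added example (not from the guide): the masking techniques listed above (substitution, scrambling, nulling out, plus partial masking) applied to constructed sample records of the kinds the control names, followed by the validation check an auditor sampling "data that should have been masked" would want. The key, the policy and the records are constructed assumptions; the keyed HMAC pseudonym used for substitution stands in for the encryption technique, since the standard library has no AES.

```python
import hashlib
import hmac
import random
import re
from typing import Any, Callable

# Assumption: a per-environment masking key; in practice it would come from a key store.
MASKING_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records (fictitious values) of the kinds the guide lists as sensitive.
SAMPLE_RECORDS = [
    {"employee_id": 101, "name": "Alice Example", "dob": "1984-03-09",
     "card": "4111 1111 1111 1111", "bank_account": "12345678", "vendor": "Acme Supplies"},
    {"employee_id": 102, "name": "Bob Sample", "dob": "1990-11-21",
     "card": "5500 0000 0000 0004", "bank_account": "87654321", "vendor": "Acme Supplies"},
    {"employee_id": 103, "name": "Alice Example", "dob": "1984-03-09",
     "card": "4111 1111 1111 1111", "bank_account": "12345678", "vendor": "Globex Ltd"},
]


def null_out(value: Any) -> None:
    """Nulling out: the value is dropped entirely."""
    return None


def substitute(value: Any) -> str:
    """Substitution with a keyed pseudonym (HMAC-SHA256): the same input always gives the
    same token, so joins across masked data sets still work, while the original cannot be
    recovered without the key. Stands in here for the encryption technique."""
    digest = hmac.new(MASKING_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "SUBJ-" + digest[:10]


def scramble(value: Any) -> str:
    """Scrambling: shuffle the alphanumeric characters, keeping separators in place so the
    format survives. Seeded from the value so it is reproducible; if the shuffle happens to
    reproduce the original, rotate the characters by one position instead."""
    text = str(value)
    chars = [c for c in text if c.isalnum()]
    rng = random.Random(hmac.new(MASKING_KEY, text.encode(), hashlib.sha256).digest())
    rng.shuffle(chars)

    def rebuild(pool: list) -> str:
        it = iter(pool)
        return "".join(next(it) if c.isalnum() else c for c in text)

    result = rebuild(chars)
    if result == text and len(set(chars)) > 1:
        result = rebuild(chars[1:] + chars[:1])
    return result


def partial_mask(value: Any, keep_last: int = 4) -> str:
    """Partial masking: every digit except the last few becomes '*'."""
    text = str(value)
    digit_positions = [i for i, c in enumerate(text) if c.isdigit()]
    hidden = set(digit_positions[:max(0, len(digit_positions) - keep_last)])
    return "".join("*" if i in hidden else c for i, c in enumerate(text))


# Constructed masking policy: which technique applies to which field. The guide ties this
# choice to the organization's access control policy and business requirements.
MASKING_POLICY: dict[str, Callable[[Any], Any]] = {
    "name": substitute,
    "dob": null_out,
    "card": partial_mask,
    "bank_account": scramble,
    "vendor": substitute,
}

# A card-like run of 13 to 19 digits has no business surviving in masked output.
CARD_LIKE = re.compile(r"(?:\d[ -]?){13,19}")


def mask_record(record: dict) -> dict:
    """Apply the policy field by field; fields outside the policy pass through unchanged."""
    return {k: MASKING_POLICY[k](v) if k in MASKING_POLICY else v for k, v in record.items()}


def validate_masking(originals: list, masked: list) -> list:
    """Every policy-covered value must differ from its original, no card-like digit run may
    survive, and substitution must be consistent so referential integrity holds.
    Returns a list of findings; an empty list means the sample passed."""
    findings = []
    tokens: dict = {}
    for orig, out in zip(originals, masked):
        rid = orig.get("employee_id")
        for fld, technique in MASKING_POLICY.items():
            if orig[fld] == out[fld]:
                findings.append(f"record {rid}: field '{fld}' not masked")
            if technique is substitute:
                if tokens.setdefault((fld, orig[fld]), out[fld]) != out[fld]:
                    findings.append(f"record {rid}: inconsistent token for '{fld}'")
        for value in out.values():
            if isinstance(value, str) and CARD_LIKE.search(value):
                findings.append(f"record {rid}: card-like digit run survived masking")
    return findings
```

`validate_masking(SAMPLE_RECORDS, [mask_record(r) for r in SAMPLE_RECORDS])` returns an empty list, while validating an unmasked copy of the data against itself reports each unmasked field and the surviving card number.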

A.8.12 DATA LEAKAGE PREVENTION
Control
Data leakage prevention measures should
be applied to systems, networks and any
other devices that process, store or
transmit sensitive information.

Purpose
To detect and prevent the unauthorized
disclosure and extraction of information
by individuals or systems.

Notes
• This control relates to control A.5.12 regarding information classification. A.5.12
should be effective as a precursor to this control.
A.8.12 DATA LEAKAGE PREVENTION
Examine / Sample / Question:
• Has sensitive information been identified and classified?
• Check for any tools used to minimize data leakage – e.g. email attachment controls. DLP solutions?
• Are there any formal processes for data export?
• Who approves data export?
• Check acceptable use rules to cover off data leakage sources
• Check user awareness training material and records
• Examine backup strategies – check for encryption of backups of sensitive data

Interview / Observe:
• Interview security management to determine level of awareness amongst user communities
• Sample user behavior

Data leakage is the process where there is unauthorised transfer of data from within an
organization to an external source.

This is very common with organizations that deal with different kinds of data with
different classifications and have interconnected/complex system infrastructure.

This control requires an organization to develop data leakage prevention measures to
prevent and detect unauthorised transfers, disclosure and exfiltration of data. This may
include procedural measures and technical controls like data loss prevention (DLP) tool
solutions.
Audit guidance in this area includes consideration of the following matters.
• Has sensitive information been identified and classified?
• What are the organization’s policies around this area? Staff education and awareness?
• Check for any tools used to minimize data leakage:
  • Email attachment controls; and
  • DLP solutions.
• Confirm if there has been a data leakage incident and how it was addressed.
• Review the incident and confirm that post incident activity was performed.

A.8.16 MONITORING ACTIVITIES
Control
Networks, systems and applications
should be monitored for anomalous
behaviour and appropriate actions
taken to evaluate potential
information security incidents.

Purpose
To detect anomalous behaviour and
potential information security
incidents.

Notes
• This control is associated with A.8.15 regarding system logging
A.8.16 MONITORING ACTIVITIES
Examine / Sample / Question:
• Confirm monitoring tools are in use
• Ensure tools meet defined strategies and requirements
• Is any baseline of activity established to allow for alerts of activity outside parameters?
• Check for automated alerting of events – to whom, what is the response?
• Are false positives identified and action taken to reduce the frequency of these alerts?
• Are personnel appropriately trained in responding to alerts? Records of competency?

Interview / Observe:
• Discuss how monitoring strategies were developed
• Contractual, legal and regulatory aspects considered?

This control requires organizations to define and implement a process/mechanism for
monitoring activities on networks, systems and applications. The process should have
considered developing appropriate actions to evaluate detected anomalous or
suspicious activities.
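Added example (not from the guide): a baseline-and-alert check of the kind the slide asks about, run over constructed authentication log lines: a per-user baseline of failed logins per hour, an alert when the current hour exceeds it, and a documented exception list so known noise is recorded as suppressed rather than raised as a false positive. The log format, thresholds, ticket reference and alert routing are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth <failure|success> user=<u> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d auth (?P<result>failure|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

ABSOLUTE_FLOOR = 5          # assumption: never alert below this many failures per hour
ROUTE_TO = "soc-oncall"     # assumption: who receives the alert
# Documented exceptions that would otherwise fire every hour (false-positive tuning);
# the change reference is a placeholder.
TUNED_OUT = {"svc-scanner": "CHG-XXXX (placeholder): authorised vulnerability scanner"}

# Constructed 48-hour baseline window: 'alice' fails 1 to 3 logins an hour (a typical user).
START = datetime(2022, 11, 1)
BASELINE_HOURS = [(START + timedelta(hours=i)).strftime("%Y-%m-%dT%H") for i in range(48)]
BASELINE_LOGS = []
for i, hour in enumerate(BASELINE_HOURS):
    BASELINE_LOGS += [f"{hour}:05:00 auth failure user=alice src=10.0.0.5"] * [1, 2, 3, 2][i % 4]
    BASELINE_LOGS.append(f"{hour}:10:00 auth success user=alice src=10.0.0.5")

# Constructed lines for the hour under evaluation, including one unparseable line.
CURRENT_HOUR = "2022-11-03T09"
CURRENT_LOGS = (
    [f"{CURRENT_HOUR}:{m:02d}:00 auth failure user=alice src=203.0.113.7" for m in range(20)]
    + [f"{CURRENT_HOUR}:{m:02d}:00 auth failure user=bob src=10.0.0.9" for m in range(4)]
    + [f"{CURRENT_HOUR}:{m:02d}:00 auth failure user=carol src=10.0.0.9" for m in range(5)]
    + [f"{CURRENT_HOUR}:{m:02d}:00 auth failure user=svc-scanner src=10.0.0.2" for m in range(30)]
    + ["garbled line from a truncated log shipment"]
)


def hourly_failures(lines):
    """Return ({user: {hour: failures}}, unparsed_count). Unparseable lines are counted
    rather than dropped, because a gap in logging is itself worth raising (A.8.15)."""
    counts = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
        elif m["result"] == "failure":
            counts[m["user"]][m["hour"]] += 1
    return counts, unparsed


def build_baseline(lines, hours):
    """Per-user mean and population std dev of failures per hour over the window;
    hours with no failures count as zero."""
    counts, _ = hourly_failures(lines)
    baseline = {}
    for user, per_hour in counts.items():
        series = [per_hour.get(h, 0) for h in hours]
        baseline[user] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def evaluate_hour(lines, hour, baseline):
    """Alert when an hour's failures exceed the larger of (mean + 3 std dev) and the
    absolute floor; tuned-out accounts are recorded as suppressed, never silently dropped."""
    counts, unparsed = hourly_failures(lines)
    alerts, suppressed = [], []
    for user, per_hour in counts.items():
        n = per_hour.get(hour, 0)
        mean, sd = baseline.get(user, (0.0, 0.0))
        threshold = max(mean + 3 * sd, ABSOLUTE_FLOOR)
        if n <= threshold:
            continue
        if user in TUNED_OUT:
            suppressed.append({"user": user, "failures": n, "reason": TUNED_OUT[user]})
            continue
        alerts.append({"user": user, "failures": n, "threshold": round(threshold, 2),
                       "baseline": "none" if user not in baseline else f"{mean:.1f} +/- {sd:.1f}",
                       "route_to": ROUTE_TO})
    return {"hour": hour, "alerts": alerts, "suppressed": suppressed, "unparsed": unparsed}
```

For the constructed hour, only 'alice' (20 failures against a baseline of about 2 per hour) is alerted; 'bob' and 'carol' sit at or below the floor, 'svc-scanner' is recorded as suppressed with its documented reason, and the garbled line is counted so the reviewer sees the logging gap.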

A.8.23 WEB FILTERING

Control
Access to external websites should be managed to reduce exposure to malicious content.

Purpose
To protect systems from being compromised by malware and to prevent access to
unauthorized web resources.

Notes
• Effectiveness of this control is partially determined by the level of user awareness
regarding Internet use.


This control requires an organization to implement measures and processes to filter the
web content that personnel can access.

A.8.23 WEB FILTERING
Examine / Sample / Question:
• Use of proxy filters, firewalls or other screening technology designed to restrict web traffic
• Examine mechanisms used to drive whitelisting or blacklisting of sites and frequency of updates
• Check acceptable use rules to ensure users are clear on behavior
• Check user awareness training material and records
• Check exemptions process used to gain access to restricted sites

Interview / Observe:
• Interview security management on Internet content controls

• Check the security policy suite for guidance/rules on web access and controlled content.
• Check user security training or awareness material to confirm that it includes user
obligations to enhance effective web filtering as per the relevant policy requirement.
• Confirm the web filtering tools used to restrict web traffic.
• Check the exemption process used to gain access to restricted/blocked domains.
• Examine the process for management of those restricted domains and sample
workstations to ensure the content filtering policies are applied.

Often the implementation of such filtering is managed by the network perimeter
security devices. These can include firewalls and proxy servers. Identification of the
technology used to filter web traffic is critical to the ability to further assess the
effectiveness of this control. Methods that may be used include whitelisting web
domains (allow access only to the domains in this list) or blacklisting domains (do not
allow access to websites in this list). If these methods are in use, check to see how
these lists are maintained.

A.8.28 SECURE CODING

Control
Secure coding principles should be applied to software development.

Purpose
To ensure that software is written securely thereby reducing the number of
potential information security vulnerabilities in the software.

Notes
• This control links to other related software development controls such as
A.8.29 relating to testing


This control requires that organizations employ secure coding practices to prevent
security vulnerabilities or flaws in software or applications.

These practices include:
• Proper input validation;
• Strong key generation; and
• Formalization of exception handling.

The organization should ensure that these practices are documented and made available
to developers and testing personnel.

A.8.28 SECURE CODING
Examine / Sample / Question:
• Secure software development standards or rules
• Ensure these rules apply during planning/design, coding and the review/maintenance cycles
• Ensure these rules apply to both in‐house and external development
• Mechanisms for ensuring standards are aligned with changing threat landscape – inputs for threat intelligence
• Application of these rules for both new development and maintenance activities
• Training provided to software engineers on secure coding principles
• Is source code appropriately protected?

Interview / Observe:
• Interview application developers regarding secure development

Audit guidance in this area includes consideration of the following matters.
• Determine if a secure baseline exists for application development.
• Check if any “threat intelligence” mechanisms exist to provide information to
developers on current attack scenarios and the developing threat landscape.
• Confirm that any secure coding practices are documented.
• Confirm how these rules or practices are applied for both new development and
maintenance activities.
• Check how source code is being managed.

This control is often overlooked when organizations use rapid development frameworks
such as agile development methods.

04 AUDITING THE MERGED CONTROLS

MODULE 4:
AUDITING THE MERGED CONTROLS

This module provides guidance to ISMS auditors when auditing the 24 controls in the
ISO 27001:2022 standard that are the outcome of merging a number of controls from
the ISO 27001:2013 version of Annex A.

THE 24 MERGED CONTROLS

ISO/IEC 27001:2013 CONTROL IDENTIFIER(S) → NEW CONTROL IDENTIFIER   CONTROL NAME
A.5.1.1, A.5.1.2 → A.5.1   Policies for information security
A.6.1.5, A.14.1.1 → A.5.8   Information security in project management
A.8.1.1, A.8.1.2 → A.5.9   Inventory of information and other associated assets
A.8.1.3, A.8.2.3 → A.5.10   Acceptable use of information and other associated assets
A.13.2.1, A.13.2.2, A.13.2.3 → A.5.14   Information transfer
A.9.1.1, A.9.1.2 → A.5.15   Access control
A.9.2.4, A.9.3.1, A.9.4.3 → A.5.17   Authentication information
A.9.2.2, A.9.2.5, A.9.2.6 → A.5.18   Access rights
A.15.2.1, A.15.2.2 → A.5.22   Monitoring, review and change management of supplier services
A.17.1.1, A.17.1.2, A.17.1.3 → A.5.29   Information security during disruption
A.18.1.1, A.18.1.5 → A.5.31   Legal, statutory, regulatory and contractual requirements
A.18.2.2, A.18.2.3 → A.5.36   Compliance with policies, rules and standards for information security

A high level overview of the ISO 27001:2013 controls that have been merged into single
controls in the ISO 27001:2022 revision.

THE 24 MERGED CONTROLS

ISO/IEC 27001:2013 control identifier | New control identifier | Control name
A.16.1.2, A.16.1.3 | A.6.8 | Information security event reporting
A.11.1.2, A.11.1.6 | A.7.2 | Physical entry
A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5 | A.7.10 | Storage media
A.6.2.1, A.11.2.8 | A.8.1 | User endpoint devices
A.12.6.1, A.18.2.3 | A.8.8 | Management of technical vulnerabilities
A.12.4.1, A.12.4.2, A.12.4.3 | A.8.15 | Logging
A.12.5.1, A.12.6.2 | A.8.19 | Installation of software on operational systems
A.10.1.1, A.10.1.2 | A.8.24 | Use of cryptography
A.14.1.2, A.14.1.3 | A.8.26 | Application security requirements
A.14.2.8, A.14.2.9 | A.8.29 | Security testing in development and acceptance
A.12.1.4, A.14.2.6 | A.8.31 | Separation of development, test and production environments
A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 | A.8.32 | Change Management

THE MERGED CONTROLS

• Designed to simplify the operations of the control framework
• Controls that had related or similar overall objectives have been combined into a single control with a single purpose
• Auditing the new, merged, control can rely on the techniques and strategies used to audit the controls from the 2013 standard
• The merged controls should be simpler to audit thanks to this redesign

This control requires that organizations employ secure coding practices to prevent security vulnerabilities or flaws in software or applications.

These practices include:

• Proper input validation;
• Strong key generation; and
• Formalization of exception handling.

The organization should ensure that these practices are documented and made available to developers and testing personnel.
A.5.1 POLICIES FOR INFORMATION SECURITY

Control
Information security policy and topic‐specific policies should be defined,
approved by management, published, communicated to and acknowledged by
relevant personnel and relevant interested parties, and reviewed at planned
intervals and if significant changes occur.

Purpose
To ensure continuing suitability, adequacy, effectiveness of management
direction and support for information security in accordance with business
requirements, legal, statutory, regulatory and contractual requirements.

Relevant merged controls from ISO/IEC 27001:2013

• A.5.1.1 Policies for information security
• A.5.1.2 Review of the policies for information security

ISO 27001:2013 Merged Controls:

A.5.1.1 Policies for information security

The organisation must define a set of information security policies and ensure that these policies are communicated to its employees, relevant stakeholders and external parties.

A.5.1.2 Review of the policies for information security

The information security policies should be continually reviewed and updated at regular intervals to ensure their suitability and effectiveness.
A.5.1 POLICIES FOR INFORMATION SECURITY

Examine / Sample / Question
• Does the policy suite contain policies identified as applicable in the Statement of Applicability?
• When were the policies approved and by whom?
• Are these policies communicated to necessary interested parties?
• Are they included in induction and regular training activities?
• Check the minutes of meeting of Management Review. Have they identified any significant change in information security environment, for example, a new legislation, new security requirement from a customer?

Interview / Observe
• Interview security management regarding review cycle and changes triggering review

The objective of this control continues to be focused on ensuring the information security
ecosystem is based on, and clearly aligned with, the organization's requirements and any
applicable laws, regulations and contractual obligations. Given this alignment, the policy suite
for any ISMS will be unique to that organization.

Audit guidance then includes the following:


• Does the policy suite contain all the policies identified as applicable in the Statement of
Applicability?
• Does the high‐level policy convey the message that information security is everyone’s
responsibility?
• When were the policies approved and by whom?
• Has the organization identified the list of external parties and the means of
communication?
• Are these policies communicated to necessary interested parties?
• Are they included in induction and regular training activities? For new employees,
contractors and other third‐parties in scope?
• Check the minutes of meeting of Management Review. Have they identified any significant
change in information security environment, for example, a new legislation, new security
requirement from a customer?
• When were the policies last reviewed and by whom?

Auditing security policies is reasonably straightforward. Document review quickly establishes conformance or otherwise.
A.5.8 INFORMATION SECURITY IN PROJECT MANAGEMENT

Control
Information security should be integrated into project management.

Purpose
To ensure information security risks related to projects and deliverables are
effectively addressed in project management throughout the project lifecycle.

Relevant merged controls from ISO/IEC 27001:2013

• A.6.1.5 Information security in project management
• A.14.1.1 Information security requirements analysis and specification

ISO 27001:2013 Merged Controls:

A.6.1.5 Information security in project management

Organisations should consider information security in project management, irrespective of the type of the project.

A.14.1.1 Information security requirements analysis and specification

The organisation needs to specify information security related requirements while procuring new information systems or planning enhancements to existing information systems.
A.5.8 INFORMATION SECURITY IN PROJECT MANAGEMENT
Examine / Sample / Question
• Review the project management methodology
• Review if security requirements have been specified in business requirements.
• Check minutes of project steering meetings
• Check responsibilities for information security are allocated relevant to the project
• Review project risk assessments for information security risks
• Review software acquisition processes to check for security specifications

Interview / Observe
• Interview project managers

The merger of the controls into this individual control enforces the need to ensure that
information security is considered within all projects and that the identification and
documentation of any relevant security requirements should be done early in all
projects, irrespective of project type.

Audit guidance includes:

• Review the project management methodology
• Review if security requirements have been specified in business requirements.
• Check minutes of project steering meetings
• Check responsibilities for information security are allocated relevant to the project
• Review project risk assessments for information security risks
• Review if ‘security’ requirements have been specified in business requirements. For example, access control, back‐up and logging requirements?

It is common to see ‘quality’ requirements embedded at the design stage of application development, less so security requirements. Similarly, projects tend to focus on project risks usually related to project delivery and budget, not on any information security risks that may need to be managed once the project has been completed.
A.5.9 INVENTORY OF INFORMATION AND OTHER ASSOCIATED ASSETS

Control
An inventory of information and other associated assets, including owners,
should be developed and maintained.

Purpose
To identify the organization’s information and other associated assets in order to
preserve their information security and assign appropriate ownership.

Relevant merged controls from ISO/IEC 27001:2013


• A.8.1.1 Inventory of assets
• A.8.1.2 Ownership of assets

ISO 27001:2013 Merged Controls:

A.8.1.1 Inventory of assets

The organisation should identify assets associated with information and information
processing facilities and maintain an inventory of all these assets.

A.8.1.2 Ownership of assets

The organisation should assign ownership of assets maintained in the inventory.

A.5.9 INVENTORY OF INFORMATION AND OTHER ASSOCIATED ASSETS

Examine / Sample / Question
• Check for an information asset register
• Are all assets in scope listed?
• Confirm assets have assigned owners

The objective of these controls is to identify organizational assets and ensure that they
are owned.

Audit guidance includes:


• Check for an information asset register
• Are all assets in scope listed?
• Confirm assets have assigned owners

Assets not owned by the organization may be used for business processing. For
example, a personal laptop or a cell phone with data storing facility. How is the
risk assessment done for such assets?

A.5.10 ACCEPTABLE USE OF INFORMATION AND OTHER ASSOCIATED ASSETS

Control
Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented.

Purpose
To ensure information and other associated assets are appropriately protected, used and handled.

Relevant merged controls from ISO/IEC 27001:2013
• A.8.1.3 Acceptable use of assets
• A.8.2.3 Handling of assets

ISO 27001:2013 Merged Controls:

A.8.1.3 Acceptable use of assets


The organisation needs to identify, document and implement rules for the acceptable
use of information assets and information processing facilities.

A.8.2.3 Handling of assets

This control requires developing and implementing suitable procedures for handling
assets, based on the organisation’s information classification method.

A.5.10 ACCEPTABLE USE OF INFORMATION AND OTHER ASSOCIATED ASSETS

Examine / Sample / Question
• Is there a policy on acceptable use of assets?
• How was it communicated to all relevant parties?
• Review the procedure for handling information assets
• Review any related training material and training records
• Examine any tools that support appropriate handling of information assets

Interview / Observe
• Interview staff regarding knowledge of handling assets

Audit guidance includes:


• Is there a policy on ‘acceptable use of assets’?
• How was it communicated to all relevant parties?
• Is there an acknowledgement that they have read and understood the rules?
• Is there a suitable procedure for handling information and information assets,
based on the organization’s information classification method?
• Is there any training delivered related to information handling?

Acceptable use may be addressed in a general security policy or within “codes of conduct” guidance. Investigation on the mechanisms of conveying these requirements should include examination of any training or awareness material, including induction training. Records of completion of such training and any assessment mechanisms should be sought.
A.5.14 INFORMATION TRANSFER

Control
Information transfer rules, procedures, or agreements should be in place for all
types of transfer facilities within the organization and between the organization
and other parties.

Purpose
To maintain the security of information transferred within an organization and
with any external interested party.

Relevant merged controls from ISO/IEC 27001:2013

• A.13.2.1 Information transfer policies and procedures
• A.13.2.2 Agreements on information transfer
• A.13.2.3 Electronic messaging

2013 Merged Controls:

A.13.2.1 Information transfer policies and procedures

This control requires that documented transfer policies, procedures, and controls should be established to protect the transfer of information using communication facilities.

A.13.2.2 Agreements on information transfer

Organisations must include secure transfer of business information between the organisation and external parties in all its agreements.

A.13.2.3 Electronic messaging

Any information involved in electronic messaging should be protected against unauthorised access.
A.5.14 INFORMATION TRANSFER
Examine / Sample / Question
• Examine any documented information transfer policies and procedures
• Check policies around electronic messaging
• Check responsibilities relating to information transfer including owners, approvers and custodians
• Check labelling system used for sensitive information being transferred
• Check for malware protection within electronic messaging systems
• Examine training material and records relating to awareness and responsibilities

Interview / Observe
• Interview users involved in such transfers

Audit guidance includes:


• Review any relevant policies and procedures that address the transfer of
information within and outside the organisation. These should include rules around
electronic messaging in all forms. Such messaging may include email, MS‐Teams,
Zoom, Yammer and other forms of instant messaging.
• Check responsibilities relating to information transfer including owners, approvers
and custodians
• Check labelling system used for sensitive information being transferred
• Check for malware protection within electronic messaging systems
• Examine training material and records relating to awareness and responsibilities

Are they using mechanisms to control the type of information allowed to be transferred
via forms of electronic communication? It may be that the organization is restricting the
ability to attach/transfer documents based on their sensitivity.
Observation and interview of users would also indicate the level of implementation and
understanding of the information transfer rules.

A.5.15 ACCESS CONTROL

Control
Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements.

Purpose
To ensure authorized access and to prevent unauthorized access to information and other associated assets.

Relevant merged controls from ISO/IEC 27001:2013
• A.9.1.1 Access control policy
• A.9.1.2 Access to networks and network services

2013 Merged Controls:

A.9.1.1 Access control policy

The organisation should establish, document, and review access control policy, based
on business and security requirements.

A.9.1.2 Access to network and network services

This control requires that users should only be able to access the network and network
services they are authorised to use.

A.5.15 ACCESS CONTROL

Examine / Sample / Question
• Check access control policy and its approval process
• Sample user access request for conformance to policy
• Confirm approval of access
• Check if access policy also covers approval of physical access
• Check for appropriate segregation of sensitive access
• Is access based on “need to know” or roles

Interview / Observe
• Interview Support Desk re access approval

The intent of this control is to ensure authorized access to information and to prevent
unauthorized access to the information and any other associated assets. Auditing of
this control combines documentation review and sampling.

Interviewing the IT Service Desk staff will also provide evidence of workflows
regarding approval and provisioning of access.

Auditors may also:


• Check the access control policy and its approval and distribution
• Sample user access requests for conformance to the policy
• Confirm the process of approving access
• Check if the access policy also covers the management and approval of physical
access requests
• Check for the appropriate segregation of sensitive access, based on “need to
know”, or Role Based Access Control (RBAC)

A.5.17 AUTHENTICATION INFORMATION

Control
Allocation and management of authentication information should be controlled
by a management process including advising personnel of appropriate handling
of authentication information.

Purpose
To ensure proper entity authentication and prevent failures of authentication
processes.

Relevant merged controls from ISO/IEC 27001:2013


• A.9.2.4 Management of secret authentication information of users
• A.9.3.1 Use of secret authentication information
• A.9.4.3 Password management system

2013 Merged Controls:

A.9.2.4 Management of secret authentication information of users

The organisation must define a formal process to manage and control allocation of
secret authentication information.

A.9.3.1 Use of secret authentication information

This control is to ensure that users follow the organisation’s policies while using
secret authentication information.

A.9.4.3 Password management system

The organisation must define interactive systems for managing passwords to consistently ensure quality passwords.
A.5.17 AUTHENTICATION INFORMATION
Examine / Sample / Question
• Review the mechanisms used to issue passwords or other authentication information and sample
• Review password standards or guidance issued to all users
• Review user awareness training on the subject
• Review how the operating system is configured on the Domain server / active directory / authentication tools
• Review use of biometric and other authentication mechanisms

Interview / Observe
• Interview a few users and verify their awareness about good password security practices
• Interview server administrators re domain level password policies

The intent of this control is to ensure proper user and entity authentication and to
prevent failures of the authentication processes. Authentication, or validation of the
identity of the user or entity, is an important concept within information security. That
identity is then used in access control.

Interviewing the IT Service Desk staff will also provide evidence of workflows
regarding validation of users when providing initial authentication information such as
the initial user password.

Auditors may also:


• Sample the mechanisms used to issue passwords or other authentication
information
• Review password standards or guidance issued to all users
• Review user awareness training on the subject
• Review how the operating system is configured on the Domain server / active
directory / authentication tools
• Review use of biometric and other authentication mechanisms
• Check for any additional requirements imposed on privileged user accounts

Enforcement of password rules is often done at the domain or server level. Interviews
with server support personnel may confirm any password strength rules in place.

A.5.18 ACCESS RIGHTS

Control
Access rights to information and other associated assets should be provisioned,
reviewed, modified and removed in accordance with the organization’s topic‐
specific policy on and rules for access control.

Purpose
To ensure access to information and other associated assets is defined and
authorized according to the business requirements.

Relevant merged controls from ISO/IEC 27001:2013


• A.9.2.2 User access provisioning
• A.9.2.5 Review of user access rights
• A.9.2.6 Removal or adjustment of access rights

2013 Merged Controls:

A.9.2.2 User access provisioning

A documented process must be implemented to assign or revoke user access rights to all systems and services.

A.9.2.5 Review of user access rights

Users’ access rights should be reviewed by assigned asset owners at regular intervals.

A.9.2.6 Removal or adjustment of access rights

This control requires that organisations should remove information access rights of all
employees and external parties once their employment, contract or agreement is
terminated.

A.5.18 ACCESS RIGHTS

Examine / Sample / Question
• Review access provisioning procedure
• Select a few samples of new users and confirm that the process was followed
• Select a few samples of employees and third‐party staff who have left or changed roles and confirm that the process was followed
• Check for the process for access reviews to ensure currency of access

Interview / Observe
• Interview service desk staff on access provisioning
• Interview security management to find out how frequently user accesses are reviewed.

The intent of this control is to ensure access to information and other associated
assets is defined and authorized according to the business requirements.
Auditing of this control combines documentation review and sampling.
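The leaver, mover and access-review sampling described above, scripted as an added example (not part of the Intertek guide): it reconciles a constructed HR leavers and movers report against a constructed account export and lists the exceptions an auditor would raise. The thresholds MAX_REMOVAL_DAYS and REVIEW_INTERVAL_DAYS, the usernames and the group names are assumptions standing in for the organization's own access control policy and systems.

```python
# Added example, not part of the Intertek guide: an auditor's sampling check for
# A.5.18 Access rights. It reconciles a constructed HR leavers/movers report against
# a constructed account export and lists the exceptions an auditor would raise.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed thresholds standing in for the organization's topic-specific access policy.
MAX_REMOVAL_DAYS = 1        # leaver access must be removed within one day of leaving
REVIEW_INTERVAL_DAYS = 90   # every enabled account reviewed by its owner at least quarterly


@dataclass(frozen=True)
class Account:
    """One row of a constructed directory/account export."""
    username: str
    enabled: bool
    groups: frozenset
    last_reviewed: Optional[date]   # None: no evidence of an access review
    disabled_on: Optional[date]     # None: still enabled, or removal date not recorded


@dataclass(frozen=True)
class HrEvent:
    """One row of a constructed HR leavers and movers report."""
    username: str
    kind: str                       # "leaver" or "mover"
    effective: date                 # leaving date, or date the new role started
    role_groups: frozenset = frozenset()   # groups the new role is entitled to (movers)


def find_access_exceptions(accounts: List[Account], hr_events: List[HrEvent],
                           audit_date: date) -> List[Tuple[str, str]]:
    """Return sorted (username, finding) pairs; an empty list means no exceptions."""
    by_user = {a.username: a for a in accounts}
    findings = []

    for ev in hr_events:
        acct = by_user.get(ev.username)
        if acct is None:
            # Absence from the export is not proof of removal; ask for deletion evidence.
            findings.append((ev.username, "no account in export; obtain deletion evidence"))
        elif ev.kind == "leaver":
            if acct.enabled:
                findings.append((ev.username, "leaver account still enabled"))
            elif acct.disabled_on is None:
                findings.append((ev.username, "leaver disabled but removal date not recorded"))
            elif acct.disabled_on > ev.effective + timedelta(days=MAX_REMOVAL_DAYS):
                late = (acct.disabled_on - ev.effective).days
                findings.append((ev.username, f"leaver access removed {late} days after leaving"))
        elif ev.kind == "mover":
            # Adjustment means old entitlements go, not just new ones arriving.
            retained = acct.groups - ev.role_groups
            if retained:
                findings.append((ev.username, "mover retains groups from previous role: "
                                 + ", ".join(sorted(retained))))

    # Currency of access: every enabled account needs a review inside the interval.
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_reviewed is None:
            findings.append((acct.username, "enabled account with no access review evidence"))
        elif (audit_date - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((acct.username, "access review overdue"))

    return sorted(findings)


# Constructed sample data: an account export and an HR report as an auditor might receive.
AUDIT_DATE = date(2022, 11, 15)
ACCOUNTS = [
    Account("alice", True, frozenset({"staff", "finance-ro"}), date(2022, 10, 1), None),
    Account("bob", True, frozenset({"staff"}), date(2022, 9, 20), None),
    Account("carol", False, frozenset({"staff", "hr-rw"}), date(2022, 8, 1), date(2022, 10, 12)),
    Account("dave", True, frozenset({"staff", "hr-ro", "finance-rw"}), date(2022, 11, 1), None),
    Account("erin", True, frozenset({"staff"}), None, None),
]
HR_EVENTS = [
    HrEvent("bob", "leaver", date(2022, 10, 31)),
    HrEvent("carol", "leaver", date(2022, 9, 30)),
    HrEvent("dave", "mover", date(2022, 10, 3), frozenset({"staff", "hr-ro"})),
    HrEvent("frank", "leaver", date(2022, 10, 14)),
]

if __name__ == "__main__":
    for user, finding in find_access_exceptions(ACCOUNTS, HR_EVENTS, AUDIT_DATE):
        print(f"{user}: {finding}")
```

Each finding maps back to one of the audit questions above (removal, adjustment, currency of access) and can be cited against the policy clause the thresholds came from.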

A.5.22 MONITORING, REVIEW AND CHANGE MANAGEMENT OF
SUPPLIER SERVICES
Control
The organization should regularly monitor, review, evaluate and manage change
in supplier information security practices and service delivery.

Purpose
To maintain an agreed level of information security and service delivery in line
with supplier agreements.

Relevant merged controls from ISO/IEC 27001:2013


• A.15.2.1 Monitoring and review of supplier services
• A.15.2.2 Managing changes to supplier services

2013 Merged Controls:

A.15.2.1 Monitoring and review of supplier services

This control requires that organisations supervise and conduct frequent reviews of their supplier service delivery.

A.15.2.2 Managing changes to supplier services

The organisation should manage changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls. It must consider the criticality of business information, systems and processes involved and re‐assessment of risks.
A.5.22 MONITORING, REVIEW AND CHANGE MANAGEMENT OF
SUPPLIER SERVICES

Examine / Sample / Question
• Review the list of services provided by suppliers
• Review supplier change control policy and procedures, if any
• Take a few samples of changes to supplier services. Confirm that policies and procedures are effective
• Sample reports or assurance records from suppliers

Interview / Observe
• Interview the relevant account manager to determine how they monitor these services
• Interview procurement staff to determine how changes to third party services are monitored

The intent of this control is to maintain an agreed level of information security and
service delivery in line with supplier agreements.

Audit guidance for this control area includes:


• Review the list of services provided by suppliers
• Review a sample of service provider contracts to determine the security
expectations under that contract
• Sample reports or assurance records from suppliers
• Review supplier change control policy and procedures, if any
• Take a few samples of changes to supplier services. Confirm that policies and procedures are effective

Interviews with the relevant account manager and procurement staff may provide additional evidence on how services are monitored and the process regarding changes to supplier services. Evidence of monitoring could be sought.
A.5.29 INFORMATION SECURITY DURING DISRUPTION

Control
The organization should plan how to maintain information security at an
appropriate level during disruption.

Purpose
To protect information and other associated assets during disruption.

Relevant merged controls from ISO/IEC 27001:2013


• A.17.1.1 Planning information security continuity
• A.17.1.2 Implementing information security continuity
• A.17.1.3 Verify, review and evaluate information security continuity

2013 Merged Controls:

A.17.1.1 Planning information security continuity

The requirements for information security and the continuity of information security
management during disruptive situations must be identified and documented.

A.17.1.2 Implementing information security continuity

Appropriate processes, procedures and controls should be established, documented, implemented and maintained to ensure the required level of continuity for information security during an adverse situation.

A.17.1.3 Verify, review and evaluate information security continuity

This control requires periodically reviewing and verifying information security continuity
controls to ensure that they are valid and effective during adverse situations.

A.5.29 INFORMATION SECURITY DURING DISRUPTION

Examine / Sample / Question
• Examine business continuity plans to check for inclusion of information security
• Check BIAs for security impacts
• Check plans for inclusion of compensating controls if key security controls cannot be maintained during the disruption
• Check for testing and review/update of such plans
• Sample testing/exercising reports

Interview / Observe
• Discuss information security continuity strategies with the security management team

This control area is supported by a wider organizational approach to business continuity management (BCM). The absence of a broader, comprehensive BCM framework may make assessment of this control more difficult.

The focus should be on the ability of the organization to maintain effective information
security during a disruptive event.

Audit guidance may include:


• Discuss information security continuity strategies with the security management
team
• Examine business continuity plans to check for inclusion of information security
• Check Business Impact Assessments (BIAs) for security impacts or considerations
• Check plans for inclusion of compensating controls if key security controls cannot
be maintained during the disruption
• Check for testing and review/update of such plans
• Sample testing/exercising reports

A.5.31 LEGAL, STATUTORY, REGULATORY AND CONTRACTUAL
REQUIREMENTS

Control
Legal, statutory, regulatory and contractual requirements relevant to information
security and the organization’s approach to meet these requirements should be
identified, documented and kept up to date.

Purpose
To ensure compliance with legal, statutory, regulatory and contractual
requirements related to information security.

Relevant merged controls from ISO/IEC 27001:2013


• A.18.1.1 Identification of applicable legislation and contractual requirements
• A.18.1.5 Regulation of cryptographic controls

2013 Merged Controls:

A.18.1.1 Identification of applicable legislation and contractual requirements

The organisation should clearly identify, document and update all applicable legislative, statutory, regulatory and contractual requirements and the organisation’s approach to ensuring compliance for each information system within the organisation.

A.18.1.5 Regulation of cryptographic controls

This control specifies that the use of cryptographic controls must comply with all
relevant agreements, laws, and regulations.

A.5.31 LEGAL, STATUTORY, REGULATORY AND CONTRACTUAL
REQUIREMENTS

Examine / Sample / Question
• Review list of applicable legislation and regulations
• Review movement of cryptographic tools across borders
• Sample client and supplier contracts for any security requirements
• Sample insurance contracts for any information security requirements

Interview / Observe
• Interview legal team on update process and key responsibilities
• Discuss with legal team any cross‐border cryptographic transfer rules

The intent of this control is to ensure that the organization complies with all legal,
statutory, regulatory and contractual requirements related to information security.

It may be necessary to interview representatives providing legal advice to the ISMS. These may be internal or external resources. If they are external, it is more likely that the interviews will be with security management on how they interact with external legal partners.

During such interviews, issues including cross‐border transfer of cryptographic technology should be raised. Generally, organizations do not actively participate in such transfer arrangements, but if the organization has a broader geographic reach this matter may have more focus and relevance.

Audit guidance and activities include:


• Review list of applicable legislation and regulations
• Review movement of cryptographic tools across borders
• Sample client and supplier contracts for any security requirements
• Sample insurance contracts for any information security requirements

A.5.36 CONFORMANCE WITH POLICIES, RULES AND
STANDARDS FOR INFORMATION SECURITY

Control
Compliance with the organization’s information security policy, topic‐specific
policies, rules and standards should be regularly reviewed.

Purpose
To ensure that information security is implemented and operated in accordance
with the organization’s information security policy, topic‐specific policies, rules
and standards.

Relevant merged controls from ISO/IEC 27001:2013


• A.18.2.2 Compliance with security policies and standards
• A.18.2.3 Technical compliance review

2013 Merged Controls:

A.18.2.2 Compliance with security policies and standards

Managers must regularly assess and review the compliance of information processing
and procedures within their area of responsibility.

A.18.2.3 Technical compliance review

Organisations should regularly review information systems to ensure technical compliance with the organisation’s information security policies and standards.
A.5.36 CONFORMANCE WITH POLICIES, RULES AND
STANDARDS FOR INFORMATION SECURITY
Examine / Sample / Question
• Review policies and procedures
• Examine reports from network scanning and penetration tests
• Sample any other independent assurance reports
• Review security calendars and activities that may trigger independent assessments
• Review internal and external audit procedures and reports

Interview / Observe
• Interview key managers to understand how this is done
• Interview security manager on assurance and controls testing activities

The intent of this control is to ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic‐specific policies, rules and standards.

To achieve this, organizations should be validating compliance with their security standards through formal testing and assurance activities.

Key audit activities may include:


• A review of policies and procedures and discussion with managers on how
conformance to these is managed and enforced
• Examination of reports from network scanning, internal and external security reviews
and penetration tests
• Sampling of any other independent assurance reports, based on their relevance to in‐
scope controls
• Review of any security calendars, task lists and activities that may drive independent
assessments
• Review of any recent internal and external audit procedures and reports

A.6.8 INFORMATION SECURITY EVENT REPORTING

Control
The organization should provide a mechanism for personnel to report observed
or suspected information security events through appropriate channels in a
timely manner.

Purpose
To support timely, consistent and effective reporting of information security
events that can be identified by personnel.

Relevant merged controls from ISO/IEC 27001:2013


• A.16.1.2 Reporting information security events
• A.16.1.3 Reporting information security weaknesses

2013 Merged Controls:

A.16.1.2 Reporting information security events

This control specifies obligations to promptly report information security incidents to the appropriate management channels.

A.16.1.3 Reporting information security weaknesses

If and when employees and contractors using the organisation’s information systems
and services observe or suspect any information security weaknesses in systems or
services, they must note and report these immediately.

A.6.8 INFORMATION SECURITY EVENT REPORTING

Examine / Sample / Question
• Examine security event and incident procedures
• Examine user training material relating to security events, weaknesses and incidents
• Sample follow‐up actions from previous security events and weaknesses – check effectiveness

Interview / Observe
• Interview or observe service desk personnel on response to security events
• Interview a sample of users on their understanding of how events and weaknesses should be reported

Audit guidance includes:


• Examine security event and incident procedures
• Examine user training material relating to security events, weaknesses and incidents
• Sample follow‐up actions from previous security events and weaknesses – check the
effectiveness of any subsequent actions

It may be possible to observe service desk personnel responding to a report of a security
event. If this is not possible, an interview of the relevant personnel to determine the
response to such reports would be useful.

In addition, it would be useful to interview a sample of users on their understanding of
how events and weaknesses should be reported. Evidence of these reports may be
available from the incident reporting system.

89
A.7.2 PHYSICAL ENTRY

Control
Secure areas should be protected by
appropriate entry controls and access
points.

Purpose
To ensure only authorized physical
access to the organization’s
information and other associated
assets occurs.

Relevant merged controls from ISO/IEC 27001:2013
• A.11.1.2 Physical entry controls
• A.11.1.6 Delivery and loading areas

2013 Merged Controls:

A.11.1.2 Physical entry controls

Organisations need to enforce suitable entry controls to protect secure areas and to
ensure that only authorised personnel are allowed access.

A.11.1.6 Delivery and loading areas

Organisations need to control and, preferably, isolate access points such as delivery and
loading areas and other points where unauthorised persons could enter the premises.

90
A.7.2 PHYSICAL ENTRY

Examine / Sample / Question:
• Sample physical access records and logs
• Examine the physical security policies and procedures
• Check use of employee and visitor identification and sample
• Confirm visitor escort policy

Interview / Observe:
• Walkaround to check physical security controls
• Observe reception, delivery and loading areas where unauthorized personnel may gain access
• Observe use of employee and visitor ids
• Check emergency exits for potential unauthorized ingress

Control of physical security plays a significant role in overall information security.
Auditors should be checking that physical access is controlled and that key entry points
into the organization are appropriately protected. This includes areas where
unauthorized personnel may enter, such as loading docks and reception areas.

Key audit guidance includes the following:


• Sample physical access records and logs
• Examine the physical security policies and procedures
• Check use of employee and visitor identification and sample
• Observe use of employee and visitor ids
• Confirm visitor escort policy
• Walkaround to check the physical security controls
• Observe reception, delivery and loading areas where unauthorized personnel may
gain access
• Check emergency exits for the potential for unauthorized ingress

91
A.7.10 STORAGE MEDIA

Control
Storage media should be managed through its lifecycle
of acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.

Purpose
To ensure only authorized disclosure, modification,
removal or destruction of information on storage media.

Relevant merged controls from ISO/IEC 27001:2013


• A.8.3.1 Management of removable media
• A.8.3.2 Disposal of media
• A.8.3.3 Physical media transfer
• A.11.2.5 Removal of assets

2013 Merged Controls:

A.8.3.1 Management of removable media

This control requires developing and implementing relevant procedures for the
management of removable media in accordance with the organisation’s information
classification method.

A.8.3.2 Disposal of media

The organisation needs to implement formal procedures to ensure media is disposed of
securely.

A.8.3.3 Physical media transfer

This control requires protection of media containing information against unauthorised
access, misuse or corruption during transportation.

A.11.2.5 Removal of assets

This control clearly specifies that appropriate authorisation should be taken before
moving any equipment, information or software off‐site.

92
A.7.10 STORAGE MEDIA

Examine / Sample / Question:
• Review media handling policy and procedures
• Review reuse and disposal procedures and sample destruction records
• Review media transfer processes and sample mechanism and relevant approvals
• Examine use of encryption on removable media
• Examine awareness content

Interview / Observe:
• Interview users on handling of media
• Interview staff responsible for media reuse/destruction

Key audit guidance includes the following:


• Review media handling policy and procedures
• Review reuse and disposal procedures and sample destruction records
• Review media transfer processes and sample mechanism and relevant approvals
• Examine use of encryption on removable media
• Examine awareness training material to identify guidance on media handling

Interviews with personnel responsible for media reuse or destruction will provide
sources of additional information relating to the reuse or disposal of storage media.
Such media will include hard disk drives from workstations and servers and removable
media such as portable storage devices and USB keys.

It is also worth interviewing a sample of users to determine their understanding of the
correct manner of disposing of storage media. Such topics may have been covered in
user awareness training, so the interviews will provide an understanding of the
effectiveness of such training.

93
A.8.1 USER ENDPOINT DEVICES

Control
Information stored on, processed by or accessible via user endpoint devices
should be protected.

Purpose
To protect information against the risks introduced by using user endpoint
devices.

Relevant merged controls from ISO/IEC 27001:2013


• A.6.2.1 Mobile device policy
• A.11.2.8 Unattended user equipment

2013 Merged Controls:

A.6.2.1 Mobile device policy

The organisation must adopt and implement a policy and supporting security measures
to handle the risks associated with using mobile devices.

A.11.2.8 Unattended user equipment

This control requires users to protect equipment when leaving it unattended.

94
A.8.1 USER ENDPOINT DEVICES
Examine / Sample / Question:
• Review the policy on use of laptops and mobile devices
• Review policy settings related to password protected screen savers
• Check endpoint patching process and sample
• Confirm restrictions on software installation
• Check user awareness training material re mobile device use including physical protection guidance
• Check controls deployed on mobile devices

Interview / Observe:
• Interview a few users of laptops and check if they are aware of the policies
• Observe workstations left unattended to confirm the activation of screen savers

Poorly secured mobile devices are more vulnerable to compromise and provide an
attacker with a potential access point into any connected systems. Therefore, controls
relating to such devices form an important part of the security ecosystem.

It is important that security updates are applied to mobile devices as soon as they
become available in order to manage the risk from such devices. Examination of the
vulnerability management (or patching) process will provide evidence of this activity.
The patching process should align to the organization's vulnerability management policy
and procedures.

Auditors should ensure that appropriate controls exist to restrict the installation of
unauthorized programs on mobile devices.

Other audit activities may include:


• Review the policy on use of laptops and mobile devices. Check if the policy addresses
use of mobile devices in public places.
• Review policy settings related to password protected screen savers
• Confirm restrictions on software installation
• Check user awareness training material re mobile device use including physical
protection guidance
• Check controls deployed on mobile devices

95
A.8.8 MANAGEMENT OF TECHNICAL VULNERABILITIES

Control
Information about technical vulnerabilities of information systems in use should
be obtained, the organization’s exposure to such vulnerabilities should be
evaluated and appropriate measures should be taken.

Purpose
To prevent exploitation of technical vulnerabilities.

Relevant merged controls from ISO/IEC 27001:2013


• A.12.6.1 Management of technical vulnerabilities
• A.18.2.3 Technical compliance review

2013 Merged Controls:

A.12.6.1 Management of technical vulnerabilities

This control deals with technical vulnerabilities of information systems and specifies
that the organisation’s exposure to such vulnerabilities must be evaluated and
addressed appropriately.

A.18.2.3 Technical compliance review

Organisations should regularly review information systems to ensure technical
compliance with the organisation’s information security policies and standards.

96
A.8.8 MANAGEMENT OF TECHNICAL VULNERABILITIES
Examine / Sample / Question:
• Review vulnerability management policy and procedures
• Review sources of vulnerability information
• Sample records of risk/vulnerability assessment decisions
• Sample patching records
• Review use of vulnerability management tools such as Qualys
• Review security calendar for schedule of testing
• Sample penetration testing reports

Interview / Observe:
• Interview systems administrators responsible for patching

Applying patches or updates is critical to ensuring the ongoing security of applications,
drivers, operating systems and firmware. In doing so, it is important that patches or
updates are applied consistently and in a secure manner. Organizations should have a
policy and supporting procedures related to the identification, assessment and
application of such updates.

The following audit guidance may apply:


• Review vulnerability management policy and procedures
• Review sources of vulnerability information
• Sample records of risk/vulnerability assessment decisions
• Sample patching records

In addition, the assessment of the environment’s technical compliance with the
organization’s policies and security standards should be evaluated for effectiveness.
Such assessment may use automated tools such as Qualys or planned testing.

Auditors may:
• Review use of vulnerability management tools such as Qualys
• Review security calendar for schedule of testing
• Sample penetration testing reports

97
A.8.15 LOGGING
Control
Logs that record activities, exceptions, faults and other relevant events should be
produced, stored, protected and analyzed.

Purpose
To record events, generate evidence, ensure the integrity of log information,
prevent against unauthorized access, identify information security events that
can lead to an information security incident and to support investigations.

Relevant merged controls from ISO/IEC 27001:2013


• A.12.4.1 Event logging
• A.12.4.2 Protection of log information
• A.12.4.3 Administrator and operator logs

2013 Merged Controls:

A.12.4.1 Event logging

This control requires maintaining and reviewing event logs related to user activities,
exceptions, faults and information security events.

A.12.4.2 Protection of log information

Organisations must ensure that its logging facilities and event logs are protected
against tampering and unauthorised access.

A.12.4.3 Administrator and operator logs

This control requires recording the system administrator and system operator
activities, with focus on protection and regular review of these logs.

98
A.8.15 LOGGING

Examine / Sample / Question:
• Review the logging and log retention policies
• Sample logging settings on key devices
• Review log data location, storage, backup and archiving and the access to such
• Check that privileged users do not have update access to logging data – sample some access lists
• Examine the use of SIEM services

Interview / Observe:
• Interview security management on the analysis of logs

Event log monitoring is critical to maintaining the security posture of systems. Such logs
can be used to detect information security events or to investigate security incidents.

Protection of such logs is therefore important, particularly against alteration by
privileged users.

Auditors may:
• Review the logging and log retention policies
• Sample logging settings on key devices
• Review log data location, storage, backup and archiving and the access to such
• Check that privileged users do not have update access to logging data – sample some
access lists
• Examine the use of SIEM services
• Interview security management on the analysis of logs
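One way to sample the "update access to logging data" check on a Unix host. This is an added example written for this guide, not code from the original page or from ISO/IEC: the collector reads owner and permission bits for the log paths named in the sample, and the assessment flags any file that its group or everyone can write, or whose owner is not an approved log-writing account. The approved-writer set, the log paths and the sample records are assumptions constructed for illustration.

```python
"""Sampling aid for A.8.15: who can modify log files on a Unix host (added example).

collect_log_entries() gathers owner and permission bits for real paths;
assess_log_entries() works on plain records so it can also be run against
the constructed sample below without touching a host.
"""
import os
import stat
from dataclasses import dataclass

# Assumed policy for this example: only these accounts may own log files, and
# no log file may be writable by its group or by everyone. Adjust per host.
ALLOWED_LOG_WRITERS = frozenset({"root", "syslog"})


@dataclass(frozen=True)
class LogEntry:
    path: str
    owner: str  # account that owns the file
    mode: int   # permission bits only, e.g. 0o640


def collect_log_entries(paths):
    """Stat each path and return LogEntry records; missing files are skipped."""
    import pwd  # Unix-only; imported here so the assessment itself runs anywhere
    entries = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        owner = pwd.getpwuid(st.st_uid).pw_name
        entries.append(LogEntry(path, owner, stat.S_IMODE(st.st_mode)))
    return entries


def assess_log_entries(entries, allowed_writers=ALLOWED_LOG_WRITERS):
    """Return one finding per policy violation; an empty list means no exceptions."""
    findings = []
    for e in entries:
        if e.mode & stat.S_IWOTH:
            findings.append(f"{e.path}: writable by everyone (mode {e.mode:04o})")
        elif e.mode & stat.S_IWGRP:
            findings.append(f"{e.path}: writable by group (mode {e.mode:04o})")
        if e.owner not in allowed_writers:
            findings.append(f"{e.path}: owned by {e.owner}, not an approved log writer")
    return findings


# Constructed sample of what the collector might return; not data from a real host.
SAMPLE_ENTRIES = [
    LogEntry("/var/log/auth.log", "syslog", 0o640),
    LogEntry("/var/log/audit/audit.log", "root", 0o600),
    LogEntry("/var/log/app/app.log", "appsvc", 0o666),
    LogEntry("/var/log/db/query.log", "dbadmin", 0o660),
]

if __name__ == "__main__":
    # On a real host: assess_log_entries(collect_log_entries(["/var/log/auth.log", ...]))
    for finding in assess_log_entries(SAMPLE_ENTRIES):
        print(finding)
```

The two findings against the application log (world-writable and owned by the application account) are the pattern to look for: an application that writes its own log can also rewrite it, so the auditor should ask whether such logs are forwarded promptly to a SIEM or other store the application cannot modify.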

99
A.8.19 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS

Control
Procedures and measures should be implemented to securely manage software
installation on operational systems.

Purpose
To ensure integrity of operational systems and prevent exploitation of technical
vulnerabilities.

Relevant merged controls from ISO/IEC 27001:2013


• A.12.5.1 Installation of software on operational systems
• A.12.6.2 Restrictions on software installation

2013 Merged Controls:

A.12.5.1 Installation of software on operational systems

Organisations must define and implement procedures to control software installation
on operational systems.

A.12.6.2 Restrictions on software installation


Rules governing the installation of software by users shall be established and
implemented.

100
A.8.19 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS
Examine / Sample / Question:
• Review testing practices for new and changed applications
• Review policies on software installation
• Sample access controls on systems
• Sample any software register identifying vendor software
• Sample the currency of vendor software to ensure it is still maintained
• For supplier‐maintained software, check access is restricted to minimum necessary
• Is application control (or “whitelisting”) in use?

Interview / Observe:
• Interview systems administrators responsible for installations

The intent of this control is to limit the ability to install unauthorized software within the
production environment.

Audit guidance includes:


• Review testing practices for new and changed applications
• Review policies on software installation
• Sample access controls on systems
• Sample any software register identifying vendor software
• Sample the currency of vendor software to ensure it is still maintained
• For supplier‐maintained software, check access is restricted to minimum necessary
• Is application control (or “whitelisting”) in use?

Interviews with the systems administrators on the processes involved in management of
software installation should include authorisation for such installation and any
testing/validation on such installations.

If application control is implemented, how are requests for non‐standard software
handled?

101
A.8.24 USE OF CRYPTOGRAPHY
Control
Rules for the effective use of cryptography, including
cryptographic key management, should be defined and
implemented.

Purpose
To ensure the proper and effective use of cryptography
to protect the confidentiality, authenticity or integrity
of information according to business and information
security requirements, and taking into consideration
legal, statutory, regulatory and contractual
requirements related to cryptography.

Relevant merged controls from ISO/IEC 27001:2013


• A.10.1.1 Policy on the use of cryptographic controls
• A.10.1.2 Key management

2013 Merged Controls:

A.10.1.1 Policy on the use of cryptographic controls

The organisation must develop and implement a policy on the use of cryptographic
controls for protection of information.

A.10.1.2 Key management

This control is about developing and implementing a policy on the use, protection and
lifetime of cryptographic keys throughout their entire lifecycle.

102
A.8.24 USE OF CRYPTOGRAPHY

Examine / Sample / Question:
• Review the cryptographic policy
• Confirm encryption technology was selected to meet business objectives
• Review any key management procedures
• Sample digital certificates to validate currency
• Sample the use of encryption on mobile devices

Interview / Observe:
• Interview systems administrators responsible for management of digital certificates and encryption keys

The purpose of cryptography is to provide confidentiality, integrity, authentication and
non‐repudiation of data.

Cryptography is applied through technologies such as Virtual Private Networks (VPNs),
digital certificates and Transport Layer Security (TLS). It is likely that most, if not all,
organizations utilize cryptographic tools in some form.

Documented cryptographic key management processes and procedures can assist with
the secure use and management of cryptographic keys and any associated hardware and
software.

Audit guidance includes:


• Review the cryptographic policy
• Confirm encryption technology was selected to meet business objectives
• Review any key management procedures
• Sample digital certificates to validate currency
• Sample the use of encryption on mobile devices
• Interview systems administrators responsible for management of digital certificates
and encryption keys
• Interview the systems administrator to determine the versions of TLS the systems
accept. TLS 1.2 should be the minimum and TLS 1.3 is preferred; SSL and TLS 1.0/1.1
are deprecated (RFC 8996), and any continued use should be raised with the organization
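Two of the checks above, certificate currency and the negotiated TLS version, can be sampled with a short script rather than by interview alone. The following is an added example written for this guide, not code from the original page or from ISO/IEC; the thresholds (a 30‐day renewal warning and a TLS 1.2 floor), the hostname and the sample certificate data are assumptions constructed for illustration.

```python
"""Evidence helpers for A.8.24: certificate currency and negotiated TLS version (added example).

probe_tls_endpoint() collects evidence from a live service; the assess_* functions
turn that evidence into findings and accept plain data, so they can be run offline
against the constructed sample below.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed audit thresholds for this example: warn on certificates expiring within
# 30 days, and treat anything older than TLS 1.2 as deprecated (TLS 1.0/1.1: RFC 8996).
RENEWAL_WARNING_DAYS = 30
ACCEPTABLE_TLS_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def probe_tls_endpoint(host, port=443, timeout=5.0):
    """Connect, validate the chain, and return the negotiated version and peer cert.

    'cert' is the dict returned by ssl.SSLSocket.getpeercert(). Requires network
    access; it is not exercised by the offline sample below.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cert": tls.getpeercert()}


def _cert_time(value):
    """Parse a getpeercert() date such as 'Jan 15 00:00:00 2025 GMT' into aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_certificate(cert, now):
    """Report days of validity remaining and any currency findings for one certificate."""
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    days_left = (not_after - now).days
    findings = []
    if now < not_before:
        findings.append("certificate not yet valid")
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return {"days_left": days_left, "findings": findings}


def assess_tls_version(negotiated):
    """Return a finding if the negotiated protocol is below the accepted floor."""
    if negotiated in ACCEPTABLE_TLS_VERSIONS:
        return []
    return [f"deprecated protocol negotiated: {negotiated}"]


def audit_endpoint_evidence(evidence, now):
    """Combine protocol and certificate findings for one sampled endpoint."""
    protocol = assess_tls_version(evidence["version"])
    return protocol + assess_certificate(evidence["cert"], now)["findings"]


# Constructed sample in the shape probe_tls_endpoint() returns; not a real service.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = {
    "version": "TLSv1.1",
    "cert": {
        "subject": ((("commonName", "intranet.example"),),),
        "notBefore": "Jan 15 00:00:00 2024 GMT",
        "notAfter": "Jan 15 00:00:00 2025 GMT",
    },
}


def run_sample():
    """Findings for the constructed sample: a deprecated protocol and a cert expiring soon."""
    return audit_endpoint_evidence(SAMPLE_EVIDENCE, SAMPLE_NOW)


if __name__ == "__main__":
    # Live use: audit_endpoint_evidence(probe_tls_endpoint("intranet.example"), datetime.now(timezone.utc))
    for finding in run_sample():
        print(finding)
```

Note that the probe reports only the version the client and server agreed on with default settings; to confirm that TLS 1.0/1.1 are actually refused, repeat the probe with a context whose maximum_version is pinned to the older protocol and expect the handshake to fail.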

103
A.8.26 APPLICATION SECURITY REQUIREMENTS

Control
Information security requirements should be identified, specified and approved
when developing or acquiring applications.

Purpose
To ensure all information security requirements are identified and addressed
when developing or acquiring applications.

Relevant merged controls from ISO/IEC 27001:2013


• A.14.1.2 Securing application services on public networks
• A.14.1.3 Protecting application services transactions

2013 Merged Controls:

A.14.1.2 Securing application services on public networks

The organisation must consider security measures to minimise the risk of fraudulent
activity, contract dispute and unauthorised access in case of information involved in
application services passing over public networks.

A.14.1.3 Protecting application services transactions

This control requires that organisations implement additional security measures to
protect information involved in application service transactions and to prevent
incomplete transmission, misrouting, unauthorised message alteration, disclosure,
message duplication or replay.

104
A.8.26 APPLICATION SECURITY REQUIREMENTS

Examine / Sample / Question:
• Check authentication and trust mechanisms
• Sample design and specifications documentation to identify security considerations
• Check what non‐repudiation mechanisms are in place for application transactions e.g. PKI
• Check transaction logging
• Sample risk assessments of new or changed applications

Interview / Observe:
• Interview security management re involvement in app design
• Interview security management re privacy and other regulatory requirements
• Interview application developers and systems architects regarding function and data level security design

Audit guidance includes:


• Check authentication and trust mechanisms
• Sample design and specifications documentation to identify security considerations
• Check what non‐repudiation mechanisms are in place for application transactions e.g.
PKI
• Check transaction logging
• Sample risk assessments of new or changed applications
• Interview security management re involvement in app design
• Interview security management re privacy and other regulatory requirements
• Interview application developers and systems architects regarding function and data
level security design

105
A.8.29 SECURITY TESTING IN DEVELOPMENT AND
ACCEPTANCE

Control
Security testing processes should be defined and implemented in the
development lifecycle.

Purpose
To validate if information security requirements are met when applications or
code are deployed to the production environment.

Relevant merged controls from ISO/IEC 27001:2013


• A.14.2.8 System security testing
• A.14.2.9 System acceptance testing

2013 Merged Controls:

A.14.2.8 System security testing

This control requires that any security‐related functionality should be tested during
development.

A.14.2.9 System acceptance testing

For acceptance testing, the organisation needs to establish programs and related criteria
for new information systems, upgrades and new versions.

106
A.8.29 SECURITY TESTING IN DEVELOPMENT AND
ACCEPTANCE
Examine / Sample / Question:
• Examine testing procedures to ensure testing of security functions is conducted
• Sample test plans and results
• Review how criteria for acceptance of new systems are defined, agreed, documented, and tested
• Review any penetration test reports and action taken on outcomes

Interview / Observe:
• Interview applications testing personnel

The purpose of this control is to validate if the information security requirements are
met within applications or code when they are deployed to the production
environment.

Security testing should be undertaken against the agreed security specifications before
the deployment of the application into the production environment. To validate this
has occurred, the auditor should determine whether these specifications have been
captured.

Audit guidance includes:


• Examine testing procedures to ensure testing of security functions is conducted at key
development stages
• Sample test plans and results
• Review how criteria for acceptance of new systems are defined, agreed, documented,
and tested
• Review any penetration test reports and action taken on outcomes
• Interviews with personnel responsible for applications testing

107
A.8.31 SEPARATION OF DEVELOPMENT, TEST
AND PRODUCTION ENVIRONMENTS
Control
Development, testing and production
environments should be separated and
secured.

Purpose
To protect the production environment and
data from compromise by development and
test activities.

Relevant merged controls from ISO/IEC 27001:2013
• A.12.1.4 Separation of development, testing and operational environments
• A.14.2.6 Secure development environment

2013 Merged Controls:

A.12.1.4 Separation of development, testing and operational environments

The organisation should separate development, test and operational facilities to reduce
the risks of unauthorised access or changes to the operational system.

A.14.2.6 Secure development environment

This control requires organisations to establish and protect secure development
environments for system development and integration through its lifecycle.

108
A.8.31 SEPARATION OF DEVELOPMENT, TEST AND
PRODUCTION ENVIRONMENTS
Examine / Sample / Question:
• Review the access control policy in relation to the various environments
• Sample access to confirm restricted access to each as per the access control policy
• Review rules for migrating between environments
• Check use of sensitive data in the non‐production environments
• Check security control differences between environments and identify that associated risks have been noted and addressed
• Check use of production data in training environments

Interview / Observe:
• Interview application development management on the presence of development, test and production environments
• Interview applications developers regarding separation of roles and responsibilities

The intent of this control is to protect the production environment and data from
compromise by development and test activities.

Appropriate levels of separation should exist between these environments. Obtaining
information from key personnel on the design of this environment will identify sources
of additional evidence and further areas for assessment.

Audit guidance:
• Review the access control policy in relation to the various environments
• Sample access to confirm restricted access to each as per the access control policy
• Review rules for migrating between environments
• Check use of sensitive data in the non‐production environments
• Check security control differences between environments and identify that associated
risks have been noted and addressed
• Check use of production data in training environments
• Interview application development management on the presence of development,
test and production environments
• Interview applications developers regarding separation of roles and responsibilities

109
A.8.32 CHANGE MANAGEMENT

Control
Changes to information processing facilities and information systems should be
subject to change management procedures.

Purpose
To preserve information security when executing changes.

Relevant merged controls from ISO/IEC 27001:2013


• A.12.1.2 Change management
• A.14.2.2 System change control procedures
• A.14.2.3 Technical review of applications after operating platform changes
• A.14.2.4 Restrictions on changes to software packages

2013 Merged Controls:

A.12.1.2 Change management

The organisation must manage and control changes to all its business processes,
information processing facilities and systems that affect information security.

A.14.2.2 System change control procedures

Organisations need to implement formal change control procedures to manage changes
to systems within the development lifecycle.

A.14.2.3 Technical review of applications after operating platform changes

The control specifies that business critical applications must be reviewed and tested
when operating platforms are changed. This safeguards the organisation’s operations
from any adverse impacts.

A.14.2.4 Restrictions on changes to software packages

Changes and modifications should be restricted and controlled to ensure that the
changes made do not have an adverse impact on the internal integrity or security of the
software.

110
A.8.32 CHANGE MANAGEMENT

Examine / Sample / Question:
• Review change management procedure
• Sample some change records
• Check approval processes for changes
• Check any necessary documentation, continuity/recovery and backup processes are also changed
• Sample test plans related to changes
• Check access restrictions to production systems and environments

Interview / Observe:
• Interview change manager on change control process

Changes represent a significant area of risk to the environment unless carefully and
formally controlled. Therefore, evidence should be sought to validate that such a
controlled process exists and is effective.

Evidence that may be sought or audit activities undertaken include:


• Review change management procedure
• Sample some change records
• Check approval processes for changes
• Check any necessary documentation, continuity/recovery and backup processes are
also changed
• Sample test plans related to changes
• Check access restrictions to production systems and environments
• Interview change manager on change control process

111
COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Questions

112
05
AUDITING THE RENAMED
CONTROLS

113
MODULE 5: AUDITING THE RENAMED
CONTROLS

This module provides guidance to ISMS auditors when auditing the controls that have
been renamed in the ISO 27001:2022 version of Annex A.

114
AUDITING THE RENAMED CONTROLS

• 23 controls were renamed for the sake of easier understanding
• However, there is no change in the control intent
• Audit guidance from previous versions of these controls can still be utilized
• Note that 35 controls remain fundamentally unchanged except for the control number change

115
AUDITING THE RENAMED CONTROLS (1 OF 3)

ISO/IEC 27001:2013 Control -> ISO/IEC 27001:2022 Control

A.6.2.2 Teleworking -> A.6.7 Remote working
A.9.2.1 User registration and de‐registration -> A.5.16 Identity management
A.9.2.3 Management of privileged access rights -> A.8.2 Privileged access rights
A.9.4.2 Secure log‐on procedures -> A.8.5 Secure authentication
A.9.4.5 Access control to program source code -> A.8.4 Access to source code
A.7.3.1 Termination or change of employment responsibilities -> A.6.5 Responsibilities after termination or change of employment
A.11.1.1 Physical security perimeter -> A.7.1 Physical security perimeters
A.11.2.6 Security of equipment and assets off‐premises -> A.7.9 Security of assets off‐premises
A.11.2.9 Clear desk and clear screen policy -> A.7.7 Clear desk and clear screen

Auditing guidance for these controls remains the same as per the ISO 27001:2013
version of the standard.

116
AUDITING THE RENAMED CONTROLS (2 OF 3)

ISO/IEC 27001:2013 Control -> ISO/IEC 27001:2022 Control

A.12.2.1 Controls against malware -> A.8.7 Protection against malware
A.12.7.1 Information systems audit controls -> A.8.34 Protection of information systems during audit testing
A.13.1.1 Network controls -> A.8.20 Networks security
A.13.1.3 Segregation in networks -> A.8.22 Segregation of networks
A.14.2.1 Secure development policy -> A.8.25 Secure development life cycle
A.14.2.5 Secure system engineering principles -> A.8.27 Secure system architecture and engineering principles
A.14.3.1 Protection of test data -> A.8.33 Test information
A.15.1.1 Information security policy for supplier relationships -> A.5.19 Information security in supplier relationships

Auditing guidance for these controls remains the same as per the ISO 27001:2013
version of the standard.

117
AUDITING THE RENAMED CONTROLS (3 OF 3)

ISO/IEC 27001:2013 Control -> ISO/IEC 27001:2022 Control

A.15.1.2 Addressing security within supplier agreements -> A.5.20 Addressing information security within supplier agreements
A.15.1.3 Information and communication technology supply chain -> A.5.21 Managing information security in the ICT supply chain
A.16.1.1 Responsibilities and procedures -> A.5.24 Information security incident management planning and preparation
A.16.1.4 Assessment of and decision on information security events -> A.5.25 Assessment and decision on information security events
A.17.2.1 Availability of information processing facilities -> A.8.14 Redundancy of information processing facilities
A.18.1.4 Privacy and protection of personally identifiable information -> A.5.34 Privacy and protection of PII

Auditing guidance for these controls remains the same as per the ISO 27001:2013
version of the standard.

118
COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Questions

119
06
AUDITING AN UPGRADED
ISMS

120
MODULE 6: AUDITING AN UPGRADED ISMS
This module addresses the key focus
areas when auditing an ISMS that has
been upgraded from the ISO
27001:2013 version of the standard to
the ISO 27001:2022 version of the
standard.

121
AUDITING AN UPGRADED ISMS
• Key artifacts that will have been updated:
  • Management review procedure
  • ISMS change management process
  • Risk assessment/treatment documentation (Risk Register)
  • Statement of Applicability
  • Corrective actions register
  • Improvements register
  • Internal Audit program
  • High level Information Security Policy
• Others that may have been updated:
  • Information Security calendar
  • Measures and Metrics register

Auditing an upgraded ISMS requires examination of the processes used by the
organization to address the mandatory clause changes.

Key changes may include:

• How the new clause 6.3 (Planning of changes) has been addressed within
documentation. This may be a change to an existing procedure or may have involved
the development of a new procedure related to the control and planning of changes to
the ISMS.
• Potential changes to the ISMS Management Review process to ensure the capture of
the outcomes of the review. This was always a requirement of clause 9.3, so the
upgrade may not have triggered any change.
• Inclusion of a process for monitoring the security objectives. This may be included
in an updated job description or in the charter of a governance forum. It may also be
included in a scheduled / planned activity.

Artefacts that will be updated will include:

• Risk assessment/treatment documentation (Risk Register)
• Statement of Applicability
• Corrective actions register
• Improvements register
• Internal Audit program

Depending on the ISMS implementation, a security calendar and the measures and
metrics recoding process/artefact may have also been updated.

122
THE RISK REGISTER
• During the transition to the new standard the following should have occurred:
  1. Review of the existing risk assessments and risk treatments to realign control ids
  2. Consideration of the new controls in terms of more effective risk treatment
  3. Review of the risk management procedure to assess if modifications to reference the new version of the standard and new control set are required

• The transition team may have used Annex B of ISO/IEC 27002:2022 to assist with the mapping of 2013 ‐> 2022 control references

• When auditing the risk management approach, consider using the security attributes of the controls to validate whether the risk assessment process produces consistent, valid and comparable outcomes
  • For example, a control selected that indicates a reduction in risk around integrity but has no impact in that domain

Results of the risk assessment and treatment processes will involve reference to existing
and planned controls. This is often done using the control reference from Annex A of
ISO 27001. With the change to the control reference identifiers for the 2022 version of
the standard, an activity will be required to remap the new control references.

From an auditor's view, the auditor must ensure that these references are correct in the
risk assessments/treatments (often captured in a risk register) as this information is
frequently used to build out the Statement of Applicability.

One of the significant benefits of the new version of ISO 27002 is the use of “control
attributes”. These attributes are useful during an audit due to the additional information
provided regarding the nature and use of the control. Auditors may use these attributes
to validate the appropriateness of a control and the relevance to the associated risk.

For instance, a control used to reduce risk related to the integrity of the information may not be suitable if the attributes indicate it manages risks related to confidentiality only.

The auditor can use these attributes to validate that the risk assessment process
produces consistent, valid and comparable outcomes.
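As an added illustration (not part of the Intertek course material), the remapping and attribute check described above can be turned into a small audit helper: each risk register row carrying a 2013 control id is remapped to its 2022 id, the 2022 control's "information security properties" attribute is compared with the property the risk concerns, and any remapped control missing from the applicable set in the SoA is flagged. The mapping and attribute rows, the risk register and the SoA set are constructed sample data and must be verified against Annex B and the attribute tables of ISO/IEC 27002:2022 before use.

```python
# Added audit-helper example; not Intertek or ISO material.
# CONSTRUCTED excerpt: 2013 Annex A id -> (2022 id, properties attribute).
# Verify every row against ISO/IEC 27002:2022 Annex B and the attribute tables.
CONTROL_MAP = {
    "A.12.3.1": ("8.13", {"Integrity", "Availability"}),                     # Information backup
    "A.12.4.1": ("8.15", {"Confidentiality", "Integrity", "Availability"}),  # Logging
    "A.9.4.2":  ("8.5",  {"Confidentiality", "Integrity", "Availability"}),  # Secure authentication
}


def remap_register(register, soa_applicable):
    """Remap 2013 control ids to 2022 ids and return (updated_rows, findings).

    register: list of dicts with keys risk_id, property, control (2013 id).
    soa_applicable: set of 2022 control ids marked applicable in the SoA.
    Findings are auditor observations, not automatic non-conformances.
    """
    updated, findings = [], []
    for row in register:
        mapped = CONTROL_MAP.get(row["control"])
        if mapped is None:
            # No Annex B mapping known: the treatment must be re-assessed by hand.
            findings.append(f"{row['risk_id']}: {row['control']} has no 2022 mapping; re-assess treatment")
            updated.append(dict(row))
            continue
        new_id, props = mapped
        # Keep the legacy id so the historic reference stays traceable.
        updated.append(dict(row, control=new_id, legacy_control=row["control"]))
        if row["property"] not in props:
            # The page's example: control claims to reduce risk in a property it does not address.
            findings.append(f"{row['risk_id']}: {new_id} does not address {row['property']}")
        if new_id not in soa_applicable:
            findings.append(f"{row['risk_id']}: {new_id} referenced in register but not applicable in SoA")
    return updated, findings


# Constructed sample register and SoA (illustrative values only).
RISK_REGISTER = [
    {"risk_id": "R-01", "property": "Availability",    "control": "A.12.3.1"},
    {"risk_id": "R-02", "property": "Confidentiality", "control": "A.12.3.1"},  # backup vs confidentiality
    {"risk_id": "R-03", "property": "Integrity",       "control": "A.12.4.1"},
    {"risk_id": "R-04", "property": "Integrity",       "control": "A.99.9.9"},  # id with no mapping
]
SOA_APPLICABLE = {"8.13", "8.5"}  # 8.15 deliberately absent to show the SoA check

if __name__ == "__main__":
    rows, issues = remap_register(RISK_REGISTER, SOA_APPLICABLE)
    for issue in issues:
        print(issue)
```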

123
THE STATEMENT OF APPLICABILITY (SOA)

• The Statement of Applicability will have been rebuilt to align with the changes to
Annex A of ISO 27001:2022

• Modifications to the risk register should have triggered an update to the SoA in
terms of the relationship between risks and controls

• A review of the exclusion of any of the new controls should be conducted as part
of the audit
• A reminder – exclusion of controls from Annex A must be justified (Clause
6.1.3(d) of ISO 27001)

With the control reference changes, the Statement of Applicability (SoA) will have been
rebuilt.

The risk to control mapping will have been revisited.

The previous requirements regarding the contents of the SoA remain.

124
THE CORRECTIVE ACTIONS REGISTER
• Existing non‐conformances documented in a corrective actions register should have been reviewed
  • Non‐conformances against old control references should have been re‐assessed and captured against the aligned new control reference
• Any non‐conformances raised during the current audit should obviously be raised against the new control set as part of the audit criteria for the current audit
• Proposed corrective action should have been reviewed in the light of the control changes
  • It is possible that the merged controls may change the proposed corrective action

Again, any corrective actions register is likely to reference control identifiers. Previous non‐conformances will have control id references to the previous version of the standard. These should have been changed.

Reference to the historic finding would be useful but not required.

A note regarding corrective action. With the merger of some controls in the new
version, the organization should have revisited the corrective actions to ensure that they
remain relevant and do not need modification.

125
THE IMPROVEMENTS REGISTER

• Existing improvements documented in an improvements register should have been reviewed
  • Improvements tagged against old control references should have been re‐assessed and captured against the aligned new control reference
• Proposed improvements should have been reviewed in the light of the control changes
  • It is possible that the new controls may provide alternative solutions

Similarly, the improvements register is likely to reference control identifiers. Previous improvements may have control id references to the previous version of the standard. These should have been changed.

Reference to the historic finding would be useful but not required.

A note regarding improvements. With the merger of some controls in the new version,
the organization should have revisited the improvements to ensure that they remain
relevant and do not need modification.

126
THE INTERNAL AUDIT PROGRAM

• The internal audit program will have identified the control areas to be reviewed
during each audit within the program

• These individual audits will have included key control areas in their planned
scope which will be referencing the 2013 control ids

• A modified internal audit program is required, referencing the new control ids as
part of the proposed scope of each of the audits within the program

• The audit criteria for each audit must also have been altered to reference the
ISO/IEC 27001:2022 standard

The ISMS internal audit program will have identified the control areas to be reviewed
during each audit within the program. These individual audits will have included key
control areas in their planned scope which will be referencing the 2013 control ids.

A modified internal audit program is required, referencing the new control ids as part of
the proposed scope of each of the audits within the program.

Note that the audit criteria for each audit must also have been altered to reference the
ISO/IEC 27001:2022 standard.

127
THE INFORMATION SECURITY POLICY

• The Information Security policy required by Clause 5.2 of the standard is likely to
have explicitly referenced the standard by year of publication
• This should have been updated, the version number of the document
incremented, and the policy approved

• Other documentation may also be referencing the standard in this manner


• All documentation should have been reviewed to check for this. Evidence of
this review process is valuable

The Information Security policy required by Clause 5.2 of the standard is likely to have
explicitly referenced the standard by year of publication. This should have been
updated, the version number of the document incremented, and the policy approved.
There may also be other documentation referencing the standard in this manner.

Evidence of the review of all ISMS documentation should be sought to validate this.

128
THE INFORMATION SECURITY CALENDAR

• Many organizations run some form of security calendar or task list to ensure that all planned security activities occur in a timely manner
• Such calendars sometimes cross‐reference the activity with a control from the Statement of Applicability (SoA)
  • If so, the calendar will require modification to reflect the change in the SoA

129
MEASURES AND METRICS

• Likely that a number of the controls selected within the ISMS are being measured
• A review of these measurements should have occurred, and adjustments made if
this process directly references the controls by control identifier

• Consider whether the adjusted measures and metrics include any of the 11 new
controls.
• If so, it is unlikely that there will have been time to collect a significant
amount of evidence to support any trending around these controls

It is likely that a number of the controls selected within the ISMS are being measured as
required by clause 9.1 of the standard.

A review of these measurements should have occurred, and adjustments made if this
process directly references the controls by control identifier.

The organization should have considered whether these adjusted measures and metrics
have sought to include measurements of any of the 11 new controls. If so, it is unlikely
that there will have been sufficient time to collect a significant amount of evidence to
support any trending around these controls.

130
Activity 2: Auditing Updated Artefacts

Task:
Individually, select one of the following updated artefacts and assemble an audit guidance tool (checklist, flowchart) to aid in the review of this artefact against the new version of the ISO 27001 standard.
Choose from a Risk Register or a Statement of Applicability

Time:
15 minutes

131
COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Questions
08 Q&A

132
COURSE OUTLINE

01 ISO/IEC 27001 and ISO/IEC 27002
02 Summary of the changes to ISO 27001 and ISO 27002
03 Auditing the new controls
04 Auditing the merged controls
05 Auditing the updated/renamed controls
06 Auditing an upgraded ISMS
07 Course Summary and Q & A

133
10 COURSE SUMMARY AND Q&A

134
SUMMARY

• Clauses 4‐10 of ISO/IEC 27001 remain largely unchanged from an audit perspective
  • Minor clause adjustments but requirements largely unchanged
  • New clause 6.3 regarding planned changes
• Annex A has undergone significant revision
  • All control identifiers have been changed
  • 11 new controls for consideration
  • Renaming some controls provides additional clarity for both the ISMS operators and auditors
• The audit process is the same; just more attention is required on the control additions and mergers

From an audit perspective, clauses 4‐10 of the ISO/IEC 27001 standard remain largely
unchanged in the 2022 version of the standard. There have been some minor
adjustments and the inclusion of a new sub‐clause, clause 6.3, relating to changes to
the ISMS.

135
Q & A Session

136
ISO 27001:2022 AUDITOR TRANSITION
PARTICIPANT GUIDE

Notes

http://academy.intertek.com/
137