I17AMER 27001 2022 Auditor Transition PG V1 Nov 2022
© 2022 Intertek
All rights reserved. No part of this work may be reproduced or copied in any form or by any means (graphic,
electronic or mechanical, including photocopying, recording, taping or information retrieval systems)
without the written permission of Intertek or as otherwise permitted by the operation of the law.
Opinions expressed by or on behalf of Intertek in this publication or during the course of any training
provided by Intertek are provided as general guidance only and do not amount to formal, legal or other
professional advice. Intertek does not warrant the accuracy or completeness of information given or its
fitness for any particular purpose. To the extent permitted by law Intertek accepts no liability for any claims
for loss or damage whether caused by its negligence (or that of any of its agents or employees) or otherwise.
https://www.intertek.com/terms/
ISO 27001:2022 AUDITOR TRANSITION
PARTICIPANT GUIDE
Intertek expanded its global Assurance offering with the acquisition of SAI Global Assurance, which
demonstrated Intertek’s commitment to providing world class assurance services and supporting the
evolving needs of our customers.
The SAI Global division provides nationally and internationally recognised training. SAI Global (RTO: 106919) is
committed to the Australian Quality Framework for training organisations, and can deliver and assess
against national competencies. For further information about SAI Global, please visit our training
website learning.saiassurance.com.au/training‐forms, where you can download the SAI Global Code of
Practice outlining our commitment as an RTO. SAI Global also offers a wide range of Exemplar Global
accredited courses.
Qualifications:
Through Intertek SAI Global, you can gain a nationally recognised qualification such as a Cert IV or
Diploma as part of the Australian Qualifications Framework. SAI Global has a range of qualifications to get
you on track to learning. Visit the website for further information on the qualifications offered:
learning.saiassurance.com.au/diploma‐qualifications
Canada, USA:
The SAI Global division offers a wide range of Exemplar Global and Probitas accredited training courses.
Indonesia:
The SAI Global division offers a wide range of Exemplar Global accredited training courses.
Intertek provides training services that address key business management needs, including:
Quality Management
Occupational Health and Safety
Environmental Management
Information Security
Food Safety
Risk, Compliance and Governance
Six Sigma and Business Improvement
Auditing
Social Compliance
Medical Devices
Address your team or company’s specific skills gaps, challenges and opportunities in the most
appropriate and effective format
We’ll come to you! Convenient training and/or coaching will be delivered at a time and location
convenient for your team
Cost‐effective method for training groups of employees
Receive the highest standards of specific shared learning and understanding within your team
Examples and context can be tailored to your organisation and industry
Build a curriculum to meet your capability needs
Online Learning
Blended Learning
Contact Us
Need help or further training support?
Online: https://learning.saiassurance.com/
INTRODUCTION
Intertek is pleased to welcome you to this course. We hope that this training will meet your expectations.
This one-day training course for transitioning to ISO/IEC 27001:2022 provides an opportunity to learn the
skills necessary to transition your existing knowledge of the planning, conducting and reporting of an audit of
an Information Security Management System that is compliant with ISO/IEC 27001:2022.
To gain the maximum benefit from your training we encourage you to participate fully and openly. Most
importantly do not be afraid to ask questions or to make mistakes, people learn from doing both.
COURSE OVERVIEW
Purpose
This one day course provides an opportunity to learn the necessary skills to transition your existing
knowledge of the planning, conducting and reporting of an audit of an Information Security Management
System that is compliant with ISO/IEC 27001:2022.
Target Audience
This course is designed for Information Security Management System professionals who are familiar with
ISO 27001:2013 and need to know the transition requirements to 27001:2022.
Learning Outcomes
Upon successful completion of this course, participants should be able to
Understand the controls and control purpose changes from ISO/IEC 27001:2013 to
ISO/IEC 27001:2022
Conduct an audit of an ISMS that includes controls selected from ISO/IEC 27002:2022
COURSE RECOGNITION
Non-Accredited Course
Participants will receive a Statement of Attendance upon successful completion of the course.
Participant Support
If you are unclear or concerned with any aspect of the assessments for this course, please talk to your
facilitator.
Ask your facilitator for any further information, assistance or feedback. At your request, your facilitator is
also available to undertake alternative or additional assessments (including reasonable adjustment).
Please ask to speak to your facilitator privately if you need to discuss your individual needs.
Icon Library
Learning activity
Where you see this icon, you are required to complete an in‐class activity
Class discussion
Notes
Where you see this icon, you have space to make your own notes
PRESENTATION HANDOUT
ISO 27001:2022 AUDITOR TRANSITION COURSE (1‐DAY)
INTERTEK AND SAI GLOBAL
Intertek expands its global Assurance
offering with acquisition of SAI Global
Assurance, a leading provider of assurance
services
Who is SAI Global Standards & Assurance?
The SAI Global Assurance division provides
management systems certification, second
party audits and training across a wide variety
of end markets to more than 60,000
customers in c.130 countries and is similar to
our existing Business Assurance line.
What benefits will I gain from this
transaction?
With Intertek and SAI’s complementary
geographical presence and service offerings,
and our global network of experienced and
qualified personnel, our combined company
will be able to better support your needs
locally and globally.
OUR HERITAGE – 30 YEARS OF MARKET LEADERSHIP
• For 30 years, Intertek Business Assurance and its legacy organizations have been
leaders in providing businesses with the tools to identify risks and opportunities,
while taking action to address anything that could have a potential impact on their
products and services.
• Over the years, we’ve expanded our service offerings from traditional ISO
management systems certification to include innovative assurance solutions covering
areas from quality, safety and sustainability throughout every industry.
• In 2020, Intertek Business Assurance earned the title of Certification Body of the Year
from the International Automotive Oversight Bureau (IAOB).
SAFETY AND SECURITY
The Building
• The alarm system
• Procedure for evacuation
• Evacuation route
Training Room
• Trip hazards
• Keep bags, packs etc. up off the floor
• Be aware of placement of tables and chairs
• Report any hazards
Manual Handling
• Do not move flip chart stands yourself, ask the facilitator
• Do not move tables yourself, ask the facilitator
COURSE PURPOSE
To develop the skills needed for a qualified ISMS auditor to perform an effective
internal/external audit against the ISO/IEC 27001:2022 Information Security
Management Systems standard
The ISO/IEC 27001:2013 standard has been updated to reflect changes to the
companion ISO/IEC 27002 standard. There are now 2022 versions of both.
This one-day advanced course develops the skills needed to perform effective
internal/external audits against the new ISO/IEC 27001:2022 Information Security
Management Systems standard.
LEARNING OUTCOMES
• Understand the control and control purpose changes from ISO/IEC 27001:2013 to
ISO/IEC 27001:2022
• Understand the use of characteristics associated with the new controls and control
structure
• Conduct an audit of an ISMS that includes controls selected from ISO/IEC
27002:2022
COURSE OUTLINE
GROUP ACTIVITIES
This course is based on action learning principles.
• Be participative
• Present findings
LET’S GET STARTED
Evacuation, food
Introductions: introducing your trainer/assessor.
Be open minded – “I would rather be proved wrong than right.” [Socrates]
Allow for differences of opinion
Don’t write off new information until it has been put to the test
Provide real-time feedback on content and clarity. You must be responsible for raising things that you don’t understand
Programme Schedule
Day 1
COURSE OUTLINE
01 ISO 27001 AND ISO 27002
MODULE 1:
ISO 27001 & ISO 27002 REFRESHER
THE EVOLUTION OF ISO 27001 & ISO 27002
The ISO 27001 and 27002 standards were derived from the BS 7799 standards first
published in the mid‐1990s. Whilst they were suitable for the threat landscape and
technical environment of their time, changes in the landscape drove amendments to the
standards.
The original version of ISO 27001 was published in 2005 and then refreshed in 2013 with
a corresponding refresh of ISO 27002. These refreshes changed not only the mandatory
clause elements of ISO 27001 but also the reference control set defined in Annex A.
Some controls in the 2005 version were removed from the 2013 version.
In 2022, there has been a refresh of both ISO 27001 and ISO 27002. Changes to the
control sets in 27002 include a reduction in the number of controls from 114 to 93.
ISO/IEC 27001
ISO/IEC 27002
The title of the 2022 version of ISO 27002 has been changed. Previously it was called
“Information technology — Security techniques — Code of practice for information
security controls” but is now titled “Information security, cybersecurity and privacy
protection — Information security controls”.
COURSE OUTLINE
02 SUMMARY OF CHANGES TO ISO 27001 AND ISO 27002
MODULE 2:
CHANGES TO ISO 27001 & ISO 27002
This unit will discuss the changes to these two complementary standards and the impact
on the ISMS audit process.
Given that Annex A of ISO 27001 is derived from ISO 27002, the changes to this latter
standard have driven the requirement to update ISO 27001 ensuring the continued
alignment of the standards.
CHANGES TO ISO 27001
The 2022 edition of ISO 27001 has only minor changes affecting an auditor, EXCEPT of
course the control changes in Annex A, which reflect the ISO 27002:2022 reference control
set.
Changes to the mandatory clauses of the standard include some additional items to
provide clarification around some elements of Clauses 4‐10.
CHANGES TO CLAUSE 4
CHANGES TO CLAUSE 6
• Clause 6.1.3(d) has now incorporated the Technical Corrigendum 2 from the
previous version of the standard. No additional audit requirements.
• Clause 6.2 now requires that the objectives be “monitored”
• New Clause 6.3 “Planning of changes” relates to changes to the management
system
  • A planned process is now required
  • Will likely tie into Clause 8.1 Operational Planning and Control
There is a minor change to Clause 6.1.3(d) regarding the contents of the Statement of
Applicability (SoA). This change reflects the change to the 2013 version introduced by
the Technical Corrigendum 2, which reformats this clause to ensure clarity of the
requirements of the standard relating to the mandatory content of the Statement of
Applicability (SoA). The content of the SoA has not changed so there are no additional
audit requirements in relation to this change.
Note that with the changes to Annex A of ISO 27001, any Statement of Applicability built
to conform to this standard will have the 93 controls as its minimum set (as per Clause
6.1.3(c) and (d)).
In addition, there is now a specific requirement in Clause 6.2 regarding the requirement
to monitor security objectives. This will tie into activities relating to Clause 8.1 and
Clause 9.1. Auditors should continue to seek evidence that the ISMS supports the
defined objectives.
The 2022 version of the standard introduces a new sub‐clause Clause 6.3 “Planning of
changes”. This clause requires a planned approach to changes to the ISMS and can be
seen as part of the overall change management practices of the organization.
CHANGES TO CLAUSE 8
CHANGES TO CLAUSE 9
• Clause 9.2 (Internal Audit) has now been divided into 2 sub‐clauses
  • 9.2.1 General
  • 9.2.2 Internal audit programme
  • No substantive changes to the requirements
  • Change is more structural and for clarification
• Clause 9.3 (Management Review) has now been divided into 3 sub‐clauses
  • 9.3.1 General
  • 9.3.2 Management review inputs - modified list of inputs
  • 9.3.3 Management review results - formally documented outcomes
Clause 9.2 regarding ISMS Internal Audit has been restructured with the original clause
being broken into 2 sub‐clauses. There are no substantive changes to this area of the
standard, with all requirements from the 2013 version still included.
On similar lines, the management review clause has been restructured. Some key
aspects of these changes for audit purposes are the modification in the list of inputs that
must be considered and the emphasis on documenting decisions regarding changes to
the ISMS or improvement opportunities.
Note that the 2013 version did require the results of the management review to be
documented so there is no change to this requirement.
CHANGES TO CLAUSE 10
THE STRUCTURE OF ISO 27002:2022
• Simplified, reducing the number of control domains (now called “themes”) from
14 to 4
  • Organizational - 37 controls
  • People - 8 controls
  • Physical - 14 controls
  • Technological - 34 controls
• Contains up‐to‐date guidance including information for use by auditors
• Will be supported by updates to the ISO 27008 standard providing guidance for
auditing controls
• Other standards will also be updated
The completely restructured and updated third edition of the ISO 27002 standard
was published in February 2022.
There has been a consolidation of control domains (now called “themes”), with the
number reducing from 14 to 4.
In the 2013 version, there were the following control domains with 114 controls:
• 15 Supplier relationships (5 controls)
• 16 Information security incident management (7 controls)
• 17 Information security aspects of business continuity management (4 controls)
• 18 Compliance (8 controls)
These domains have been replaced by the following control area “themes” with 93
explicit controls:
• 5 Organizational - 37 controls
• 6 People - 8 controls
• 7 Physical - 14 controls
• 8 Technological - 34 controls
From an auditor perspective, the update to the standard provides some useful guidance.
This includes the use of the control attributes discussed later.
Other standards in the ISO 27000 family will also require updates to reflect the changes
to ISO 27002. These standards include 27003, 27004, 27008, 27009, 27010, 27011,
27017, 27019 and 27103, to name a few.
THE STRUCTURE OF ISO 27002:2022
• However, there are a number of implied controls that may well be considered
which would increase the number of total controls in use within an ISMS
In this version there are nominally 21 fewer controls than in the 27001:2013 edition,
despite the addition of 11 new controls. Several of the controls in 27001:2013 have been
updated or merged.
No controls have been removed from the 2013 version, but some have been merged or
renamed in the 27001:2022 version of the standard.
The actual control count is far higher (a few hundred) if you consider the controls that
are implied by the details contained in the individual controls. As such, the resultant
control set for the ISMS may well exceed the 93 controls in this standard. For instance,
the control relating to backups may have several smaller, related controls such as a
backup policy, backup schedule and the validation of backups. This could mean that
there are 4‐5 related controls not specifically called out in ISO 27002.
THE STRUCTURE OF ISO 27002:2022
• Each control also has 5 “attributes” which can be used to categorize the controls
  • Control type – Preventive, Detective, Corrective
  • Information security properties – Confidentiality, Integrity, Availability
  • Cybersecurity concepts – Identify, Protect, Detect, Respond, Recover
  • Operational capabilities – e.g. Governance, Asset_management,
  Information_protection, System_and_network_security
  • Security domains – Governance and Ecosystem, Protection, Defence,
  Resilience
• Can be useful in terms of validating control selection
• Organizations may assign their own attributes for their specific needs
One of the most useful changes to the standard from an auditor’s perspective is the
introduction of “attributes” for each control. These attributes can further describe and
categorize the relevant control.
The control type attribute provides a perspective on how and when the control helps to
modify either the consequence or the likelihood of a risk. It focuses on whether the
control prevents a risk from being realized, detects that a risk (or incident) has occurred,
or corrects the effects of the incident. Preventive controls primarily focus on reducing
the likelihood (or probability) of the incident occurring (a realized risk), whilst detective
and corrective controls assist in significantly reducing the consequence (or impact) of
the incident.
This attribute type is therefore very useful to the auditor to substantiate the risk
treatment decisions of the organization.
The cybersecurity attribute type directly aligns with the NIST Cyber Security Framework
(NIST CSF) that is frequently used by organizations to define the activities required within
an operating cybersecurity model. The attribute values in ISO 27002 are equivalent to
the “Functions” elements of the CSF.
This attribute is useful when organizations have an interest or alignment to the NIST CSF.
The Operational Capabilities attribute allows the view of the controls from a security
practitioner’s perspective of information security. The values for this attribute are:
• Governance
• Asset management
• Information protection
• Human resource security
• Physical security
• System and network security
• Application security
• Secure configuration
• Identity and access management
• Threat and vulnerability management
• Continuity
• Supplier relationships security
• Legal and compliance
• Information security event management
• Information security assurance
The final attribute is the security domain. This allows a view of the control environment
from the perspective of four (4) information security domains. These domains are:
• Governance and Ecosystem
• Protection
• Defence
• Resilience
THE STRUCTURE OF ISO 27002:2022
• Each control has a purpose, effectively taking the place of the control objective
from the 2013 version
Each control no longer has an associated “control objective” as contained in the previous
versions of the standard. This objective has been replaced by the purpose statement for
each control.
The purpose of the control explains why the control should be implemented. How the
control may be implemented is contained in the “Guidance” section of each control.
Note that this is guidance only and may not reflect how that control is implemented in
the ISMS under review.
Another useful section in each control description within ISO 27002:2022 is the “Other
information” section. A review of this section by an auditor may provide some useful
background information.
AUDITING ATTRIBUTE USE
• Remember, use of control attributes is not mandatory, so absence of attributes is not a
non‐conformance
• Attributes are in ISO 27002, NOT ISO 27001!
• If attributes are in use:
  • Do they contribute to a better picture in terms of control selection to manage risks?
  • Do they use them for clarity on responsibilities?
  • Are they using their own, and if so, for what purpose?
  • Where are they capturing the attributes? SoA?
It may be that the organization has captured these, or other, attributes in their
Statement of Applicability. This is NOT a requirement of the ISO 27001 standard but
may be useful to both the organization and the auditors.
Note that the use of attributes provides the auditor with additional context about the
control, but a non‐conformance cannot be raised on their use, or lack of. This is the
auditee’s choice on how, or if, these attributes are used.
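The attribute types listed above, and the question of whether attributes "contribute to a better picture in terms of control selection", lend themselves to a simple mechanical check. The following Python is an added example (not from the guide or from ISO/IEC 27002:2022): it validates attribute tags in an SoA extract against the five attribute vocabularies the guide lists, and reports which attribute values no selected control is tagged with. The control ids are new 2022 controls named in the guide, but the tags attached to them are constructed sample data, not the tags printed in the standard; one misspelt value is included so the validation has something to catch.

```python
"""Attribute-based review of a control selection (ISO/IEC 27002:2022 attributes).

Added example, not part of the guide. The five attribute types and their
permitted values are those listed in the guide. The control-to-attribute
tags in SAMPLE_SOA are constructed sample data, NOT the tags printed in
ISO/IEC 27002:2022.
"""
from collections import defaultdict

# The five attribute types and their permitted values, as listed in the guide.
ATTRIBUTE_VALUES = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "security_property": {"Confidentiality", "Integrity", "Availability"},
    "cybersecurity_concept": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "operational_capability": {
        "Governance", "Asset_management", "Information_protection",
        "Human_resource_security", "Physical_security",
        "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity",
        "Supplier_relationships_security", "Legal_and_compliance",
        "Information_security_event_management", "Information_security_assurance",
    },
    "security_domain": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}

# Constructed SoA extract: control id -> attribute tags. Illustrative only.
# A.8.11 carries a misspelt value ("Preventative") to show what validation catches.
SAMPLE_SOA = {
    "A.5.7": {   # Threat intelligence
        "control_type": {"Preventive", "Detective", "Corrective"},
        "security_property": {"Confidentiality", "Integrity", "Availability"},
        "cybersecurity_concept": {"Identify", "Detect", "Respond"},
        "operational_capability": {"Threat_and_vulnerability_management"},
        "security_domain": {"Defence", "Resilience"},
    },
    "A.7.4": {   # Physical security monitoring
        "control_type": {"Preventive", "Detective"},
        "security_property": {"Confidentiality", "Integrity", "Availability"},
        "cybersecurity_concept": {"Protect", "Detect"},
        "operational_capability": {"Physical_security"},
        "security_domain": {"Protection", "Defence"},
    },
    "A.8.9": {   # Configuration management
        "control_type": {"Preventive"},
        "security_property": {"Confidentiality", "Integrity", "Availability"},
        "cybersecurity_concept": {"Protect"},
        "operational_capability": {"Secure_configuration"},
        "security_domain": {"Protection"},
    },
    "A.8.11": {  # Data masking (deliberately mis-tagged)
        "control_type": {"Preventative"},
        "security_property": {"Confidentiality"},
        "cybersecurity_concept": {"Protect"},
        "operational_capability": {"Information_protection"},
        "security_domain": {"Protection"},
    },
}


def validate_tags(soa):
    """Return {control_id: [(attribute, bad_value), ...]} for tags outside the vocabulary."""
    problems = defaultdict(list)
    for control_id, tags in soa.items():
        for attribute, values in tags.items():
            allowed = ATTRIBUTE_VALUES.get(attribute)
            if allowed is None:
                problems[control_id].append((attribute, "<unknown attribute type>"))
                continue
            for value in sorted(values - allowed):
                problems[control_id].append((attribute, value))
    return dict(problems)


def coverage(soa, attribute):
    """Map each permitted value of `attribute` to the sorted ids of controls tagged with it."""
    result = {value: [] for value in sorted(ATTRIBUTE_VALUES[attribute])}
    for control_id in sorted(soa):
        for value in soa[control_id].get(attribute, ()):
            if value in result:
                result[value].append(control_id)
    return result


def uncovered(soa, attribute):
    """Permitted values of `attribute` that no selected control is tagged with."""
    return sorted(value for value, ids in coverage(soa, attribute).items() if not ids)


def properties_without_type(soa, control_type):
    """C/I/A properties for which the selection has no control of `control_type`."""
    covered = set()
    for tags in soa.values():
        if control_type in tags.get("control_type", ()):
            covered |= tags.get("security_property", set())
    return sorted(ATTRIBUTE_VALUES["security_property"] - covered)


if __name__ == "__main__":
    print("Invalid tags:", validate_tags(SAMPLE_SOA))
    for attribute in ATTRIBUTE_VALUES:
        print(f"{attribute}: no control tagged {uncovered(SAMPLE_SOA, attribute)}")
    print("Properties with no Corrective control:", properties_without_type(SAMPLE_SOA, "Corrective"))
```

On this sample the check reports that no selected control is tagged Recover and none is tagged Governance_and_Ecosystem. As the guide stresses, such a gap is context for the auditor's conversation about risk treatment, not a non‐conformance in itself: attribute use is the auditee's choice.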
Activity 1: Auditor Use of Attributes
Task:
As a group, consider the 5 attribute types for controls
and discuss a minimum of 2 ways that consideration
of the attributes can contribute to an effective ISMS
audit.
Consider key activities normally examined within an
ISMS audit and how an organisation may use these
attributes to make their ISMS more effective.
Time:
15 minutes
COURSE OUTLINE
03 AUDITING THE NEW CONTROLS
MODULE 3:
AUDITING THE NEW CONTROLS
This module provides guidance on auditing the 11 new controls added to the new
version of ISO 27002:2022 and therefore, Annex A of ISO/IEC 27001:2022.
THE 11 NEW CONTROLS
Three of the new controls are in the section relating to security within the
organization. These controls address changes in the operating environment of most
organizations.
All new controls focus on addressing areas of risk within an organization which have
been identified as areas of concern.
A.5.7 THREAT INTELLIGENCE
Control
Information relating to information security threats should be collected
and analysed to produce threat intelligence.
Purpose
To provide awareness of the organization’s threat environment so that
the appropriate mitigation actions can be taken.
Notes
• Often depends on the maturity of the organization
• Generally sourced from external feeds
A.5.7 THREAT INTELLIGENCE
Examine / Sample / Question:
• Have they a defined set of roles and responsibilities?
• Sources of intelligence? External or internal?
• Alignment with organization’s risk management
• How is the threat intelligence analyzed and used?
• Is the intelligence mutually shared? With whom?
• Examples of threat intel and its use, e.g. improvements in existing controls
Interview / Observe:
• Interview roles with responsibilities
• Discuss how the intelligence is utilized
• Are the intelligence gathering objectives clearly defined?
• Competence of key roles?
The new control relating to threat intelligence requires access to such information.
Generally, this information is sourced from external, trusted sources, which is then
analyzed by the appropriately qualified and skilled people to determine the
organization’s response.
Note that such intelligence may be related to individuals holding key positions within the
organization.
This activity is often referred to as Cyber Threat Intelligence (CTI) or “cyber intel”.
Auditing this new control first requires identification of any threat intelligence function
within the organization. Once clear accountability for this function is established, the
auditor should seek to understand a number of key elements.
These are:
1. Who has responsibility for:
  a. Defining the intelligence objectives, and how is this done
  b. Collecting the intelligence information
  c. Analyzing the collected information
  d. Determining what action should be taken, if any
  e. Communicating key intelligence to interested parties within the organization
  f. Sharing any gathered intelligence with interested external parties
2. Are individuals competent in their roles?
3. What information feeds are used as sources of intelligence? Trusted or untrusted?
The sources of threat intelligence may include information gathered from law
enforcement, vendors or even from the “dark web”.
Sharing threat intelligence is an extension of the objective of the previous control related
to “contact with special interest groups” (A.5.6) ensuring appropriate information flow
with respect to information security.
A.5.23 INFORMATION SECURITY FOR USE OF CLOUD SERVICES
Control
Processes for acquisition, use, management and exit from cloud services
should be established in accordance with the organization’s information
security requirements.
Purpose
To specify and manage information security for the use of cloud services.
A.5.23 INFORMATION SECURITY FOR USE OF CLOUD SERVICES
Examine / Sample / Question:
• Is there a policy governing the use of cloud services? Approved and communicated?
• Are the security requirements clearly defined?
• Responsibilities of cloud provider and client defined?
• Service agreements addressing confidentiality, integrity and availability
• Sample risk assessments of cloud providers/services
Interview / Observe:
• Interview role with responsibilities in managing cloud provider relationships
• Are there formal review meetings?
• Interview roles responsible for change management and incident management w.r.t. cloud services
• Discuss data sovereignty issues
One of the significant technological changes since the release of the 2013 versions of
the standard is the widespread adoption of cloud services. Many organizations are now
utilizing some form of cloud‐based services.
The recognition that cloud service providers play a vital role in the delivery of critical
services has driven the need for additional guidance relating to the management of risks
in this domain.
This control has been introduced to provide some high‐level guidance. However, there
are a number of additional standards that contain specific support. These include ISO
27017 providing guidance to both cloud service customers and cloud service providers
and ISO 27018 addressing the protection of Personally Identifiable Information (PII)
managed in the cloud. These standards may have been used to support this individual
control within the ISMS under audit.
Auditing this control requires collection of evidence from a number of key sources.
Considerations should include the process for the acquisition of cloud services, how
these services are managed and the processes for entering and exiting such services.
As with all third‐party arrangements, evidence of risk assessments of the cloud services
should be available. Access to the relevant service agreements would also provide
evidence of the security requirements and how those obligations are met.
Auditors should note that the cloud services client may have little influence on the cloud
service provider’s security posture. This increases the need for risk assessments of the
vendor.
A.5.30 ICT READINESS FOR BUSINESS CONTINUITY
Control
ICT readiness should be planned, implemented, maintained and tested
based on business continuity objectives and ICT continuity requirements.
Purpose
To ensure the availability of the organization’s information and other
associated assets during disruption.
Notes
• Closely integrated with business continuity management
• Supported by ISO 27021, ISO 22301
A.5.30 ICT READINESS FOR BUSINESS CONTINUITY
Examine / Sample / Question:
• Has a Business Impact Analysis (BIA) been performed? Critical business activities prioritized?
• Have the results been integrated into the service continuity and recovery plans?
• Review the IT continuity plan. Is it approved?
• Does the continuity plan address continuity, recovery and resumption issues?
• Are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned with the needs and priorities of the business?
• Review results of exercising / testing the plan
Interview / Observe:
• Interview roles with responsibilities in business continuity, IT service continuity and IT recovery
This is another new control in ISO 27001:2022, although it has some correlation to Annex A.17 in
the 2013 version.
One method of assessing the effectiveness of this control is the review of any business
continuity management framework in use.
A key element of such a framework is a Business Impact Analysis (BIA). Such an exercise
identifies the business expectations in terms of continuity and recovery, allowing IT to
define the recovery time and recovery point objectives that will satisfy the business
requirements.
Questions for the auditor include:
• Has a Business Impact Analysis (BIA) been performed? Critical business activities prioritized?
• Have the results been integrated into the service continuity and recovery plans?
• Review the IT continuity plan. Is it approved?
• Does the continuity plan address continuity, recovery and resumption issues?
• Are the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned
with the needs and priorities of the business?
• Review results of exercising / testing the plan
• Interview roles with responsibilities in business continuity, IT service continuity and IT
recovery
A.7.4 PHYSICAL SECURITY MONITORING
Control
Premises should be continuously
monitored for unauthorized physical
access.
Purpose
To detect and deter unauthorized
physical access.
Notes
• May be difficult in leased or
shared premises
A.7.4 PHYSICAL SECURITY MONITORING
This control requires organizations to put adequate processes and suitable surveillance
tools in place to detect and prevent unauthorized access into restricted physical areas.
This will protect the organization and limit the occurrence of incidents such as:
• Data Theft;
• Theft of physical assets like removable media;
• Tampering with physical assets;
• Deliberate infection of physical IT assets with malware; and
• Financial loss.
Audit methods for this control include:
• Sampling alarm records and responses
• Sampling CCTV records
• Observing locations of CCTV cameras
• Observing other physical security controls such as access controls on doors etc.
• Interviewing persons responsible for monitoring/reviewing records including CCTV
A.8.9 CONFIGURATION MANAGEMENT
Control
Configurations, including security configurations, of hardware, software, services and
networks should be established, documented, implemented, monitored and
reviewed.
Purpose
To ensure hardware, software, services and networks function correctly with required
security settings, and configuration is not altered by unauthorized or incorrect
changes.
Notes
• May be addressed by an ITIL or ISO 20000-1 implementation
A.8.9 CONFIGURATION MANAGEMENT
Examine / Sample / Question:
• Use of CMDB?
• Documented configuration standards, including disabling unnecessary services and restricting access to powerful programs
• Review cycle of these standards
• Use of tools to enforce standards
• Use of systems management tools for monitoring
• Sample configuration records
Interview / Observe:
• Interview Service Desk Manager (or Configuration Manager)
This control assesses the organization’s process of ensuring that configurations are
appropriately implemented, managed and documented.
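The examine list for this control asks for documented configuration standards, tools that enforce them and sampled configuration records, and the control's purpose is that configuration "is not altered by unauthorized or incorrect changes". The following Python is an added example, not from the guide: it models a documented configuration standard as a baseline, compares sampled configuration records against it, and classifies each deviation as authorised (covered by a change ticket) or unauthorised. The hosts, setting names, services and ticket ids are all constructed for the example.

```python
"""Configuration baseline drift check (A.8.9 Configuration management).

Added example, not part of the guide. A documented configuration standard is
modelled as a baseline; sampled configuration records are compared against it
and each deviation is classified as authorised (covered by a change ticket) or
unauthorised. Hosts, settings, services and ticket ids are all constructed.
"""
from dataclasses import dataclass

# Documented configuration standard (constructed): required settings and
# services that must be disabled, as the guide's examine list describes.
BASELINE = {
    "required_settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "audit.enabled": "yes",
    },
    "disabled_services": {"telnet", "ftp", "rsh"},
}

# Sampled configuration records (constructed). `approved_exceptions` maps a
# baseline item to the change ticket that authorised the deviation.
SAMPLE_RECORDS = [
    {
        "host": "web-01",
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                     "audit.enabled": "yes"},
        "running_services": {"sshd", "nginx"},
        "approved_exceptions": {},
    },
    {
        "host": "db-02",
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
                     "audit.enabled": "yes"},
        "running_services": {"sshd", "postgres", "ftp"},
        "approved_exceptions": {"sshd.PasswordAuthentication": "CHG-0042"},
    },
    {
        "host": "legacy-03",
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"},
        "running_services": {"sshd", "telnet"},
        "approved_exceptions": {"telnet": "CHG-0007"},
    },
]


@dataclass
class Finding:
    host: str
    item: str        # baseline setting key or service name
    expected: str
    observed: str
    ticket: str      # change ticket authorising the deviation, or "" if none


def check_host(record, baseline):
    """Compare one configuration record with the baseline; return a list of Finding."""
    findings = []
    exceptions = record.get("approved_exceptions", {})
    for key, expected in baseline["required_settings"].items():
        observed = record["settings"].get(key, "<absent>")   # missing key is a deviation too
        if observed != expected:
            findings.append(Finding(record["host"], key, expected, observed,
                                    exceptions.get(key, "")))
    for service in sorted(baseline["disabled_services"] & record["running_services"]):
        findings.append(Finding(record["host"], service, "disabled", "running",
                                exceptions.get(service, "")))
    return findings


def audit_all(records, baseline):
    """Run check_host over every sampled record and flatten the findings."""
    return [f for record in records for f in check_host(record, baseline)]


def unauthorised(findings):
    """Findings with no change ticket: candidate non-conformances for the auditor."""
    return [f for f in findings if not f.ticket]


def summarize(findings, records):
    """Per-host count of unauthorised deviations (hosts with none are reported as 0)."""
    counts = {record["host"]: 0 for record in records}
    for f in unauthorised(findings):
        counts[f.host] += 1
    return counts


if __name__ == "__main__":
    all_findings = audit_all(SAMPLE_RECORDS, BASELINE)
    for f in all_findings:
        status = f"authorised by {f.ticket}" if f.ticket else "UNAUTHORISED"
        print(f"{f.host}: {f.item} expected={f.expected} observed={f.observed} ({status})")
    print(summarize(all_findings, SAMPLE_RECORDS))
```

The distinction between an authorised and an unauthorised deviation is the point: a host that differs from the standard under an approved change record is evidence the process works, whereas a deviation with no record (here the FTP service on db-02 and the absent audit setting on legacy-03) is what the auditor follows up with the configuration manager.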
A.8.10 INFORMATION DELETION
Control
Information stored in information systems, devices or in any other
storage media should be deleted when no longer required.
Purpose
To prevent unnecessary exposure of sensitive information and to
conform with legal, statutory, regulatory and contractual requirements
for information deletion.
Notes
• May be part of a broader organizational records management
approach
A.8.10 INFORMATION DELETION
Examine / Sample / Question:
• Sanitization process for media and its alignment with business and legal requirements defined?
• Third party agreements include deletion requirements?
• Are cloud service provider's deletion methods satisfactory?
• Sample secure disposal / destruction records
• Does the organization use any automatic process for the deletion of data after a specified period?
• Are hard disks removed before equipment removed from the premises?
Interview / Observe:
• Interview service desk / technical personnel responsible for redeployment/removal of media
• Interview personnel responsible for service calls to equipment
This control requires organizations to have a process in place to safely delete stored information when it is no longer required or when deletion is otherwise necessary.
• Review the process used to delete information no longer required.
• Sample records that should have been deleted.
• Sample secure destruction reports.
Interviewing key staff responsible for reuse and redeployment of media may provide
evidence of conformance to the organization’s processes in this area.
Note that the organization should have processes in place for the maintenance of
equipment that should include the secure removal of information from any media.
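The two audit steps "sample records that should have been deleted" and "sample secure destruction reports" can be illustrated with the added Python example below (written for this guide, not the organization's or any vendor's code). It applies a retention schedule to a constructed inventory, lists the records that are overdue for deletion while honouring a legal hold, and builds the destruction record a disposal register would hold. The categories, retention periods, record ids, dates and names are all constructed assumptions.

```python
"""Identify stored records that have passed their retention period and
should have been deleted, and build the destruction record an auditor
would expect to sample (added illustration for control A.8.10).

Retention periods, record ids, dates and people are constructed for
this example; real periods come from the organization's legal and
business requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention schedule: category -> days kept after last business need.
RETENTION_DAYS: Dict[str, int] = {
    "customer-pii": 365,
    "access-logs": 90,
    "financial-records": 7 * 365,
}

AUDIT_DATE = date(2022, 11, 1)  # the "today" used by the sample run (constructed)


@dataclass
class StoredRecord:
    record_id: str
    category: str
    last_required: date           # date after which the business no longer needs it
    legal_hold: bool = False      # a hold overrides the schedule (legal requirement)
    deleted_on: Optional[date] = None


def deletion_due_date(rec: StoredRecord) -> date:
    return rec.last_required + timedelta(days=RETENTION_DAYS[rec.category])


def overdue_for_deletion(records: List[StoredRecord], today: date) -> List[StoredRecord]:
    """Records still present after their due date and not under legal hold."""
    return [
        r for r in records
        if r.deleted_on is None and not r.legal_hold and today > deletion_due_date(r)
    ]


def destruction_record(rec: StoredRecord, performed_on: date,
                       method: str, performed_by: str, approved_by: str) -> dict:
    """The evidence a secure-disposal register should hold for one deletion."""
    rec.deleted_on = performed_on
    return {
        "record_id": rec.record_id,
        "category": rec.category,
        "due": deletion_due_date(rec).isoformat(),
        "deleted_on": performed_on.isoformat(),
        "method": method,              # e.g. cryptographic erase, overwrite, shred
        "performed_by": performed_by,
        "approved_by": approved_by,
    }


# Constructed inventory as an auditor might extract it from a records system.
INVENTORY = [
    StoredRecord("R-1001", "customer-pii", date(2021, 6, 1)),
    StoredRecord("R-1002", "access-logs", date(2022, 9, 15)),
    StoredRecord("R-1003", "customer-pii", date(2021, 1, 10), legal_hold=True),
    StoredRecord("R-1004", "financial-records", date(2014, 1, 1), deleted_on=date(2021, 2, 1)),
]

if __name__ == "__main__":
    for r in overdue_for_deletion(INVENTORY, AUDIT_DATE):
        print(f"{r.record_id} ({r.category}) was due for deletion on {deletion_due_date(r)}")
```

In the sample run only R-1001 is reported: R-1002 is still inside its 90-day period, R-1003 is overdue but under a legal hold (deleting it would breach a legal requirement, which the control's purpose explicitly covers), and R-1004 already has a destruction date. An auditor sampling the register would look for exactly the fields the destruction record carries: what was deleted, when it was due, the method, and who performed and approved it.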
A.8.11 DATA MASKING
Control
Data masking should be used in accordance with the organization's topic‐
specific policy on access control and other related topic‐specific policies,
and business requirements, taking applicable legislation into consideration.
Purpose
To limit the exposure of sensitive data including personally identifiable
information, and to comply with legal, statutory, regulatory and
contractual requirements.
Notes
• May be part of a broader organizational approach to sensitive
information.
This control requires that a process is defined and techniques are in place to limit the exposure of sensitive data so that it is seen only by authorised personnel.
Data masking is the process of obfuscating or modifying data such that it is unintelligible, to protect the sensitivity of the data and prevent unauthorised disclosure of this data.
This helps the organization to maintain compliance with legal, statutory, regulatory and contractual requirements.
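To make the definition concrete, the added Python example below (written for this guide, not code from the guide or from any product) shows three common masking techniques applied according to the caller's role: partial masking of an e-mail address, masking of a card number down to its last four digits, and keyed pseudonymization of an identifier so that records can still be correlated without revealing the original value. The role names, field names, sample record and the demonstration key are constructed assumptions; in practice the key would come from the organization's key management, never from source code.

```python
"""Masking and pseudonymization helpers (added illustration for control
A.8.11). The field names, the role names and the sample record are
constructed; the HMAC key would in practice come from the
organization's key management, never sit in source.
"""
import hashlib
import hmac
import re
from typing import Dict

# Roles whose topic-specific access-control rule permits seeing the raw value
# (constructed example policy).
UNMASKED_ROLES = {"fraud-analyst", "dpo"}


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain: j*******@example.com"""
    local, _, domain = addr.partition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number, shown in groups of four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic token: equal inputs give equal tokens (so joins still work),
    but the original value cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_record(record: Dict[str, str], role: str, key: bytes) -> Dict[str, str]:
    """Apply masking according to the caller's role."""
    if role in UNMASKED_ROLES:
        return dict(record)
    return {
        "customer_id": pseudonymize(record["customer_id"], key),
        "email": mask_email(record["email"]),
        "card": mask_pan(record["card"]),
        "city": record["city"],  # not sensitive under the constructed policy
    }


SAMPLE = {"customer_id": "C-48213", "email": "jane.doe@example.com",
          "card": "4111 1111 1111 1111", "city": "Perth"}
DEMO_KEY = b"example-only-key"  # constructed; use a managed key in practice

if __name__ == "__main__":
    print(mask_record(SAMPLE, "support-agent", DEMO_KEY))
    print(mask_record(SAMPLE, "fraud-analyst", DEMO_KEY))
```

The role check is the link back to the control text: the masking rule is driven by the access-control policy, so the same record is returned unmasked to a role the policy authorises and masked to everyone else. An auditor can test this by asking to see the same record from two differently privileged accounts.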
A.8.12 DATA LEAKAGE PREVENTION
Control
Data leakage prevention measures should
be applied to systems, networks and any
other devices that process, store or
transmit sensitive information.
Purpose
To detect and prevent the unauthorized
disclosure and extraction of information
by individuals or systems.
Notes
• This control relates to control A.5.12 regarding information classification. A.5.12 should be effective as a precursor to this control.
Examine / Sample / Question:
• Has sensitive information been identified and classified?
• Check for any tools used to minimize data leakage – e.g. email attachment controls. DLP solutions?
• Are there any formal processes for data export?
• Who approves data export?
• Check acceptable use rules to cover off data leakage sources
• Check user awareness training material and records
• Examine backup strategies – check for encryption of backups of sensitive data
Interview / Observe:
• Interview security management to determine level of awareness amongst user communities
• Sample user behavior
Data leakage is the unauthorised transfer of data from within an organization to an external source.
This is very common in organizations that deal with many kinds of data of different classifications and have interconnected or complex system infrastructure.
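The checklist above names "email attachment controls" and a formal approval process for data export. The added Python example below (written for this guide, not a DLP product's code) shows the decision logic such a control makes on an outbound message: it reads the classification label embedded in each attachment, looks for card numbers (validated with the Luhn check to cut false positives), and allows, quarantines or blocks depending on whether the recipient is external and whether an export approval reference is present. The internal domain, the label format, the approval-ticket convention and the sample messages are constructed assumptions; a real classification scheme is the one A.5.12 establishes.

```python
"""Outbound e-mail attachment control (added illustration for A.8.12):
inspect attachments for a classification label and for card numbers,
and decide allow / quarantine / block. The domain, label format,
approval-ticket convention and sample messages are constructed.
"""
import re
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"  # constructed
LABEL_RE = re.compile(r"CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL)", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out most numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classification_of(text: str) -> str:
    m = LABEL_RE.search(text)
    return m.group(1).upper() if m else "UNLABELLED"


def outbound_decision(msg: Dict) -> Dict:
    """msg = {"to": [...], "approval_ticket": str|None, "attachments": [{"name", "content"}]}"""
    external = [r for r in msg["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    reasons = []
    for att in msg["attachments"]:
        label = classification_of(att["content"])
        if find_card_numbers(att["content"]):
            reasons.append(f"{att['name']}: contains card number(s)")
        elif label == "CONFIDENTIAL" and external and not msg.get("approval_ticket"):
            reasons.append(f"{att['name']}: confidential, external recipient, no export approval")
        elif label == "UNLABELLED" and external:
            reasons.append(f"{att['name']}: unlabelled content to external recipient")
    if not reasons:
        return {"action": "allow", "reasons": []}
    # Card data is always blocked; everything else goes to a reviewer rather than
    # failing silently, so the export-approval process stays in the loop.
    hard = any("card number" in r for r in reasons)
    return {"action": "block" if hard else "quarantine", "reasons": reasons}


CONFIDENTIAL_DOC = "CLASSIFICATION: CONFIDENTIAL\nQ3 price list"
# Constructed sample messages.
SAMPLE_MESSAGES = {
    "internal_confidential": {"to": ["bob@example.com"], "approval_ticket": None,
                              "attachments": [{"name": "pricing.txt", "content": CONFIDENTIAL_DOC}]},
    "external_card_data": {"to": ["ops@partner.example.net"], "approval_ticket": "EXP-2041",
                           "attachments": [{"name": "orders.csv",
                                            "content": "order,card\n7781,4111 1111 1111 1111\n"}]},
    "external_unapproved": {"to": ["ops@partner.example.net"], "approval_ticket": None,
                            "attachments": [{"name": "pricing.txt", "content": CONFIDENTIAL_DOC}]},
    "external_approved": {"to": ["ops@partner.example.net"], "approval_ticket": "EXP-2041",
                          "attachments": [{"name": "pricing.txt", "content": CONFIDENTIAL_DOC}]},
    "external_public": {"to": ["ops@partner.example.net"], "approval_ticket": None,
                        "attachments": [{"name": "brochure.txt",
                                         "content": "CLASSIFICATION: PUBLIC\nProduct brochure"}]},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, outbound_decision(msg))
```

Two points an auditor can take from the logic: the control is only as good as the labelling that feeds it (an unlabelled attachment is treated as suspect, which is why A.5.12 is a precursor), and a quarantine path with a named approver is the mechanism behind the checklist question "who approves data export?".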
A.8.16 MONITORING ACTIVITIES
Control
Networks, systems and applications
should be monitored for anomalous
behaviour and appropriate actions
taken to evaluate potential
information security incidents.
Purpose
To detect anomalous behaviour and
potential information security
incidents.
Notes
• This control is associated with A.8.15 regarding system logging
Examine / Sample / Question:
• Confirm monitoring tools are in use
• Ensure tools meet defined strategies and requirements
• Is any baseline of activity established to allow for alerts of activity outside parameters?
• Check for automated alerting of events – to whom, what is the response?
• Are false positives identified and action taken to reduce the frequency of these alerts?
• Are personnel appropriately trained in responding to alerts? Records of competency?
Interview / Observe:
• Discuss how monitoring strategies were developed
• Contractual, legal and regulatory aspects considered?
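The questions about a baseline, automated alerting and false-positive reduction describe one monitoring pattern, shown end to end in the added Python example below (written for this guide, not the code of any monitoring product). It counts failed logins per account from constructed log lines, derives a per-account threshold from a history of daily counts, and raises alerts only above that threshold and above a minimum count, with a suppression list for accounts a previous false-positive review has approved. The log format, account names, addresses and history figures are constructed assumptions.

```python
"""Baseline-and-threshold alerting over failed-login events, with false-
positive handling (added illustration for control A.8.16). The log
lines, account names, addresses and history figures are constructed.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")


def _lines(user: str, src: str, n: int) -> List[str]:
    """Constructed log lines for one account (n failures in one morning)."""
    return [f"2022-11-01T08:{i:02d}:00 sshd: Failed password for {user} from {src}" for i in range(n)]


TODAY_LOG = (_lines("alice", "10.0.0.5", 12) + _lines("bob", "10.0.0.9", 4)
             + _lines("vuln-scanner", "10.0.0.2", 8)
             + ["2022-11-01T09:00:00 sshd: Accepted publickey for carol from 10.0.0.7"])

# Per-account daily failure counts over the preceding baseline window (constructed).
HISTORY: Dict[str, List[int]] = {
    "alice": [1, 2, 1, 0, 2],
    "bob": [3, 4, 3, 4, 3],
}


def parse_failures(lines: List[str]) -> Counter:
    """Count failed logins per account; lines that do not match are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def build_baseline(history: Dict[str, List[int]], k: float = 3.0,
                   min_spread: float = 1.0) -> Dict[str, float]:
    """Per-account alert threshold = mean + k * stdev. The spread is floored so a
    very flat history does not produce a zero-width band that alerts on everything."""
    thresholds = {}
    for user, counts in history.items():
        mean = statistics.fmean(counts)
        spread = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        thresholds[user] = mean + k * max(spread, min_spread)
    return thresholds


def detect(counts: Counter, thresholds: Dict[str, float], default_threshold: float = 5.0,
           min_count: int = 5, suppressed: Set[str] = frozenset()) -> Tuple[List[dict], List[dict]]:
    """Return (alerts, suppressed_alerts). min_count keeps single-digit noise out of
    the queue; 'suppressed' names accounts an earlier false-positive review approved,
    which are still recorded so the suppression itself can be audited."""
    alerts, muted = [], []
    for user, n in counts.items():
        limit = thresholds.get(user, default_threshold)  # unknown accounts get the default
        if n < min_count or n <= limit:
            continue
        record = {"user": user, "count": n, "threshold": limit}
        (muted if user in suppressed else alerts).append(record)
    return alerts, muted


if __name__ == "__main__":
    alerts, muted = detect(parse_failures(TODAY_LOG), build_baseline(HISTORY),
                           suppressed={"vuln-scanner"})
    print("alerts:", alerts)
    print("suppressed:", muted)
```

In the sample run alice (12 failures against a baseline of about one or two) is alerted, bob stays under both the minimum count and his threshold, and the approved scanner account exceeds the default threshold but is recorded as suppressed rather than alerted. The suppressed list is the evidence an auditor would ask for when checking that false positives are identified and acted on, and the "to whom" of the alert is whatever consumes the returned alerts.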
A.8.23 WEB FILTERING
Control
Access to external websites should be managed to reduce exposure to malicious content.
Purpose
To protect systems from being compromised by malware and to prevent access to unauthorized web resources.
Notes
• Effectiveness of this control is partially determined by the level of user awareness regarding Internet use.
This control requires an organization to implement measures and processes to filter the web content that personnel can access.
Examine / Sample / Question:
• Use of proxy filters, firewalls or other screening technology designed to restrict web traffic
• Examine mechanisms used to drive whitelisting or blacklisting of sites and frequency of updates
• Check acceptable use rules to ensure users are clear on behavior
• Check user awareness training material and records
• Check exemptions process used to gain access to restricted sites
Interview / Observe:
• Interview security management on Internet content controls
• Check the security policy suite for guidance/rules on web access and controlled
content
• Check user security training or awareness material to confirm that it includes user
obligations to enhance effective web filtering as per the relevant policy requirement.
A.8.28 SECURE CODING
Control
Secure coding principles should be applied to software development.
Purpose
To ensure that software is written securely thereby reducing the number of
potential information security vulnerabilities in the software.
Notes
• This control links to other related software development controls such as
A.8.29 relating to testing
This control requires that organizations employ secure coding practices to prevent
security vulnerabilities or flaws in software or applications.
The organization should ensure that these practices are documented and made available
to developers and testing personnel.
Examine / Sample / Question:
• Secure software development standards or rules
• Ensure these rules apply during planning/design, coding and the review/maintenance cycles
• Ensure these rules apply to both in‐house and external development
• Mechanisms for ensuring standards are aligned with changing threat landscape – inputs for threat intelligence
• Application of these rules for both new development and maintenance activities
• Training provided to software engineers on secure coding principles
• Is source code appropriately protected?
Interview / Observe:
• Interview application developers regarding secure development
• Confirm how these rules or practices for both new development and maintenance
activities are applied.
This control is often overlooked when organizations use rapid development frameworks
such as agile development methods.
COURSE OUTLINE
04 AUDITING THE MERGED CONTROLS
MODULE 4: AUDITING THE MERGED CONTROLS
THE 24 MERGED CONTROLS
A high level overview of the ISO 27001:2013 controls that have been merged into single
controls in the ISO 27001:2022 revision.
A.5.1 POLICIES FOR INFORMATION SECURITY
Control
Information security policy and topic‐specific policies should be defined,
approved by management, published, communicated to and acknowledged by
relevant personnel and relevant interested parties, and reviewed at planned
intervals and if significant changes occur.
Purpose
To ensure continuing suitability, adequacy, effectiveness of management
direction and support for information security in accordance with business
requirements, legal, statutory, regulatory and contractual requirements.
The objective of this control continues to be focused on ensuring the information security
ecosystem is based on, and clearly aligned with, the organization's requirements and any
applicable laws, regulations and contractual obligations. Given this alignment, the policy suite
for any ISMS will be unique to that organization.
A.5.8 INFORMATION SECURITY IN PROJECT MANAGEMENT
Control
Information security should be integrated into project management.
Purpose
To ensure information security risks related to projects and deliverables are
effectively addressed in project management throughout the project lifecycle.
Examine / Sample / Question:
• Review the project management methodology
• Review if security requirements have been specified in business requirements.
• Check minutes of project steering meetings
• Check responsibilities for information security are allocated relevant to the project
• Review project risk assessments for information security risks
Interview / Observe:
• Interview project managers
The merger of the controls into this individual control enforces the need to ensure that
information security is considered within all projects and that the identification and
documentation of any relevant security requirements should be done early in all
projects, irrespective of project type.
A.5.9 INVENTORY OF INFORMATION AND OTHER ASSOCIATED ASSETS
Control
An inventory of information and other associated assets, including owners,
should be developed and maintained.
Purpose
To identify the organization’s information and other associated assets in order to
preserve their information security and assign appropriate ownership.
The organisation should identify assets associated with information and information
processing facilities and maintain an inventory of all these assets.
The objective of these controls is to identify organizational assets and ensure that they
are owned.
Assets not owned by the organization may be used for business processing. For
example, a personal laptop or a cell phone with data storing facility. How is the
risk assessment done for such assets?
A.5.10 ACCEPTABLE USE OF
INFORMATION AND OTHER
ASSOCIATED ASSETS
Control
Rules for the acceptable use and
procedures for handling information and
other associated assets should be
identified, documented and implemented.
Purpose
To ensure information and other associated
assets are appropriately protected, used
and handled.
This control requires developing and implementing suitable procedures for handling
assets, based on the organisation’s information classification method.
A.5.14 INFORMATION TRANSFER
Control
Information transfer rules, procedures, or agreements should be in place for all
types of transfer facilities within the organization and between the organization
and other parties.
Purpose
To maintain the security of information transferred within an organization and
with any external interested party.
This control requires that documented transfer policies, procedures, and controls should
be established to protect the transfer of information using communication facilities.
Examine / Sample / Question:
• Examine any documented information transfer policies and procedures
• Check policies around electronic messaging
• Check responsibilities relating to information transfer including owners, approvers and custodians
• Check labelling system used for sensitive information being transferred
• Check for malware protection within electronic messaging systems
• Examine training material and records relating to awareness and responsibilities
Interview / Observe:
• Interview users involved in such transfers
Are they using mechanisms to control the type of information allowed to be transferred
via forms of electronic communication? It may be that the organization is restricting the
ability to attach/transfer documents based on their sensitivity.
Observation and interview of users would also indicate the level of implementation and
understanding of the information transfer rules.
A.5.15 ACCESS CONTROL
Control
Rules to control physical and logical access to
information and other associated assets should
be established and implemented based on
business and information security
requirements.
Purpose
To ensure authorized access and to prevent
unauthorized access to information and other
associated assets.
The organisation should establish, document, and review access control policy, based
on business and security requirements.
This control requires that users should only be able to access the network and network
services they are authorised to use.
Examine / Sample / Question:
• Check access control policy and its approval process
• Sample user access request for conformance to policy
• Confirm approval of access
• Check if access policy also covers approval of physical access
• Check for appropriate segregation of sensitive access
• Is access based on “need to know” or roles
Interview / Observe:
• Interview Support Desk re access approval
The intent of this control is to ensure authorized access to information and to prevent
unauthorized access to the information and any other associated assets. Auditing of
this control combines documentation review and sampling.
Interviewing the IT Service Desk staff will also provide evidence of workflows
regarding approval and provisioning of access.
A.5.17 AUTHENTICATION INFORMATION
Control
Allocation and management of authentication information should be controlled
by a management process including advising personnel of appropriate handling
of authentication information.
Purpose
To ensure proper entity authentication and prevent failures of authentication
processes.
The organisation must define a formal process to manage and control allocation of
secret authentication information.
This control is to ensure that users follow the organisation’s policies while using
secret authentication information.
Examine / Sample / Question:
• Review the mechanisms used to issue passwords or other authentication information and sample
• Review password standards or guidance issued to all users
• Review user awareness training on the subject
• Review how the operating system is configured on the Domain server / active directory / authentication tools
• Review use of biometric and other authentication mechanisms
Interview / Observe:
• Interview a few users and verify their awareness about good password security practices
• Interview server administrators re domain level password policies
The intent of this control is to ensure proper user and entity authentication and to
prevent failures of the authentication processes. Authentication, or validation of the
identity of the user or entity, is an important concept within information security. That
identity is then used in access control.
Interviewing the IT Service Desk staff will also provide evidence of workflows
regarding validation of users when providing initial authentication information such as
the initial user password.
Enforcement of password rules is often done at the domain or server level. Interviews
with server support personnel may confirm any password strength rules in place.
A.5.18 ACCESS RIGHTS
Control
Access rights to information and other associated assets should be provisioned,
reviewed, modified and removed in accordance with the organization’s topic‐
specific policy on and rules for access control.
Purpose
To ensure access to information and other associated assets is defined and
authorized according to the business requirements.
Users’ access rights should be reviewed by assigned asset owners at regular intervals.
This control requires that organisations should remove information access rights of all
employees and external parties once their employment, contract or agreement is
terminated.
The intent of this control is to ensure access to information and other associated
assets is defined and authorized according to the business requirements.
Auditing of this control combines documentation review and sampling.
A.5.22 MONITORING, REVIEW AND CHANGE MANAGEMENT OF
SUPPLIER SERVICES
Control
The organization should regularly monitor, review, evaluate and manage change
in supplier information security practices and service delivery.
Purpose
To maintain an agreed level of information security and service delivery in line
with supplier agreements.
This control requires that organisations supervise and conduct frequent reviews of their supplier service delivery.
The intent of this control is to maintain an agreed level of information security and
service delivery in line with supplier agreements.
Interviews with the relevant account manager and procurement staff may provide additional evidence on how services are monitored and on the process regarding changes to supplier services. Evidence of monitoring could be sought.
A.5.29 INFORMATION SECURITY DURING DISRUPTION
Control
The organization should plan how to maintain information security at an
appropriate level during disruption.
Purpose
To protect information and other associated assets during disruption.
The requirements for information security and the continuity of information security
management during disruptive situations must be identified and documented.
This control requires periodically reviewing and verifying information security continuity
controls to ensure that they are valid and effective during adverse situations.
The focus should be on the ability of the organization to maintain effective information
security during a disruptive event.
A.5.31 LEGAL, STATUTORY, REGULATORY AND CONTRACTUAL
REQUIREMENTS
Control
Legal, statutory, regulatory and contractual requirements relevant to information
security and the organization’s approach to meet these requirements should be
identified, documented and kept up to date.
Purpose
To ensure compliance with legal, statutory, regulatory and contractual
requirements related to information security.
The organisation should clearly identify, document and update all applicable legislative
statutory, regulatory, contractual requirements and the organisation’s approach to
ensuring compliance for each information system within the organisation.
This control specifies that the use of cryptographic controls must comply with all
relevant agreements, laws, and regulations.
The intent of this control is to ensure that the organization complies with all legal,
statutory, regulatory and contractual requirements related to information security.
A.5.36 CONFORMANCE WITH POLICIES, RULES AND
STANDARDS FOR INFORMATION SECURITY
Control
Compliance with the organization’s information security policy, topic‐specific
policies, rules and standards should be regularly reviewed.
Purpose
To ensure that information security is implemented and operated in accordance
with the organization’s information security policy, topic‐specific policies, rules
and standards.
Managers must regularly assess and review the compliance of information processing
and procedures within their area of responsibility.
Examine / Sample / Question:
• Review policies and procedures
• Examine reports from network scanning and penetration tests
• Sample any other independent assurance reports
• Review security calendars and activities that may trigger independent assessments
• Review internal and external audit procedures and reports
Interview / Observe:
• Interview key managers to understand how this is done
• Interview security manager on assurance and controls testing activities
The intent of this control is to ensure that information security is implemented and operated in accordance with the organization’s information security policy, topic‐specific policies, rules and standards.
A.6.8 INFORMATION SECURITY EVENT REPORTING
Control
The organization should provide a mechanism for personnel to report observed
or suspected information security events through appropriate channels in a
timely manner.
Purpose
To support timely, consistent and effective reporting of information security
events that can be identified by personnel.
If and when employees and contractors using the organisation’s information systems
and services observe or suspect any information security weaknesses in systems or
services, they must note and report these immediately.
A.7.2 PHYSICAL ENTRY
Control
Secure areas should be protected by
appropriate entry controls and access
points.
Purpose
To ensure only authorized physical
access to the organization’s
information and other associated
assets occurs.
Organisations need to enforce suitable entry controls to protect secure areas and to
ensure that only authorised personnel are allowed access.
Organisations need to control and, preferably, isolate access points such as delivery and
loading areas and other points where unauthorised persons could enter the premises.
Control of the physical security plays a significant role in overall information security.
Auditors should be checking that physical access is controlled and that key entry points
into the organization are appropriately protected. This includes areas where
unauthorized personnel may enter such as loading docks and reception areas.
A.7.10 STORAGE MEDIA
Control
Storage media should be managed through its lifecycle
of acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme
and handling requirements.
Purpose
To ensure only authorized disclosure, modification,
removal or destruction of information on storage media.
This control requires developing and implementing relevant procedures for the
management of removable media in accordance with the organisation’s information
classification method.
This control clearly specifies that appropriate authorisation should be taken before moving any equipment, information or software off‐site.
Interviews with personnel responsible for media reuse or destruction will provide
sources of additional information relating to the reuse or disposal of storage media.
Such media will include hard disk drives from workstations and servers and removable
media such as portable storage devices and USB keys.
A.8.1 USER ENDPOINT DEVICES
Control
Information stored on, processed by or accessible via user endpoint devices
should be protected.
Purpose
To protect information against the risks introduced by using user endpoint
devices.
The organisation must adopt and implement a policy and supporting security measures
to handle the risks associated with using mobile devices.
Examine / Sample / Question:
• Review the policy on use of laptops and mobile devices
• Review policy settings related to password protected screen savers
• Check endpoint patching process and sample
• Confirm restrictions on software installation
• Check user awareness training material re mobile device use including physical protection guidance
• Check controls deployed on mobile devices
Interview / Observe:
• Interview a few users of laptops and check if they are aware of the policies.
• Observe workstations left unattended to confirm the activation of screen savers
Poorly secured mobile devices are more vulnerable to compromise and provide an
attacker with a potential access point into any connected systems. Therefore, controls
relating to such devices form an important part of the security ecosystem.
It is important that security updates are applied to mobile devices as soon as they
become available in order to manage the risk from such devices. Examination of the
vulnerability management (or patching) process will provide evidence of this activity.
The patching process should align to the organization's vulnerability management policy
and procedures.
Auditors should ensure that appropriate controls exist to restrict the installation of
unauthorized programs on mobile devices.
A.8.8 MANAGEMENT OF TECHNICAL VULNERABILITIES
Control
Information about technical vulnerabilities of information systems in use should
be obtained, the organization’s exposure to such vulnerabilities should be
evaluated and appropriate measures should be taken.
Purpose
To prevent exploitation of technical vulnerabilities.
This control deals with technical vulnerabilities of information systems and specifies
that the organisation’s exposure to such vulnerabilities must be evaluated and
addressed appropriately.
Examine / Sample / Question:
• Review vulnerability management policy and procedures
• Review sources of vulnerability information
• Sample records of risk/vulnerability assessment decisions
• Sample patching records
• Review use of vulnerability management tools such as Qualys
• Review security calendar for schedule of testing
• Sample penetration testing reports
Interview / Observe:
• Interview systems administrators responsible for patching
A.8.15 LOGGING
Control
Logs that record activities, exceptions, faults and other relevant events should be
produced, stored, protected and analyzed.
Purpose
To record events, generate evidence, ensure the integrity of log information,
prevent against unauthorized access, identify information security events that
can lead to an information security incident and to support investigations.
This control requires maintaining and reviewing event logs related to user activities,
exceptions, faults and information security events.
Organisations must ensure that their logging facilities and event logs are protected against tampering and unauthorised access.
This control requires recording the system administrator and system operator
activities, with focus on protection and regular review of these logs.
Event log monitoring is critical to maintaining the security posture of systems. Such logs
can be used to detect information security events or to investigate security incidents.
Auditors may:
• Review the logging and log retention policies
• Sample logging settings on key devices
• Review log data location, storage, backup and archiving and the access to such
• Check that privileged users do not have update access to logging data – sample some
access lists
• Examine the use of SIEM services
• Interview security management on the analysis of logs
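The requirement that logs be protected against tampering, and the audit step of checking that privileged users cannot update logging data, are illustrated by the added Python example below (written for this guide, not the code of any SIEM or logging product). Each stored entry carries the authentication tag of the previous entry and its own HMAC computed with a key held by the log collector, so an administrator who can write to the log files on the source system can neither alter an entry nor drop one without the verification failing. The events and the demonstration key are constructed assumptions; the key would live with the collector or SIEM, not on the systems being logged.

```python
"""Tamper-evident log storage (added illustration for control A.8.15):
each entry carries the tag of the previous entry and an HMAC computed
with a key held by the log collector, so an administrator of the source
system who can write to the files cannot alter or drop entries without
detection. The events and the key are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous tag" of the first entry


def _canonical(entry: dict) -> bytes:
    """Stable byte encoding so the same entry always authenticates the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[dict], event: dict, key: bytes) -> dict:
    prev = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def build_chain(events: List[dict], key: bytes) -> List[dict]:
    chain: List[dict] = []
    for ev in events:
        append_entry(chain, ev, key)
    return chain


def verify_chain(chain: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).
    A modified entry fails its tag; a removed entry breaks seq and prev of the next."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry.get("seq") != i or entry.get("prev") != prev
                or not hmac.compare_digest(expected, entry.get("tag", ""))):
            return False, i
        prev = entry["tag"]
    return True, None


def modified_copy(chain: List[dict], index: int, new_event: dict) -> List[dict]:
    """Simulate an administrator editing one stored line (tag left untouched)."""
    copy = [dict(e) for e in chain]
    copy[index] = dict(copy[index], event=new_event)
    return copy


# Constructed sample events and demonstration key.
SAMPLE_EVENTS = [
    {"ts": "2022-11-01T08:00:00", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2022-11-01T08:05:00", "user": "admin", "action": "sudo", "result": "ok"},
    {"ts": "2022-11-01T08:06:00", "user": "admin", "action": "rm /var/log/auth.log", "result": "denied"},
]
DEMO_KEY = b"collector-key-example"  # constructed; held by the collector, not the host

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, DEMO_KEY)
    print("intact:", verify_chain(chain, DEMO_KEY))
    print("edited entry 1:", verify_chain(modified_copy(chain, 1, {"user": "admin", "action": "login"}), DEMO_KEY))
    print("entry 1 removed:", verify_chain(chain[:1] + chain[2:], DEMO_KEY))
```

The sample run shows the three outcomes an auditor cares about: an untouched chain verifies, an edited entry is reported at its index, and a deleted entry is detected at the position where the sequence breaks. The design choice behind the control is that the verification key is not available to the privileged users of the logged system, which is what "no update access to logging data" means in practice.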
A.8.19 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS
Control
Procedures and measures should be implemented to securely manage software
installation on operational systems.
Purpose
To ensure integrity of operational systems and prevent exploitation of technical
vulnerabilities.
Examine / Sample / Question:
• Review testing practices for new and changed applications
• Review policies on software installation
• Sample access controls on systems
• Sample any software register identifying vendor software
• Sample the currency of vendor software to ensure it is still maintained
• For supplier‐maintained software, check access is restricted to minimum necessary
• Is application control (or “whitelisting”) in use?
Interview / Observe:
• Interview systems administrators responsible for installations
The intent of this control is to limit the ability to install unauthorized software within the
production environment.
A.8.24 USE OF CRYPTOGRAPHY
Control
Rules for the effective use of cryptography, including
cryptographic key management, should be defined and
implemented.
Purpose
To ensure the proper and effective use of cryptography
to protect the confidentiality, authenticity or integrity
of information according to business and information
security requirements, and taking into consideration
legal, statutory, regulatory and contractual
requirements related to cryptography.
The organisation must develop and implement a policy on the use of cryptographic
controls for protection of information.
This control is about developing and implementing a policy on the use, protection and
lifetime of cryptographic keys throughout their entire lifecycle.
Cryptographic methods include the use of Virtual Private Networks (VPNs), digital
certificates and Transport Layer Security (TLS). It is likely that most, if not all,
organizations utilize cryptographic tools in some form.
Documented cryptographic key management processes and procedures can assist with
the secure use and management of cryptographic keys and any associated hardware and
software.
A.8.26 APPLICATION SECURITY REQUIREMENTS
Control
Information security requirements should be identified, specified and approved
when developing or acquiring applications.
Purpose
To ensure all information security requirements are identified and addressed
when developing or acquiring applications.
The organisation must consider security measures to minimise the risk of fraudulent activity, contract dispute and unauthorised access where information involved in application services passes over public networks.
A.8.29 SECURITY TESTING IN DEVELOPMENT AND
ACCEPTANCE
Control
Security testing processes should be defined and implemented in the
development lifecycle.
Purpose
To validate if information security requirements are met when applications or
code are deployed to the production environment.
This control requires that any security‐related functionality should be tested during
development.
For acceptance testing, the organisation needs to establish programs and related criteria
for new information systems, upgrades and new versions.
Examine / Sample / Question:
• Examine testing procedures to ensure testing of security functions is conducted
• Sample test plans and results
• Review how criteria for acceptance of new systems are defined, agreed, documented, and tested
• Review any penetration test reports and action taken on outcomes
Interview / Observe:
• Interview applications testing personnel
The purpose of this control is to validate that the information security requirements are
met within applications or code when they are deployed to the production environment.
Security testing should be undertaken against the agreed security specifications before
the application is deployed into the production environment. To validate that this has
occurred, the auditor should determine whether these specifications have been captured
and whether the test plans and results trace back to them.
A.8.31 SEPARATION OF DEVELOPMENT, TEST AND PRODUCTION ENVIRONMENTS
Control
Development, testing and production
environments should be separated and
secured.
Purpose
To protect the production environment and
data from compromise by development and
test activities.
The organisation should separate development, test and operational facilities to reduce
the risks of unauthorised access or changes to the operational system.
A.8.31 SEPARATION OF DEVELOPMENT, TEST AND PRODUCTION ENVIRONMENTS
Examine / Sample / Question:
• Review the access control policy in relation to the various environments
• Sample access to confirm restricted access to each environment as per the access control policy
• Review rules for migrating between environments
• Check use of sensitive data in the non-production environments
• Check security control differences between environments and confirm that associated risks have been noted and addressed
• Check use of production data in training environments
Interview / Observe:
• Interview application development management on the presence of development, test and production environments
• Interview application developers regarding separation of roles and responsibilities
The intent of this control is to protect the production environment and data from
compromise by development and test activities.
A.8.32 CHANGE MANAGEMENT
Control
Changes to information processing facilities and information systems should be
subject to change management procedures.
Purpose
To preserve information security when executing changes.
The organisation must manage and control changes to all its business processes,
information processing facilities and systems that affect information security.
The control specifies that business critical applications must be reviewed and tested
when operating platforms are changed. This safeguards the organisation’s operations
from any adverse impacts.
The 2013 control A.14.2.4, Restrictions on changes to software packages, is merged into this
control: changes and modifications to software packages should be restricted and controlled to
ensure that the changes made do not have an adverse impact on the internal integrity or security
of the software.
A.8.32 CHANGE MANAGEMENT
Changes represent a significant area of risk to the environment unless carefully and
formally controlled. Therefore, evidence should be sought to validate that such a
controlled process exists and is effective.
MODULE 5: AUDITING THE RENAMED CONTROLS
AUDITING THE RENAMED CONTROLS
Auditing guidance for these controls remains the same as in the ISO 27001:2013 version of
the standard.
MODULE 6: AUDITING AN UPGRADED ISMS
This module addresses the key focus
areas when auditing an ISMS that has
been upgraded from the ISO
27001:2013 version of the standard to
the ISO 27001:2022 version of the
standard.
AUDITING AN UPGRADED ISMS
• Key artefacts that will have been updated:
• Management review procedure
• ISMS change management process
• Risk assessment/treatment documentation (risk register)
• Statement of Applicability
• Corrective actions register
• Improvements register
• Internal audit program
• High-level Information Security Policy
Depending on the ISMS implementation, a security calendar and the measures and metrics
recording process/artefact may also have been updated.
THE RISK REGISTER
• During the transition to the new standard the following should have occurred:
1. Review of the existing risk assessments and risk treatments to realign control IDs
2. Consideration of the new controls in terms of more effective risk treatment
3. Review of the risk management procedure to assess whether modifications are required to
reference the new version of the standard and the new control set
• The transition team may have used Annex B of ISO/IEC 27002:2022 to assist with mapping
2013 control references to their 2022 equivalents
• When auditing the risk management approach, consider using the security attributes of the
controls to validate whether the risk assessment process produces consistent, valid and
comparable outcomes, for example by looking for a control selected to reduce an integrity
risk whose attributes show no effect in that domain
Results of the risk assessment and treatment processes will reference existing and planned
controls, usually by their control reference from Annex A of ISO 27001. Because the control
reference identifiers changed in the 2022 version of the standard, these references must be
remapped to the new identifiers.
From an auditor's view, these references must be correct in the risk assessments/treatments
(often captured in a risk register), as this information is frequently used to build out the
Statement of Applicability.
One of the significant benefits of the new version of ISO 27002 is the use of "control
attributes". These attributes are useful during an audit because of the additional information
they provide about the nature and use of each control. Auditors may use them to validate the
appropriateness of a control and its relevance to the associated risk. For instance, a control
used to reduce a risk to the integrity of information may not be suitable if its attributes
indicate that it manages risks to confidentiality only. The auditor can use these attributes to
validate that the risk assessment process produces consistent, valid and comparable outcomes.
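As an added worked example, not part of this guide or of any ISO publication, the following Python script applies the two checks described above to a constructed risk register: it flags control references still in the 2013 three-part format (to be remapped via Annex B of ISO/IEC 27002:2022), references that do not resolve to a 2022 control, and controls whose "Information security properties" attribute does not cover the property the risk threatens. The attribute table is a constructed excerpt and must be verified against ISO/IEC 27002:2022 before use; the risk entries and the CONTROL_PROPERTIES, Risk, check_risk and check_register names are invented for the example.

```python
"""Consistency checks on a risk register transitioned to ISO/IEC 27001:2022.

Added example for this guide, not Intertek's or ISO's own tooling. All data
below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the "Information security properties" attribute.
# The authoritative values are in ISO/IEC 27002:2022; verify each entry
# against the standard before using this table in a real audit.
CONTROL_PROPERTIES = {
    "8.11": {"Confidentiality"},                               # Data masking
    "8.12": {"Confidentiality"},                               # Data leakage prevention
    "8.13": {"Integrity", "Availability"},                     # Information backup
    "8.14": {"Availability"},                                  # Redundancy of facilities
    "8.24": {"Confidentiality", "Integrity", "Availability"},  # Use of cryptography
    "8.32": {"Confidentiality", "Integrity", "Availability"},  # Change management
}

# 2013 Annex A identifiers have three numeric parts (e.g. A.14.2.4);
# 2022 identifiers have two, the first being 5..8 (e.g. A.8.32).
OLD_REF = re.compile(r"^\d{1,2}\.\d{1,2}\.\d{1,2}$")
NEW_REF = re.compile(r"^[5-8]\.\d{1,2}$")


def normalise(ref: str) -> str:
    """Drop the optional 'A.' prefix so 'A.8.32' and '8.32' compare equal."""
    ref = ref.strip()
    return ref[2:] if ref.startswith("A.") else ref


@dataclass
class Risk:
    risk_id: str
    description: str
    properties_at_risk: set   # subset of {"Confidentiality", "Integrity", "Availability"}
    controls: list            # control references exactly as written in the register


def check_risk(risk, control_properties=CONTROL_PROPERTIES):
    """Return (risk_id, control_ref, message) findings for one register entry."""
    findings = []
    covered = set()
    for raw in risk.controls:
        ref = normalise(raw)
        if OLD_REF.match(ref):
            findings.append((risk.risk_id, raw,
                             "2013-style control reference; remap via ISO/IEC 27002:2022 Annex B"))
            continue
        if not NEW_REF.match(ref) or ref not in control_properties:
            findings.append((risk.risk_id, raw,
                             "control reference not found in the 2022 attribute table"))
            continue
        addressed = control_properties[ref] & risk.properties_at_risk
        if not addressed:
            findings.append((risk.risk_id, raw,
                             "control attributes (%s) do not cover the property at risk (%s)"
                             % (", ".join(sorted(control_properties[ref])),
                                ", ".join(sorted(risk.properties_at_risk)))))
        covered |= addressed
    # A risk whose listed controls leave a property untreated is a treatment gap
    # even when every individual reference is valid.
    uncovered = risk.properties_at_risk - covered
    if uncovered:
        findings.append((risk.risk_id, "-",
                         "no selected control addresses: " + ", ".join(sorted(uncovered))))
    return findings


def check_register(register, control_properties=CONTROL_PROPERTIES):
    """Run check_risk over every entry and concatenate the findings."""
    findings = []
    for risk in register:
        findings.extend(check_risk(risk, control_properties))
    return findings


# Constructed register: one clean entry and three with transition defects.
SAMPLE_REGISTER = [
    Risk("R-01", "Customer PII copied to unmanaged devices", {"Confidentiality"}, ["A.8.12", "8.11"]),
    Risk("R-02", "Unauthorised modification of financial records", {"Integrity"}, ["8.11"]),
    Risk("R-03", "Loss of the primary data centre", {"Availability"}, ["A.17.1.2"]),
    Risk("R-04", "Untested change breaks the payment service", {"Integrity", "Availability"}, ["8.32", "A.8.99"]),
]

if __name__ == "__main__":
    for risk_id, ref, message in check_register(SAMPLE_REGISTER):
        print(f"{risk_id} {ref}: {message}")
```

Run against the constructed register, R-01 produces no findings, R-02 is flagged because data masking addresses confidentiality only and leaves the integrity risk untreated, R-03 still carries a 2013 identifier, and R-04 cites a control number that does not exist in the 2022 set. The same checks apply to the Statement of Applicability once it has been rebuilt from the register.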
THE STATEMENT OF APPLICABILITY (SOA)
• The Statement of Applicability will have been rebuilt to align with the changes to
Annex A of ISO 27001:2022
• Modifications to the risk register should have triggered an update to the SoA in
terms of the relationship between risks and controls
• A review of the exclusion of any of the new controls should be conducted as part
of the audit
• A reminder – exclusion of controls from Annex A must be justified (Clause
6.1.3(d) of ISO 27001)
With the control reference changes, the Statement of Applicability (SoA) will have been
rebuilt.
THE CORRECTIVE ACTIONS REGISTER
• Existing non‐conformances documented in a corrective actions register should
have been reviewed
• Non‐conformances against old control references
• Should have been re‐assessed and captured against the aligned new control
reference
• Proposed corrective action should have been reviewed in the light of the control
changes
• Possible that the merged controls may change proposed corrective action
Again, any corrective actions register is likely to reference control identifiers. Previous
non-conformances will carry control ID references to the previous version of the standard.
These should have been changed.
A note regarding corrective action. With the merger of some controls in the new
version, the organization should have revisited the corrective actions to ensure that they
remain relevant and do not need modification.
THE IMPROVEMENTS REGISTER
A note regarding improvements. With the merger of some controls in the new version,
the organization should have revisited the improvements to ensure that they remain
relevant and do not need modification.
THE INTERNAL AUDIT PROGRAM
• The internal audit program will have identified the control areas to be reviewed
during each audit within the program
• These individual audits will have included key control areas in their planned
scope which will be referencing the 2013 control ids
• A modified internal audit program is required, referencing the new control ids as
part of the proposed scope of each of the audits within the program
• The audit criteria for each audit must also have been altered to reference the
ISO/IEC 27001:2022 standard
The ISMS internal audit program will have identified the control areas to be reviewed
during each audit within the program. These individual audits will have included key
control areas in their planned scope which will be referencing the 2013 control ids.
A modified internal audit program is required, referencing the new control ids as part of
the proposed scope of each of the audits within the program.
Note that the audit criteria for each audit must also have been altered to reference the
ISO/IEC 27001:2022 standard.
THE INFORMATION SECURITY POLICY
• The Information Security policy required by Clause 5.2 of the standard is likely to
have explicitly referenced the standard by year of publication
• This should have been updated, the version number of the document
incremented, and the policy approved
The Information Security policy required by Clause 5.2 of the standard is likely to have
explicitly referenced the standard by year of publication. This should have been
updated, the version number of the document incremented, and the policy approved.
There may also be other documentation referencing the standard in this manner.
Evidence of the review of all ISMS documentation should be sought to validate this.
THE INFORMATION SECURITY CALENDAR
MEASURES AND METRICS
• Likely that a number of the controls selected within the ISMS are being measured
• A review of these measurements should have occurred, and adjustments made if
this process directly references the controls by control identifier
• Consider whether the adjusted measures and metrics include any of the 11 new
controls.
• If so, it is unlikely that there will have been time to collect a significant
amount of evidence to support any trending around these controls
It is likely that a number of the controls selected within the ISMS are being measured as
required by clause 9.1 of the standard.
A review of these measurements should have occurred, and adjustments made if this
process directly references the controls by control identifier.
The organization should have considered whether these adjusted measures and metrics
have sought to include measurements of any of the 11 new controls. If so, it is unlikely
that there will have been sufficient time to collect a significant amount of evidence to
support any trending around these controls.
Activity 2: Auditing Updated Artefacts
Task:
Individually, select one of the following updated artefacts
and assemble an audit guidance tool (checklist, flowchart) to
aid in the review of this artefact against the new version of
the ISO 27001 standard.
Choose from a Risk Register or a Statement of Applicability
Time:
15 minutes
10 COURSE SUMMARY AND Q&A
SUMMARY
From an audit perspective, clauses 4‐10 of the ISO/IEC 27001 standard remain largely
unchanged in the 2022 version of the standard. There have been some minor
adjustments and the inclusion of a new sub‐clause, clause 6.3, relating to changes to
the ISMS.
Q & A Session