Is your organization preparing for ISO 27001 certification? Are you on your way to making the perfect ISO 27001 stage 1 audit checklist? We can help!
Making a checklist is an effective way to keep track of your progress and ensure you don't forget anything crucial during the demanding process. However, before making that checklist, it is wise to take a final look at the new controls of ISO 27001:2022.
The recent Annex A update of ISO 27001 has left many scratching their heads.
Essentially, the update was intended to simplify the implementation of controls while making them more relevant to modern-day cybercrime. Yet, if you have been following ISO 27001:2013, the modifications may have made things more complex for you rather than streamlining them.
Since the stage 1 ISO audit is about assessing documentation, clearing up these doubts is critical!
Hence, in today’s blog, we present a straightforward outline of all the changes to ISO 27001 controls.
This outline will help ensure you’re indeed on the correct path and ready to jump into the ISO 27001 stage 1 audit checklist.
So, dive into the section below!
A Look At The Updated ISO 27001 Controls!
Annex A is the part of ISO 27001 that contains the categorized security controls. Companies are responsible for determining which of these controls apply to their organization and implementing them accordingly.
In ISO 27001, controls are selected through a risk-based approach and documented in the Statement of Applicability.
ISO 27001:2013 contained a total of 114 controls separated into 14 categories. These controls covered a wide range of information security issues.
ISO 27001:2022 restructured the Annex A controls. It merged 24 controls and revised 58 of them. Currently, the standard has 93 controls divided into four categories, 11 of which are new.
Statement of Applicability
A must-include point in your ISO 27001 stage 1 audit checklist is the Statement of Applicability, or SoA. This document outlines the Annex A controls your organization has implemented, and which ones it has excluded.
Your auditors will refer to the SoA to learn which controls you have and have not implemented at your organization.
The Updated ISO 27001:2022 Annex A Controls
The current version of ISO 27001 has 4 categories for its controls instead of 14. These categories are:
• Organizational (37 controls)
• People (8 controls)
• Physical (14 controls)
• Technological (34 controls)
Now, here’s an outline of all the current controls of ISO 27001:2022 that you might want to assess before making the ISO 27001 stage 1 audit checklist.
ISO 27001:2022, Organizational Controls
• Policies for Information Security
• Information Security Roles and Responsibilities
• Segregation of Duties
• Management Responsibilities
• Contact With Authorities
• Contact With Special Interest Groups
• Threat Intelligence
• Information Security in Project Management
• Inventory of Information and Other Associated Assets
• Acceptable Use of Information and Other Associated Assets
• Return of Assets
• Classification of Information
• Labeling of Information
• Information Transfer
• Access Control
• Identity Management
• Authentication Information
• Access Rights
• Information Security in Supplier Relationships
• Addressing Information Security Within Supplier Agreements
• Managing Information Security in the ICT Supply Chain
• Monitoring, Reviewing, and Change Management of Supplier Services
• Information Security for Use of Cloud Services
• Information Security Incident Management Planning and Preparation
• Assessment and Decision on Information Security Events
• Response to Information Security Incidents
• Learning From Information Security Incidents
• Collection of Evidence
• Information Security During Disruption
• ICT Readiness for Business Continuity
• Legal, Statutory, Regulatory and Contractual Requirements
• Intellectual Property Rights
• Protection of Records
• Privacy and Protection of PII
• Independent Review of Information Security
• Compliance With Policies, Rules, and Standards for Information Security
• Documented Operating Procedures
ISO 27001:2022, People Controls
• Screening
• Terms and Conditions of Employment
• Information Security Awareness, Education and Training
• Disciplinary Process
• Responsibilities After Termination or Change of Employment
• Confidentiality or Non-Disclosure Agreements
• Remote Working
• Information Security Event Reporting
ISO 27001:2022, Physical Controls
• Physical Security Perimeters
• Physical Entry
• Securing Offices, Rooms, and Facilities
• Physical Security Monitoring
• Protecting Against Physical and Environmental Threats
• Working In Secure Areas
• Clear Desk and Clear Screen
• Equipment Siting and Protection
• Security of Assets Off-Premises
• Storage Media
• Supporting Utilities
• Cabling Security
• Equipment Maintenance
• Secure Disposal or Reuse of Equipment
ISO 27001:2022, Technological Controls
This is the lengthiest of the four control categories. Therefore, make it a top priority in your ISO 27001 stage 1 audit checklist.
• User Endpoint Devices
• Privileged Access Rights
• Information Access Restriction
• Access to Source Code
• Secure Authentication
• Capacity Management
• Protection Against Malware
• Management of Technical Vulnerabilities
• Configuration Management
• Information Deletion
• Data Masking
• Data Leakage Prevention
• Information Backup
• Redundancy of Information Processing Facilities
• Logging
• Monitoring Activities
• Clock Synchronization
• Use of Privileged Utility Programs
• Installation of Software on Operational Systems
• Networks Security
• Security of Network Services
• Segregation of Networks
• Web Filtering
• Use of Cryptography
• Secure Development Life Cycle
• Application Security Requirements
• Secure System Architecture and Engineering Principles
• Secure Coding
• Security Testing in Development and Acceptance
• Outsourced Development
• Separation of Development, Test, and Production Environments
• Change Management
• Test Information
• Protection of Information Systems During Audit Testing
What Annex A Controls Should You Include?
Now, you are prepared to create an ISO 27001 stage 1 audit checklist and carry out a thorough assessment!
Still, if you have doubts about which controls you should implement, evaluate your company's operations, legal requirements, business goals, and information security risks.
Do any of the above controls apply to those aspects? If yes, then you should consider implementing them.
Remember, if a control does not apply to your organization, you should not feel obliged to implement it. However, during the ISO 27001 stage 1 audit, your auditor will inquire about the controls you did not implement. At that moment, you should be prepared to justify your decision. Hopefully, this blog will help you achieve your audit goal.