Home
General
ISO 27000 2022 Documented Information Audit
ISO 27000 2022 Documented Information Audit
Steven Hall

ISO 27000 2022 Documented Information Audit

Transition of the requirements of the ISO27001 / ISO27002 2013 standard to the requirements of the ISO27001 / ISO27002 2022 standard including Annex A across relevant documentation

Use this Template
Print as PDF
graphic of a hand making an okay sign ×

Free ISO 27000 2022 Documented Information Audit Checklist

Use this Template

ISO 27000 2022 Documented Information Audit

  • Department

  • Conducted on

  • Prepared by

  • Location

  • Auditor(s)

  • Auditees

Audit Plan

  • Establish the Audit Plan Include timings, interested parties, and context

  • Determine the Scope of the Audit

Objectives

  • Determine the objectives of the audit

Process /Function

  • Determine what part of the Standard is being audited.

Method and records required

  • undefined

Executive Summary

  • Summarise the findings of the audit

Audit findings Report

  • Review of historical internal and 3rd party reports

  • 4 - Understanding the Context of the Organisation <br>4.1 Understanding the organization and its context<br>The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

NOTE: Determining these issues refers to establishing the external and internal context of the organization considered in Clause 5.4.1 of ISO 31000:2018

  • 4.2 Understanding the needs and expectations of interested parties<br>The organization shall determine:<br>a) interested parties that are relevant to the information security management system

  • 4.2 Understanding the needs and expectations of interested parties<br>The organization shall determine:<br>b) the relevant requirements of these interested parties

  • 4.2 Understanding the needs and expectations of interested parties<br>The organization shall determine:<br>c) which of these requirements will be addressed through the ISMS

NOTE The requirements of interested parties can include legal and regulatory requirements and contractual obligations

  • 4.3 Determining the scope of the information security management system<br>The organization shall determine the boundaries and applicability of the ISMS to establish its scope.<br>When determining this scope, the organization shall consider:<br>a) the external and internal issues referred to in 4.1

  • 4.3 Determining the scope of the information security management system<br>The organization shall determine the boundaries and applicability of the ISMS to establish its scope.<br>When determining this scope, the organization shall consider:<br>b) the requirements referred to in 4.2

  • 4.3 Determining the scope of the information security management system<br>The organization shall determine the boundaries and applicability of the ISMS to establish its scope.<br>When determining this scope, the organization shall consider:<br>c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations

  • The scope shall be available as documented information

  • 4.4 Information security management system<br>The organization shall establish, implement, maintain and continually improve an ISMS, including the processes needed and their interactions, in accordance with the requirements of this document.

  • 5 - Leadership<br>5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organisation

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>b) ensuring the integration of the ISMS requirements into the organization’s processes

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>c) ensuring that the resources needed for the information security management system are available

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>d) communicating the importance of effective information security management and of conforming to the ISMS requirements

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>e) ensuring that the ISMS achieves its intended outcome(s)

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>f) directing and supporting persons to contribute to the effectiveness of the ISMS

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>g) promoting continual improvement

  • 5.1 Leadership and commitment<br>Top management shall demonstrate leadership and commitment with respect to the ISMS by:<br>h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence

  • 5.2 Policy<br>Top management shall establish an information security policy that:<br>a) is appropriate to the purpose of the organisation

  • 5.2 Policy<br>Top management shall establish an information security policy that:<br>b) includes information security objectives (6.2) or provides the framework for setting information security objectives

  • 5.2 Policy<br>Top management shall establish an information security policy that:<br>c) includes a commitment to satisfy applicable requirements related to information security

  • 5.2 Policy<br>Top management shall establish an information security policy that:<br>d) includes a commitment to continual improvement of the ISMS

  • 5.2 Policy<br>The information security policy shall:<br>e) be available as documented information

  • 5.2 Policy<br>The information security policy shall:<br>f) be communicated within the organization

  • 5.2 Policy<br>The information security policy shall:<br>g) be available to interested parties, as appropriate

  • 5.3 Organizational roles, responsibilities and authorities<br>Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.<br>Top management shall assign the responsibility and authority for:<br>a) ensuring that the ISMS conforms to the requirements of this document

  • 5.3 Organizational roles, responsibilities and authorities<br>Top management shall assign the responsibility and authority for:<br>b) reporting on the performance of the ISMS to top management

NOTE Top management can also assign responsibilities and authorities for reporting performance of the ISMS within the organization

  • 6 Planning<br>6.1 Actions to address risks and opportunities<br>6.1.1 General<br>When planning for the ISMS, the organization shall consider<br>the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:<br>a) ensure the ISMS can achieve its intended outcome(s)

  • 6.1.1 General<br>When planning for the ISMS, the organization shall consider<br>the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:<br>b) prevent, or reduce, undesired effects

  • 6.1.1 General<br>When planning for the ISMS, the organization shall consider<br>the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:<br>c) achieve continual improvement

  • 6.1.1 General<br>The organization shall plan:<br>d) actions to address these risks and opportunities

  • 6.1.1 General<br>The organization shall plan:<br>e) how to<br>1) integrate and implement the actions into its ISMS processes

  • 6.1.1 General<br>The organization shall plan:<br>e) how to<br>2) evaluate the effectiveness of these actions

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>a) establishes and maintains information security risk criteria that include:<br>1) the risk acceptance criteria

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>a) establishes and maintains information security risk criteria that include:<br>2) criteria for performing information security risk assessments

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>b) ensures that repeated information security risk assessments produce consistent, valid and comparable results

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>c) identifies the information security risks:<br>1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>c) identifies the information security risks:<br>2) identify the risk owners

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>d) analyses the information security risks:<br>1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>d) analyses the information security risks:<br>2) assess the realistic likelihood of risk occurrence identified in 6.1.2 c) 1)

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>e) evaluates the information security risks:<br>1) compare the results of risk analysis with the risk criteria established in 6.1.2 a)

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>e) evaluates the information security risks:<br>2) prioritize the analysed risks for risk treatment

  • 6.1.2 Information security risk assessment<br>The organization shall define and apply an information security risk assessment process that:<br>d) analyses the information security risks:<br>3) determine the levels of risk

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>a) select appropriate information security risk treatment options, taking account of the risk assessment results

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen

NOTE 1 Organizations can design controls as required, or identify them from any source

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted

NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked

NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>d) produce a Statement of Applicability that contains:<br>— the necessary controls (see 6.1.3 b) and c))

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>d) produce a Statement of Applicability that contains:<br>— justification for their inclusion

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>d) produce a Statement of Applicability that contains:<br>— whether the necessary controls are implemented or not

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>d) produce a Statement of Applicability that contains:<br>— the justification for excluding any of the Annex A controls

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>e) formulate an information security risk treatment plan

  • 6.1.3 Information security risk treatment<br>The organization shall define and apply an information security risk treatment process to:<br>f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks

  • 6.1.3 Information security risk treatment<br>The organization shall retain documented information about the information security risk treatment process

NOTE 4 The information security risk assessment and treatment process in this document aligns with the principles and generic guidelines provided in ISO 31000

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>a) be consistent with the information security policy

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>b) be measurable (if practicable)

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>c) take into account applicable information security requirements, and results from risk assessment and risk treatment

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>d) be monitored

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>e) be communicated

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>f) be updated as appropriate

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall:<br>g) be available as documented information

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:<br>h) what will be done

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:<br>i) what resources will be required

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:<br>j) who will be responsible

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:<br>k) when it will be completed

  • 6.2 Information security objectives and planning to achieve them<br>The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organization shall determine:<br>l) how the results will be evaluated

  • 6.3 Planning of changes<br>When the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner

  • 7 Support<br>7.1 Resources<br>The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS

  • 7.2 Competence<br>The organization shall:<br>a) determine the necessary competence of person(s) doing work under its control that affects its information security performance

  • 7.2 Competence<br>The organization shall:<br>b) ensure that these persons are competent on the basis of appropriate education, training, or experience

  • 7.2 Competence<br>The organization shall:<br>c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken

  • 7.2 Competence<br>The organization shall:<br>d) retain appropriate documented information as evidence of competence

NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons

  • 7.3 Awareness<br>Persons doing work under the organization’s control shall be aware of:<br>a) the information security policy

  • 7.3 Awareness<br>Persons doing work under the organization’s control shall be aware of:<br>b) their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance

  • 7.3 Awareness<br>Persons doing work under the organization’s control shall be aware of:<br>c) the implications of not conforming with the ISMS requirements

  • 7.4 Communication<br>The organization shall determine the need for internal and external communications relevant to the ISMS including:<br>a) on what to communicate

  • 7.4 Communication<br>The organization shall determine the need for internal and external communications relevant to the ISMS including:<br>b) when to communicate

  • 7.4 Communication<br>The organization shall determine the need for internal and external communications relevant to the ISMS including:<br>c) with whom to communicate

  • 7.4 Communication<br>The organization shall determine the need for internal and external communications relevant to the ISMS including:<br>d) how to communicate

  • 7.5 Documented information<br>7.5.1 General<br>The organization’s ISMS shall include:<br>a) documented information required by this document

  • 7.5 Documented information<br>7.5.1 General<br>The organization’s ISMS shall include:<br>b) documented information determined by the organization as being necessary for the effectiveness of the ISMS

NOTE The extent of documented information for an ISMS can differ from one organization to another due to: 1) the size of organization and its type of activities, processes, products and services 2) the complexity of processes and their interactions 3) the competence of persons

  • 7.5.2 Creating and updating<br>When creating and updating documented information the organization shall ensure appropriate:<br>a) identification and description (e.g. a title, date, author, or reference number)

  • 7.5.2 Creating and updating<br>When creating and updating documented information the organization shall ensure appropriate:<br>b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic)

  • 7.5.2 Creating and updating<br>When creating and updating documented information the organization shall ensure appropriate:<br>c) review and approval for suitability and adequacy

  • 7.5.3 Control of documented information<br>Documented information required by the ISMS and by this document shall be controlled to ensure:<br>a) it is available and suitable for use, where and when it is needed

  • 7.5.3 Control of documented information<br>Documented information required by the ISMS and by this document shall be controlled to ensure:<br>b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity)

  • 7.5.3 Control of documented information<br>For the control of documented information, the organization shall address the following activities, as applicable:<br>c) distribution, access, retrieval and use

  • 7.5.3 Control of documented information<br>For the control of documented information, the organization shall address the following activities, as applicable:<br>d) storage and preservation, including the preservation of legibility

  • 7.5.3 Control of documented information<br>For the control of documented information, the organization shall address the following activities, as applicable:<br>e) control of changes (e.g. version control)

  • 7.5.3 Control of documented information<br>For the control of documented information, the organization shall address the following activities, as applicable:<br>f) retention and disposition

  • 7.5.3 Control of documented information<br>Documented information of external origin, determined by the organization to be necessary for the planning and operation of the ISMS, shall be identified as<br>appropriate, and controlled

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information, etc

  • 8 Operation<br>8.1 Operational planning and control<br>The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by<br>— establishing criteria for the processes

  • 8 Operation<br>8.1 Operational planning and control<br>The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by<br>— implementing control of the processes in accordance with the criteria

  • 8.1 Operational planning and control<br>Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned

  • 8.1 Operational planning and control<br>The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary

  • 8.1 Operational planning and control<br>The organization shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled

  • 8.2 Information security risk assessment<br>The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a)

  • 8.2 Information security risk assessment<br>The organization shall retain documented information of the results of the information security risk assessments

  • 8.3 Information security risk treatment<br>The organization shall implement the information security risk treatment plan

  • 8.3 Information security risk treatment<br>The organization shall retain documented information of the results of the information security risk treatment

  • 9 Performance evaluation<br>9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>a) what needs to be monitored and measured, including information security processes and controls

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>c) when the monitoring and measuring shall be performed

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>d) who shall monitor and measure

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>e) when the results from monitoring and measurement shall be analysed and evaluated

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall determine:<br>f) who shall analyse and evaluate these results

  • 9.1 Monitoring, measurement, analysis and evaluation<br>Documented information shall be available as evidence of the results

  • 9.1 Monitoring, measurement, analysis and evaluation<br>The organization shall evaluate the information security performance and the effectiveness of the ISMS

  • 9.2 Internal audit<br>9.2.1 General<br>The organization shall conduct internal audits at planned intervals to provide information on whether the ISMS:<br>a) conforms to<br>1) the organization’s own requirements for its ISMS

  • 9.2.1 General<br>The organization shall conduct internal audits at planned intervals to provide information on whether the ISMS:<br>a) conforms to<br>2) the requirements of this document

  • 9.2.1 General<br>The organization shall conduct internal audits at planned intervals to provide information on whether the ISMS:<br>b) is effectively implemented and maintained

  • 9.2.2 Internal audit programme<br>The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.<br>When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits.<br>The organization shall:<br>a) define the audit criteria and scope for each audit

  • 9.2.2 Internal audit programme<br>The organization shall:<br>b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process

  • 9.2.2 Internal audit programme<br>The organization shall:<br>c) ensure that the results of the audits are reported to relevant management

  • 9.2.2 Internal audit programme<br>The organization shall:<br>Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results

  • 9.3 Management review<br>9.3.1 General<br>Top management shall review the organization's ISMS at planned<br>intervals to ensure its continuing suitability, adequacy and effectiveness

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>a) the status of actions from previous management reviews

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>b) changes in external and internal issues that are relevant to the ISMS

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>c) changes in needs and expectations of interested parties that are relevant to the ISMS

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>d) feedback on the information security performance, including trends in:<br>1) nonconformities and corrective actions

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>d) feedback on the information security performance, including trends in:<br>2) monitoring and measurement results

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>d) feedback on the information security performance, including trends in:<br>3) audit results

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>d) feedback on the information security performance, including trends in:<br>4) fulfilment of information security objectives

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>e) feedback from interested parties

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>f) results of risk assessment and status of risk treatment plan

  • 9.3.2 Management review inputs<br>The management review shall include consideration of:<br>g) opportunities for continual improvement

  • 9.3.3 Management review results<br>The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the ISMS

  • 9.3.3 Management review results<br>Documented information shall be available as evidence of the results of management reviews

  • 10 Improvement<br>10.1 Continual improvement<br>The organization shall continually improve the suitability, adequacy and effectiveness of the ISMS

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>a) react to the nonconformity, and as applicable:<br>1) take action to control and correct it

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>a) react to the nonconformity, and as applicable:<br>2) deal with the consequences

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:<br>1) reviewing the nonconformity

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:<br>2) determining the causes of the nonconformity

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:<br>3) determining if similar nonconformities exist, or could potentially occur

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>c) implement any action needed

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>d) review the effectiveness of any corrective action taken

  • 10.2 Nonconformity and corrective action<br>When a nonconformity occurs, the organization shall:<br>e) make changes to the information security management system, if necessary

  • 10.2 Nonconformity and corrective action<br>Corrective actions shall be appropriate to the effects of the nonconformities encountered

  • 10.2 Nonconformity and corrective action<br>Documented information shall be available as evidence of:<br>f) the nature of the nonconformities and any subsequent actions taken

  • 10.2 Nonconformity and corrective action<br>Documented information shall be available as evidence of:<br>g) the results of any corrective action

  • ANNEX A <br>ISO27002_2022 Controls Matrix <br>A5.1 Policies for information security

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.2 Information Security Roles and Responsibilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.3 Segregation of Duties

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.4 Management Responsibilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.5 Contact with Authorities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.6 Contact with Special Interest Groups

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.7 Threat intelligence

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.8 Information Security in Project Management

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.9 Inventory of Information and Other Associated Assets

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.10 Acceptable Use of Information and Other Associated Assets

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.11 Return of Assets

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.12 Classification of Information

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.13 Labelling of Information

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.14 Information Transfer

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.15 Access Control

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.16 Identity Management

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.17 Authentication Information

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.18 Access Rights

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.19 Information Security in Supplier Relationships

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.20 Addressing Information Security Within Supplier Agreements

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.21 Managing Information Security in the ICT Supply Chain

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.22 Monitoring, Review and Change Management of Supplier Services

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.23 Information Security for Use of Cloud Services

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.24 Information Security Incident Management Planning and Preparation

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.25 Assessment and Decision on Information Security Events

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.26 Response to Information Security Incidents

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.27 Learning from Information Security Incidents

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.28 Collection of Evidence

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.29 Information Security During Disruption

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.30 ICT Readiness for Business Continuity

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.31 Legal, Statutory, Regulatory and Contractual Requirements

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.32 Intellectual Property Rights

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.33 Protection of Records

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.34 Privacy and Protection of PII

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.35 Independent Review of Information Security

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.36 Compliance with Policies, Rules and Standards for Information Security

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A5.37 Documented Operating Procedures

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.1 Screening

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.2 Terms and Conditions of Employment

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.3 Information Security Awareness, Education, and Training

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.4 Disciplinary Process

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.5 Responsibilities After Termination or Change of Employment

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.6 Confidentiality or Non-Disclosure Agreements

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.7 Remote Working

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A6.8 Information Security Event Reporting

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.1 Physical Security Perimeters

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.2 Physical Entry

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.3 Securing Offices, Rooms and Facilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.4 Physical Security Monitoring

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.5 Protecting Against Physical and Environmental Threats

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.6 Working in Secure Areas

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.7 Clear Desk and Clear Screen

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.8 Equipment Siting and Protection

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.9 Security of Assets Off-Premises

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.10 Storage Media

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.11 Supporting Utilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.12 Cabling Security

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.13 Equipment Maintenance

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A7.14 Secure Disposal or Re-Use of Equipment

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.1 User Endpoint Devices

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.2 Privileged Access Rights

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.3 Information Access Restriction

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.4 Access to Source Code

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.5 Secure Authentication

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.6 Capacity Management

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.7 Protection Against Malware

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.8 Management of Technical Vulnerabilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.9 Configuration Management

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.10 Information Deletion

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.11 Data Masking

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.12 Data Leakage Prevention

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.13 Information Backup

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.14 Redundancy of Information Processing Facilities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.15 Logging

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.16 Monitoring Activities

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.17 Clock Synchronisation

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.18 Use of Privileged Utility Programs

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.19 Installation of Software on Operational Systems

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.20 Network Security

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.21 Security of Network Services

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.22 Segregation of Networks

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.23 Web Filtering

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.24 Use of Cryptography

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.25 Secure Development Life Cycle

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.26 Application Security Requirements

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.27 Secure System Architecture and Engineering Principles

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.28 Secure Coding

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.29 Security Testing in Development and Acceptance

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.30 Outsourced Development

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.31 Separation of Development, Test and Production Environments

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.32 Change Management

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.33 Test Information

  • ANNEX A <br>ISO27002_2022 Controls Matrix ISO27002_2022 Controls Matrix <br>A8.34 Protection of Information Systems During Audit Testing

Opportunites for Improvement

  • Non Conformance/OFI/Positive feedback report

Follow up

  • Determine follow up actions and timings

Register updates

  • Action Register

  • Audit Program

  • Risk register

  • Audit register

  • Process Register

Verification

  • Auditor(s)

  • Auditees

ISO 27000 2022 Documented Information Audit
Steven Hall

ISO 27000 2022 Documented Information Audit

Transition of the requirements of the ISO27001 / ISO27002 2013 standard to the requirements of the ISO27001 / ISO27002 2022 standard including Annex A across relevant documentation

Use this Template
The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.

Related checklists

back arrow for carousel
back arrow for carousel
iAuditor Logo Icon ©SafetyCulture 2022