Think Week 🧠
Don't sleepwalk into your transition audit.
You have purchased a license for the new 2022 revision of ISO 27001, and, after a moment of converting the "CHF" currency to something more local, you are relieved that this expense report might actually go through without anyone questioning why ISO standards cost money yet again — ugh, a topic for another day. 😒
You skim the standard, and it appears that all the favorites, such as scope, risk assessment, internal audit, management review, and the ISO 27002 controls, are still there to some extent.
Maybe a few controls look removed, and there are a few newcomers — 11 net new controls to be exact. Oh, and some controls appear to be combined — 24 consolidated controls in this release.
Sayonara, “teleworking” control.
You died when my home phone was disconnected 8 years ago.
So, what do you really need to do to prepare your management system for one of these transition audits from your certification body in the first 36 months after ISO/IEC 27001:2022 was published?
Let’s break it down using IAF MD 26.
Within Section 4.2 of these instructions, the IAF outlines actions of the CAB (i.e., conformity assessment body, but you can think “certification body” for our purposes).
1. Gap Analysis: What you see in this bullet point is the only guidance that certification bodies also have at their disposal. For this one, we are looking for anything documented via a form of self-assessment. We have accepted assessments performed through compliance SaaS platforms as well as a simple Excel workbook showing a side-by-side of the requirements of ISO/IEC 27001:2022 and how the organization believes it meets the criteria. There are several open-source documents comparing the 2013 and 2022 revisions of ISO 27001 you can find with simple online searches if you need a starting point.

   Common pitfall: Organizations attempt to leverage their second-party audit (i.e., internal audit) for this evidence. Your internal audit activity should be limited to a verification mechanism confirming that your system has been upgraded to meet the 2022 revision; it should not perform this upfront gap analysis on behalf of the management system operators.

2. Statement of Applicability (SoA): New control set, new you. Frequently, organizations will apply the Annex A controls detailed explicitly within the ISO 27001 standard as a form of risk mitigation for inherent risks affecting their management system scope. If you fall into this bucket, your organization will need to re-map these controls, since the ISO/IEC 27001:2013 standard is no longer applicable. Additionally, for the 11 net new controls, there will be extra attention on clause 6.1.3(d) to ensure that these controls have been listed, justified for inclusion or exclusion with explanatory notes, and represented by a documented implementation status.

   Pro tip: Stop relying on Annex A controls. Most of these controls are written at such a high level that purist security practitioners attempt to discredit the entire ISO 27001 standard before thinking about how these controls are intended to be applied via a risk-based approach and methodology. The most mature certified organizations have internal control sets balancing all of their compliance obligations and simply map their control sets to any ISO 27001 controls they have justified for inclusion in their scope before going above and beyond the baseline control descriptions.

3. Modifications to Risk Treatment Plans, as appropriate: This one is probably the simplest of the 4 objectives explicitly stated within IAF MD 26. In simple terms, if you have any open risk treatment plans from prior cycles or previous reviews AND these plans have applied an Annex A control from ISO/IEC 27001:2013, these Annex A controls will need to be re-mapped to the control set within ISO/IEC 27001:2022. Your organization does not need to address this objective for already completed risk treatment plans. Then, of course, on a go-forward basis, ensure your organization is applying the ISO/IEC 27001:2022 control set for newly identified risk treatment plans.

4. Implementation & Effectiveness of New or Changed Controls: When we first read this objective, we were initially confused, as it really feels like a follow-on action to number 1 rather than a separate item. Let’s call it number 1b.
In essence, this is the next step after your self-administered gap analysis. You review the changes in ISO/IEC 27001:2022, decide where gaps exist, determine their severity, create an action plan, and ensure the minimum requirements are complete prior to an external audit. Your certification body has to obtain objective evidence that your management system has implemented the new standard, and this process flow of corrective action identification through to corrective action close-out is easy and defensible evidence to meet this objective.
And, as an added bonus, this last item is not listed within IAF MD 26, but is hidden in the standard itself (clause 9.2, internal audit):

"The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the requirements of this document."
Yes, your certification body must also determine that the internal audit activity was executed against ISO/IEC 27001:2022 and cannot certify the scope to the new revision with this omission.
In summary, these steps feel intuitive for a major release but note that each of these items above will need to be supported by objective evidence in the form of documented information.
Breathe easy – this standard apparently only receives major updates once every 10 years.
🧠 🧠 🧠 🧠 🧠