March 6, 2023

Last Updated on June 17, 2024

3 Things Your ISO 27001:2022 Auditor Will Love to See

If you’re looking at a certification, recertification, or surveillance audit against the new ISO 27001:2022 version, you might be concerned about what’s new in the standard and/or the audit process that auditors will be looking for.

To help orgs prepare for ISO 27001:2022, a recent episode of The Virtual CISO Podcast features “recurring guests” Ryan Mackie and Danny Manimbo, principals at Schellman. Pivot Point Security CISO and Managing Partner, John Verry, is the host.

#1: A robust risk assessment

The risk assessment is a foundational element of any information security management system (ISMS). How do you roll out new controls if you haven’t assessed risk in those areas? And ISO 27002:2022 controls guidance arms orgs—and auditors—with a helpful new risk assessment and control evaluation tool: attributes.

Ryan explains: “One of the things obviously that we’re looking for in any audit is how somebody might have incorporated changes within their certified management system. So, if they move from on-prem to the cloud or whatever it might be, can they demonstrate that their risk assessment scaled accordingly? Whether that’s looking at attributes or just the process and the methodology in general. Assessing change/risk is always going to be part of our approach. And these tools can help facilitate that conversation.”

John relates that a Schellman auditor recently gave Pivot Point Security an Opportunity for Improvement (OFI) because he didn’t see evidence in the risk assessment about a new control that was added to the ISMS.

“That’s really the way that whole process is supposed to work,” John offers. “I would be encouraged by an auditor using attributes in the way you discussed in being critical of our risk management process.”

#2: A focus on what’s changed in your control set

To ensure registrars/certification bodies are prepared for ISO 27001:2022, the International Accreditation Forum issued Mandatory Document 26 (MD 26). Firms seeking certification or recertification with the new standard can gain insight from this free, publicly available document (recently updated to Issue 2) on what auditors will be focusing on.

“At a minimum we would be looking at those 11 net new controls [in ISO 27001 Annex A],” Danny describes. “Whether you’re doing a surveillance or recertification audit, I think there’s a lot of ‘nerves’ out there that when that transition occurs, we’re going to be auditing 100% of the controls. … But that is not the case.”
#3: Updates to your SOA and other key ISMS documentation

If you’ve freshened up your risk assessment in line with the new ISO 27001:2022 guidance, have you followed that through to your Statement of Applicability (SOA), internal audit results, and other key documentation?

“You’re basically looking at the management system elements that needed to have scaled accordingly,” Danny clarifies. “While the clauses didn’t materially change, we know you’re going to have to update your risk assessment. We know as a result that new risk treatment is going to change your SOA. Did your internal audit cover these things? Those are the main elements of what we’d look at for a surveillance or recertification audit.”

For a first-time certification audit, of course, the whole ISMS will be under scrutiny, including whatever has recently changed to align with ISO 27001:2022.

What’s next?

To hear this podcast with ISO 27001:2022 audit experts Ryan Mackie and Danny Manimbo, click here.

Here’s what’s new with the ISO 27001 controls: The New ISO 27002:2022—What’s New with the Controls?