
ISO 27001:2013 to ISO 27001:2022
Transition Support Series

How to Conduct Audit of Merged Controls

ISO 27001:2022

MAST CONSULTING GROUP
www.mastcgoup.com
ELEVEN NEW CONTROLS** ADDED TO ISO 27001:2022

Control   Control Title
A.5.7     Threat Intelligence
A.5.23    Information Security for Use of Cloud Services
A.5.30    ICT Readiness for Business Continuity
A.7.4     Physical Security Monitoring
A.8.9     Configuration Management
A.8.10    Information Deletion
A.8.11    Data Masking
A.8.12    Data Leakage Prevention
A.8.16    Monitoring Activities
A.8.23    Web Filtering
A.8.28    Secure Coding

** Shared in an earlier post
MERGED CONTROLS ISO 27001:2022

ISO 27001:2013 controls                      2022 control   Control Title
A.16.1.2, A.16.1.3                           A.6.8          Information security event reporting
A.11.1.2, A.11.1.6                           A.7.2          Physical entry
A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5          A.7.10         Storage media
A.6.2.1, A.11.2.8                            A.8.1          User endpoint devices
A.12.6.1, A.18.2.3                           A.8.8          Management of technical vulnerabilities
A.12.4.1, A.12.4.2, A.12.4.3                 A.8.15         Logging
A.12.5.1, A.12.6.2                           A.8.19         Installation of software on operational systems
A.10.1.1, A.10.1.2                           A.8.24         Use of cryptography
A.14.1.2, A.14.1.3                           A.8.26         Application security requirements
A.14.2.8, A.14.2.9                           A.8.29         Security testing in development and acceptance
A.12.1.4, A.14.2.6                           A.8.31         Separation of development, test and production environments
A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4       A.8.32         Change management
STRUCTURE OF ISO 27002:2022: ATTRIBUTES

Each control has a purpose, which effectively takes the place of the control objective from the 2013 version.

AUDITING ATTRIBUTE USE

1. The use of control attributes is not mandatory; hence the absence of attributes is not a non-conformity.
2. Attributes are in ISO 27002 only, NOT in ISO 27001.
3. If attributes are in use:
   - Do they contribute to control selection for managing risks?
   - Are they used for clarity on responsibilities?
   - Is the organization using attributes of its own, and if so, for what purpose?
   - Where are the attributes captured? In the SoA?
AUDITING AGAINST A.6.8 INFORMATION SECURITY EVENT REPORTING

Control Description
The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Purpose
To support timely, consistent, and effective reporting of information security events that can be identified by personnel.

How
Design and implement a reporting procedure, provide training, and promulgate the reporting email addresses and telephone numbers.

Audit Question / Sampling records & documents
- Examine security event and incident procedures
- Examine user training material relating to security events, weaknesses and incidents

Interview / Review the sampled documented information
- Sample the reported events
- Interview or observe service desk personnel on their response to security events
- Interview a sample of users on their understanding of how events and weaknesses shall be reported
- Sample follow-up actions from previous security events and weaknesses – check effectiveness
AUDITING AGAINST A.7.2 PHYSICAL ENTRY

Control Description
Secure areas should be protected by appropriate entry controls and access points.

Purpose
To ensure only authorized physical access to the organization's information and other associated assets occurs.

How
Security guards, CCTV, enhanced patrolling, sensors. These may be difficult to implement in leased or shared premises.

Audit Question / Sampling records & documents
- Sample physical access records and logs
- Examine the physical security policies and procedures
- Check use of employee and visitor identification, and sample
- Confirm visitor escort policy

Interview / Review the sampled documented information
- Walk around to check physical security controls
- Observe reception, delivery and loading areas where unauthorized personnel may gain access
- Observe use of employee and visitor IDs
- Check emergency exits for potential unauthorized ingress
AUDITING AGAINST A.7.10 STORAGE MEDIA

Control Description
Storage media should be managed through their life cycle of acquisition, use, transportation, and disposal in accordance with the organization's classification scheme and handling requirements.

Purpose
To ensure only authorized disclosure, modification, removal, or destruction of information on storage media.

Audit Question / Sampling records & documents
- Review media handling policy and procedures
- Review reuse and disposal procedures and sample destruction records
- Review media transfer processes and sample the transfer mechanism and relevant approvals
- Examine use of encryption on removable media

Interview / Review the sampled documented information
- Interview users on handling of media
- Interview staff responsible for media reuse/destruction
- Sample the instances of media transfer and media disposal and review them for process compliance
- Examine awareness content
AUDITING AGAINST A.8.1 USER ENDPOINT DEVICES

Control Description
Information stored on, processed by or accessible via user endpoint devices should be protected.

Purpose
To protect information against the risks introduced by using user endpoint devices.

Audit Question / Sampling records & documents
- Review the policy on use of laptops and mobile devices
- Review policy settings related to password-protected screen savers
- Check the endpoint patching process and sample it
- Confirm restrictions on software installation and the controls installed on mobile devices

Interview / Review the sampled documented information
- Interview a few users of laptops and check whether they are aware of the policies
- Observe workstations left unattended to confirm the activation of screen savers
- Sample the laptops for the implementation and effectiveness of controls
AUDITING AGAINST A.8.8 MANAGEMENT OF TECHNICAL VULNERABILITIES

Control Description
Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

Purpose
To prevent exploitation of technical vulnerabilities.

How
May be part of a broader organizational records management approach.

Audit Question / Sampling records & documents
- Review vulnerability management policy and procedures
- Review sources of vulnerability information and sample penetration testing reports
- Sample records of risk/vulnerability assessment decisions
- Sample patching records

Interview / Review the sampled documented information
- Interview systems administrators responsible for patching
- Review the reports of VA and pentests carried out
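When sampling patching records for A.8.8, the question the auditor has to answer for each record is whether the time from identification to remediation stayed inside the organization's own SLA, and which open items have already outlived it. The script below is an added illustration of that sampling step; it is not code from this deck or from MAST Consulting Group. The SLA table, the audit date, the hostnames and the VR-nnn tracking ids are constructed placeholders; a real audit would use the records exported from the organization's vulnerability or patch management tool.

```python
"""Sample patching records against a remediation SLA (A.8.8).

Added illustration, not code from the MAST Consulting Group deck. The
records, SLA table and audit date are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    ref: str                 # organization's tracking id (constructed placeholder)
    host: str                # constructed placeholder hostname
    severity: str            # "critical", "high", "medium" or "low"
    identified: date         # date the vulnerability was identified on this host
    patched: Optional[date]  # None means not yet remediated


# Constructed sample SLA: maximum calendar days from identification to remediation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample records.
SAMPLE_RECORDS = [
    PatchRecord("VR-001", "web-01", "critical", date(2024, 1, 10), date(2024, 1, 14)),
    PatchRecord("VR-002", "web-02", "critical", date(2024, 1, 10), date(2024, 1, 25)),
    PatchRecord("VR-003", "db-01", "high", date(2024, 2, 15), None),
    PatchRecord("VR-004", "file-01", "medium", date(2023, 11, 1), None),
    PatchRecord("VR-005", "ws-17", "low", date(2024, 1, 2), date(2024, 2, 20)),
]

AUDIT_DATE = date(2024, 3, 1)  # constructed "as of" date for the sample


def assess(record: PatchRecord, as_of: date, sla_days=SLA_DAYS) -> str:
    """Classify one record relative to the SLA for its severity."""
    if record.severity not in sla_days:
        raise ValueError(f"{record.ref}: unknown severity {record.severity!r}")
    limit = sla_days[record.severity]
    if record.patched is None:
        # Still open: compare its age on the audit date with the SLA.
        age = (as_of - record.identified).days
        return "overdue-unpatched" if age > limit else "open-within-sla"
    if record.patched < record.identified:
        raise ValueError(f"{record.ref}: patched before identified")
    taken = (record.patched - record.identified).days
    return "patched-within-sla" if taken <= limit else "patched-late"


def summarise(records, as_of: date, sla_days=SLA_DAYS) -> dict:
    """Count records per status: the auditor's headline numbers."""
    counts = {}
    for r in records:
        status = assess(r, as_of, sla_days)
        counts[status] = counts.get(status, 0) + 1
    return counts


def exceptions(records, as_of: date, sla_days=SLA_DAYS) -> list:
    """Refs an auditor would take forward as potential nonconformities."""
    return [r.ref for r in records
            if assess(r, as_of, sla_days) in ("patched-late", "overdue-unpatched")]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.ref} {r.host:8} {r.severity:8} {assess(r, AUDIT_DATE)}")
    print(summarise(SAMPLE_RECORDS, AUDIT_DATE))
    print("exceptions:", exceptions(SAMPLE_RECORDS, AUDIT_DATE))
```

Open items are judged by their age on the audit date rather than ignored, which is what separates a backlog that is still inside the SLA from one that has silently become a finding; a record with an unknown severity or a patch date earlier than its identification date is rejected rather than classified, since either means the record itself cannot be relied on as evidence.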
AUDITING AGAINST A.8.15 LOGGING

Control Description
Logs that record activities, exceptions, faults, and other relevant events should be produced, stored, protected, and analyzed.

Purpose
To record events, generate evidence, ensure the integrity of log information, prevent unauthorized access, identify information security events that can lead to an information security incident, and to support investigations.

How
This control relates to control A.5.12 regarding information classification. A.5.12 shall be effective as a precursor to this control.

Audit Question / Sampling records & documents
- Review the logging and log retention policies
- Sample logging settings on key devices
- Review log data location, storage, backup and archiving, and the access to such
- Check that privileged users do not have update access to logging data – sample some access lists

Interview / Review the sampled documented information
- Interview security management on the analysis of logs
- Review the log records
- Sample the access privileges for logs
AUDITING AGAINST A.8.19 INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS

Control Description
Procedures and measures should be implemented to securely manage software installation on operational systems.

Purpose
To ensure the integrity of operational systems and prevent exploitation of technical vulnerabilities.

Audit Question / Sampling records & documents
- Review testing practices for new and changed applications
- Review policies on software installation, whitelisting etc.
- Sample access controls on systems
- Sample any software register identifying vendor software
- Sample the currency of vendor software to ensure it is still maintained

Interview / Review the sampled documented information
- Interview systems administrators responsible for installations
- Sample the whitelisted software
AUDITING AGAINST A.8.24 USE OF CRYPTOGRAPHY

Control Description
Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented.

Purpose
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information according to business and information security requirements, and taking into consideration legal, statutory, regulatory and contractual requirements related to cryptography.

Audit Question / Sampling records & documents
- Review the cryptographic policy
- Confirm encryption technology was selected to meet business objectives
- Review any key management procedures
- Sample digital certificates to validate currency
- Sample the use of encryption on mobile devices

Interview / Review the sampled documented information
- Interview systems administrators responsible for management of digital certificates and encryption keys
- Sample the DSCs
- Sample the data at rest and also sample the data in transit
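Sampling certificates "to validate currency" is usually done from an inventory rather than from the certificates one by one, and the same pass can test whether each entry meets the cryptographic policy's algorithm rules. The script below is an added illustration of that worksheet and is not code from this deck or from MAST Consulting Group. The CSV inventory, its subject names and dates are constructed placeholders; the 30-day renewal lead time, the minimum key sizes per algorithm, and the forbidden signature hashes are stated as assumptions about the organization's policy, to be replaced with the values from the policy actually reviewed.

```python
"""Sample a certificate inventory for currency and policy compliance (A.8.24).

Added illustration, not code from the MAST Consulting Group deck. The
inventory and the policy thresholds are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample inventory (subject names and dates are placeholders).
SAMPLE_INVENTORY = """subject,not_after,key_alg,key_bits,sig_hash
api.example.test,2024-06-30,RSA,2048,sha256
legacy.example.test,2024-01-15,RSA,1024,sha1
vpn.example.test,2024-03-20,EC,256,sha256
mail.example.test,2025-12-31,RSA,4096,sha384
"""

AUDIT_DATE = date(2024, 3, 1)             # constructed "as of" date
WARN_DAYS = 30                            # assumed renewal lead time in the policy
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}   # assumed policy minimums per algorithm
WEAK_HASHES = {"md5", "sha1"}             # signature hashes the assumed policy forbids


def parse_inventory(text: str) -> list:
    """Read the CSV export into typed dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "subject": row["subject"],
            "not_after": date.fromisoformat(row["not_after"]),
            "key_alg": row["key_alg"].upper(),
            "key_bits": int(row["key_bits"]),
            "sig_hash": row["sig_hash"].lower(),
        })
    return rows


def check_certificate(cert: dict, as_of: date = AUDIT_DATE) -> list:
    """Return the policy issues found for one inventory entry ([] if none)."""
    issues = []
    days_left = (cert["not_after"] - as_of).days
    if days_left < 0:
        issues.append("expired")
    elif days_left <= WARN_DAYS:
        issues.append("expiring")          # currency OK today, renewal due now
    minimum = MIN_KEY_BITS.get(cert["key_alg"])
    if minimum is None:
        issues.append("unlisted-algorithm")  # not covered by the policy at all
    elif cert["key_bits"] < minimum:
        issues.append("weak-key")
    if cert["sig_hash"] in WEAK_HASHES:
        issues.append("weak-hash")
    return issues


def audit_inventory(text: str, as_of: date = AUDIT_DATE) -> dict:
    """Map each subject to its issues: the auditor's sampling worksheet."""
    return {c["subject"]: check_certificate(c, as_of) for c in parse_inventory(text)}


if __name__ == "__main__":
    for subject, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{subject:22} {', '.join(issues) or 'ok'}")
```

On the sample, legacy.example.test is reported as expired with a weak key and a weak hash, vpn.example.test as expiring inside the lead time, and the other two as clean. An algorithm the policy does not list is reported as its own issue rather than passed silently, since a certificate the policy never considered is a gap in the policy, not evidence of compliance.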
AUDITING AGAINST A.8.26 APPLICATION SECURITY REQUIREMENTS

Control Description
Information security requirements should be identified, specified and approved when developing or acquiring applications.

Purpose
To ensure all information security requirements are identified and addressed when developing or acquiring applications.

Audit Question / Sampling records & documents
- Check authentication and trust mechanisms
- Sample design and specification documentation to identify security considerations
- Check what non-repudiation mechanisms are in place for application transactions, e.g. PKI
- Check transaction logging
- Sample risk assessments of new or changed applications

Interview / Review the sampled documented information
- Interview security management regarding their involvement in application design
- Interview security management regarding privacy and other regulatory requirements
- Interview application developers and systems architects regarding function- and data-level security design
AUDITING AGAINST A.8.29 SECURITY TESTING IN DEVELOPMENT AND ACCEPTANCE

Control Description
Security testing processes should be defined and implemented in the development life cycle.

Purpose
To validate if information security requirements are met when applications or code are deployed to the production environment.

Audit Question / Sampling records & documents
- Examine testing procedures to ensure testing of security functions is conducted
- Sample test plans and results
- Review how criteria for acceptance of new systems are defined, agreed, documented, and tested
- Review any penetration test reports and action taken on outcomes
- Sample risk assessments of new or changed applications

Interview / Review the sampled documented information
- Interview application testing personnel
- Sample the unit and integration tests for review
AUDITING AGAINST A.8.31 SEPARATION OF DEVELOPMENT, TEST AND PRODUCTION ENVIRONMENTS

Control Description
Development, testing and production environments should be separated and secured.

Purpose
To protect the production environment and data from compromise by development and test activities.

Audit Question / Sampling records & documents
- Review the access control policy in relation to the various environments
- Sample access to confirm restricted access to each environment as per the access control policy
- Review rules for migrating between environments
- Check use of sensitive data in the non-production environments and in training
- Check security control differences between environments and confirm that the associated risks have been noted and addressed

Interview / Review the sampled documented information
- Interview application development management on the presence of development, test and production environments
- Interview application developers regarding separation of roles and responsibilities
AUDITING AGAINST A.8.32 CHANGE MANAGEMENT

Control Description
Changes to information processing facilities and information systems should be subject to change management procedures.

Purpose
To preserve information security when executing changes.

Audit Question / Sampling records & documents
- Review the change management procedure
- Sample some change records
- Check approval processes for changes
- Check that any necessary documentation, continuity/recovery and backup processes are also changed
- Sample test plans related to changes

Interview / Review the sampled documented information
- Interview the change manager on the change control process
- Sample changes to production systems and check process compliance
Please contact us to support you in transitioning to ISO 27001:2022.
LET'S WORK TOGETHER

MAST CONSULTING GROUP
www.mastcgoup.com

+971566815617, +918652207020 | anil@mastcgroup.com | LINKEDIN

UNITED ARAB EMIRATES, KSA, INDIA
