
ISO 27001:2022 GAP ANALYSIS / TRANSITION CHECKLIST

Instructions For Use


This document identifies the major changes within ISO 27001:2022, and thus potential gaps that may exist within an ISMS
based upon ISO 27001:2013. This document is provided both as a Gap Analysis and as a Transition Checklist that should
be used by organizations to prepare for and support their transition from the ISO 27001:2013 standard to the ISO
27001:2022 standard. Note that an NQA transition audit will be required to confirm an organization's transition to ISO
27001:2022 conformance; this may be conducted either in conjunction with an existing surveillance or reassessment
audit, or as a stand-alone event. Additional "transition time" will be required to assess these changes.

• Part 1: Requirements Changes: Within the Requirements tab of this checklist, NQA has highlighted only the changes in the ISO 27001:2022 requirements that may have a material effect on an organization's ISMS. All organizations should review these changes and determine whether the ISMS needs to be updated. All new or changed requirements must be met in order to be deemed compliant with ISO 27001:2022.

• Part 2: ISO 27001:2022 Annex A (Information security controls) – New & Changed ISMS Controls. The numbered tabs within this checklist correspond to the new Annex A organization of ISMS controls. All controls have been included to aid in mapping from previous control numbers, but not all controls have material changes. NQA has highlighted the rows (in blue) for the 11 new controls that will need to be met, and has further highlighted the text (in red) of those controls that were changed or merged and may have some material effect. All organizations should consider these changes for potential changes within their ISMS and Information Security Management controls. There may be cases where an organization's existing approach meets the intent of the new control, in which case no changes may be needed; however, it would generally be expected that any ISMS will require some number of changes in order to address all the new ISO 27001:2022 controls. Additionally, an updated Statement of Applicability (SoA) will most likely be required.

ISO 27001:2022 Transition Checklist NQA_USA – rev 1.1


ISO 27001:2022 Transition Checklist
Client # & name:
Audit # & Certificate #:
Date of completion:

Part 1: Annex SL Changes, excluding changes to Annex A.

Columns: Clause | Revised Requirement | Revisions / Potential Gaps | Evidence of Compliance | Has the Client demonstrated that they have met the requirements of this clause? (Yes / No) | Comments if required
(The Evidence of Compliance, Yes / No and Comments columns are blank in this template.)

4 Context of the Organization

4.2 Understanding the needs and expectations of interested parties | 4.2 c | which of these requirements will be addressed through the information security management system

4.4 Information security management system | 4.4 | including the processes needed and their interactions

6 Planning

6.2 Information security objectives and planning to achieve them | 6.2 d | be monitored

6.3 Planning of changes | 6.3 | When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner

7 Support of the service management system

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation | 9.1 b | The methods selected should produce comparable and reproducible results to be considered valid

9.3 Management review | 9.3.2 c | changes in needs and expectations of interested parties that are relevant to the information security management system

10 Improvement

10.1 Continual improvement | 10.1 | Numbering switch with 2013 clause 10.1 Nonconformity and corrective action (unlikely to have impact)

10.2 Nonconformity and corrective action | 10.2 | Numbering switch with 2013 clause 10.2 Continual improvement (unlikely to have impact)


Client name:
Certificate number:
Date of completion:

Part 2: ISO 27002:2022 Annex A – New & Changed controls

Multi-site organisations should ensure that the requirements have been considered for all relevant locations, especially where such locations have unique circumstances or different services/contracts/SLAs/resource models/toolsets.

Columns: ISO 27001:2022 Control Number | ISO 27001:2022 Cross Reference and the significant changes from the 2013 version | Evidence to support compliance | Has the Client demonstrated they have met the requirements of this clause? (Yes / No) | Comments if required
(Each control below lists the control number and title, the 2022 control statement, and either the 2013 control(s) it maps from ("Old:") or "NEW" for a control with no 2013 equivalent. The Evidence, Yes / No and Comments columns are blank in this template.)

5 Operational controls

5.1 Policies for information security
    Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
    Old: 05.1.1, 05.1.2

5.2 Information security roles and responsibilities
    Information security roles and responsibilities shall be defined and allocated according to the organization needs.
    Old: 06.1.1

5.3 Segregation of duties
    Conflicting duties and conflicting areas of responsibility shall be segregated.
    Old: 06.1.2


5.4 Management responsibilities
    Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
    Old: 07.2.1

5.5 Contact with authorities
    The organization shall establish and maintain contact with relevant authorities.
    Old: 06.1.3

5.6 Contact with special interest groups
    The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.
    Old: 06.1.4

5.7 Threat intelligence
    Information relating to information security threats shall be collected and analysed to produce threat intelligence.
    NEW

5.8 Information security in project management
    Information security shall be integrated into project management.
    Old: 06.1.5, 14.1.1

5.9 Inventory of information and other associated assets
    An inventory of information and other associated assets, including owners, shall be developed and maintained.
    Old: 08.1.1, 08.1.2


5.10 Acceptable use of information and other associated assets
    Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
    Old: 08.1.3, 08.2.3

5.11 Return of assets
    Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
    Old: 08.1.4

5.12 Classification of information
    Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
    Old: 08.2.1

5.13 Labelling of information
    An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
    Old: 08.2.2

5.14 Information transfer
    Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
    Old: 13.2.1, 13.2.2, 13.2.3

5.15 Access control
    Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
    Old: 09.1.1, 09.1.2


5.16 Identity management
    The full life cycle of identities shall be managed.
    Old: 09.2.1

5.17 Authentication information
    Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.
    Old: 09.2.4, 09.3.1, 09.4.3

5.18 Access rights
    Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control.
    Old: 09.2.2, 09.2.5, 09.2.6

5.19 Information security in supplier relationships
    Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
    Old: 15.1.1

5.20 Addressing information security within supplier agreements
    Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
    Old: 15.1.2

5.21 Managing information security in the information and communication technology (ICT) supply chain
    Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
    Old: 15.1.3


5.22 Monitoring, review and change management of supplier services
    The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
    Old: 15.2.1, 15.2.2

5.23 Information security for use of cloud services
    Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.
    NEW

5.24 Information security incident management planning and preparation
    The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
    Old: 16.1.1

5.25 Assessment and decision on information security events
    The organization shall assess information security events and decide if they are to be categorized as information security incidents.
    Old: 16.1.4

5.26 Response to information security incidents
    Information security incidents shall be responded to in accordance with the documented procedures.
    Old: 16.1.5

5.27 Learning from information security incidents
    Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
    Old: 16.1.6


5.28 Collection of evidence
    The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
    Old: 16.1.7

5.29 Information security during disruption
    The organization shall plan how to maintain information security at an appropriate level during disruption.
    Old: 17.1.1, 17.1.2, 17.1.3

5.30 ICT readiness for business continuity
    ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
    NEW

5.31 Legal, statutory, regulatory and contractual requirements
    Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.
    Old: 18.1.1, 18.1.5

5.32 Intellectual property rights
    The organization shall implement appropriate procedures to protect intellectual property rights.
    Old: 18.1.2

5.33 Protection of records
    Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
    Old: 18.1.3


5.34 Privacy and protection of personal identifiable information (PII)
    The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
    Old: 18.1.4

5.35 Independent review of information security
    The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
    Old: 18.2.1

5.36 Compliance with policies, rules and standards for information security
    Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
    Old: 18.2.2, 18.2.3

5.37 Documented operating procedures
    Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
    Old: 12.1.1

Areas for further detail


6 People controls

6.1 Screening
    Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
    Old: 07.1.1

6.2 Terms and conditions of employment
    The employment contractual agreements shall state the personnel’s and the organization’s responsibilities for information security.
    Old: 07.1.2

6.3 Information security awareness, education and training
    Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.
    Old: 07.2.2


6.4 Disciplinary process
    A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
    Old: 07.2.3

6.5 Responsibilities after termination or change of employment
    Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
    Old: 07.3.1

6.6 Confidentiality or non-disclosure agreements
    Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
    Old: 13.2.4

6.7 Remote working
    Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.
    Old: 06.2.2

6.8 Information security event reporting
    The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
    Old: 16.1.2, 16.1.3

Areas for further detail


7 Physical controls

7.1 Physical security perimeters
    Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
    Old: 11.1.1

7.2 Physical entry
    Secure areas shall be protected by appropriate entry controls and access points.
    Old: 11.1.2, 11.1.6

7.3 Securing offices, rooms and facilities
    Physical security for offices, rooms and facilities shall be designed and implemented.
    Old: 11.1.3


7.4 Physical security monitoring
    Premises shall be continuously monitored for unauthorized physical access.
    NEW

7.5 Protecting against physical and environmental threats
    Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.
    Old: 11.1.4

7.6 Working in secure areas
    Security measures for working in secure areas shall be designed and implemented.
    Old: 11.1.5

7.7 Clear desk and clear screen
    Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
    Old: 11.2.9

7.8 Equipment siting and protection
    Equipment shall be sited securely and protected.
    Old: 11.2.1

7.9 Security of assets off-premises
    Off-site assets shall be protected.
    Old: 11.2.6

7.10 Storage media
    Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.
    Old: 08.3.1, 08.3.2, 08.3.3, 11.2.5


7.11 Supporting utilities
    Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
    Old: 11.2.2

7.12 Cabling security
    Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.
    Old: 11.2.3

7.13 Equipment maintenance
    Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
    Old: 11.2.4

7.14 Secure disposal or re-use of equipment
    Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
    Old: 11.2.7

Areas for further detail


8 Technological controls

8.1 User end point devices
    Information stored on, processed by or accessible via user end point devices shall be protected.
    Old: 06.2.1, 11.2.8

8.2 Privileged access rights
    The allocation and use of privileged access rights shall be restricted and managed.
    Old: 09.2.3

8.3 Information access restriction
    Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
    Old: 09.4.1


8.4 Access to source code
    Read and write access to source code, development tools and software libraries shall be appropriately managed.
    Old: 09.4.5

8.5 Secure authentication
    Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
    Old: 09.4.2

8.6 Capacity management
    The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
    Old: 12.1.3

8.7 Protection against malware
    Protection against malware shall be implemented and supported by appropriate user awareness.
    Old: 12.2.1

8.8 Management of technical vulnerabilities
    Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
    Old: 12.6.1, 18.2.3

8.9 Configuration management
    Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
    NEW

8.10 Information deletion
    Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
    NEW


8.11 Data masking
    Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
    NEW

8.12 Data leakage prevention
    Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
    NEW

8.13 Information backup
    Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
    Old: 12.3.1

8.14 Redundancy of information processing facilities
    Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
    Old: 17.2.1

8.15 Logging
    Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
    Old: 12.4.1, 12.4.2, 12.4.3

8.16 Monitoring activities
    Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
    NEW


8.17 Clock synchronization
    The clocks of information processing systems used by the organization shall be synchronized to approved time sources.
    Old: 12.4.4

8.18 Use of privileged utility programs
    The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
    Old: 09.4.4

8.19 Installation of software on operational systems
    Procedures and measures shall be implemented to securely manage software installation on operational systems.
    Old: 12.5.1, 12.6.2

8.20 Networks security
    Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
    Old: 13.1.1

8.21 Security of network services
    Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
    Old: 13.1.2

8.22 Segregation of networks
    Groups of information services, users and information systems shall be segregated in the organization’s networks.
    Old: 13.1.1

8.23 Web filtering
    Access to external websites shall be managed to reduce exposure to malicious content.
    NEW


8.24 Use of cryptography
    Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
    Old: 10.1.1, 10.1.2

8.25 Secure development life cycle
    Rules for the secure development of software and systems shall be established and applied.
    Old: 14.2.1

8.26 Application security requirements
    Information security requirements shall be identified, specified and approved when developing or acquiring applications.
    Old: 14.1.2, 14.1.3

8.27 Secure system architecture and engineering principles
    Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
    Old: 14.2.5

8.28 Secure coding
    Secure coding principles shall be applied to software development.
    NEW

8.29 Security testing in development and acceptance
    Security testing processes shall be defined and implemented in the development life cycle.
    Old: 14.2.8, 14.2.9

8.30 Outsourced development
    The organization shall direct, monitor and review the activities related to outsourced system development.
    Old: 14.2.7


8.31 Separation of development, test and production environments
    Development, testing and production environments shall be separated and secured.
    Old: 12.1.4, 14.2.6

8.32 Change management
    Changes to information processing facilities and information systems shall be subject to change management procedures.
    Old: 12.1.2, 14.2.2, 14.2.3, 14.2.4

8.33 Test information
    Test information shall be appropriately selected, protected and managed.
    Old: 14.3.1

8.34 Protection of information systems during audit testing
    Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.
    Old: 12.7.1

Areas for further detail
