Presentation Slides 2 Clauses 4 To 10


CQI-IRCA Certified ISO 27001:2022 Auditor/Lead Auditor Course - Handouts

QACA/TM/ISMSLA-01
Issue 01, Rev 01 dated Nov, 2022
www.qualityaustriacentralasia.com -1-
ISO / IEC 27001:2022 – CLAUSE 4

CONTEXT OF ORGANISATION:

CLAUSE 4.1 - Understanding the Organisation and its context

The environment in which the organisation operates.

Purpose – Understanding the nature of the business of the organisation and defining the same.

Intended outcome of ISMS – Determine the planned result of implementation.

Internal & External issues – Identify the business risks & opportunities at the organizational level. The organization can take reference from Clause 5.4.1 of ISO 31000:2018.
ISO / IEC 27001:2022 – CLAUSE 4

CONTEXT OF ORGANISATION:

CLAUSE 4.2 - Understanding the needs and expectations of interested parties

Consider interested parties and their needs and expectations*.

Determine which of the needs pertaining to the interested parties would be addressed through the ISMS.

Requirements of interested parties may include legal and regulatory requirements and contractual obligations relevant to the ISMS.

*Need – Mandatory requirement
*Expectation – Good-to-have things
ISO / IEC 27001:2022 – CLAUSE 4

CONTEXT OF ORGANISATION:

Clause 4.3 : Determining the scope of the information security management system

The scope, boundaries and applicability of the ISMS must be examined and defined considering the internal and external issues, interested parties’ requirements, as well as the existing interfaces and dependencies between the organization’s activities and those performed by other organizations.

It should consider the requirements of the interested parties and the business risks while deciding the scope.

Documentation Requirement – The scope of the ISMS shall be documented.
ISO / IEC 27001:2022 – CLAUSE 4

CONTEXT OF ORGANISATION:

Clause 4.4 Information security management system

The organisation shall establish, implement, maintain and continually improve the ISMS.

The processes needed and their interactions have to be addressed within the management system.

It should also establish a methodology for continually improving the same.
ISO / IEC 27001:2022 – CLAUSE 5

LEADERSHIP:

Clause 5.1 Leadership & Commitment

Top management leadership must be demonstrable and active. The clause insists on leadership and not just management.

a) Establish policy and objectives in line with strategic direction
b) Ensure integration with the organization's processes
c) Ensure resources
d) Communicate the importance of effective management and of conformity
e) Ensure the ISMS achieves its intended outcomes
f) Direct and support persons involved in the ISMS
g) Promote continual improvement
h) Support other relevant managers.
ISO / IEC 27001:2022 – CLAUSE 5

LEADERSHIP:

Clause 5.2 Information Security Policy

Top management should develop the IS Policy and make sure that it is communicated to the entire organisation and relevant interested parties. The policy shall:
a) Be appropriate to the purpose of the Organisation
b) Include information security objectives or provide the framework for setting information security objectives
c) Include a commitment to satisfy applicable requirements related to information security
d) Include a commitment to continual improvement of the information security management system
e) Be available as documented information
f) Be communicated within the Organisation
g) Be available to interested parties

Documentation Requirement – The IS Policy statement.
ISO / IEC 27001:2022 – CLAUSE 5

LEADERSHIP:

Clause 5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated.

• Define an ISMS reporting structure in the Organisation
• Ensure the ISMS achieves its intended outcomes
• Direct and support persons to contribute to the effectiveness of the ISMS
ISO / IEC 27001:2022 – CLAUSE 6

PLANNING:

Clause 6.1.2 Information security risk assessments

The Organisation shall define and apply a risk assessment approach that:
• Establishes and maintains risk acceptance criteria and criteria for performing risk assessments
• Ensures repeatability, producing consistent, valid and comparable results
• Identifies security risks associated with loss of Confidentiality, Integrity and Availability and identifies Risk Owners
• Analyses risks: potential consequences, realistic likelihood, levels of risk
• Evaluates risks: compares and prioritises

Documentation Requirement – Risk assessment methodology
ISO / IEC 27001:2022 – CLAUSE 6

PLANNING:

Clause 6.1.3 Information security risk treatment

The Organisation shall define and apply an information security risk treatment process to:
• Select treatment options
• Determine controls “from any source”
• Compare controls with Annex A
• Produce a Statement of Applicability
• Formulate a treatment plan
• Obtain risk owners' approval of treatments and residual risks

Documentation Requirement – Risk treatment methodology. Statement of Applicability shall be documented
ISO / IEC 27001:2022 – CLAUSE 6

PLANNING:

Clause 6.1.3 Information security risk treatment

Produce a Statement of Applicability that contains:
• the necessary controls (see 6.1.3 b) and c))
• justification for their inclusion
• whether the necessary controls are implemented or not; and
• the justification for excluding any Annex A controls

Documentation Requirement – Risk treatment methodology. Statement of Applicability shall be documented
ISO / IEC 27001:2022 – CLAUSE 6

PLANNING:

Clause 6.2 Information security objectives and planning to achieve them

Objectives shall:
• Be aligned with the Information security policy and established at relevant functions and levels
• Be measurable (where practicable)
• Be monitored (new requirement)
• Take into account applicable information security requirements, and risk assessment and risk treatment results
• Be communicated, monitored and updated

Plan to achieve objectives: specific actions, responsibilities, resources, timelines and evaluation method defined

Documentation Requirement – ISMS Objectives
ISO / IEC 27001:2022 – CLAUSE 7

SUPPORT:

Clause 7.1 Resources
Requires resources to be determined and provided at all stages of the Information security management system

Clause 7.2 Competence
• Determine necessary competence
• Ensure persons are competent
• Take actions to acquire the necessary competence
• Evaluate the effectiveness of these actions

Clause 7.3 Awareness
Specifies the requirement for awareness of the Information security policy, contribution to the effectiveness of the ISMS and the implications of NOT conforming with ISMS requirements

Documentation Requirement – Competence related documents
ISO / IEC 27001:2022 – CLAUSE 7

SUPPORT:

Clause 7.4 Communication
Addresses internal and external communication relevant to the ISMS including what to communicate, when to, with whom, and “how” to communicate

Clause 7.5 Documented information
‘Documented information’ - new term that replaces ‘documents’ and ‘records’, erstwhile commonly used in management system standards

These requirements relate to the creation and updating of documented information and to its control.

Information necessary for the effectiveness of the ISMS is required to be kept as documented information
ISO / IEC 27001:2022 – CLAUSE 8

OPERATION:

Clause 8.1 Operational planning and control
Organizations must plan and control the processes needed to meet their information security requirements including:
1. keeping documents
2. management of change
3. responding to adverse events
4. the control of any “externally provided processes”

Clause 8.2 Information security risk assessment
Perform the Risk assessment based on the criteria mentioned in Clause 6.

Clause 8.3 Information security risk treatment
Executing Risk treatment plans, actions and results.

Documentation Requirement – Risk Assessment reports, Risk treatment plans & results
ISO / IEC 27001:2022 – CLAUSE 9

PERFORMANCE EVALUATION:

Clause 9.1 Monitoring, measurement, analysis and evaluation
Identifying the various IS Metrics to be monitored and measured.
Assigning monitoring responsibilities to a competent person.
The new requirements for measurement of effectiveness are more specific and far reaching than the 2005 version, which referred to effectiveness of controls.

Clause 9.2 Internal audit
• Objectives of internal audits
• Plan, establish, implement and maintain the audit program
• Considerations while preparing an audit program
• Ensuring objectivity and impartiality of audits
• Reporting audit results
ISO / IEC 27001:2022 – CLAUSE 9

PERFORMANCE EVALUATION:

Clause 9.3 Management review

Ensuring Management reviews ISMS performance periodically

Management conducting periodic reviews on ISMS performance, status of previous issues, risk assessment reports, Audits, NCs, Corrective actions, and feedback

Documentation Requirement – Results of the Management review.
ISO / IEC 27001:2022 – CLAUSE 10

IMPROVEMENT:

Clause 10.1 Continual improvement
Defining processes for deriving ISMS improvements through periodic risk assessments, internal and external audits, periodic management reviews (MRs) and interested parties' feedback
Adding improvements to the ISMS policies, processes and procedures

Clause 10.2 Nonconformity and corrective action
Developing and maintaining an NC Register
Defining procedures for ISMS NC corrective actions

Documentation Requirement – ISO 27001 ISMS NC Register along with corrective action details.
ISO / IEC 27001:2022 – MANDATORY DOCUMENTED INFORMATION

The requirement for documented information is spread through the standard and not summarized under one clause. These are listed below.

Clause | Documented information
4.3 | Scope of the ISMS
5.2 | Information security policy
6.1.2 | Information security risk assessment process
6.1.3 | Information security risk treatment process
6.1.3 d) | Statement of Applicability
6.1.3 e) | Risk treatment plan
6.2 | Information security objectives
7.2 | Evidence of competence
7.5.1 b) | Documented information determined by the organization as being necessary for the effectiveness of the ISMS
8.1 | Documented information to the extent necessary to have confidence that the processes have been carried out as planned
ISO / IEC 27001:2022 – MANDATORY DOCUMENTED INFORMATION

Clause | Documented information
8.2 | Results of the information security risk assessments
9.3 | Results of the information security risk treatment
9.1 | Evidence of the monitoring and measurement results
9.2 g) | Evidence of the audit program(s) and the audit results
9.3 | Evidence of the results of management reviews
10.1 f) | Evidence of the nature of the nonconformities and any subsequent actions taken
10.1 g) | Evidence of the results of any corrective action
ISO / IEC 27001:2022 – ANNEXURE A

• The number of controls is reduced from 114 to 93
• Classifies controls as ‘preventive’, ‘detective’ or ‘corrective’
• Identifies the impact of the controls on ‘confidentiality’, ‘integrity’ or ‘availability’, or a combination of these
• States whether the control exists to ‘identify’, ‘protect’, ‘detect’, ‘respond’ or ‘recover’

ISO/IEC 27002 control identifier | Control name | Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains
5.2 | Information security roles and responsibilities | #Preventive | #Confidentiality #Integrity #Availability | #Identify | #Governance | #Governance_and_Ecosystem #Protection #Resilience
5.7 | Threat intelligence | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Identify #Detect #Respond | #Threat_and_vulnerability_management | #Defence #Resilience
6.5 | Responsibilities after termination or change of employment | #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security #Asset_management | #Governance_and_Ecosystem
8.7 | Protection against malware | #Preventive #Detective #Corrective | #Confidentiality #Integrity #Availability | #Protect #Detect | #System_and_network_security #Information_protection | #Protection #Defence
ISO / IEC 27001:2022 – ANNEXURE A

Themes of the controls:
• Organisational Controls
• People Controls
• Physical Controls
• Technology Controls
ISO / IEC 27001:2022 – ANNEXURE A – NEW CONTROLS

• Threat Intelligence
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding