Clause reference
I have a quick question regarding the clause reference. I am assuming that the first column references the ISO standard and then during the audit in the evidence section I map the corresponding control?
For example, if the organization does not have suppliers specified in A.5.22 but in A.15.1 I just map the evidence to the question?
From your question, I understand you want to know how to use an internal audit checklist based on ISO 27001:2013 considering the references from ISO 27001:2022.
Considering that, your first assumption is correct. The first column references the ISO standard clause.
Regarding mapping the corresponding control in the evidence section, I suggest you add a second column beside the clause column, so you can have the two columns providing the link between the clauses from both versions. For example: https://i.imgur.com/JFfCfM7.png
This way works better when you handle multiple controls from ISO 27001:2013 that were merged into a single control in ISO 27001:2022 (this data about controls placed in a specific column makes reading them easier).
For further information, see:
- ISO 27001:2013 to ISO 27001:2022 Conversion Tool https://advisera.com/insight/iso-27001-2013-to-iso-27001-2022-conversion-tool/
Nov 18, 2022