Clause reference
I have a quick question regarding the clause reference. I am assuming that first column references the ISO standard and then during the audit in the evidence section I map the corresponding control?
For example, if the organization does not have suppliers specified in A.5.22 but in A.15.1 I just map the evidence to the question?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
From your question I’m understanding you want to know how to use an Internal audit checklist based on ISO 27001:2013 considering the references from ISO 27001:2022.
Considering that, your first assumption is correct. The first column references the ISO standard clause.
Regarding mapping the corresponding control in the evidence section, I suggest you add a second column beside the column clause, so you can have the two columns providing the link between the clause from both versions. For example: https://i.imgur.com/JFfCfM7.png
This way works better when you handle multiple controls from ISO 27001: 2013 that were merged in a single control in ISO 27001:2022 (this data about controls placed in a specific column makes reading them easier).
For further information, see:
- ISO 27001:2013 to ISO 27001:2022 Conversion Tool https://advisera.com/insight/iso-27001-2013-to-iso-27001-2022-conversion-tool/
Comment as guest or Sign in
Nov 18, 2022