Expert Advice Community

Clause reference

Guest user Created:   Nov 18, 2022 Last commented:   Nov 18, 2022

I have a quick question regarding the clause reference. I am assuming that the first column references the ISO standard and then, during the audit, I map the corresponding control in the evidence section?

For example, if the organization does not have suppliers specified in A.5.22 but in A.15.1 I just map the evidence to the question?

Expert
Rhand Leal Nov 18, 2022

From your question, I understand that you want to know how to use an internal audit checklist based on ISO 27001:2013 considering the references from ISO 27001:2022.

Considering that, your first assumption is correct. The first column references the ISO standard clause. 

Regarding mapping the corresponding control in the evidence section, I suggest you add a second column beside the column clause, so you can have the two columns providing the link between the clause from both versions. For example: https://i.imgur.com/JFfCfM7.png

This way works better when you handle multiple controls from ISO 27001:2013 that were merged into a single control in ISO 27001:2022 (this data about controls placed in a specific column makes reading them easier).

For further information, see:
