Hi ISO people.
I'm in the middle of an ISO 27001:2013 implementation. I'm just finishing chapter 9.
Now I've read ISO 27002:2022 and I would like to implement the new controls instead of Annex from ISO 27001:2013.
Will that get me in trouble if I write that we've decided to use the new set of controls and excluded Annex from 2013 completely?
This will depend on the date you want to be certified. In case you want to be certified before March 2023, go with the 2013 revision; after March 2023, go with the 2022 revision.
Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (in general this transition period is two years after a change in a management system standard is released, which is plenty of time to do this transition for most controls).
To clear things up, I was talking about getting certified in the old ISO 27001:2013, but excluding the annex and implementing controls from the new ISO 27002:2022.
In my opinion you should be able to exclude the whole annex, justify with "New controls fit the organization better". Then implement controls from the new ISO 27002:2022 (justified with risk assessment).
My question is then, is my justification for exclusion likely to be accepted by an external auditor?
Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).
Our previous answer took into consideration that you stated you are finishing section 9, and unless it is imperative that you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more recommendable, and it is possible.