Expert Advice Community

New implementation: ISO 27001:2013 + ISO 27002:2022

Guest
Guest user Created:   May 22, 2022 Last commented:   May 27, 2022

Hi ISO people. I'm in the middle of an ISO 27001:2013 implementation. I'm just finishing chapter 9. Now I've read ISO 27002:2022 and I would like to implement the new controls instead of the Annex from ISO 27001:2013. Will that get me in trouble if I write that we've decided to use the new set of controls and excluded the Annex from 2013 completely?
Expert
Rhand Leal May 22, 2022

This will depend on the date you want to be certified. In case you want to be certified before March 2023 - go with 2013 revision, after March 2023 go with 2022 revision.

Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (in general this transition period is two years after a change in a management system standard is released, which is plenty of time to do this transition for most controls).

For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/ 
- Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/

radsec May 23, 2022

To clear things up, I was talking about getting certified in the old ISO 27001:2013, but excluding the annex and implementing controls from the new ISO 27002:2022.

In my opinion you should be able to exclude the whole annex, justify with "New controls fit the organization better". Then implement controls from the new ISO 27002:2022 (justified with risk assessment).

My question is then, is my justification for exclusion likely to be accepted by an external auditor?

Expert
Rhand Leal May 27, 2022

First of all, sorry for this confusion.

Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).

Our previous answer took into consideration that you stated you are finishing section 9, and unless it is imperative that you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more recommendable, and it is possible.
