Document Review and Fieldwork Under the 2022 Revision

Lesson 18/23 | Study Time: 20 Min

In auditing under ISO/IEC 27001:2022, document review and fieldwork are critical components that ensure a comprehensive evaluation of the Information Security Management System (ISMS) in alignment with the updated standard.

The 2022 revision introduces new requirements and controls that require auditors to adjust their approach during both the document review phase and on-site fieldwork.

Understanding these changes helps auditors accurately verify compliance, identify risks, and assess the effectiveness of controls.

Document Review Under the 2022 Revision

Auditing under the revised ISO/IEC 27001 involves evaluating refreshed documentation that demonstrates compliance with the new structure. The list below outlines the key documentation components for review.


1. Updated Documentation Requirements: Auditors should expect revised or new documentation reflecting the streamlined 93 Annex A controls, updated clauses including Clause 6.3 on planning for changes, and enhanced risk management practices.


2. Statement of Applicability (SoA): The SoA must be reviewed carefully to ensure it accurately lists applicable controls, including newly introduced ones, and justifies any exclusions in accordance with organizational risk assessments.


3. Change Management Records: Documents detailing ISMS change management processes, impact analysis, and approval workflows become more critical due to added planning requirements.


4. Control Implementation Evidence: Documentation supporting control effectiveness, such as reports on threat intelligence activities, secure cloud configurations, and monitoring logs, needs to be evaluated during this phase.


5. Risk Assessment and Treatment Plans: The latest risk assessments and treatment plans must be reviewed to verify they conform to the updated risk-based approach outlined in the revision.

Fieldwork Execution Under the 2022 Revision


Audit fieldwork now demands closer attention to emerging control areas and contextual risk applications. Here are the areas where auditors should focus their evaluations and observations.


1. Verification of Control Implementation: Physical inspection and interviews should confirm that new and updated controls are effectively implemented, such as continuous physical security monitoring and secure coding practices.


2. Risk-Based Sampling: Fieldwork should prioritize audit samples based on organizational context and risk profiles, reflecting the flexible approach encouraged by the new standard.


3. Evaluation of New Operational Domains: Auditors need to assess the operation of technological, people, physical, and organizational controls within their distinct domains, ensuring understanding and practical application.


4. Management and Employee Interviews: Inquiries should focus on leadership involvement in ISMS changes, awareness of new control requirements, and communication effectiveness.


5. Incident and Monitoring Reviews: Review of security incidents, monitoring activities, and corrective actions related to new controls must form part of the audit fieldwork.