Common Issues Identified During Audits of ISO 27001:2022

Wayne Armstrong, Senior Information Security Consultant and Consultant Manager at URM
Published on 09 April 2026
SUMMARY

In this blog, we highlight the most common issues identified during audits of organisations that have transitioned to ISO 27001:2022.  We examine recurring gaps in internal audit coverage, inconsistencies in risk management practices, and challenges in reassessing control maturity following the updated Annex A.  We also consider the practical application of ISO 27002:2022 control attributes and explore common weaknesses in management review inputs, particularly the need to evidence changes in interested parties’ requirements and expectations.  Finally, we outline a number of operational control requirements that are frequently overlooked in practice.

As many will already know, the 2013 version of ISO 27001 has now been formally withdrawn, and all organisations that are still certified have transitioned to the 2022 version of the Standard.  During audits conducted throughout the transition period, URM identified a number of issues that arose either directly as a result of organisations moving to the new version of the Standard, or that had existed previously but have come into sharper focus as a consequence of the transition.

The points below reflect recurring themes observed across multiple audits, and serve as a useful sense check for organisations seeking assurance that their information security management system (ISMS) has fully adapted to the intent and practical implications of the latest version of the Standard.

The ISO 27001 Internal Audit Programme

Clause and control coverage

Clause 9.2 of ISO 27001 requires you to conduct internal audits at planned intervals to establish whether your ISMS conforms to your organisation's own and the Standard’s requirements.  As such, organisations must create an audit programme that covers both their own policy requirements, and the mandatory clauses and applicable controls from ISO 27001:2022.  However, it is fairly common that organisations have no means of determining whether this has been achieved within their audit programme, particularly for the Annex A controls.  

You therefore need a way to track which clauses and controls have been audited over the course of the audit programme.  This tracking is essential to demonstrate that audit coverage is complete (or at least planned) across the full scope of the ISMS.  In addition, by the end of the certification cycle, you must be able to provide evidence that all mandatory clauses and applicable controls have been audited during the certification period.

Considering the importance of processes

Clause 9.2 of the Standard also requires you to ‘consider the importance of the processes concerned’ when planning the ISO 27001 internal audit programme; one of the most effective means of doing so is to use the output from the risk assessment process.  As a general rule of thumb, business processes identified as higher risk should be audited more often, while lower risk areas are likely to need less frequent audits.  

Having identified the higher risk areas, you can also identify the controls relevant to those areas, which should be audited more often.  For example, if the audit programme is planned to cover the period of ISO 27001 certification (typically 3 years), then controls associated with higher risk areas may be audited 2-3 times per year, whereas controls associated with areas of lower risk may only be looked at annually, or perhaps even just once over the 3-year period.    
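As an added example that is not part of URM's post, the Python below implements the tracking described in the two sections above: it compares internal audit records against the ISMS scope (mandatory clauses plus the controls marked applicable in the SoA) for one certification cycle, applies a risk-based minimum audit frequency, and flags references that appear in audit records but are not in scope, which is how stale 2013 control numbering tends to surface.  The scope, risk ratings, minimum frequencies and audit records are all constructed for illustration and are not from any real ISMS.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Minimum number of audits per 3-year certification cycle by risk rating.
# Assumed policy values that follow the rule of thumb in the text: higher-risk
# areas 2-3 times a year, lower-risk areas at least once per cycle.
MIN_AUDITS_PER_CYCLE = {"high": 6, "medium": 3, "low": 1}


@dataclass(frozen=True)
class AuditRecord:
    audit_id: str
    performed: date
    covered: tuple  # ISO 27001:2022 clause and Annex A control references examined


def coverage_report(scope, records, cycle_start, cycle_end):
    """Compare audit records against the ISMS scope for one certification cycle.

    scope maps every mandatory clause and every control marked applicable in the
    SoA to its risk rating ("high", "medium" or "low"). Returns how often each
    item was audited, which items fall short of the minimum for their rating,
    and references found in audit records that are not in scope (typically
    2013 control numbering that was never updated, or a control the SoA excludes).
    """
    counts = Counter({ref: 0 for ref in scope})
    unknown = set()
    for rec in records:
        if not (cycle_start <= rec.performed <= cycle_end):
            continue  # evidence from another cycle does not count towards this one
        for ref in rec.covered:
            if ref in scope:
                counts[ref] += 1
            else:
                unknown.add(ref)
    shortfall = {
        ref: (counts[ref], MIN_AUDITS_PER_CYCLE[rating])
        for ref, rating in scope.items()
        if counts[ref] < MIN_AUDITS_PER_CYCLE[rating]
    }
    return {"counts": dict(counts), "shortfall": shortfall, "unknown_refs": sorted(unknown)}


# Constructed sample data: a small scope and four audit records, one of which
# predates the current cycle and one of which still cites 2013 numbering
# (A.9.4.4 was "Use of privileged utility programs" in the 2013 Annex A; the
# equivalent 2022 control is 8.18).
SCOPE = {
    "9.2": "medium",   # internal audit (mandatory clause)
    "9.3": "medium",   # management review (mandatory clause)
    "5.1": "low",      # Policies for information security
    "5.15": "high",    # Access control
    "8.18": "medium",  # Use of privileged utility programs
}

RECORDS = [
    AuditRecord("IA-2024-01", date(2024, 3, 12), ("9.2", "5.15", "A.9.4.4")),
    AuditRecord("IA-2024-02", date(2024, 9, 30), ("5.15", "8.18")),
    AuditRecord("IA-2025-01", date(2025, 4, 8), ("9.3", "5.15", "5.1")),
    AuditRecord("IA-2022-03", date(2022, 11, 1), ("5.1", "9.2")),  # previous cycle
]

CYCLE_START, CYCLE_END = date(2023, 6, 1), date(2026, 5, 31)


def example_report():
    """Run the tracker over the constructed sample data."""
    return coverage_report(SCOPE, RECORDS, CYCLE_START, CYCLE_END)


if __name__ == "__main__":
    report = example_report()
    for ref, (done, needed) in sorted(report["shortfall"].items()):
        print(f"{ref}: audited {done} of {needed} times required this cycle")
    if report["unknown_refs"]:
        print("references not in scope (stale numbering?):", report["unknown_refs"])
```

Run against the sample data, the report shows control 5.1 (low risk) already satisfied after a single audit, 5.15 (high risk) at three of the six audits the assumed policy requires, and "A.9.4.4" flagged as a reference outside the 2022 scope, exactly the kind of document that the section on control changes says should be checked.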

Changes to controls in ISO 27001:2022

The two issues outlined above have always existed; however, in their transition to the new version of the Standard, some organisations have not fully accounted for the introduction of the revised Annex A control set in ISO 27001:2022.  Many of the controls map to their predecessors, but due to some being merged and additional guidance for each control being provided in ISO 27002:2022, the importance of individual controls may have changed.  Titles, requirement wording, and the numbering of certain controls have also changed.  

In light of these changes, it is advisable to confirm that this information is reflected accurately across your internal audit programme documentation, making sure to check every document that references controls, not just the internal audit schedule.  

Beyond keeping documentation current, you also need to take care when planning and conducting the internal audits themselves.  Auditors must be aware of the changes to requirements introduced in ISO 27001:2022 to ensure that they are auditing the controls correctly.  If you haven’t done so already, it may be necessary to provide training to auditors covering the changes in the Standard.

The Risk Management Programme

ISO 27001:2022 introduced a requirement in Clause 8.1 to establish criteria for the processes needed to meet the Standard's requirements and to implement the actions determined in Clause 6 (which includes risk management), and to control those processes in accordance with the criteria, with the aim of ensuring a consistent approach.  For risk management, this means that whenever your organisation conducts a risk assessment, the process, and therefore its outputs, should be consistent regardless of who has conducted it or why.

However, in a number of cases, the criteria for performing these processes (which include management of objectives and change management, as well as risk management) have not been clearly established, potentially leading to inconsistencies in process execution.  

Controls maturity

As stated above, many of the Annex A controls have been updated - both in terms of control requirements and the guidance provided in ISO 27002, ensuring that current best practice is considered.  This impacts the risk assessment process because, as part of that process, you must assess the effectiveness of the controls you have implemented to mitigate relevant threats.  

Generally, when performing risk assessments, a scoring system will be used to determine impact and likelihood.  You should not assume that a threat which previously scored as low likelihood will automatically retain the same rating now the ISMS is aligned to ISO 27001:2022.  Both changes to the wording of the requirement itself, and particularly the updated guidance in ISO 27002, mean that the maturity of a control may need to be re-evaluated.  You will also need to ensure that you have relevant and sufficient documentation to demonstrate that this re-evaluation has taken place.  

Use of attributes

Organisations sometimes struggle to document a justification for inclusion of controls within their Statement of Applicability (SoA), as required by Clause 6.1.3.  Generally, it is suggested that this is achieved by simply referring to the threat that the control is designed to mitigate, or perhaps the risk identification number that has been documented.  

However, the updated version of ISO 27002 now provides an alternative method of justifying control inclusions with the introduction of control attributes.  These attributes are:

  • Control type
  • Information security properties
  • Cybersecurity concepts
  • Operational capabilities
  • Security domains.  

Control attributes can be combined to identify controls that suit a specific purpose.  For example, if you are looking to configure systems to prevent unauthorised access to your information assets, look for the preventive (control type), confidentiality (information security properties) and secure configuration (operational capabilities) attributes in the list of controls.  Several controls carry all three; one of them is Control 8.18 (Use of privileged utility programs).

Having identified the appropriate control, you can use the attributes to formulate your justification for implementation, i.e., the control is required to ensure the secure configuration of systems in order to prevent unauthorised access to information assets.  

While there is no requirement to use the control attributes, they do provide an alternative method of selecting controls in the first place, as well as a straightforward way to document justification of their inclusion in the SoA.

Management Review

It is generally accepted that the list of considerations in Clause 9.3.2 (Management review inputs) essentially provides the agenda that should be used during management reviews.  In the 2022 version of the Standard, a new item has appeared on this agenda, i.e., 9.3.2c, changes in the needs and expectations of interested parties.  

Some organisations have missed this completely, but those that haven’t should not fall into the trap of believing that it is a simple update to the agenda.  This addition likely requires a new process to be introduced within the ISMS, as you need to identify if there have actually been any changes to interested parties’ needs and expectations.  For example, if one of your interested parties is the Information Commissioner’s Office (ICO), you need to periodically check whether there have been any changes to what the ICO expects, probably by reviewing their website.  

This process needs to be applied to all of your interested parties so that you can clearly determine whether relevant changes have occurred, and retain evidence of those changes.  Equally important, where no changes are identified, evidence of the checks being performed must also be retained so that you can confidently conclude during management reviews that no changes have occurred.

Operational Control Requirements

We have previously explained how internal audit and risk management processes have been impacted by changes to control requirements in Annex A, but these changes also mean that you may need to update your approach to operating these controls.  Below are some examples of updated control requirements that may have been missed when transitioning to ISO 27001:2022.

5.1 Policies for information security

This control now requires policies to be acknowledged by relevant personnel and by relevant interested parties.  

5.15 Access control

The rules associated with access control are now specifically required to cover physical as well as logical access, and the guidance states that the two should be aligned.  For example, if a certain level of clearance is required for logical access to specific information that resides on a particular server, then the physical access to the server should also require at least the same level of clearance.  

5.23 Information security for use of cloud services

This is a new control in the 2022 version, but its wording highlights something that should be in place for all third-party relationships, namely a defined exit from those relationships.  When the relationship with a supplier ends, for whatever reason, provision needs to be made for the return or destruction of any assets in their possession and for disabling their access to the organisation’s systems.

6.5 Responsibilities after termination or change of employment

A change of this control’s wording and some additional guidance in ISO 27002 means that you not only need to reiterate the restrictive covenants within contracts of employment or engagement, but also communicate the fact that a person is leaving the organisation to other personnel.  This helps to ensure that processes the leaver was involved in can continue operating by planning the leaver’s replacement.

Final Word

During the transition to the 2022 version of the Standard, most organisations will have identified the actions required to remain conformant with the Standard.  However, URM’s audit experience indicates that certain requirements have occasionally been missed, such as those highlighted in this blog - it is also possible that other gaps remain overlooked.  

As such, it is strongly recommended that organisations thoroughly re-read both ISO 27001 and ISO 27002 to confirm that all requirements have been fully addressed.  This is particularly important where processes need to be in place that will generate evidence over time.  While such evidence may not have been required during initial transition assessments, as controls or processes were newly introduced, it will be expected as organisations approach their first continual assessment visits against the 2022 version of the Standard.  Ensuring that these processes are operating effectively, and that appropriate evidence exists, will help avoid nonconformities during more formal audits and assessments.

How URM Can Help

Consultancy

With two decades of experience assisting organisations’ ISO 27001 implementation and 400+ successful certification projects behind us, URM is the ideal partner to support any aspect of your organisation’s initial certification to the Standard or ongoing conformance.  We can provide a range of ISO 27001 support services to help you meet the Standard’s requirements in full, and maintain and continually improve your ISMS.  For example, we can conduct an ISO 27001 gap analysis, where we establish where you are already conformant and those areas which may require further improvement.  Using our proven risk assessment tool, Abriska™ 27001, we can also help you conduct your ISO 27001 risk assessment, and work with you to develop policies, processes and ISMS infrastructure which are aligned with both the Standard and your organisation’s unique style, culture and needs.

URM can also offer the full range of internal audit services.  For those that are not yet certified, we can conduct an internal audit ahead of your certification assessment to ensure the ISMS is functioning as intended.  Meanwhile, for ongoing conformance support, we can plan and implement a full 3-year ISO 27001 audit programme, or audit more specific aspects of the ISMS or particular controls.

Training

In addition to our consultancy services, URM also regularly delivers a range of ISO 27001-related training courses; our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information.  Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.

Wayne Armstrong
Wayne is a Senior Information Security Consultant and Consultant Manager at URM with over 30 years’ experience in IT, information security and risk management. He has attained and maintained CISSP, CISMP, PCIRM, and CISA qualifications and is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
