Changes in the audit of controls according to the new version of ISO/IEC 27002:2022

Title: Changes in the audit of controls according to the new version of ISO/IEC 27002:2022
Author: Milosavljevic, Nikola
Type of thesis: Diploma thesis
Supervisor: Svatá, Vlasta
Opponent: Sigmund, Tomáš
Language: English
Abstract:
The standard ISO/IEC 27002 was revised, and a new version was published in 2022, changing the list of information security controls given in the standard. Because of this revision, the certification audit process for ISO/IEC 27001 certification will be affected. The primary goal of this thesis is to analyse the newly introduced controls and their impact on the certification audit process against the standard ISO/IEC 27001. The thesis starts with an overview of the ISO 27000 family and its main standards and an overview of the changes introduced in the new versions of both ISO/IEC 27001 and ISO/IEC 27002, followed by an overview of the theory behind audits and information security audits. All new controls from the standard ISO/IEC 27002 are described and discussed in terms of risks, control activities, and testing steps. For each of these controls, a risk control matrix (RCM) is developed and presented in the thesis. The developed RCMs are demonstrated through a case study written on an example company. It is described how the new controls will affect the example company and what evidence will have to be collected to provide assurance that the new controls are designed and operating effectively.
Keywords: ISMS; ISO/IEC 27002; ISO/IEC 27001; IT Audits; Information security

Study information

Study programme / field: Information Systems Management
Type of study programme: Master's study programme
Degree awarded: Ing.
Degree-awarding institution: Vysoká škola ekonomická v Praze (Prague University of Economics and Business)
Faculty: Fakulta informatiky a statistiky (Faculty of Informatics and Statistics)
Department: Katedra systémové analýzy (Department of Systems Analysis)

Submission and defence information

Date of assignment: 20. 10. 2022
Date of submission: 28. 6. 2023
Date of defence: 29. 8. 2023
Identifier in the InSIS system: https://insis.vse.cz/zp/82446/podrobnosti
