Changes in the audit of controls according to the new version of ISO/IEC 27002:2022
Thesis title: | Changes in the audit of controls according to the new version of ISO/IEC 27002:2022 |
---|---|
Author: | Milosavljevic, Nikola |
Thesis type: | Diploma thesis |
Supervisor: | Svatá, Vlasta |
Opponents: | Sigmund, Tomáš |
Thesis language: | English |
Abstract: | The standard ISO/IEC 27002 was revised, and a new version was published in 2022, changing the list of information security controls given in the standard. This revision will impact the certification audit process for ISO/IEC 27001 certification. The primary goal of this paper is to analyse the newly introduced controls and their impact on the certification audit process against the standard ISO/IEC 27001. The paper starts with an overview of the ISO 27000 family and its main standards and an overview of the changes introduced in the new versions of both ISO/IEC 27001 and ISO/IEC 27002, followed by an overview of the theory behind audits and information security audits. All new controls from the standard ISO 27002 are described and discussed in terms of risks, control, and testing steps. For each of these controls, a risk control matrix (RCM) is developed and presented in the paper. The developed RCMs are demonstrated through a case study written for an example company. It describes how the new controls will impact the example company and what evidence will have to be collected to provide assurance that the new controls are designed and operating effectively. |
Keywords: | ISMS; ISO/IEC 27002; ISO/IEC 27001; IT Audits; Information security |
Information about study
Study programme: | Information Systems Management |
---|---|
Type of study programme: | Master's study programme |
Assigned degree: | Ing. |
Institutions assigning academic degree: | Vysoká škola ekonomická v Praze |
Faculty: | Faculty of Informatics and Statistics |
Department: | Department of Systems Analysis |
Information on submission and defense
Date of assignment: | 20. 10. 2022 |
---|---|
Date of submission: | 28. 6. 2023 |
Date of defense: | 29. 8. 2023 |
Identifier in the InSIS system: | https://insis.vse.cz/zp/82446/podrobnosti |