In which of its clauses ISO 27001:2022 asks to consider?

ISO 27001:2022 states that when the organization determines the need for

changes to the ISMS, the changes shall be carried out in a planned manner in its

clause :

Annex A of ISO 27001:2022 defines 4 categories (organizational, people,

physical and technological) to group the 93 information security controls.

Once the audit has been carried out, the auditor in charge of the audit must

prepare the Audit Report. This report establishes:

a. Audit objectives

b. Scope of the audit.

c. Auditees and the audit period.

d. Documentation of the contact person.

e. Documentation of the lead auditor and other auditors.

f. Dates and locations where the audit activities took place.

g. Audit criteria.

h. Audit statements.

i. Audit Conclusions.

The audit objectives define what is to be achieved with the individual audit.

The Statement of Applicability (SoA) must contain:

a. The controls necessary to implement the chosen information security

risk treatment option(s).

b. Justification of inclusions.

c. Whether or not the necessary controls are implemented.

d. Justification for exclusions from any of the controls in annex A.

During the closing meeting the lead auditor should explain, for example, any

related post-audit activities (e.g., implementation and review of corrective

actions, handling of audit complaints, appeals process).