
ISO 27001:2022 Client Transition Checklist, v1 External and Confidential

ISO 27001:2022 Client Transition Checklist

Checklist for:
Date completed on:

© Centre for Assessment Ltd 2023. This report remains the property of Centre for Assessment.
Centre for Assessment Ltd, Lee House, 90 Great Bridgewater Street, Manchester, M1 5JW
Tel: +44 (0) 161 237 4080
e-mail: [email protected]
web: www.centreforassessment.co.uk

IMPORTANT NOTES

This checklist is a guide and aide-mémoire only. Successful completion of this plan does not guarantee
success at your transition audit, which will also require objective evidence of compliance with the
new and changed requirements.

The checklist is structured in 3 parts as follows:


- Part 1 covers the changes and additions to the main clauses 4 to 10 of ISO 27001:2022
- Part 2 covers the new and changed Annex A controls
- Part 3 covers the changes and additions that are likely to be required to an already operational information
security management system (ISMS) as a result of addressing the changes defined in parts 1 and 2

Transition dates and deadlines

- Existing ISO 27001:2017 certificates: by 31st October 2025 (3 years after publication of ISO 27001:2022) all organisations must have completed the transition to the updated version of ISO 27001 and hold an updated certificate. All ISO 27001:2017 certificates will have an expiry date no later than 31st October 2025.

Step-by-step guide to the transition process:

- Step one (Client) – Complete the 27001:2022 transition application form and submit this to Centre for Assessment as soon as possible, and at least 4 months prior to your transition audit taking place.
- Step two (Head Office) – Centre for Assessment's head office staff will review the application and inform you of the costs involved, which you should have received along with this ISO 27001 Client Transition Checklist Template.
- Step three (Auditor) – Centre for Assessment's auditor will contact you and agree the date for the transition audit.
- Step four (Client) – Complete the 27001 Client Transition Checklist Template, including details of actions taken and evidence demonstrating compliance, and have the completed document ready for the transition audit. Please note that failure to complete the Checklist will result in a chargeable cancellation of the transition audit.
- Step five (Auditor) – Centre for Assessment's auditor will complete the transition audit and identify any findings requiring a Continual Improvement Record to be completed. Note: if the transition audit identifies major non-conformances, a further audit may be required.
- Step six (Client) – If applicable, you should complete and return the Continual Improvement Record to the Auditor, along with evidence of correction and corrective action.
- Step seven (Auditor) – Upon receipt, Centre for Assessment's auditor will review the Continual Improvement Record and evidence for acceptance. If additional actions are required, you will be asked to resubmit. Once accepted, this document and associated evidence will be passed to Centre for Assessment head office for a certification decision.
- Step eight (Head Office) – Centre for Assessment's head office will undertake a panel technical review and make a certification decision.
- Step nine (Head Office) – Upon a successful outcome of the transition audit, Centre for Assessment will issue you with an ISO 27001 certificate. See the transition guide and FAQ for more details.
- END OF TRANSITION PROCESS

CHECKLIST AND ACTION LOG

Part 1 - Changes and additions to the main clauses 4 to 10 of ISO 27001:2022


Amendments in clauses 4 to 10 of ISO 27001:2022, with a summary of the additional or changed requirements within the standard. For each amendment the checklist provides three columns for the client to complete: CLIENT ACTIONS, RESPONSIBILITY and BY WHEN.

4.2 [addition of 4.2(c)]
  Amended text: "which of these [interested party] requirements will be addressed through the information security management system"
  Summary: Requirement to define which of the interested party requirements will result in subsequent actions being taken (such as identification of risk and implementation of risk treatment / control).

4.4 [addition of …]
  Amended text: "including the processes needed [for the maintenance and improvement of the ISMS] and their interactions, in accordance with the requirements of this document."
  Summary: Requirement that, dependent on the existing structure of the ISMS, organisations should consider and review ISMS processes and the implementation of process-based auditing.

6.1.3 [amended wording shown in brackets below]
  Amended text: "Annex A contains a list of possible [rather than previously "comprehensive"] information security controls."
  Summary: Change of emphasis from Annex A being 'comprehensive' to listing only possible controls. Organisations are to consider the need for additional controls (other than just the 93 in ISO 27001:2022 Annex A).

6.3 [new clause, aligning with other management system Standards]
  Amended text: "Planning of Changes" [to the ISMS]
  Summary: A new requirement, aligning with other management system standard requirements, in that there should be evidence that changes made to the ISMS are made in a controlled manner.

8.1 [additional wording]
  Amended text: "The organisation shall ensure that externally provided processes, products or services that are relevant to the ISMS are controlled" [i.e. not just "processes" as was previously defined]
  Summary: This is a clarification of existing requirements. Externally provided products and services (and processes) that are relevant to information security are to be controlled.

9.3.2(c) [addition of]
  Amended text: "changes and needs and expectations of interested parties that are relevant to the information security management system."
  Summary: An enhanced requirement in that the management review is now to include "changes and needs and expectations of interested parties that are relevant to the information security management system."

Part 2 - Annex A new and changed information security controls


Notes:
1. Comprehensive guidance for determining and implementing the new and changed Annex A controls is defined in ISO 27002:2022
2. ISO 27002:2022 states “A control is defined as a measure that modifies or maintains risk”. Therefore, each of the new and changed controls in the table
below, if declared applicable in the Statement of Applicability, needs to be associated with a risk (or risks) on the risk assessment.
3. Where a control is defined as being not applicable, the reason(s) should be summarised

New ISO 27001:2022 Annex A controls, with a summary of changes / additions. For each control the checklist provides three columns for the client to complete: CLIENT ACTIONS, RESPONSIBILITY and BY WHEN.

5.7 Threat intelligence
  Control text: Information relating to information security threats should be collected and analysed to produce threat intelligence.
  Summary of changes / additions: Threat information is to be gathered, analysed and, as necessary, addressed through risk management. Appropriate actions should be defined to detect, respond to, prevent and reduce threat impacts.

5.16 Identity management
  Control text: The full life cycle of identities shall be managed.
  Summary of changes / additions: This control is to ensure the unique identification of individuals and systems accessing information and associated assets, thereby enabling appropriate assignment of access rights. This control enhances the old ISO 27001:2013 control A.9.2.1. Identities can be assigned to an individual person, to groups of persons (i.e. shared identities), or to an IT device or asset. Identities should be controlled, and relevant records should be maintained. There should be a process for managing changes to identities, as well as identities provided by third parties.

5.17 Authentication information
  Control text: Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
  Summary of changes / additions: This control replaces ISO 27001:2013 controls A.9.2.4, A.9.3.1 and A.9.4.3 but has been significantly enhanced and includes:
  - personal passwords or PINs;
  - new, replacement or temporary authentication provision and verification of the user identity;
  - authentication information transmission;
  - post set-up changes to system and software default authentication information provided by suppliers / manufacturers;
  - retention of records of the allocation and management of authentication information and events;
  - awareness around confidentiality of authentication information.

5.23 Information security for use of cloud services
  Control text: Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements.
  Summary of changes / additions: Cloud services should be controlled from the point of procurement, through their ongoing use and management and, when no longer required, the termination of the cloud service and transfer to another provider should be carried out in a controlled manner. Risks and controls are to be considered.

5.29 Information security during disruption
  Control text: The organisation should plan how to maintain information security at an appropriate level during disruption.
  Summary of changes / additions: This control includes similar continuity requirements to ISO 27001:2013 controls A.17.1.1, A.17.1.2 and A.17.1.3, i.e. developing, implementing, testing, reviewing and evaluating plans for the security of information of critical business processes following interruption or failure. However, there is now more emphasis on "restoration".

5.30 ICT readiness for business continuity
  Control text: ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
  Summary of changes / additions: Information and communication technology (ICT) readiness arrangements need to be in place and tested to cover an ICT disaster, crisis or disruption.

6.6 Confidentiality or non-disclosure agreements
  Control text: Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
  Summary of changes / additions: This control includes similar non-disclosure and confidentiality requirements to ISO 27001:2013 Annex A.13.2.4 but now specifically requires signature by personnel and other relevant interested parties.

6.7 Remote working
  Control text: Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.
  Summary of changes / additions: This has replaced the old ISO 27001:2013 control A.6.2.2 "Teleworking". A topic-specific policy on remote working may be issued or an alternative option chosen.

7.4 Physical security monitoring
  Control text: Premises should be continuously monitored for unauthorized physical access.
  Summary of changes / additions: The physical areas that need to be monitored should be defined, along with the arrangements for continual monitoring.

7.9 Security of assets off-premises
  Control text: Off-site assets shall be protected.
  Summary of changes / additions: This enhances the old ISO 27001:2013 control A.11.2.6 with the specific addition of protection of 'bring your own devices' (BYOD).

7.10 Storage media
  Control text: Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organisation's classification scheme and handling requirements.
  Summary of changes / additions: This enhances the old ISO 27001:2013 controls A.8.3 and A.11.2.5. A topic-specific policy may be created or an alternative option chosen.

8.1 User endpoint devices
  Control text: Information stored on, processed by or accessible via user endpoint devices shall be protected.
  Summary of changes / additions: This control enhances the ISO 27001:2013 Annex A.6.2.1 and A.11.2.8 controls for mobile devices by requiring all endpoints to be controlled, not just mobile devices.

8.9 Configuration management
  Control text: Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.
  Summary of changes / additions: Security configurations of hardware, software, services and networks need to be documented, implemented, monitored and reviewed, including:
  - security configurations need to be recorded;
  - evidence is to be available of monitoring of security configurations;
  - review of the risks of manufacturers' default security configurations.
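Control 8.9 (record the security configuration, monitor it, review manufacturers' defaults) and control 5.17 above (change supplier default authentication information after set-up) are both points on which the transition auditor will ask for objective evidence. The Python script below is an added illustration, not part of the Centre for Assessment checklist, of what that evidence looks like in practice: a documented baseline, a captured configuration compared against it, a check for accounts still on a supplier default credential, and a digest of the live configuration that can be filed as the monitoring record. The baseline keys, the captured sshd_config text, the default-credential list and the stored password hashes are all constructed for the example; unsalted SHA-256 is used only to keep the comparison self-contained, since real systems store salted hashes and the practical check there is an authentication attempt with the vendor default.

```python
"""Configuration baseline drift and default-credential check (added example).

Assumptions, all constructed for illustration:
  - BASELINE is the organisation's documented, approved sshd configuration.
  - LIVE_SSHD_CONFIG is the text captured from a host during a review.
  - KNOWN_DEFAULT_CREDENTIALS is the list of supplier default logins.
  - STORED_HASHES is an unsalted SHA-256 of each local account's password,
    a simplification: production systems use salted hashes and the check is
    normally an authentication attempt with the default credential.
"""
import hashlib

BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

LIVE_SSHD_CONFIG = """\
# sshd_config captured from host bastion-01 (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
# X11Forwarding not set: the package default applies
"""

KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
}


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


STORED_HASHES = {
    "admin": sha256_hex("admin"),            # vendor default never changed
    "svc_backup": sha256_hex("Winter2024!"),
}


def parse_kv_config(text):
    """Parse 'Key value' lines, ignoring comments and blank lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def check_drift(baseline, live):
    """Return (key, expected, actual) for every baseline setting the live
    configuration does not honour. actual is None when the key is unset,
    i.e. the manufacturer's default is in force (the 8.9 default-config risk)."""
    return [(key, expected, live.get(key))
            for key, expected in baseline.items()
            if live.get(key) != expected]


def unchanged_default_credentials(stored_hashes, defaults):
    """Accounts whose stored hash equals the hash of a known supplier
    default password for that account name (5.17)."""
    return sorted(user for user, pwd in defaults
                  if stored_hashes.get(user) == sha256_hex(pwd))


def config_fingerprint(cfg):
    """Stable digest of the effective configuration; file it with the review
    date so the next review can show whether anything changed in between."""
    canonical = "\n".join(f"{k}={cfg[k]}" for k in sorted(cfg))
    return hashlib.sha256(canonical.encode()).hexdigest()


def review(baseline=BASELINE, live_text=LIVE_SSHD_CONFIG,
           stored_hashes=STORED_HASHES, defaults=KNOWN_DEFAULT_CREDENTIALS):
    live = parse_kv_config(live_text)
    return {
        "drift": check_drift(baseline, live),
        "default_credentials": unchanged_default_credentials(stored_hashes, defaults),
        "fingerprint": config_fingerprint(live),
    }


if __name__ == "__main__":
    report = review()
    for key, expected, actual in report["drift"]:
        state = "unset (vendor default)" if actual is None else actual
        print(f"DRIFT  {key}: expected {expected}, found {state}")
    for user in report["default_credentials"]:
        print(f"DEFAULT CREDENTIAL still in use for account '{user}'")
    print("config fingerprint:", report["fingerprint"])
```

Run against the constructed input the script reports three drift items (root login enabled, MaxAuthTries raised, X11Forwarding left at the package default) and one account still on its supplier default; the fingerprint plus the date of the run is the kind of record that evidences "monitoring" rather than a one-off check.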

8.10 Information deletion
  Control text: Information stored in information systems, devices or in any other storage media should be deleted when no longer required.
  Summary of changes / additions: Information, particularly sensitive information, should be deleted when no longer needed, and this includes business information, not just PII. Records should be kept of deletion, whether internal or provided by external providers.

8.11 Data masking
  Control text: Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
  Summary of changes / additions: Sensitive information, particularly PII, should be masked using techniques such as data masking, pseudonymization, anonymization, encryption and obfuscation. The requirements of legislation should be considered. Appropriate checks should be carried out to ensure that the information has been satisfactorily masked.

8.12 Data leakage prevention
  Control text: Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.
  Summary of changes / additions: Consideration needs to be given to what information should be subject to data leakage prevention (DLP) measures. Leakage channels should also be considered.

8.16 Monitoring activities
  Control text: Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
  Summary of changes / additions: The relevant networks, systems and applications that would benefit from regular monitoring for anomalous behaviour and potential security incidents should be identified. Records of monitoring should be maintained.
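For 8.16 the auditor will want to see both the detection logic and a record that monitoring ran, not just the incidents it found. The Python below is an added example, not part of the Centre for Assessment checklist, of a minimal detection pass over sshd authentication lines: it parses the lines, applies two windowed rules per source address (a burst of failed logins, and a successful login preceded by several failures from the same address), and produces a summary suitable for filing as the monitoring record. The log lines are constructed, and the thresholds are illustrative values to be tuned to the environment.

```python
"""Anomalous-authentication detection over sshd log lines (added example).

The log lines are constructed. The thresholds (5 failures in 5 minutes;
success after 3 or more recent failures) are illustrative, not recommended
values, and should be tuned to the environment being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04T02:10:01Z bastion sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-04T02:10:09Z bastion sshd[912]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-04T02:10:17Z bastion sshd[913]: Failed password for deploy from 203.0.113.7 port 51130 ssh2
2024-03-04T02:10:25Z bastion sshd[913]: Failed password for deploy from 203.0.113.7 port 51131 ssh2
2024-03-04T02:10:33Z bastion sshd[914]: Failed password for deploy from 203.0.113.7 port 51135 ssh2
2024-03-04T02:10:41Z bastion sshd[915]: Accepted password for deploy from 203.0.113.7 port 51140 ssh2
2024-03-04T02:10:41Z bastion sshd[915]: pam_unix(sshd:session): session opened for user deploy
2024-03-04T09:02:11Z bastion sshd[1207]: Failed password for alice from 198.51.100.20 port 40012 ssh2
2024-03-04T09:02:30Z bastion sshd[1208]: Accepted publickey for alice from 198.51.100.20 port 40013 ssh2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text):
    """Yield one event dict per authentication line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect_anomalies(events, fail_threshold=5, window=timedelta(minutes=5),
                     success_after=3):
    """Two rules over a sliding window per source address:
    auth-failure-burst: fail_threshold or more failures inside window;
    success-after-failures: a successful login preceded by success_after or
    more failures from the same source inside window."""
    recent_failures = defaultdict(list)
    burst_alerted = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        window_start = ev["ts"] - window
        recent = [t for t in recent_failures[ip] if t >= window_start]
        recent_failures[ip] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= fail_threshold and ip not in burst_alerted:
                burst_alerted.add(ip)          # one alert per burst, not per line
                findings.append({"rule": "auth-failure-burst", "ip": ip,
                                 "count": len(recent), "at": ev["ts"]})
        else:
            if len(recent) >= success_after:
                findings.append({"rule": "success-after-failures", "ip": ip,
                                 "user": ev["user"], "failures": len(recent),
                                 "at": ev["ts"]})
            recent_failures[ip] = []           # a success closes the sequence
    return findings


def monitoring_record(events, findings):
    """Summary to retain as evidence that monitoring took place (8.16 asks
    for records of monitoring, not only of the incidents it surfaces)."""
    events = sorted(events, key=lambda e: e["ts"])
    return {
        "events_reviewed": len(events),
        "from": events[0]["ts"].isoformat() if events else None,
        "to": events[-1]["ts"].isoformat() if events else None,
        "sources_seen": sorted({e["ip"] for e in events}),
        "findings": len(findings),
    }


if __name__ == "__main__":
    events = list(parse_auth_log(SAMPLE_LOG))
    findings = detect_anomalies(events)
    for f in findings:
        print(f["at"].isoformat(), f["rule"], f["ip"], f.get("user", ""))
    print(monitoring_record(events, findings))
```

On the constructed lines the burst rule fires at the fifth failure from 203.0.113.7 and the second rule fires on the "Accepted" that follows it, which is the event that actually needs evaluating as a potential incident; the single failure from 198.51.100.20 followed by a key-based success is ordinary user behaviour and produces nothing.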
8.23 Web filtering
  Control text: Access to external websites should be managed to reduce exposure to malicious content.
  Summary of changes / additions: Access to external websites is to be controlled.

8.26 Application security requirements
  Control text: Information security requirements should be identified, specified and approved when developing or acquiring applications.
  Summary of changes / additions: This control replaces the ISO 27001:2013 controls A.14.1.2 and A.14.1.3, but there is now a wider scope and a clearer definition of the requirements. Whether internally developed or acquired, application security requirements should be defined and approved. The security requirements for transactional services should be defined, as should the security requirements for electronic ordering and payment applications.

8.28 Secure coding
  Control text: Secure coding principles should be applied to software development.
  Summary of changes / additions: Secure coding principles and minimum standards should be defined in order to reduce security vulnerabilities in developed software.

8.34 Protection of information systems during audit testing
  Control text: Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.
  Summary of changes / additions: This enhances the old ISO 27001:2013 control A.12.7.1 and now includes management approval.

Part 3 – Other changes necessary to an ISMS as a result of ISO 27001:2022


Notes:
1. Various other changes are likely to be required to an already operational information security management system (ISMS) as a result of addressing the
changes defined in parts 1 and 2 above and transitioning to ISO 27001:2022
2. These changes are summarised below and evidence is required of the effective implementation of these in the table below

Other ISMS changes, with other considerations. For each entry the checklist provides three columns for the client to complete: CLIENT ACTIONS, RESPONSIBILITY and BY WHEN.

5.2 Information security policy [statement] … updated if necessary
  Other considerations: Update as necessary.

6.1.2 Risk assessment results
  Other considerations: If an organisation has used the Annex A control references within their risk assessment results and risk treatment plan, the control numbers will need to be updated or a suitable cross reference provided.

6.1.3 Statement of Applicability … updated with new controls
  Other considerations: The Statement of Applicability needs to be updated with the new controls, or a cross reference provided from the 2013 controls to the 2022 controls. There needs to be justification for inclusion or exclusion of the new controls.
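The 6.1.2 and 6.1.3 items above, together with notes 2 and 3 of Part 2, amount to three mechanical checks: rewrite the old control references, find applicable new controls that no risk points at, and list excluded new controls that still need a written justification. The Python below is an added example, not part of the Centre for Assessment checklist, that performs those checks over a constructed risk register and Statement of Applicability. Its mapping table contains only the 2013-to-2022 relationships this checklist itself states and is therefore partial by design; references it cannot translate are reported for manual cross-referencing against ISO/IEC 27002:2022 Annex B rather than guessed.

```python
"""Risk register / SoA cross-reference check for the 2022 transition
(added example, not part of the Centre for Assessment checklist).

MAPPING_2013_TO_2022 is deliberately PARTIAL: it holds only the old-to-new
relationships stated in Part 2 of this checklist. The complete correspondence
is in ISO/IEC 27002:2022 Annex B; anything absent from the partial table is
reported for manual cross-referencing rather than guessed. The register rows
and SoA set are constructed sample data.
"""

# 2013 control reference -> 2022 control, as stated in Part 2 above.
MAPPING_2013_TO_2022 = {
    "A.9.2.1": "5.16",
    "A.9.2.4": "5.17", "A.9.3.1": "5.17", "A.9.4.3": "5.17",
    "A.17.1.1": "5.29", "A.17.1.2": "5.29", "A.17.1.3": "5.29",
    "A.13.2.4": "6.6",
    "A.6.2.2": "6.7",
    "A.11.2.6": "7.9",
    "A.8.3": "7.10", "A.11.2.5": "7.10",
    "A.6.2.1": "8.1", "A.11.2.8": "8.1",
    "A.14.1.2": "8.26", "A.14.1.3": "8.26",
    "A.12.7.1": "8.34",
}

# The eleven controls introduced in ISO/IEC 27002:2022 with no 2013
# predecessor (the Part 2 entries above that cite no old control).
NEW_2022_CONTROLS = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10",
                     "8.11", "8.12", "8.16", "8.23", "8.28"}

SAMPLE_REGISTER = [   # constructed
    {"id": "R1", "risk": "Shared or orphaned accounts on the HR system",
     "controls": ["A.9.2.1", "A.9.2.4"]},
    {"id": "R2", "risk": "Penetration test disrupts production",
     "controls": ["A.12.7.1", "A.12.4.1"]},
    {"id": "R3", "risk": "Firewall rule drift",
     "controls": ["8.9"]},              # already written in 2022 numbering
]
SAMPLE_SOA_APPLICABLE = {"5.7", "5.16", "5.17", "8.9", "8.11", "8.34"}


def control_sort_key(ref):
    """Numeric ordering so that 5.7 sorts before 5.16 and 8.9 before 8.10."""
    return tuple(int(p) for p in ref.split("."))


def remap_controls(refs):
    """Translate 2013 'A.x.y.z' references; pass 2022 references through.
    Returns (new_refs, unmapped). Duplicates produced by merged controls
    (e.g. A.9.2.4 and A.9.3.1 both becoming 5.17) are collapsed."""
    new_refs, unmapped = [], []
    for ref in refs:
        if ref in MAPPING_2013_TO_2022:
            target = MAPPING_2013_TO_2022[ref]
        elif ref.startswith("A."):
            unmapped.append(ref)       # not in the partial table: cross-reference by hand
            continue
        else:
            target = ref
        if target not in new_refs:
            new_refs.append(target)
    return new_refs, unmapped


def transition_check(register, soa_applicable):
    remapped, unmapped, linked = [], {}, set()
    for row in register:
        new_refs, missing = remap_controls(row["controls"])
        remapped.append(dict(row, controls=new_refs))
        linked.update(new_refs)
        if missing:
            unmapped[row["id"]] = missing
    return {
        "register": remapped,
        "unmapped": unmapped,
        # Part 2 note 2: an applicable control must be associated with a risk.
        "new_controls_without_risk": sorted(
            (NEW_2022_CONTROLS & soa_applicable) - linked, key=control_sort_key),
        # Part 2 note 3: an excluded control needs a recorded reason.
        "not_applicable_needing_justification": sorted(
            NEW_2022_CONTROLS - soa_applicable, key=control_sort_key),
    }


if __name__ == "__main__":
    result = transition_check(SAMPLE_REGISTER, SAMPLE_SOA_APPLICABLE)
    for row in result["register"]:
        print(row["id"], row["controls"])
    print("manual cross-reference needed:", result["unmapped"])
    print("applicable new controls with no risk:", result["new_controls_without_risk"])
    print("excluded new controls needing justification:",
          result["not_applicable_needing_justification"])
```

On the sample data R1's two 2013 references collapse into 5.16 and 5.17, R2 keeps 8.34 but A.12.4.1 is reported for manual cross-referencing, and 5.7 and 8.11 are flagged because the SoA declares them applicable while no risk in the register treats them.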

6.3 "Planning of Changes" [to the ISMS]
  Other considerations: As required by clause 6.3, for the changes made to the ISMS as a result of implementing ISO 27001:2022, there should be evidence of planning and control of these changes.

7.2, A.6.3 Competence and information security awareness
  Other considerations: Relevant employees and contractors should have been made aware of the new and changed requirements and controls in the ISMS to ensure that they are competent to implement and maintain these. Documented evidence of any new competences, awareness and training should be maintained.

7.5, A.5.1 ISMS documentation updated if required, such as an ISMS manual, topic-specific policies (as defined in A.5.1), audit checklists, etc.
  Other considerations: ISMS documentation needs to be updated as required to reflect the new controls and the changed numbering of existing controls.

9.2 Internal audits carried out by the client (of the new and changed ISO 27001:2022 requirements, including the new Annex A controls)
  Other considerations: The new and changed requirements in clauses 4 to 10 and in Annex A need to be subject to internal audit. CfA strongly urges clients to carry out these audits prior to the external ISO 27001:2022 transition audit. However, in lieu of the audits being completed, CfA will accept an internal audit programme that shows when these new and changed requirements will be audited, within reasonable timescales and based on risk. Note also the potential need for process audits, as defined in clause 4.4 above (in Part 1 of this report), if process audits were not previously carried out.

9.3 Management review carried out by the client (of the new and changed ISO 27001:2022 requirements)
  Other considerations: The new and changed requirements in clauses 4 to 10 and in Annex A need to be subject to management review. CfA strongly urges clients to carry out this management review prior to the external ISO 27001:2022 transition audit. However, in lieu of a full management review, CfA will accept evidence of clause 9.3.2(c) only being reviewed by top management, together with a planned date for the full review taking place within reasonable timescales.
