Internal Audit for ISO 27001:2022

The International Organization for Standardization (ISO) is an independent, non-governmental, international standard development organization. The ISO develops standards for best practices that are internationally agreed upon by experts. Within the ISO’s list of standards for best practices, there is an area that is constantly evolving and needs to be addressed: information security. The ISO 27001:2022 standard is the most recent update to the standards for information security management systems (ISMS) for organizations. A key component of ISO 27001 implementation is the required annual internal audit of the organization’s ISMS.

What is ISO 27001:2022?

ISO 27001 sets the standard and defines the requirements that an organization’s ISMS must meet. This standard provides businesses of all sizes, from all sectors, with guidelines for establishing, implementing, maintaining, and continually improving the ISMS. Compliance with the ISO 27001 standard means that there is a system in place to manage risks related to the security of data owned or data handled by the organization. Organizations will use this standard as guidance for tailoring their ISMS as appropriate by following guidelines for selecting and implementing appropriate information security controls. These controls are listed in Annex A of the ISO 27001 standard.

The 2022 updates to the ISO 27001 standard included some major and minor changes to the structure, wording, and alignment of the guidelines provided to organizations. Some of the notable adjustments in Annex A include:

  1. The structure of Annex A has been consolidated into four principal areas: Organizational, People, Physical, and Technological.
  2. The number of controls in Annex A has decreased from 114 controls to 93 controls overall. Some controls from the previous list have been merged, some have been removed completely, new controls have been introduced, and others have been updated as practices and technologies evolve.

The 2022 update is in response to the constant changes in the global digital landscape and the evolution of organizational procedures and technology. With organizations developing new business practices, employees working from home, and “bring your own device” practices being implemented, core business practices are becoming increasingly cloud-based and reliant on technology. The updates to the ISO 27001 standards aim to provide more well-rounded controls which will, in turn, allow organizations to address increasingly sophisticated security risks, ensure business continuity, and create a competitive advantage within their industries.

Why is ISO 27001 Important?

As technology becomes more sophisticated, the threats and risks that businesses face become more sophisticated as well. As a result of these new risks and threats, cybercrime continues to rise.

The ISO 27001 standard aims to help organizations become aware of risks and be proactive in their identification of organizational weaknesses. This standard encourages organizations to take a well-rounded approach to information security by vetting all aspects of the organization, such as the people, policies, and technologies in place. An ISMS that is implemented in conjunction with the ISO 27001 standard is a tool that organizations use for risk management, cyber resilience, and operational excellence. As the digital world evolves and businesses are subjected to new threats, the ISO 27001 standard has become increasingly important for organizations to implement.

Who Needs ISO 27001?

These days, data theft, cybercrime, and increased liability for privacy leaks are all threats that organizations must address. All businesses should think strategically about their information security needs and about how those needs relate to the organization’s goals, processes and procedures, and organizational structure.

Establishing an ISMS that conforms to this standard allows organizations to apply a risk management process that is appropriate for their size and needs, as well as adjust that process as distinct factors evolve.

How Can It Benefit Your Organization?

Since compliance with the ISO 27001 standard can benefit all organizations, it is important to understand what benefits are possible when implementing and maintaining a compliant ISMS. Some of those benefits include helping organizations with:

  • Resilience to cyberattacks.
  • Preparedness for new risks and threats.
  • Data integrity, confidentiality, and availability.
  • Security across all supporting areas.
  • Organization-wide protections and cost savings.
  • Supporting digitization strategies.

Adopting the approach described in the ISO 27001 standard means that organizations will make sure that information security is built into organizational processes, information systems, and management controls. As a result, organizations can gain new efficiencies and could emerge as leaders in their respective industries.

For more information regarding our internal audit experience, be sure to visit our Internal Audit Services page and don’t hesitate to reach out to Elaine Nissley if you would like more information on our internal audit, readiness, and consulting services for the ISO 27001 standard.

About the Author

Cecily Carl

Cecily joined McKonly & Asbury in 2023 and is currently a Senior Consultant in the firm’s Consulting Services group.