- The 2022 revision of ISO 27001 introduces a shift from domain-based to theme-based auditing, allowing a more natural flow in audits and enhancing auditors’ flexibility.
- The new structure, organized into four broad themes, better aligns with current technological architectures and security practices, improving risk-based auditing approaches.
- AI and automation are expected to play an increasing role in audits, particularly in reviewing electronic evidence and automating compliance processes.
In the 2022 revision of ISO 27001, there has been a notable shift from domain-based to theme-based auditing, a change intended to streamline the audit process and make it more conversational. This reorganization into broader themes gives auditors more flexibility to tailor audits to an organization’s specific risks, technologies, and operations. According to David Forman, founder of Mastermind Assurance, this new structure allows auditors to follow risk-based controls more naturally, reducing interruptions in the audit process.
The restructured ISO 27001 features four overarching themes instead of the 14 domains in the previous version. This shift helps organizations better align their security practices with modern hosting and technological architectures while maintaining compliance with the standard. Additionally, Forman points out that theme-based auditing helps organizations map their controls more effectively to frameworks like the Cloud Security Alliance’s CCM, further simplifying the audit process.
Automation and AI are expected to be more significant in security audits. Automating the review of electronic evidence and compliance processes could streamline audits, although there are concerns that AI may reveal new issues that could increase audit findings. However, Forman suggests that the market, rather than audit technology, will drive these changes, emphasizing that AI’s role in audits will ultimately enhance efficiency and compliance visibility.
Leave a Reply
You must be logged in to post a comment.