
ISO 27001:2022

CLIENT GAP ANALYSIS TOOL

Instructions for use:


This gap analysis document provides a simple framework for evaluating your quality management system against the requirements of ISO
27001:2022. It is split into two tables:
• Part 1: new concepts – highlighting the new concepts introduced in ISO 27001:2022 and the related clauses, processes and functional
activities.
• Part 2: requirements – highlighting amended clauses, processes and functional activities between ISO 27001:2013 and ISO 27001:2022.
Please complete each table by recording the evidence acquired from one full internal audit against the requirements of ISO 27001:2022. If you are
unable to provide evidence of compliance, you may not be ready to complete the transition to ISO 27001:2022. In this case, please inform NQA
that you need additional time to prepare for the transition – we will work with you to select a mutually agreeable date to complete the transition.
Please ensure that this completed document and internal audit records are available to your auditor at the opening meeting of your
transition audit.

Client name: Enview Technologies LLP
Completion date: 23-09-2024

Part 1: New concepts


Tip: Ensure that these new concepts have been deployed in a manner that supports the Process Approach and Risk-Based Thinking.

New requirement: A more explicit requirement for ensuring that interested parties, their needs and expectations relevant to the ISMS have been identified.
Phase: Identify
Clause(s): 4.2.a.b.c)
Activity: Have you identified interested parties relevant to the ISMS, their relevant requirements and which of these will be addressed by the ISMS?
Evidence of compliance (Client to complete):
• Meeting minutes, surveys, or feedback reports from consultations.
• Regulatory and contractual requirements documents.
• Risk assessment identifying expectations (e.g., SLA agreements, compliance mandates, audit reports).
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: New requirement for the adoption of a process approach (where before this was implied).
Phase: Identify
Clause(s): 4.4
Activity: Has planning for the information security management system determined the processes of your organization and interactions with the ISMS?
Evidence of compliance (Client to complete):
Evidence:
• Process inventory document listing key business processes (e.g., HR, IT, finance, operations, procurement, etc.).
• Process interaction diagram or process map showing relationships and dependencies between processes.
Evidence:
• Roles and responsibilities matrix (RACI chart).
• Documentation of process owners for each identified process.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Explicit requirement for top management to ensure that information security roles, responsibilities and authorities are communicated within the organization.
Phase: Action
Clause(s): 5.3
Activity: Have top management established (and are they supportive of) a mechanism for communicating responsibilities and authorities for roles relevant to information security within the organization?
Evidence of compliance (Client to complete):
Evidence:
• Approved Information Security Policy document.
• Management sign-off or endorsement of the policy.
• Policy distribution records or acknowledgment logs.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):
NQA/ISO27001/GAP_ANALYSIS_TOOL/FEB23/V1 Page 1
New requirement: Information security objectives are to be monitored.
Phase: Assess
Clause(s): 6.2.d)
Activity: Have you established how information security objectives are to be monitored and who shall be responsible for this?
Evidence of compliance (Client to complete):
Evidence:
• ISMS performance monitoring plan.
• Key Performance Indicators (KPIs) linked to each information security objective.
• Defined metrics such as incident response time, risk reduction rates, patch management compliance, etc.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Changes to the ISMS are to be planned.
Phase: Plan
Clause(s): 6.3
Activity: Have you established a process for managing changes to the ISMS? How are changes authorised?
Evidence of compliance (Client to complete):
Evidence:
• Approved Change Management Policy document.
• Change Control Procedure detailing roles, responsibilities, and workflows.
Evidence:
• Change Request Forms (CRFs).
• Completed CRFs found.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Changes in the needs and expectations of interested parties are to be addressed during management review.
Phase: Action
Clause(s): 9.3.2.c)
Activity: Are the needs and expectations of interested parties (relevant to the ISMS) reviewed during MR?
Evidence of compliance (Client to complete):
Evidence:
• Management Review Agenda with a section titled Needs and Expectations of Interested Parties.
• Version-controlled meeting agenda template ensuring consistency in reviews.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Threat intelligence
Phase: Plan
Control(s): 5.7
Activity:
• Have you identified your threat intelligence requirements based upon a risk assessment of information, information storage and information processing assets?
• What information relating to security threats do you collect/receive?
• Is information relating to security threats analysed and if so, by whom?
Evidence of compliance (Client to complete):
Evidence:
• Approved risk assessment reports (aligned with Clause 6.1.2).
• Asset inventory or classification register mapping threats to assets.
• Records showing prioritization of threat intelligence needs based on risk severity.
Evidence:
• Threat Intelligence Requirements Document outlining:
  - Types of threats to be monitored (e.g., malware, phishing, APTs).
  - Source of threats (external/internal, sector-specific).
  - Relevant information assets to protect.
• Documented relationship between risks and threat intelligence needs.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):
New requirement: Security considerations and controls for cloud services.
Phase: Plan
Control(s): 5.23
Activity:
• Do you use any cloud services?
• How do you determine which cloud services are required by your organization and which cloud model is the best fit (IaaS, PaaS, SaaS, etc.)?
• What controls do you have in place to monitor the performance/effectiveness of your cloud service provider?
• Have you planned for changes to or termination of your cloud service(s) provider? What are your processes for this?
Evidence of compliance (Client to complete):
Evidence:
• Cloud Usage Policy covering:
  - Criteria for selecting cloud services.
  - Assessment of business needs and alignment with cloud models (IaaS, PaaS, SaaS).
  - Security and compliance considerations.
Evidence:
• Cloud Needs Assessment Report detailing:
  - Specific organizational requirements (e.g., data storage, compute resources, collaboration tools).
  - Comparison of cloud models (IaaS, PaaS, SaaS) based on organizational needs.
  - Justification for the chosen cloud model.
Evidence:
• Vendor selection criteria and comparison reports.
• Compliance checklists for providers (e.g., adherence to ISO 27001, GDPR, HIPAA, etc.).
• Cloud provider contracts or Service Level Agreements (SLAs) detailing performance guarantees.
Evidence:
• Performance Monitoring Logs and Reports:
  - Metrics such as uptime, latency, and resource utilization.
  - SLA compliance reports provided by the cloud service provider.
  - Security monitoring logs (e.g., access logs, event logs) from cloud services.
  - Alerts or incidents related to cloud service performance.
Evidence:
• Cloud Risk Assessment Reports identifying:
  - Potential risks (e.g., data breaches, service downtime, data residency issues).
  - Controls implemented to mitigate these risks.
  - Integration with ISMS risk treatment plans.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Business continuity IT readiness
Phase: Plan
Control(s): 5.30
Activity:
• Does your BCP include requirements to ensure the confidentiality, integrity and availability of information in BC situations?
• Have the IT requirements for BC been tested?
• Have you established RTO/RPOs for your IT in BC situations?
Evidence of compliance (Client to complete):
Evidence:
• BCP document sections covering:
  - Measures to ensure data confidentiality during BC situations (e.g., encryption, access controls).
  - Controls to maintain data integrity (e.g., checksums, version control).
  - Strategies to ensure availability (e.g., backups, redundant systems, failover mechanisms).
  - Clear roles and responsibilities for maintaining CIA.
Evidence:
• Records of testing activities such as:
  - Disaster recovery tests (e.g., restoring data from backups, failover drills).
  - Tabletop exercises simulating BC situations.
  - Testing of alternative communication channels and critical IT infrastructure.
• Results of testing, including pass/fail outcomes and corrective actions taken.
• Approval or sign-off of testing results by senior management or IT teams.
Evidence:
• Management review meeting minutes discussing BC plans.
• Approval/sign-off of BCP and DRP documents.
• Updates made to recovery plans based on
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):
New requirement: Physical security monitoring
Phase: Action
Control(s): 7.4
Activity: How do you ensure that your premises are continuously monitored for unauthorised access?
Evidence of compliance (Client to complete):
Evidence:
• Policy document covering:
  - Access control procedures (e.g., authorized personnel only).
  - Physical barriers (e.g., gates, turnstiles, locked doors).
  - Requirements for ID badges, biometric systems, or other identification methods.
  - Visitor management protocols (e.g., check-in/check-out systems).
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Configuration management
Phase: Action
Control(s): 8.9
Activity:
• Do you have a process for ensuring that systems are appropriately configured/hardened?
• How do you ensure that the above process is being followed?
• Is system configuration monitored and reviewed?
Evidence of compliance (Client to complete):
Evidence:
• Policy document specifying configuration hardening requirements for various systems (e.g., servers, workstations, network devices, applications).
• Security baselines for operating systems, applications, and network devices (e.g., CIS Benchmarks, NIST standards).
• Configuration settings for disabling unnecessary services, applying security patches, and restricting access rights.
Evidence:
• Configuration review reports or audit logs showing that configurations are periodically checked for compliance with security standards.
• Internal audit records confirming that system configurations adhere to the approved hardening guidelines.
• Reports from security or IT teams reviewing configuration management processes and ensuring compliance.
Evidence:
• Continuous monitoring solution (e.g., SIEM, network monitoring tools) tracking configuration changes in real time.
• Reports from monitoring tools showing deviations from the approved configuration settings.
• Alerts triggered when unauthorized changes or misconfigurations are detected on systems.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Information deletion
Phase / Control(s) / Activity:
• Plan 8.10: Have you identified what information you hold as an organization and established rules governing its retention and deletion?
• Action 8.10: How do you ensure that information (when no longer required) is deleted from your information systems, devices or other storage media?
Evidence of compliance (Client to complete):
Evidence:
• Policy document specifying information retention periods for various categories of data (e.g., financial records, customer data, employee records).
• Detailed retention schedules outlining how long different types of information must be kept before they can be deleted.
• Guidelines for categorizing and labeling information according to its sensitivity and retention needs.
Evidence:
• Clear process and workflow for managing the retention and deletion of information (e.g., when information should be archived, when it should be permanently deleted).
• Documentation of legal, regulatory, and business requirements that influence retention periods (e.g., financial reporting laws, data protection regulations).
• Procedures outlining how to handle
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):
New requirement: Data masking
Phase / Control(s) / Activity:
• Plan 8.11: Have you identified what sensitive data you hold as an organization and established rules governing the need to mask this data?
• Plan 8.11: How is access to raw, sensitive data controlled?
• Action 8.11: Do you have a process for masking data?
• Plan 8.11: What applicable legislation have you considered with regards to data and data masking?
Evidence of compliance (Client to complete):
Evidence:
• Policy document outlining the types of sensitive data held by the organization (e.g., personally identifiable information (PII), financial data, health information, payment card information).
• Classification labels or metadata on data, indicating whether it is sensitive and requires masking.
• Records of data classification activities and decisions, including a list of systems or databases storing sensitive data.
Evidence:
• A formal policy detailing how data masking is applied, the types of sensitive data that require masking, and the methods used (e.g., tokenization, encryption, redaction).
• Step-by-step procedures that specify when and how sensitive data should be masked in systems, databases, and reports.
• Documentation of any exceptions or specific rules for handling particular types of sensitive data.
Evidence:
• Access control lists (ACLs), role-based access controls (RBAC), or permission matrices showing how access to sensitive data is granted based on user roles and needs.
• Logs and reports showing that only authorized personnel have access to raw, unmasked sensitive data.
• Integration with authentication systems (e.g., multi-factor authentication, single sign-on) for sensitive data access.
Evidence:
• Screenshots or configuration files from data masking tools (e.g., data tokenization, data obfuscation software, encryption tools) showing implementation and usage.
• Reports from these tools demonstrating that sensitive data is masked in production environments, as well as in non-production environments (e.g., testing or development).
• Records of periodic validation to ensure the data masking process is functioning correctly and securely.
Evidence:
• We secure data based on India IT Act rules guidelines.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Data leakage prevention
Phase: Action
Control(s): 8.12
Activity:
• Have you identified what sensitive information you store, process and/or transmit as an organization?
• Have you identified the systems, apps, tools that are used to store, process and/or transmit this sensitive information?
• Have you assessed your data leakage risks?
• What processes/tools do you have in place to prevent data leakage?
Evidence of compliance (Client to complete):
Evidence:
• A policy or guideline document identifying the categories of sensitive information, such as Personally Identifiable Information (PII), financial data, health data, intellectual property, etc.
• Detailed records of the classification of sensitive data across various departments or functions within the organization (e.g., HR, finance, legal).
• A register or inventory that tracks sensitive data types and where they are stored or processed.
Evidence:
• An updated inventory of all systems, apps, and tools (e.g., databases, cloud services, email platforms, CRM systems) used in the organization to handle sensitive data.
• A mapping of sensitive data flows between systems and external entities, showing where data is stored, processed, and transmitted.
• Network diagrams or data flow diagrams illustrating the systems involved in the handling of sensitive information.
Evidence:
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):
New requirement: Monitoring activities
Phase / Control(s) / Activity:
• Action 8.16: Are your networks monitored for anomalous behaviour?
• Plan 8.16: If/when detected, how is anomalous behaviour evaluated and reported?
Evidence of compliance (Client to complete):
Evidence:
• A documented network monitoring policy that includes the types of anomalies to be detected, monitoring tools, and how continuous monitoring is conducted.
• A clear definition of "anomalous behavior," such as unusual network traffic patterns, unauthorized access attempts, or abnormal system behavior.
• Policies outlining monitoring of both internal and external traffic to detect potential threats or breaches.
Evidence:
• A detailed incident response procedure that outlines the steps for evaluating anomalous behavior once it is detected, including investigation, containment, and remediation processes.
• Records of past incidents where anomalous behavior was detected, evaluated, and responded to (e.g., reports from recent security incidents or network breaches).
• A clear process for escalating significant anomalies to appropriate teams, including security, IT, and management.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Web filtering
Phase: Action
Control(s): 8.23
Activity:
• Is access to external websites managed to reduce exposure to malicious content?
• Are employees aware of the information security risks that unmanaged web browsing poses to the organization?
Evidence of compliance (Client to complete):
Evidence:
• A documented policy specifying the types of websites that employees are allowed to access, restrictions on high-risk websites, and procedures for handling requests to access restricted sites.
• A list of categories (e.g., entertainment, social media, adult content) and associated risks that are blocked or monitored.
• Guidelines for managing access to cloud-based services, social media, and other web applications to minimize exposure to malicious content.
• Procedures for reviewing and updating the list of blocked or restricted websites based on current security trends.
Evidence:
• Training records or attendance logs from mandatory cybersecurity awareness training sessions, including topics related to the dangers of visiting untrusted or unmanaged websites (e.g., malware, phishing, social engineering).
• Training materials or presentation slides that discuss safe web browsing practices, the risks of downloading files from untrusted sources, and the importance of following web access control policies.
• Documentation of regular awareness campaigns (e.g., emails, posters, internal webinars) informing employees of the risks of malicious content on the web.
• Surveys or assessments that indicate employees understand the importance of secure web browsing and the potential impact on the organization's security posture.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

New requirement: Secure coding
Phase: Plan
Control(s): 8.28
Activity:
• What secure coding principles and practices have you implemented in your organization?
• How do you ascertain competence of your developers?
Evidence of compliance (Client to complete):
Evidence:
• A secure coding policy or coding standards document that defines the principles and practices to follow (e.g., OWASP Top 10, Secure Software Development Lifecycle, ISO/IEC 27034).
• Examples of specific secure coding practices included, such as input validation, output encoding, proper error handling, secure authentication mechanisms, encryption of sensitive data, and protection against common vulnerabilities (e.g., SQL injection, cross-site scripting).
Evidence:
• A developer competency framework that defines the required skills and experience in
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Part 2: ISO 27001:2022 Requirements

Tip: Ensure that you can demonstrate that each requirement of ISO 27001:2022 has been addressed within the ISMS.

ISO 27001:2022 | ISO 27001:2022 cross reference and the significant changes from the 2013 version
Clause: 4.1 Understanding the organization and its context
Cross reference and significant changes from the 2013 version: No change: Have you determined your external and internal issues that are relevant to and affect the ISMS?
Evidence of compliance (Client to complete):
Evidence:
• Risk assessment reports that outline the internal and external factors identified as influencing the ISMS, such as organizational culture, market conditions, regulatory requirements, or technological changes.
• Risk register or risk management reports listing the key issues impacting the organization's information security landscape, including environmental, legal, technological, and socio-political factors.
Evidence:
• Minutes or reports from management review meetings that include discussions on both internal and external issues impacting information security.
• Evidence of actions taken as a result of those reviews to address or mitigate the identified issues.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 4.3 Determining the scope of the quality management system
Cross reference and significant changes from the 2013 version: Have external and internal issues and interested parties been considered? Have interfaces and dependencies been identified and considered?
Evidence of compliance (Client to complete):
Evidence:
• Comprehensive risk and context analysis that identifies internal and external issues affecting the ISMS.
• Documentation listing all identified interested parties and their needs and expectations.
• Identification and mapping of interfaces and dependencies between internal and external components.
• Analysis of how internal and external issues and dependencies affect stakeholders.
• Ongoing review and monitoring of dependencies and issues.
• Risk treatment plans that address issues and dependencies impacting the ISMS.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 5.1 Leadership and commitment
Cross reference and significant changes from the 2013 version: Can top management demonstrate their degree of leadership and commitment to the ISMS?
Evidence of compliance (Client to complete):
• Documented ISMS policy signed by top management outlining their commitment.
• Active involvement in the risk management process, including endorsement of risk treatment plans.
• Establishment of measurable information security objectives, regularly reviewed by top management.
• Provision of adequate resources for the implementation and maintenance of the ISMS.
• Regular management reviews of the ISMS, including assessment of its performance and effectiveness.
• Communication from top management highlighting the importance of information security to all employees.
• Continuous improvement efforts led by top management to adapt the ISMS to emerging threats.
• Support for audits, compliance activities, and certifications to maintain the effectiveness of the ISMS.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 5.2 Policy
Cross reference and significant changes from the 2013 version: Is an information security policy available and appropriate to the purpose and context of the organization and does it support the strategic direction of the company?
Evidence of compliance (Client to complete):
• A documented and accessible information security policy endorsed by top management.
• The policy is aligned with the organization's purpose, context, and strategic direction.
• Strategic alignment of the policy with the company's business goals, including growth and compliance.
• Effective communication of the policy to all employees, contractors, and stakeholders.
• Regular reviews and updates of the policy to ensure its relevance and effectiveness.
• Enforcement mechanisms and accountability for adherence to the policy.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 6.1 Actions to address risks and opportunities
Cross reference and significant changes from the 2013 version:
• 6.1.2: Do you have a risk assessment process? Have you performed risk assessments of your information and information storage/processing assets?
• 6.1.3: Have you produced a Statement of Applicability (SOA) and is it aligned to the new control groups and numbering system? Is the SOA version controlled and dated?
Evidence of compliance (Client to complete):
• A documented and established risk assessment process for identifying, assessing, and managing risks related to information and information storage/processing assets.
• Risk assessment reports demonstrating the organization's evaluation of risks to its information assets.
• A Statement of Applicability (SOA) that aligns with the new control groups and numbering system, providing justification for the controls applied.
• Evidence of version control and date stamping for the SOA, ensuring it is up-to-date and accurate.
• Mapping of controls to the new control framework, showing how they address identified risks.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 7.1 Resources
Cross reference and significant changes from the 2013 version: Have resource needs been determined?
Evidence of compliance (Client to complete):
• A documented resource planning process that outlines how the organization identifies and assesses its resource needs for the ISMS.
• Resource needs assessment that determines the specific human, technological, and financial resources required for the effective operation of the ISMS.
• Financial allocation for information security activities, including budget approvals and reports.
• Competence assessments for human resources to ensure the right skills are in place to support information security objectives.
• Identification and assessment of technology infrastructure and external resources required for ISMS implementation and support.
• Continuous monitoring and review of resource adequacy to meet evolving information security demands.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 7.4 Communication
Cross reference and significant changes from the 2013 version: 7.4.d) Have you determined how to communicate?
Evidence of compliance (Client to complete):
• A documented communication policy or plan that specifies how internal and external communication about information security will be managed.
• Clear internal communication methods (e.g., meetings, emails, collaboration tools) and records showing that information security matters are communicated to relevant parties.
• Established external communication protocols for informing stakeholders such as customers, partners, and regulatory bodies about security incidents or policies.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

Clause: 8.1 Operational planning and control
Cross reference and significant changes from the 2013 version: Have you established criteria for the processes identified in Clause 6 and implemented control of those processes? Are these processes and controls documented?
Evidence of compliance (Client to complete):
• Documented process criteria that specify measurable performance metrics for each identified process.
• Records of control and monitoring systems showing that processes are being followed and the criteria are being met.
• Documented processes (e.g., SOPs, flowcharts, control plans) that detail the steps, criteria, and responsibilities for process control.
• Clear roles and responsibilities for process control, evidenced through job descriptions and RACI charts.
• Management review and continuous improvement records, including audit results and corrective actions taken.
• Risk assessment integration showing that risks are addressed through controlled processes.
• Compliance and legal checks confirming that processes meet applicable standards.
Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes No
Comments if required (Assessor to complete):

9.1 Monitoring, measurement, analysis and evaluation
Cross reference and changes from the 2013 version: Organizations are now required to ensure that monitoring and measuring produces valid, comparable and reproducible results. You must also evaluate information security performance and the effectiveness of the ISMS.

Evidence of compliance (Client to complete):
• Measurement protocols that ensure valid, comparable, and reproducible results.
• KPIs for monitoring and evaluating information security performance, along with performance reports.
• Management reviews and audit reports that evaluate the ISMS and ensure its effectiveness.
• Corrective actions based on monitoring results, showing continuous improvement of the ISMS.
• Training records demonstrating staff competence in monitoring and measurement.
• Automated monitoring tools that ensure consistency and accuracy in measurements.

Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

9.2 Internal audit
Cross reference and changes from the 2013 version: This has been broken into sub-clauses but with no significant change to the requirements.

Evidence of compliance (Client to complete):
• Internal audit procedure and audit plan to ensure systematic auditing of the ISMS.
• Training records and competence assessments for internal auditors to ensure their effectiveness.
• Audit reports documenting findings, nonconformities, and corrective actions.
• Follow-up action records to ensure that audit issues are addressed and resolved.
• Management review documentation showing that audit results are discussed by top management.
• Proper record-keeping and documentation for all internal audit activities.

Has the client demonstrated they have met the requirements of this clause? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

Annex A Controls

5. Organizational controls
5.1 Policies for information security
Cross reference and changes from the 2013 version: Merging of 5.1.1 and 5.1.2 – no significant change.

Evidence of compliance (Client to complete):
• Information security policy document approved by top management and aligned with organizational objectives.
• Communication records to ensure the policy is shared with all relevant stakeholders.
• Roles and responsibilities clearly defined within the policy.
• Policy review and update records, demonstrating ongoing relevance and compliance.
• Evidence of top management commitment, showing their active support and involvement in the policy's creation and enforcement.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.8 Information security in project management
Cross reference and changes from the 2013 version: Merging of 6.1.5 and 14.1.1 – more explicit requirement than the originals.

Evidence of compliance (Client to complete):
• Documented project management processes that integrate information security throughout the project lifecycle.
• Risk assessments conducted specifically for each project with identified information security risks and mitigation plans.
• Training and awareness records for project teams related to information security.
• Supplier contracts that include information security requirements for third parties involved in the project.
• Project documentation showing security considerations in every phase, from initiation through to closure.
• Security control monitoring and review records during the project.
• Change management procedures that assess the security impact of any project changes.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
5.9 Inventory of information and other associated assets
Cross reference and changes from the 2013 version: Merging of 8.1.1 and 8.1.2 – No significant change.

Evidence of compliance (Client to complete):
• Asset inventory register or management system that lists all information and associated assets.
• Asset classification and sensitivity documentation detailing the categorization of information assets.
• Ownership records specifying who is responsible for each asset.
• Protection measures for information assets, including access control, encryption, and data protection strategies.
• Periodic reviews of the asset inventory to ensure it is up to date.
• Audit trails or change logs for asset inventory changes.
• Security measures in place to ensure both physical and logical protection of information assets.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.10 Acceptable use of information and other associated assets
Cross reference and changes from the 2013 version: Merging of 8.1.3 and 8.2.3 with an emphasis on procedures for handling information and other associated assets.

Evidence of compliance (Client to complete):
• Acceptable Use Policy (AUP) that defines acceptable and unacceptable use of information and associated assets.
• Role-based access control (RBAC) and access control policies detailing how information and assets are accessed and by whom.
• Mobile device management (MDM) and BYOD policies ensuring secure access to organizational assets from personal or mobile devices.
• Information handling procedures for secure storage, classification, transmission, and disposal of sensitive information.
• Monitoring logs and disciplinary actions for ensuring compliance with the AUP.
• Incident response procedures for handling misuse of information and assets, along with clear reporting mechanisms.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.14 Information transfer
Cross reference and changes from the 2013 version: 8.2.1 – Updated control introduces the idea of 'transfer facilities' and not solely removable media.

Evidence of compliance (Client to complete):
• Information Transfer Policy that includes secure methods for transferring information via physical, electronic, and networked means.
• Documentation and usage of secure transfer facilities such as VPNs, secure file transfer protocols, and encryption.
• Policies and controls around removable media, including encryption and access restrictions.
• Monitoring and auditing mechanisms for tracking information transfer activities.
• DLP systems and end-to-end encryption protocols to protect data during transfer.
• Procedure manuals and risk assessments for secure data transfer processes.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.15 Access control
Cross reference and changes from the 2013 version: Merging of 9.1.1 and 9.1.2 – no requirement for an Access Control Policy; however, rules governing access (logical and physical) must be established and implemented.

Evidence of compliance (Client to complete):
• Documented rules and procedures for logical and physical access control.
• Implementation of role-based access control (RBAC) and access review processes.
• Use of strong authentication and authorization mechanisms.
• Physical access controls including keycards, biometrics, and surveillance systems.
• Regular access reviews and audits to ensure proper access controls.
• Access control for remote users and external parties via VPNs and restricted access.
• Evidence of training and awareness programs related to access control.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.16 Identity management
Cross reference and changes from the 2013 version: 9.2.1 – Now explicitly states 'full lifecycle', which includes registration, de-registration and change.

Evidence of compliance (Client to complete):
• Clear processes for the registration, modification, and de-registration of user access.
• Documented approval workflows for granting, modifying, and removing user access.
• Access review and audit logs that show ongoing management of user access.
• Training records for personnel involved in user access management.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
5.17 Authentication information
Cross reference and changes from the 2013 version: Merging of 9.2.4, 9.3.1, 9.4.3 – Includes reference to advising personnel on appropriate handling of authentication information.

Evidence of compliance (Client to complete):
• Documented policies and procedures for handling, storing, and transmitting authentication information securely.
• Encryption and secure storage practices for authentication information.
• Access controls governing who can access authentication credentials and systems.
• Training programs to educate personnel on secure handling of authentication information.
• Multi-factor authentication (MFA) implementation for critical systems and applications.
• Audit logs and incident response procedures for authentication-related security events.
• Regular reviews of authentication information handling practices to ensure they are up-to-date and effective.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.18 Access rights
Cross reference and changes from the 2013 version: Merging of 9.2.2, 9.2.5, 9.2.6 – No significant change.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.19 Information security in supplier relationships
Cross reference and changes from the 2013 version: 15.1.1 – This now focuses on the organization's use of suppliers' products and services and not simply the suppliers' access to organizational assets and information.

Evidence of compliance (Client to complete):
• Supplier risk assessment and security evaluation conducted during the selection process.
• Information security clauses in supplier contracts to define expectations.
• Performance monitoring of suppliers to ensure continuous compliance with security requirements.
• Supplier incident management and breach notification procedures.
• Access control and monitoring for supplier access to systems and data.
• Regular security audits of suppliers and remediation of identified security issues.
• Training and awareness programs for suppliers on information security best practices.
• Supplier exit strategies for secure termination of relationships and data handling.
• Periodic reviews of supplier relationships to ensure alignment with security needs.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.22 Monitoring, review and change management of supplier services
Cross reference and changes from the 2013 version: Merging of 15.2.1 and 15.2.2 – No significant change.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
5.27 Learning from information security incidents
Cross reference and changes from the 2013 version: 16.1.6 – Focus is now on strengthening and improving information security controls.

Evidence of compliance (Client to complete):
• Incident reporting and analysis with documented root cause investigations.
• Corrective and preventive actions taken after incidents to strengthen controls and prevent recurrence.
• Improvements to security controls made as a result of incident analysis.
• Structured incident handling and communication procedures to ensure incidents are managed efficiently.
• Training and awareness programs based on lessons learned from incidents.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
5.29 Information security during disruption
Cross reference and changes from the 2013 version: Merging of 17.1.1, 17.1.2, 17.1.3 – Clarifies and simplifies the old requirements.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.31 Legal, statutory, regulatory and contractual requirements
Cross reference and changes from the 2013 version: Merging of 18.1.1 and 18.1.5 – No significant change.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

5.36 Compliance with policies, rules and standards for information security
Cross reference and changes from the 2013 version: Merging of 18.2.2 and 18.2.3 – No significant change.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

6. People controls
6.4 Disciplinary process
Cross reference and changes from the 2013 version: 7.2.3 – Emphasis on information security violation and not breach.

Evidence of compliance (Client to complete):
• Policy and procedures for identifying and addressing information security violations, including clear definitions and scope.
• Disciplinary actions taken for violations, with a documented record of actions and outcomes.
• Investigation and documentation of violations, including root cause analysis and corrective actions.
• Training and awareness programs to educate employees on the importance of following security policies and the consequences of violations.
• Consistent application of disciplinary actions, with evidence that actions are fairly applied to all staff.
• Monitoring and reporting on violations and their resolution, to track trends and measure the effectiveness of the process.
• Review and continuous improvement of the disciplinary process based on audits, feedback, and lessons learned.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

6.6 Confidentiality or non-disclosure agreements (NDAs)
Cross reference and changes from the 2013 version: 13.2.4 – This control now states that NDAs and CAs are to be signed.

Evidence of compliance (Client to complete):
• Signed NDAs and CAs with employees, contractors, and third parties who handle sensitive information.
• Regular review and update of NDAs and CAs to ensure they remain current and legally binding.
• Training and awareness programs to ensure that employees and third parties understand their confidentiality obligations.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
6.7 Remote working
Cross reference and changes from the 2013 version: 6.2.2 – This is now explicitly aimed at remote workers and not teleworking sites.

Evidence of compliance (Client to complete):
• Remote working policy that covers security aspects of remote working.
• Access control measures (e.g., MFA, VPN access) for remote workers.
• Security tools for remote work (e.g., endpoint protection, encryption, secure communication tools).
• Training and awareness programs specific to remote working security.
• Incident management procedures for remote work-related security incidents.
• Monitoring and auditing activities for remote work.
• Device and endpoint management for remote workers.
• Data protection and handling procedures for remote work.
• Risk assessment and mitigation for remote working threats.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

6.8 Information security event reporting
Cross reference and changes from the 2013 version: 16.1.2 and 16.1.3 – No distinction between events and weaknesses. All events, either observed or suspected, are to be reported.

Evidence of compliance (Client to complete):
• Event reporting policy that includes clear processes for reporting security events and weaknesses.
• Defined reporting channels and accessible mechanisms for reporting incidents.
• Training records showing staff are aware of the process and understand how to report events.
• Incident management system records, including tracking of reported events.
• Procedures for handling and investigating events with clear escalation processes.
• Monitoring and auditing of the event reporting process to ensure timely handling.
• Continuous improvement activities based on lessons learned from reported events.
• Compliance evidence that shows adherence to legal and regulatory requirements for event reporting.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

7. Physical controls

7.2 Physical entry
Cross reference and changes from the 2013 version: Merging of 11.1.2 and 11.1.6 – No significant change.

Evidence of compliance (Client to complete):
• No changes required

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

7.10 Storage media
Cross reference and changes from the 2013 version: 8.3.1, 8.3.2, 8.3.3, 11.2.5 – The standard now introduces the concept of lifecycle management instead of the explicit controls in the 2013 edition.

Evidence of compliance (Client to complete):
• Lifecycle management policy covering all stages of storage media.
• Inventory records for storage media, including details on location and ownership.
• Secure handling procedures for storage media, including during transport and storage.
• Data sanitization and disposal procedures, including third-party involvement.
• Access control logs showing who can access storage media.
• Encryption and data protection measures during the use of storage media.
• Vendor management records showing third-party compliance for media disposal.
• Compliance evidence demonstrating adherence to relevant legal and regulatory requirements.
• Audit and improvement records showing that the organization regularly reviews and improves its lifecycle management practices.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

7.12 Cabling security
Cross reference and changes from the 2013 version: 11.2.3 – Cables carrying power (but not data) are specifically included in the control.

Evidence of compliance (Client to complete):
• Cabling security policy that covers both data and power cables.
• Cabling layout and management records showing secure routing of cables.
• Protection measures for data and power cables from physical damage or tampering.
• Separation guidelines for power and data cables to reduce interference and improve security.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8. Technological controls
8.1 User end point devices
Cross reference and changes from the 2013 version: 11.2.8 – The emphasis is now on protection of the information that is accessible by the user end point.

Evidence of compliance (Client to complete):
• Endpoint security policy detailing protection measures for information accessible via user devices.
• Configuration and hardening guidelines for endpoints to ensure minimal vulnerabilities.
• Access control mechanisms ensuring only authorized users access sensitive data on devices.
• Encryption policies and implementation to protect sensitive data stored on endpoints.
• Endpoint monitoring and logging for auditing and identifying suspicious activities.
• Restrictions on endpoint devices to limit unauthorized actions (e.g., restricting external storage devices).
• Data loss prevention controls to prevent leakage of sensitive information.
• Device inventory and management ensuring all endpoints are tracked and compliant with security policies.
• User education and awareness training for employees on securing endpoints and handling sensitive data.
• Incident response plans addressing endpoint-related security incidents.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.4 Access to source code
Cross reference and changes from the 2013 version: 9.4.5 – Includes development tools and software libraries.

Evidence of compliance (Client to complete):
• Access control policy for source code, development tools, and libraries.
• Access control and monitoring records ensuring only authorized personnel can access sensitive development resources.
• Version control logs showing changes to source code and tracking modifications.
• Segregation of duties records ensuring proper division of responsibilities between development and review/deployment.
• Encryption policies and logs confirming the protection of source code and tools.
• Audit trails for monitoring unauthorized access or changes to development resources.
• Backup and recovery procedures for source code and development tools.
• Management and security of development tools and libraries, including vulnerability management.
• Third-party access agreements and logs for external vendors or contractors.
• Secure disposal procedures for deprecated source code and development tools.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.15 Logging
Cross reference and changes from the 2013 version: Merging of 12.4.1, 12.4.2, 12.4.3 – No significant change.

Evidence of compliance (Client to complete):
• Log monitoring records demonstrating active monitoring of logs for signs of suspicious activities (e.g., intrusion attempts, unauthorized access).
• Alerting mechanisms that notify administrators when suspicious events are detected in logs.
• Security incident reports showing responses to detected issues based on log analysis.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.24 Use of cryptography
Cross reference and changes from the 2013 version: Merging of 10.1.1 and 10.1.2 – No significant change.

Evidence of compliance (Client to complete):
• Cryptographic policy outlining the use of cryptography for protecting sensitive information.
• Encryption standards and key management procedures detailing the use of cryptography to protect data.
• Records of data encryption for both data storage and transmission, demonstrating the application of cryptographic controls.
• Compliance records showing adherence to applicable cryptography-related laws and regulations.
• Training and awareness materials demonstrating that staff are educated on cryptographic controls and their importance.
• Audit logs and monitoring reports showing that cryptographic controls are regularly evaluated for effectiveness.
• Incident response records detailing how cryptographic measures were employed to mitigate the impact of incidents.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.26 Application security requirements
Cross reference and changes from the 2013 version: Merging of 14.1.2 and 14.1.3 – Simplification of the existing controls.

Evidence of compliance (Client to complete):
• Security integration in the SDLC, showing security requirements are embedded throughout the development lifecycle.
• Secure coding standards and code review practices that ensure the applications are free from common vulnerabilities.
• Security testing records that demonstrate regular testing for vulnerabilities and the fixing of identified issues.
• Use of security tools for automating

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):
8.27 Secure system architecture and engineering principles
Cross reference and changes from the 2013 version: 14.2.5 – Introduces the requirement for secure system architecture.

Evidence of compliance (Client to complete):
• System architecture documentation that shows security is integrated from the design phase.
• Threat modeling and risk assessments conducted to identify potential security risks in the system design.
• Implementation of secure design patterns, including encryption, access control, and data flow management.
• Penetration testing and security validation to verify the security of the system architecture.
• Redundancy and fault tolerance built into the system to ensure availability.
• Integration of third-party and cloud services with appropriate security controls.
• Training and awareness programs for system architects to ensure secure design principles are followed.
• Change management procedures that include security review for system design changes.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.29 Security testing in development and acceptance
Cross reference and changes from the 2013 version: Merging of 14.2.8 and 14.2.9 – No significant change.

Evidence of compliance (Client to complete):
• Security testing procedures integrated into the development lifecycle.
• Testing tools and methodologies used to identify vulnerabilities during development and acceptance.
• Test results showing identified vulnerabilities and remediation actions taken.
• Security acceptance criteria and documentation confirming that security testing was successfully completed before deployment.
• Vulnerability management and patching records showing how security issues were resolved.
• Security testing integrated into agile or DevOps workflows, if applicable.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

8.32 Change management
Cross reference and changes from the 2013 version: 12.1.2, 14.2.2, 14.2.3, 14.2.4 – The new combined control is less prescriptive.

Evidence of compliance (Client to complete):
• Change management policies and procedures that define how changes are initiated, approved, and tracked.
• Risk assessments and impact analyses performed before implementing changes.
• Testing and validation results that show changes were properly evaluated before full deployment.
• Change logs and audit trails documenting all changes and approvals.
• Post-change reviews to assess the success and impact of changes.
• Emergency change procedures and records of emergency changes, if applicable.
• Compliance checks showing that changes meet legal and regulatory requirements.

Has the client demonstrated they have met the requirements of this control? (Assessor to complete): Yes / No
Comments if required (Assessor to complete):

Areas for further investigation:

NQA, Warwick House, Houghton Hall Park, Houghton Regis,
Dunstable, Bedfordshire LU5 5ZX, United Kingdom
www.nqa.com
T: 0800 052 2424 E: info@nqa.com @nqaglobal