Mapping of ISO/IEC 27001:2013 Controls to ISO/IEC 27001:2022
| 2013 Version | Control Title (2013) | Status | 2022 Version | Control Title (2022) | Notes |
|--------------|----------------------|--------|--------------|----------------------|-------|
| A.5.1 | Management direction for information security | Major non-conformity | 5.1 | Policies for information security | Direct match |
| A.6.1 | Internal Organisation | Minor non-conformity | 5.2 | Information security roles and responsibilities | Direct match |
| A.6.2 | Mobile devices and teleworking | Major non-conformity | 5.10 | Remote working | Split from the previous control |
| A.7.1 | Prior to employment | Conforms | 5.3 | Information security responsibilities before employment | Wording revised |
| A.7.2 | During employment | Major non-conformity | 5.4 | Information security responsibilities during employment | Wording revised |
| A.8.1 | Responsibility for assets | Major non-conformity | 5.9 | Inventory of information and other associated assets | Controls merged |
| A.8.2 | Information Classification | Major non-conformity | 5.12 | Classification of information | Direct match |
| A.8.3 | Media handling | Major non-conformity | 5.13 | Information transfer | Merged into transfer & media handling |
| A.9.1 | Business requirements for access control | Minor non-conformity | 5.15 | Access control | Restructured |
| A.9.2 | User access management | Minor non-conformity | 5.16 | Identity management | New control merged |
| A.9.3 | User responsibilities | Major non-conformity | 5.17 | Authentication information | Expanded |
| A.9.4 | System and application access control | Major non-conformity | 5.18 | Access rights | |
| A.10.1 | Cryptographic controls | Major non-conformity | 5.25 | Cryptography | |
| A.11.1 | Secure areas | Minor non-conformity | 5.8 | Physical security perimeter | |
| A.11.2 | Equipment | Major non-conformity | 5.11 | Equipment security | |
| A.12.1 | Operational procedures and responsibilities | Minor non-conformity | 5.28 | IT security responsibilities | |
| A.12.2 | Protection from malware | Major non-conformity | 5.20 | Protection from malware | |
| A.12.3 | Backup | Minor non-conformity | 5.14 | Information backup | |
| A.12.4 | Control of operational software | Major non-conformity | 5.29 | Information systems configuration | Merged |
| A.12.5 | Controls against malware | Major non-conformity | 5.20 | Protection from malware | Same as A.12.2 |
| A.12.6 | Technical vulnerability management | Major non-conformity | 5.30 | Technical vulnerability management | Direct match |
| A.12.7 | Information systems audit considerations | Cannot be assessed | 5.31 | Information systems audit considerations | |
| A.13.1 | Network security management | Minor non-conformity | 5.22 | Network security | |
| A.13.2 | Information transfer | Major non-conformity | 5.13 | Information transfer | Includes media handling |
| A.14.1 | Security requirements of information systems | Major non-conformity | 5.32 | Secure development lifecycle | |
| A.14.2 | Security in development and support processes | Minor non-conformity | 5.36 | Secure coding | |
| A.14.3 | Test data | Cannot be assessed | 5.37 | Secure testing data | |
| A.15.1 | Information security in supplier relationships | Minor non-conformity | 5.19 | Supplier relationships | |
| A.15.2 | Supplier service delivery management | Cannot be assessed | 5.19 | Supplier relationships | Merged into the above |
| A.16.1 | Management of information security incidents | Major non-conformity | 5.28 | Information security event reporting | |
| A.17.1 | Information security continuity | Minor non-conformity | 5.29 | ICT readiness for business continuity | Merged into a new control |
| A.17.2 | Redundancies | Conforms | 5.26 | Redundancy of information processing facilities | |
| A.18.1 | Compliance with legal and contractual requirements | Minor non-conformity | 5.33 | Compliance with legal, statutory, regulatory and contractual requirements | |
| A.18.2 | Information security reviews | Major non-conformity | 5.34 | Information security review | |
Additional Recommendations for ISMS Activities (non-Appendix A)
| Area | Status |
|------|--------|
| Scope Definition | Major non-conformity |
| Risk Assessment Approach and Execution | Major non-conformity |
| Treatment of Risks & Statement of Applicability | Major non-conformity |
| Risk Treatment Plan | Major non-conformity |
| Monitoring, Review & Effectiveness | Major non-conformity |
| ISMS Improvement (Corrective & Preventive Actions) | Major non-conformity |