Your ISMS risk assessment still works. It identifies assets, maps threats, scores vulnerabilities, and produces a risk register that feeds your Statement of Applicability. The process runs. The outputs exist. None of that matters if your ISO 27001 risk assessment methodology documentation does not confirm, in 2022-conformant terms, that asset/threat/vulnerability is your chosen approach and why it satisfies Clause 6.1.2’s methodology-neutral test.
ISO/IEC 27001:2022 removed the A/T/V identification chain as a normative prerequisite for risk identification. Organisations that transitioned from the 2013 edition and carried their methodology forward without documenting that choice now sit on an auditable gap between their risk assessment output and their SoA justification rationale.
What Clause 6.1.2 Actually Requires Under the 2022 Edition
ISO/IEC 27001:2013 Clause 6.1.2 structured risk identification around asset identification, threat mapping, and vulnerability assessment. The clause inherited this architecture from the 2005 edition; BSI’s 2013 Transition Guide confirms that the 2005-to-2013 revision removed the identification of assets, threats, and vulnerabilities as a prerequisite to risk identification. In practice, A/T/V remained the dominant implementation pathway throughout the entire 2013 certification cycle. Organisations built their risk registers around it. Certification bodies audited against it. Nobody documented why.
ISO/IEC 27001:2022 Clause 6.1.2 completes the structural shift. The clause requires that the organisation define and apply an information security risk assessment process producing “consistent, valid and comparable results.” No methodology is prescribed. A/T/V is absent from the normative text. The organisation selects its own approach and documents why that approach satisfies a three-part test: consistency, validity, and comparability.
This is not cosmetic rewording. Under 2013, an organisation using A/T/V followed the standard’s operative structure. Under 2022, an organisation using A/T/V is making a methodology choice, one that must be explicitly documented and justified against 6.1.2’s criteria. The difference is between inherited default and deliberate selection.

Where Organisations Fail
The failure pattern repeats across transition audits. Organisations updated their Annex A mapping to the 2022 control structure (the visible change) and left their risk assessment methodology documentation untouched. A/T/V continued operating as it had under 2013. No one wrote a methodology rationale statement confirming A/T/V as the organisation’s chosen approach under the 2022 framework. No one explained how it meets the consistency, validity, and comparability test.
Operationally present. Documentarily absent under 2022.
Transition auditors catch this by requesting the documented methodology rationale under Clause 6.1.2. When the methodology document reproduces inherited A/T/V steps with no 2022-conformant rationale, the auditor’s question is direct: where does this document confirm this is your chosen methodology, and why does it satisfy the 6.1.2 test? Absence of that statement is the nonconformity trigger.
The downstream consequence is worse. Clause 6.1.3(d) requires the Statement of Applicability to include justification for every Annex A control inclusion and exclusion, traceable to risk assessment results. The causal chain runs: risk assessment methodology at 6.1.2, then risk identification output, then control selection at 6.1.3(a), then Annex A comparison at 6.1.3(c), then SoA justification at 6.1.3(d). If the methodology producing the risk identification output is undocumented under 2022, every SoA justification row rests on a process with no documented anchor.
Auditors raise this as a Major nonconformity against Clause 6.1.3(d) with root cause observed at Clause 6.1.2. The SoA content is not wrong. It is unanchored in process.
What Audit-Defensible Methodology Documentation Looks Like
An audit-defensible ISMS under 2022 contains a methodology rationale document (standalone or as a defined section within the risk assessment procedure) that does three things.
It names the chosen methodology. A/T/V, scenario-based, CIA-impact-based, or a hybrid: the document states what the organisation uses and confirms this is a deliberate choice under ISO/IEC 27001:2022 Clause 6.1.2. Not a default. Not inherited. Chosen.
It explains how the methodology satisfies the three-part test. Consistency: repeated assessments produce comparable outputs. Validity: the methodology addresses information security risks relevant to the ISMS scope. Comparability: results across assessment cycles support trend analysis and feed management review with meaningful period-on-period data.
It connects methodology output to SoA justification. Each risk register entry traces to the documented methodology. Each SoA control inclusion or exclusion cites a risk register entry. The chain is explicit: methodology to risk to control decision to SoA justification. An auditor traces any SoA row back to its process root without hitting an undocumented step.

Practical Steps
First, draft the methodology rationale statement. Name the chosen approach. Confirm it is the organisation’s documented choice under ISO/IEC 27001:2022 Clause 6.1.2. Explain how it produces consistent, valid, and comparable results. If A/T/V is retained, state that explicitly: the standard permits it; it does not require it.
Second, audit the risk register against the documented methodology. Review every risk register entry to confirm it traces to the methodology described above. Flag entries carried forward from the 2013 process that were never re-validated under the 2022 methodology rationale. Re-validate or re-generate as needed.
Third, revalidate SoA justifications. For each Annex A control row, verify that the inclusion or exclusion justification links to a risk register entry that is output from the documented methodology. Update justification language to make the methodology-to-risk-to-control chain explicit and auditable under Clause 6.1.3(d).
Fourth, prepare for the auditor’s methodology question. It will come at Stage 2 or surveillance: show me the document that confirms your risk assessment methodology choice and how it satisfies 6.1.2. Have the rationale statement ready. Have traceability from SoA to risk register to methodology documented and retrievable. A gap assessment against the 2022 requirements can identify whether your current documentation meets this threshold before the auditor does.
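One way to mechanise the second and third steps, as an added example that is not the article’s or AEC International’s own tooling: a small checker that walks the methodology-to-risk-to-SoA chain over constructed sample records. The rationale text, risk IDs, edition labels and Annex A control references below are illustrative assumptions, not any real ISMS.

```python
"""Traceability check for the 6.1.2 -> risk register -> 6.1.3(d) chain.

All records below are constructed sample data for illustration.
"""

# Step 1 artefact: the rationale must name the method and address all three tests.
METHODOLOGY = {
    "name": "A/T/V",
    "edition": "ISO/IEC 27001:2022",
    "rationale": {
        "consistency": "scoring rubric v3 applied identically each cycle",
        "validity": "asset scope equals the ISMS scope statement",
        "comparability": "",  # left blank on purpose: this should be flagged
    },
}

# Risk register: each entry records the method and edition it was produced under.
RISK_REGISTER = {
    "R-01": {"method": "A/T/V", "validated_under": "ISO/IEC 27001:2022"},
    "R-02": {"method": "A/T/V", "validated_under": "ISO/IEC 27001:2013"},  # carried over, never re-validated
    "R-03": {"method": "scenario", "validated_under": "ISO/IEC 27001:2022"},  # not the documented method
}

# SoA rows: control reference, applicability, and the risk IDs cited in the justification.
SOA = [
    {"control": "A.5.1", "applicable": True, "risks": ["R-01"]},
    {"control": "A.8.8", "applicable": True, "risks": ["R-02"]},
    {"control": "A.7.4", "applicable": False, "risks": []},             # exclusion with no risk cited
    {"control": "A.8.9", "applicable": True, "risks": ["R-03", "R-99"]},  # wrong method plus dangling reference
]


def check_chain(method, register, soa):
    """Return findings keyed by the clause an auditor would raise them against."""
    findings = {"6.1.2": [], "6.1.3(d)": []}
    for test, text in method["rationale"].items():
        if not text.strip():
            findings["6.1.2"].append(f"rationale does not address {test}")
    unanchored = set()  # risks that cannot serve as a 6.1.3(d) justification root
    for rid, entry in register.items():
        if entry["validated_under"] != method["edition"]:
            findings["6.1.2"].append(f"{rid} not re-validated under {method['edition']}")
            unanchored.add(rid)
        if entry["method"] != method["name"]:
            findings["6.1.2"].append(f"{rid} produced by {entry['method']}, not the documented {method['name']}")
            unanchored.add(rid)
    for row in soa:
        if not row["risks"]:
            findings["6.1.3(d)"].append(f"{row['control']} cites no risk register entry")
        for rid in row["risks"]:
            if rid not in register:
                findings["6.1.3(d)"].append(f"{row['control']} cites unknown entry {rid}")
            elif rid in unanchored:
                findings["6.1.3(d)"].append(f"{row['control']} rests on {rid}, which is not anchored in the documented methodology")
    return findings
```

Run against a real register and SoA export, an empty `6.1.3(d)` list is the condition to reach before Stage 2; every entry in the `6.1.2` list is a rationale or re-validation gap to close first, since it is the root cause of the rows below it.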
A Note on Guidance Gaps
No IAF, UKAS, or published certification body document specifies what risk assessment methodology documentation is sufficient to demonstrate Clause 6.1.2 conformance under 2022. IAF MD 26, the mandatory transition requirements document, addresses SoA currency and control effectiveness as transition audit objectives but says nothing about methodology documentation depth. UKAS transition bulletins address certification body process timelines only.
This is not a gap in your preparation. It is a gap in the guidance infrastructure, and it means auditor expectations for methodology documentation are discretionary by certification body. You cannot point to an authoritative T1 document and confirm your documentation is sufficient. The practical consequence: document more than you think you need. A methodology rationale statement that is too thorough has no downside. One that is missing has a Major nonconformity attached to it.
Clause reference for the BSI Transition Guide reflects the mapped standard requirement from the 2005-to-2013 transition. The directional principle (A/T/V permissible but not required) is applied by inference to the 2013-to-2022 context. No equivalent BSI guide for the 2013-to-2022 transition has been identified. Verify against the current edition before audit use.

Key Takeaway
The 2022 transition was never about remapping Annex A to 93 controls. The structural change at Clause 6.1.2 (from an A/T/V-anchored risk identification pathway to a methodology-neutral framework) requires every transitioned ISMS to contain a documented methodology rationale that did not exist under 2013. Without it, the SoA justification chain under Clause 6.1.3(d) has no process root. The audit exposure is a Major nonconformity waiting for an auditor who asks the right question.
About AEC International
AEC International provides ISO certification, training, and consultancy services at the intersection of information security, risk management, and management system governance. We support organisations across industries in achieving and maintaining ISO certification, from gap analysis and implementation through audit preparation and continual improvement.
Learn more: www.aec.llc