{"id":127,"date":"2026-04-22T14:15:54","date_gmt":"2026-04-22T14:15:54","guid":{"rendered":"https:\/\/aec.llc\/blog\/?p=127"},"modified":"2026-04-22T14:15:56","modified_gmt":"2026-04-22T14:15:56","slug":"iso-27001-risk-assessment-methodology","status":"publish","type":"post","link":"https:\/\/aec.llc\/blog\/iso-27001-risk-assessment-methodology\/","title":{"rendered":"ISO 27001:2022 Clause 6.1.2: Why Your Carried-Forward Risk Assessment Methodology Is an Audit Liability"},"content":{"rendered":"\n<p>Your ISMS risk assessment still works. It identifies assets, maps threats, scores vulnerabilities, and produces a risk register that feeds your Statement of Applicability. The process runs. The outputs exist. None of that matters if your ISO 27001 risk assessment methodology documentation does not confirm \u2014 in 2022-conformant terms \u2014 that asset\/threat\/vulnerability is your chosen approach and why it satisfies Clause 6.1.2&#8217;s methodology-neutral test.<\/p>\n\n\n\n<p>ISO\/IEC 27001:2022 removed the A\/T\/V identification chain as a normative prerequisite for risk identification. Organisations that transitioned from the 2013 edition and carried their methodology forward without documenting that choice now sit on an auditable gap between their risk assessment output and their SoA justification rationale.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Clause 6.1.2 Actually Requires Under the 2022 Edition<\/h2>\n\n\n\n<p>ISO\/IEC 27001:2013 Clause 6.1.2 structured risk identification around asset identification, threat mapping, and vulnerability assessment. The clause inherited this architecture from the 2005 edition \u2014 [EXT-LINK: BSI&#8217;s 2013 Transition Guide \u2192 BSI published guidance] confirms that the 2005-to-2013 revision removed the identification of assets, threats, and vulnerabilities as a prerequisite to risk identification. In practice, A\/T\/V remained the dominant implementation pathway throughout the entire 2013 certification cycle. 
Organisations built their risk registers around it. Certification bodies audited against it. Nobody documented why.<\/p>\n\n\n\n<p><a href=\"https:\/\/aec.llc\/certifications\/information-security-privacy-it\/iso-iec-27001.html\">ISO\/IEC 27001:2022<\/a> Clause 6.1.2 completes the structural shift. The clause requires that the organisation define and apply an information security risk assessment process producing &#8220;consistent, valid and comparable results.&#8221; No methodology is prescribed. A\/T\/V is absent from the normative text. The organisation selects its own approach and documents why that approach satisfies a three-part test: consistency, validity, and comparability.<\/p>\n\n\n\n<p>This is not cosmetic rewording. Under 2013, an organisation using A\/T\/V followed the standard&#8217;s operative structure. Under 2022, an organisation using A\/T\/V is making a methodology choice \u2014 one that must be explicitly documented and justified against 6.1.2&#8217;s criteria. The difference is between inherited default and deliberate selection.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM-1024x683.png\" alt=\"Risk register entries unanchored without documented methodology rationale under Clause 6.1.2\" class=\"wp-image-130\" srcset=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM-1024x683.png 1024w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM-300x200.png 300w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM-768x512.png 768w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM-600x400.png 600w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_23-AM.png 1536w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Where Organisations Fail<\/h2>\n\n\n\n<p>The failure pattern repeats across transition audits. Organisations updated their Annex A mapping to the 2022 control structure \u2014 the visible change \u2014 and left their risk assessment methodology documentation untouched. A\/T\/V continued operating as it had under 2013. No one wrote a methodology rationale statement confirming A\/T\/V as the organisation&#8217;s chosen approach under the 2022 framework. No one explained how it meets the consistency, validity, and comparability test.<\/p>\n\n\n\n<p>Operationally present. Documentarily absent under 2022.<\/p>\n\n\n\n<p>Transition auditors catch this by requesting the documented methodology rationale under Clause 6.1.2. When the methodology document reproduces inherited A\/T\/V steps with no 2022-conformant rationale, the auditor&#8217;s question is direct: where does this document confirm this is your chosen methodology, and why does it satisfy the 6.1.2 test? Absence of that statement is the nonconformity trigger.<\/p>\n\n\n\n<p>The downstream consequence is worse. Clause 6.1.3(d) requires the Statement of Applicability to include justification for every Annex A control inclusion and exclusion \u2014 traceable to risk assessment results. The causal chain runs: risk assessment methodology at 6.1.2, then risk identification output, then control selection at 6.1.3(a), then Annex A comparison at 6.1.3(c), then SoA justification at 6.1.3(d). If the methodology producing the risk identification output is undocumented under 2022, every SoA justification row rests on a process with no documented anchor.<\/p>\n\n\n\n<p>Auditors raise this as a Major nonconformity against Clause 6.1.3(d) with root cause observed at Clause 6.1.2. The SoA content is not wrong. 
It is unanchored in process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Audit-Defensible Methodology Documentation Looks Like<\/h2>\n\n\n\n<p>An audit-defensible ISMS under 2022 contains a methodology rationale document \u2014 standalone or as a defined section within the risk assessment procedure \u2014 that does three things.<\/p>\n\n\n\n<p>It names the chosen methodology. A\/T\/V, scenario-based, CIA-impact-based, or a hybrid \u2014 the document states what the organisation uses and confirms this is a deliberate choice under ISO\/IEC 27001:2022 Clause 6.1.2. Not a default. Not inherited. Chosen.<\/p>\n\n\n\n<p>It explains how the methodology satisfies the three-part test. Consistency: repeated assessments produce comparable outputs. Validity: the methodology addresses information security risks relevant to the <a href=\"https:\/\/aec.llc\/blog\/isms-scope-iso-27001-audit-findings\/\">ISMS scope<\/a>. Comparability: results across assessment cycles support trend analysis and feed management review with meaningful period-on-period data.<\/p>\n\n\n\n<p>It connects methodology output to SoA justification. Each risk register entry traces to the documented methodology. Each SoA control inclusion or exclusion cites a risk register entry. The chain is explicit: methodology to risk to control decision to SoA justification. 
An auditor traces any SoA row back to its process root without hitting an undocumented step.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM-1024x683.png\" alt=\"SoA justification traceability chain from methodology to risk register to control selection\" class=\"wp-image-129\" srcset=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM-1024x683.png 1024w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM-300x200.png 300w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM-768x512.png 768w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM-600x400.png 600w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_25-AM.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Practical Steps<\/h2>\n\n\n\n<p>First, draft the methodology rationale statement. Name the chosen approach. Confirm it is the organisation&#8217;s documented choice under ISO\/IEC 27001:2022 Clause 6.1.2. Explain how it produces consistent, valid, and comparable results. If A\/T\/V is retained, state that explicitly \u2014 the standard permits it; it does not require it.<\/p>\n\n\n\n<p>Second, audit the risk register against the documented methodology. Review every risk register entry to confirm it traces to the methodology described above. Flag entries carried forward from the 2013 process that were never re-validated under the 2022 methodology rationale. Re-validate or re-generate as needed.<\/p>\n\n\n\n<p>Third, revalidate SoA justifications. 
For each Annex A control row, verify that the inclusion or exclusion justification links to a risk register entry that is output from the documented methodology. Update justification language to make the methodology-to-risk-to-control chain explicit and auditable under Clause 6.1.3(d).<\/p>\n\n\n\n<p>Fourth, prepare for the auditor&#8217;s methodology question. It will come at Stage 2 or surveillance: show me the document that confirms your risk assessment methodology choice and how it satisfies 6.1.2. Have the rationale statement ready. Have traceability from SoA to risk register to methodology documented and retrievable. A <a href=\"https:\/\/aec.llc\/consulting-pages\/gap-assessment.html\">gap assessment<\/a> against the 2022 requirements can identify whether your current documentation meets this threshold before the auditor does.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A Note on Guidance Gaps<\/h2>\n\n\n\n<p>No [EXT-LINK: IAF \u2192 IAF mandatory document], UKAS, or published certification body document specifies what risk assessment methodology documentation is sufficient to demonstrate Clause 6.1.2 conformance under 2022. [EXT-LINK: IAF MD 26 \u2192 IAF mandatory document] \u2014 the mandatory transition requirements document \u2014 addresses SoA currency and control effectiveness as transition audit objectives but says nothing about methodology documentation depth. UKAS transition bulletins address certification body process timelines only.<\/p>\n\n\n\n<p>This is not a gap in your preparation. It is a gap in the guidance infrastructure \u2014 and it means auditor expectations for methodology documentation are discretionary by certification body. You cannot point to an authoritative T1 document and confirm your documentation is sufficient. The practical consequence: document more than you think you need. A methodology rationale statement that is too thorough has no downside. 
One that is missing has a Major nonconformity attached to it.<\/p>\n\n\n\n<p>Clause reference for BSI Transition Guide reflects mapped standard requirement from the 2005-to-2013 transition. The directional principle \u2014 A\/T\/V permissible but not required \u2014 is applied by inference to the 2013-to-2022 context. No equivalent BSI guide for the 2013-to-2022 transition has been identified. Verify against current edition before audit use.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM-1024x683.png\" alt=\"ISO 27001 risk assessment\" class=\"wp-image-128\" srcset=\"https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM-1024x683.png 1024w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM-300x200.png 300w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM-768x512.png 768w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM-600x400.png 600w, https:\/\/aec.llc\/blog\/wp-content\/uploads\/2026\/04\/ChatGPT-Image-Apr-22-2026-07_13_28-AM.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaway<\/h2>\n\n\n\n<p>The 2022 transition was never about remapping Annex A to 93 controls. The structural change at Clause 6.1.2 \u2014 from an A\/T\/V-anchored risk identification pathway to a methodology-neutral framework \u2014 requires every transitioned ISMS to contain a documented methodology rationale that did not exist under 2013. Without it, the SoA justification chain under Clause 6.1.3(d) has no process root. 
The audit exposure is a Major nonconformity waiting for an auditor who asks the right question.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About AEC International<\/h2>\n\n\n\n<p>AEC International provides ISO certification, training, and consultancy services at the intersection of information security, risk management, and management system governance. We support organisations across industries in achieving and maintaining <a href=\"https:\/\/aec.llc\/certifications-family-pages\/certifications\/index.html\">ISO certification<\/a> \u2014 from <a href=\"https:\/\/aec.llc\/consulting-pages\/gap-assessment.html\">gap analysis<\/a> and implementation through audit preparation and continual improvement.<\/p>\n\n\n\n<p>Learn more: <a href=\"http:\/\/www.aec.llc\">www.aec.llc<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>**Excerpt:** ISO 27001:2022 removed asset\/threat\/vulnerability as a normative prerequisite for risk identification. Organisations that carried their methodology forward without documenting the choice under Clause 6.1.2 now face a Major nonconformity risk at their next audit. 
<\/p>\n","protected":false},"author":1,"featured_media":131,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[26,39,16,19,12],"class_list":["post-127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audit-preparation","tag-certification-process","tag-document-control","tag-gap-analysis","tag-iso-27001","tag-risk-management"],"reading_time":"6 min read","_links":{"self":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":1,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"predecessor-version":[{"id":132,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/posts\/127\/revisions\/132"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/media\/131"}],"wp:attachment":[{"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aec.llc\/blog\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}