Being in a business that handles sensitive data means keeping up with the latest recommendations and requirements for data security. Often, changes to best practices will develop over time. Having partners who can keep you up to date and help you understand what’s changed can keep you in compliance and keep your most sensitive information safe.
Why Is ISO 27001 Being Updated?
At least once every five years, all ISO standards are reviewed. This is a necessary part of keeping the information management standards up to date with the constantly evolving cyber threat landscape. Ongoing improvement of the framework is important to outlining the current best practices for protecting data.
What Changes Are Expected with ISO 27001:2022?
The new standard is much longer than the previous version, and the controls have been reordered and updated. The changes fall into three areas:
- Security Controls
- Control Themes
- Control Attributes
ISO 27001 2022 Security Controls
Annex A had 114 controls in 14 families in the previous version (ISO 27001:2013). The 2022 version has fewer controls overall because unnecessary and redundant controls have been combined or eliminated. The new controls are:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
ISO 27001 2022 Control Themes
The new version includes 93 controls divided into four themes, in place of the 14 clauses of the current edition.
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
ISO 27001 2022 Control Attributes
To make it easier to categorize the controls, there are now five main categories of ‘attributes’ in place of the previous 14 clauses:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
When Does ISO 27001 2022 Go into Effect?
ISO 27002 was updated on February 15, 2022; the new version of ISO 27001 is currently expected to be available by October 2022. If the 2022 version of ISO 27001 is broadly similar to the 2013 version, a new version of Annex A will be available to work with whenever that standard is released, and it will reflect the controls in the new ISO 27002.
What Does this Mean for Your ISO Certification?
ISO 27001:2013 permits you to choose controls from anywhere as part of a comprehensive risk management process, as long as you compare them to Annex A and document your decisions.
If your organization is currently certified to ISO 27001:2013, you must upgrade to ISO 27001:2022 before the first surveillance or recertification audit you have scheduled in 2023. Depending on the scope of your ISMS, your organization could be required to implement new controls. Those controls must be implemented, enforced via policies and procedures, and tested prior to your audit.
Even the controls whose substance hasn’t really changed will require considerable rework of your documentation, since the ISO 27002 security controls have been combined and renumbered. To reflect the changes, you’ll need to rename your existing documents and create an updated Statement of Applicability.
Although there will likely be a two-year transition period allowing certified organizations to revise their management system in compliance with the new version, it’s not recommended that your organization delay updating. Don’t put it off any longer!
Evolving from ISO 27001:2013 to ISO 27001:2017
The last major change in ISO regulations dates back to 2017. Here’s an overview of what that included and the major differences in comparison to the 2013 version.
There were actually only a few very minor changes between the two. One was simply a name change to reflect a regional update: ISO 27001 was adopted as a standard at the EU level in 2017, which led to the inclusion of the letters “EN” in “BS EN ISO/IEC 27001:2017.”
There were also two very minor changes to the wording of some of the controls in Annex A. The first concerns assets. In the 2013 version, organizations are called on to create an inventory of assets associated with information. In 2017, information itself is specifically named as an asset, so information must be explicitly inventoried.
The other change was purely presentational. In the 2013 version, the items that go on the Statement of Applicability are presented as a run-on list. In the 2017 version, they are presented as four bullet points. The four items themselves remained unchanged. They are:
- the necessary controls;
- the justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
In both cases, it appears that the changes were made specifically for emphasis. They did not introduce any new requirements or practices. Rather, they called for closer attention to requirements that already exist.
Adding Information to Your Asset Inventory
ISO 27001 treats information as an asset, and the updated language stresses the importance of safeguarding it.
It only makes sense to treat information as an asset and to safeguard it appropriately. The loss of sensitive data can be even more devastating to your business than the loss of physical assets. Data loss can lead to huge financial losses, liability and even irreparable harm to your reputation. During inventory, it is vital to assess how important a piece of information is, what risks are associated with it and who is responsible for safeguarding that asset.
The reason for this categorization is to properly assess your risk. After all, if you have not accurately assessed vulnerabilities relating to information assets, you are at risk of failing to properly safeguard that information. Taking on an asset inventory as part of your certification helps you ensure that you’ve covered every base.
Best Practices for ISO Statements of Applicability
Many consider the Statement of Applicability (SoA) the most onerous part of certification. However, this document is an important part of the assurance you give your auditors and other interested parties, and it conveys the depth and breadth of your information security management system (ISMS). It is also often used to identify controls that you need for other reasons, such as contractual obligations and legislation that applies to your firm.
By reformatting this part of ISO 27001 to emphasize the four elements of the requirement, the authors make it clearer what is required. While cataloging everything can be difficult, having everything neatly in place means an ISMS that is easier to implement and more likely to keep you in compliance.
Until the new version of ISO 27001 is released, your SoA must still refer to Annex A of ISO 27001:2013, and the controls in ISO 27002:2022 are an alternative control set that you must compare against the existing Annex A.
Guidance for ISO Certification & Risk Assessment – Without the Anxiety
Is ISO 27001 certification right for your organization? We can help you understand the benefits, as well as the requirements for certification. Get in touch with I.S. Partners, LLC for a consultation.