ISO27001 and ISO27002


What you need to know about the changes to ISO 27001

September 2022 - Nazia Mastali, GRC Practice Lead, CSO Group

If you’re not familiar with it, ISO 27001 is an internationally recognised certification standard supported by a code of practice, ISO 27002. This globally recognised Information Security Management Standard is made up of a combination of policies and processes that organisations of any size or any industry can implement to protect their information in a systematic and cost-effective way. The certification is accepted across 168 countries and, while not mandatory, it is highly regarded as an international standard that describes best practices for information security management.

ISO 27001 and ISO 27002 were last updated in 2013; however, a new iteration of ISO 27002 was published earlier this year, in February 2022, and a revised version is likely to be published in a month.

Since the February release, we’ve received many questions about the changes and wanted to address the most common of those here:

What are the differences between ISO 27001 and ISO 27002?

Before we go into what has changed, it is important to note the key differences between ISO 27001 and ISO 27002. Both are part of the same standard; however, ISO 27001 is the main standard against which you can earn certification for your business, whereas ISO 27002 exists to provide guidance and help with implementing best security practices for the ISO 27001 certification.

When are these changes going to take place?

ISO 27002:22 was released on February 15, 2022, replacing ISO 27002:15; however, the updates to ISO 27001 and Annex A are expected to be released in October 2022. These updates are expected to be consistent with the changes to ISO 27002.

What changes were implemented in February 2022?

The 2022 updates included a reduction in security controls from 114 to 93, which are now placed in four sections instead of the previous 14. While none of the previous controls were deleted, the reduction is due to many controls being merged. There are also 11 brand new controls including:

  1. Threat intelligence
  2. Information security for cloud services
  3. Business continuity
  4. Physical security monitoring
  5. Configuration management
  6. Information deletion
  7. Data masking
  8. Data leakage prevention
  9. Monitoring activities
  10. Web filtering
  11. Secure coding

The four sections that replace the previous 14 are: People, Organisational, Technological and Physical.

Further, ISO 27002:2022 adds the following five attributes to each control to make them easier to categorise:

  1. Control type [Preventive, Detective, Corrective]
  2. Information security property [Confidentiality, Integrity, Availability]
  3. Cybersecurity concepts [Identify, Protect, Detect, Respond, Recover]
  4. Operational capabilities [Application security, Asset management, Continuity, Data protection, Governance, Human resource security, Identity and access management, Information security event management, Legal and compliance, Physical security, Secure configuration, Security assurance, Supplier relationships security, System and network security, Threat and vulnerability management]
  5. Security domains [Governance and Ecosystem, Protection, Defence, Resilience]

We want to start implementing ISO 27001. Do we wait or should we start now?

If your existing or potential client expects you to get certified, you should start as soon as possible; if your project can wait a few months then we’d recommend waiting for the updated standard.

In other words, this decision has nothing to do with the standards; it depends on how quickly you need the ISO 27001 certificate. If you are required to start with ISO 27001 ahead of the late 2022 updates, you should start with the existing (27001:13) controls.

We have already implemented ISO 27001. What do we need to change?

The changes in the standards are mostly about reorganising controls, so no changes in technology will be needed, only changes in the documentation. Since the changes are only moderate, it is recommended not to add new documents or delete any of the existing documents.

The best way to comply with these changes is:

  1. To update your risk treatment process with new controls

  2. To update your Statement of Applicability

  3. To adopt certain sections in your existing policies and procedures.

Does the certification body need to check changes in the documentation?

If your company is certified, then yes, the certification body will need to check if you have adapted your documentation within the transition period. There will be no need to schedule any new audits since they will do this during the regular surveillance audits.


  • The main part of ISO 27001 (clauses 4 to 10) is not changing.
  • Only the security controls listed in ISO 27001 Annex A will be updated – changes expected in October 2022.
  • The number of controls has decreased from 114 to 93.
  • Controls are placed in four sections (organisation, people, physical, technological) instead of the previous 14.
  • There are 11 new controls, while none of the controls was deleted, and many controls were merged.

Thinking about getting certified in ISO 27001 but don't know where to start? Visit our governance and compliance page to find out more about how we can help your organisation take the right steps toward achieving ISO 27001 certification or to simply improve GRC within your business.


At CSO Group we work with businesses of all sizes to help advise and lead cyber security strategy, governance and compliance, keeping you on top of changes and requirements. For more information or if you want to speak with someone from the team, contact us directly.