If you can remember the blissful world of iPhone 5s and Obama “shockingly” campaigning via Google+, you can remember the last time ISO27001 and ISO 27002 were updated. The world of tech and cloud services advanced leaps and bounds in the last decade, and it’s time for our security frameworks to catch up.
To refresh your memory, ISO 27001 and ISO 27002 are information security certifications for businesses storing or transmitting PII. These frameworks are usually required when doing business in or with other partners in the EU, UK, and Canada.
ISO 27001 is the framework companies are certified against, while ISO 27002 is a reference standard to guide control selection, implementation, and management. Most of the updates to the framework lie in ISO 27002, as well as ISO 27001’s Annex A that references/summarizes ISO 27002.
For more information on how ISO 27001 works, you can check out our blog series.
Laika’s Head of Customer Solutions and CISO, Yossi Barkalifa, provided high-level details on the changes below.
When will the 2022 versions of ISO 27001 and ISO 27002 be required?
All expectations are that the new edition will be available in February 2022. It’s not clear when ISO 27001:2022 will be formally available, but it’s likely to be very soon after ISO 27002:2022 is released.
Notable changes to ISO 27002:22
The new version rationalizes the 114 controls formerly categorized by “domains” down to 93 controls grouped into 4 simple themes:
- Organizational controls (37 controls)
- Technological controls (34 controls)
- Physical controls (14 controls)
- People controls (8 controls)
This 2022 update includes wholly new control areas that will need to be implemented for certification.
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Notable changes to ISO 27001:22
The changes to ISO 27001 relate to Annex A, which is pulled from the changes above to ISO 27002. These include:
Refinements and clarifications.
- For example, “mobile devices” are now “user endpoint devices,” and “password management” is now “identity and authentication management.”
Data itself must be considered an asset.
- This will require you to create a data inventory to relate controls to different data types. This substantial new requirement aligns ISO 27001 with GDPR and other privacy regulations that mandate data mapping exercises.
Controls have five types of ‘attributes’ for easier categorization
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
What does this mean for organizations that are already certified to ISO 27001:2013?
There is usually a two-year transition period for certified organizations to revise their management system to conform to a new version of a standard. Companies will have a fair amount of work between the next certification or surveillance audit and the following audit cycle since the magnitude of these changes will proliferate through your ISO 27001 ISMS.
What to plan for your next ISO 27001 audit
- Gap-assess your current controls against the new control set
- Update your risk assessment in line with updated controls
- Revise Statement of Applicability based on the new risk assessment and controls
- Update security metrics per the new risk assessment and controls
- Carefully review and update all standards, policies, and procedures as needed per changes in the environment
- Evaluate and possibly adapt third-party security tools (e.g., your SIEM or GRC platform) to ensure the artifacts used to demonstrate compliance support the new requirements
- Update ISMS Internal Audit Program to reflect the changes to your ISMS
As always, please reach out to our team of experts with any questions or concerns.