This article explains the changes to the information security management standard, to help organisations understand what these changes will mean for them, and how this may affect those organisations that are undertaking re-certifications or planning to certify against ISO security standards.
Information technology changes at an ever-increasing pace, so it is only appropriate that information security standards evolve too, not only to maintain their relevance but to provide ongoing guidance on security best practice. It is worth mentioning that the ISO 27001 and ISO 27002 standards were last updated in 2013, almost 10 years ago, so we are happy to see that the latest version, ISO/IEC 27002:2022, has now been published.
Just like the previous version, ISO 27002 is designed to be standalone, in that it can be used by organisations that are not interested in ISO 27001 and simply want a set of possible information security controls to use within their organisation.
What Exactly Has Changed?
In general, the changes are only moderate and were made primarily to simplify the implementation of the controls. The basic principle is the same: it is a list of possible information security controls, with guidance for each control on how to implement it.
The former ‘code of practice’ title has been renamed and simplified to ISO 27002:2022, which covers both security and privacy requirements.
There are now fewer controls: 93 in total, as opposed to the 114 controls in the previous Annex A and ISO 27002. The controls are categorised into 4 key domain areas:
- People (8 controls)
- Organisational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
New controls have been added to capture key security requirements, for example Threat Intelligence, Cloud Services, Configuration Management, Data Leakage Prevention, Business Continuity and more.
This new structure makes it easier to understand the applicability of the controls at a high level, as well as the designation of responsibilities. There are 11 new controls, none of the controls were deleted, and many controls were merged. The new version also includes a number of more “modern” controls, for example “cloud security”, “threat intelligence” and “web filtering”.
Elements of Each Control
The layout for each control contains the following elements:
- Control title: Short name of the control;
- Attribute table: A table showing the attributes for information security of a given control;
- Control: Definition of requirements for a given control;
- Purpose: The objective of the control and what it should achieve;
- Guidance: Considerations for implementing the control;
- Other information: Explanatory text or references to other related documents.
What Will ISO27002 Changes Mean for Organisations?
While most organisations worry about possible substantial changes that they will need to make to maintain their certification, it is worth remembering that ISO 27001 consists of two parts: the ISMS clauses, which are mandatory, and Annex A, which is not mandatory. It is also worth emphasising that the certification standard is ISO 27001, not ISO 27002, which is the implementation guidance for Annex A. While the changes to the standard relate to the updated controls in ISO 27002 and Annex A, ISO 27001 itself has not been changed or updated yet, and therefore there is no immediate impact on organisations that are already certified to ISO 27001.
Once an update is officially released for the ISO 27001 standard, organisations that have already been certified to ISO 27001:2013 will have a transition period to implement the required changes to their ISMS. Previously the transition period was two years, and the same time frame is expected to apply this time.
How Will This Impact Organisations Which Are Already ISO 27001:2013 Certified?
Once the ISO 27001 certification standard is officially updated, the impact of the updates to both ISO 27001 and ISO 27002 will very much depend on how the ISMS is implemented in each organisation. While we don’t yet know the exact changes to the ISO 27001 clauses, we can review the changes related to Annex A that will affect your organisation.
There will be two types of organisations: those who implemented ISO 27001 using the Annex A controls to mitigate the identified risks, and those who implemented ISO 27001 using a control set from a different standard, or developed their own controls and mapped them to Annex A.
If your organisation is the latter, the main effort will be to make sure that your Statement of Applicability (SOA) is updated with the new controls and that any existing controls are mapped in the SOA, justifying their inclusion or exclusion. Within the ISMS, the SOA is necessary to ensure that the suggested controls have not been deliberately omitted. However, it is worth noting that the information about control implementation is still for guidance purposes and is not a requirement. The new version of ISO 27002 provides a mapping between the new controls and the old controls in its Annex B, which helps you understand how to re-align your SOA.
If your organisation is the former, there will be more work to do to evaluate whether the new controls are relevant to the risks identified within your organisation and how they are implemented. Such organisations could benefit from establishing an ISMS transition roadmap or a similar plan, especially because the relevant activities may require an assessment of existing operations to identify any gaps, the implementation of new procedures, or the drafting of relevant documentation. It is suggested to plan ahead and to ensure that the new developments add value to achieving the organisation’s business objectives through the ISMS objectives.
How Will This Impact Organisations Implementing ISO 27001:2013?
It is expected that organisations working towards their ISO 27001 certification in the coming months will be required to implement the latest version of the standard and to undergo the standard certification process, which we have discussed in our earlier blog posts. This is also the suggested approach because implementing the old version of ISO 27001 will mean additional work later to apply the requirements of the new version within the transition period.
Those who have just started their ISMS journey will have to put in some work to decide whether they want to apply the new Annex A controls, develop their own controls to be mapped to the new Annex A, or use controls from a different standard and map those controls to Annex A. There are benefits to each choice, and the last two could be useful if an organisation must meet multiple compliance needs.
How Can Organisations Embed the New ISO 27002 Requirements When Transitioning From the Previous Version?
Every organisation will be different in the way it operates and approaches the ISMS implementation. However, the following steps should help when planning the transitional changes:
- Identify and assess the internal and external factors and changes relevant to your ISMS.
- Assess the business goals and identify if there are any new ISMS objectives to support the business goals.
- Perform a risk analysis and identify whether any additional controls are necessary to remediate the identified risks.
- Accordingly, review the relevant policies and procedures, including the SOA, and if required develop new ones.
- Communicate the changes across the business and raise awareness among stakeholders where appropriate.
- Perform internal audits to assess readiness for the transition.
How Can We Assist Your Organisation With the Changes?
Bridewell has a dedicated information security assurance practice that is experienced in cyber security, as well as in leading and implementing information security and assurance programmes, either for a specific project or across an entire group. We are able to support you during your ISMS transition and provide guidance where required.
We aim to support businesses with their governance, risk, compliance, and auditing needs. Bridewell can provide consultancy support, advice, and guidance in the following areas: