Changes to ISO 27001 are coming in 2022; arguably not a moment too soon. It has been a long time since the last update and the world has changed almost immeasurably since that time. The new version of the standard was introduced to the world on 16th February 2022.
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyses, and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO 27001 flexible risk-driven approach.
At present the Annex A within ISO 27001 has 114 controls which cover 14 separate domains:
| A.5 – Information and Security Policies | A.10 – Cryptography | A.15 – Supplier Relationships |
| A.6 – Organisation of Information Security | A.11 – Physical and Environmental Security | A.16 – Information Security Incident Management |
| A.7 – Human Resources Security | A.12 – Operations Security | A.17 – Information Security Aspects of Business Continuity Management |
| A.8 – Asset Management | A.13 – Communications Security | A.18 – Compliance |
| A.9 – Access Control | A.14 – Systems Acquisition, Development and Maintenance |
The proposed ISO27001:2022 will have 93 controls over four domains. This represents an approximate reduction in overall controls. The new domains are now labelled as follows:
| A.5 – Organizational Controls |
| A.6 – People Controls |
| A.7 – Physical Controls |
| A.8 – Technological Controls |
Controls have been removed entirely or subject to “merge” with other controls to give us the reduced number of 93. The table below shows both the new and deleted controls to give you an idea of how ISO has perceived best practice risk controls to look moving forward.
CHANGES TO ISO27002 – New and Removed Controls:
– New Controls
| 5.7 Threat Intelligence | 8.11 Data Masking |
| 5.23 Information Security for use of Cloud Services | 8.12 Data Leakage Prevention |
| 5.30 – ICT Readiness for BCP | 8.16 Monitoring Services |
| 7.4 Physical Security Monitoring | 8.22 Web Filtering |
| 8.9 Config Management | 8.28 Secure Coding |
| 8.10 Information Deletion |
– Removed Controls (2013 Annex A Reference)
| 8.2.3 Handling of Assets | 11.2.5 Removal of Assets |
| 16.1.3 Reporting Information Security Weaknesses |
Those of you familiar with the ISO27001:2013 standard will note that there are some similarities with existing controls in the new set provided. However, there are also some stand out controls which have not been referenced prior:
- Threat Intelligence: This is information an organization uses to understand the threats that have, will, or are presently targeting the organisation. This information will be assessed to identify and prevent threats from being realised.
- Data Masking: This is a critical concept to keep data safe from breaches. Any organisation that has data which constitutes PII or Sensitive will likely seek to mask this data. Privacy by design principle which is now included in the standard.
- Information Security for use of Cloud Services: Arguably one of the more obvious requirements for any new ISO27002 control measures would be the addressing of the almost universal use of Cloud Services. Organisations must be able to identify and control risks through this practice.
In addition to new and removed controls, there are several consolidated controls. The table below shows how this looks with the new control reference numbers on the left and the 2013 version on the right:
|
5.1 Policies for Information |
5.22 Monitoring Review and Change of Supplier Services (15.2) | 8.25 Secure Development Lifecycle (14.1.1, 14.2.1) |
|
5.9 Inventory of Information and other associated assets |
5.29 Information Security During Disruption (17.1) |
8.26 Application Security Requirements (14.1.2, 14.2.3) |
|
5.14 Information Transfer |
7.10 Storage Media (8.3) |
8.29 Security Testing in Development and Acceptance (14.2.8, 14.2.9) |
|
5.15 Access Control |
8.1 UED’s (6.2.1, 11.2.8) |
8.31 Separation of Dev, Test and Production Environments (12.1.4, 14.2.6) |
|
5.16 Identity Management |
8.8 Management of Technical Vulnerabilities (12.6.1, 18.2.3) |
8.32 Change Management (12.1.2, 14.2.2, 14.2.3, 14.2.4) |
|
5.17 Authentication Information |
8.15 Logging (12.4) |
|
| 5.18 Access Rights (9.2.2, 9.2.5, 9.2.6) |
8.24 Use of Cryptography (10.1, 18.1.5) |
|
This is largely self-explanatory and shows consistency with modern working practices such as organisations having a virtual structure and the rise in working from home.
Another key feature of the proposed change is the introduction of hashtags. These will sit next to the controls and each will be tagged in five distinct areas, as shown in the example table below:
| Control Type | Information Security Properties | Cyber Security Concepts | Operational Capabilities | Security Domain |
| #Preventative | #Confidentiality #Integrity #Availability |
#Protect | #System Security | #Protection |
This extra step has been taken to demonstrate that the organisation can show an understanding of what function the control performs in the different aspects of security within the ISMS.
So what next?
We’re busy monitoring the ISO airwaves to understand when ISO27001:2022 will be finalised. This is expected in mid-to-late-2022. Following this, there will be a period of transition for everyone involved. For those organisations – including Risk Evolves, who hold the existing certification, they will need to transition from the old to the new standard, typically within 3 years of the new standard being announced. If you are a Risk Evolves client, we will work with you on every step of this journey.
If you would like to know more, then please continue to read our newsletters and follow us on social media. As part of our quarterly webinar series, we will hold webinars on Thursday 23rd June, where Helen will be joined by the newest member of the Risk Evolves family, Barri Graham.
