If you’re not aware already, then be prepared for change, because a new version of ISO27001 was published in October 2022!
It’s all very exciting! The last change to the standard was in 2017. The changes made back then were fundamentally cosmetic, with a few minor tweaks to wording. The changes barely caused a ripple and, even today, organisations are still certified to ISO27001:2013, meaning that no fundamental changes to the standard have taken place for around ten years.
A Decade of Change
They say a week is a long time in politics, but a week can be a lifetime in tech. In the last ten years, we have seen incredible changes to the technology we use and the data we curate.
The use of social media has exploded. For example, Instagram was created in 2010, and TikTok in 2016. Social media has moved from cataloguing past events, to detailing everything we do in the moment. The use of this technology by children has continued to rise, and according to research, many people spend an average of two hours a day on social media.
This has led us into a world where “Big Data” means “Big Money,” and the use of AI and machine learning to understand our behaviours and spending patterns has become an industry in and of itself. The risks associated with this were highlighted in 2018, when it was revealed that Facebook and Cambridge Analytica were implicated in a massive data breach.
Of course, the speed at which we move data has also increased as we progressed from 3G to 4G, and now 5G, making us demand more of our networks and tolerate less latency (which encryption and security can sometimes cause).
The adoption of cloud technologies has been increasing over the decade, with organisations now adopting private, public, and hybrid cloud configurations. This has led to some confusion about who is responsible for the security of data, with many believing that cloud security is solely the cloud provider's responsibility. Just to be clear – you cannot outsource risk, or accountability.
Finally, we cannot forget that the GDPR and the UK Data Protection Act were not even a consideration when ISO27001:2013 came into being. Therefore, consideration for Personally Identifiable Information (PII) is just one of the 114 controls contained in the old standard.
It’s time for a change
Clearly we have needed this change for some time, and the time is almost upon us when the new standard arrives. But what are these changes and how can they impact you?
It’s important to state from the outset that we shouldn’t expect dramatic changes to the main body of the Information Security Management System (ISMS). The clauses are unchanged and remain as follows:
- Context of the organisation
- Performance evaluation
There are some changes to the Risk Management requirements, but these are clarifications of the requirements rather than fundamental changes.
I believe this demonstrates that using ISO27001 to implement a security compliance program is still effective and as relevant today as it was ten years ago.
So what has changed?
The key changes to ISO27001 can be found in the Annex A controls, and, as ISO27002:2022 was released in February 2022, we already know what this looks like.
- The current 114 controls will be reduced to 93.
- 58 controls are updated.
- 24 controls are merged.
- 11 new controls are in place.
Reading through ISO27002:2022 you can see that a lot of hard work has gone into rationalising the clauses, which is why there have been so many updates and merging of clauses.
But it is the 11 new controls that are potentially the most exciting changes of all. These are:
- Threat intelligence.
- ICT readiness for business continuity.
- Information security for use of cloud services.
- Physical security monitoring.
- Configuration management.
- Information deletion.
- Data masking.
- Data leakage prevention.
- Monitoring activities.
- Web filtering.
- Secure coding.
These changes have been needed for some time, and they recognise the importance of such things as threat intelligence, cloud security, and the GDPR and UK DPA.
So what now?
Here is what you should be doing now.
Firstly, don’t panic! If you are only just hearing this now, please be aware that you will have around 18 to 24 months to transition to the new standard.
But this should not stop you from looking at the new standard and the new controls. As stated above, ISO27002:2022 has been with us since February 2022.
I am already helping clients implement ISO27001 using the new Annex A controls – what would be the point in using the old 114 Annex A controls?! It can be done. I have done it, and they are effective.
Purchase the ISO27002:2022 standard, and conduct an audit against your current ISMS (and controls) to see where the gaps are. You will have at least 11 gaps to fill, so start by auditing your organisation against the requirements of these 11 new controls.
Speak to the Certification Body you are with to understand their transition plan. They will be training their auditors on the new standard, so ask them when you can expect to be audited against the new set of controls.
Remember, ISO27001 is about continual improvement, and this is a great way to demonstrate that your ISMS is improving. ISO27001 is essentially a road map to improved security, so you should see this as a new and improved navigation system that has identified new places to visit.
ISO27002:2022 is evolutionary, rather than revolutionary. This upgrade has been needed for some time, so it’s time to apply it to your organisation.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.