It has been a long time coming! The upgrade to the international standard for information security management systems, ISO27001:2013, is here (almost).
If you're reading this article, then there's a reasonable assumption that you know what ISO27001 is and you're not going to be too worried about the back story. But let's all be clear on a couple of points.
The current version of the Information Security Management Standard is ISO27001:2013.
The last update to the standard was 2017 when (for some reason) a committee of information security specialists were required to change about three words and add a couple of 'full-stops' (!). Yes, I'm being flippant here! I'm sure it was just an oversight and not some cynical opportunity to get professionals (like me) very excited and to rush out and spend almost £200 for nothing more than a cosmetic change! (All I'm saying is that many of our hairstyles have seen more change in the last five years than this standard.)
So… here we are. 2022. The news that has been circulating around the hallowed halls of Information Security Central is that the NEW version of ISO27001 is almost with us!
It's a Date!
It is highly anticipated that ISO27002 will be with us in January 2022 and that ISO27001 will be with us in March 2022.
Why Is This Important?
ISO27002 is the guidance on implementing the controls (normally referred to as 'Annex A Controls'), and it therefore provides us with insight into the changes.
ISO27001 is the actual certification standard for an organization.
(If anyone says that they are "ISO27002 Certified," you have my permission to smile wryly and politely move away quickly.)
What Do We Know So Far?
Ok, so you have recently been certified to ISO27001:2013. Congratulations! But now you hear about this new standard. What do you do now?
First, don't panic. There WILL be a transition period to move to the new standard. Although the exact time–frame has yet to be established. Based on past experience, I would say you'll have at least 18 to 24 months to complete the transition.
However, this does not mean 'sit-and-do-nothing-until-the-two-years-are-up.' It means you should be looking at the new standard now and preparing for transition OVER the next couple of years.
You should be speaking to your Governance, Risk, & Compliance team or the person who manages your ISO standard(s) as well as putting a plan together now rather than waiting until you have it all to do in 2024. Why? Because when we look at ISO27002, we can see there are some notable changes, and therefore, the requirements for evidencing compliance are also going to be notably different.
What Are the Scores on the Doors?
Let's take a quick look at what we know so far. We know that ISO27001:2013 (Annex A) has 114 Controls over 14 separate areas. ISO27001:2021 (as I'm calling it) will have 93 Controls over four domains. These are as follows:
- Organizational Controls (37 Controls)
- People Controls (8 Controls)
- Physical Controls (14 Controls)
- Technological Controls (34 Controls)
A number of controls have clearly disappeared, but more importantly, we have 11 new controls that reflect the world in which we live (compared to 2013). These are as follows:
- Threat intelligence (5.7)
- Information security for the use of cloud services (5.23)
- ICT readiness for business continuity (5.30)
- Physical security monitoring (7.4)
- Configuration management (8.9)
- Information Deletion (8.10)
- Data Masking (8.11)
- Data leakage prevention (8.12)
- Monitoring Activities (8.16)
- Web Filtering (8.22)
- Secure Coding (8.28)
Another significant change is that each control has five attributes assigned to them. Along with attribute values.
The attributes provided have been selected because they are considered generic enough to be used by different types of organizations, and their attribute values are not dependent on the organization.
These are as follows:
- Control Type - Preventive, Detective, Corrective
- Security Properties – Confidentiality, Integrity, Availability
- Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
- Operational Capabilities – (See below)
- Security Domains - Governance and Ecosystem, Protection, Defense, Resilience
The Operational Capabilities section is meant to be an attribute to view controls from the practitioners’ perspective of security capabilities. Those include Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.
Conclusion: More Than Just a Name
It has taken some time, but a revision to the widely popular and effective standard, ISO27001, has had some considerable (and much needed) changes and upgrades.
There is one change, however, that might not instantly jump out at people but which fundamentally changes the standard's whole focus. This change is right there on the front cover of the standard(s).
ISO27002:2013 is called "Information technology — Security techniques — Code of practice for information security controls."
ISO27002:2021 is "Information security, cybersecurity and privacy protection — Information security controls."
Firstly, the term 'Information technology' has been replaced with 'Information Security' and then expanded to encompass cybersecurity and privacy protection. Very pointedly, the guidance highlights that the focus is not specific to technology (Spoiler; It never was.) but rather the protection of privacy AND cybersecurity.
Also, the phrase "Code of Practice" has been dropped to better reflect its purpose of being a reference set of information security controls. However, this is not a change of purpose, as the intention of ISO27002 has always been to help organizations ensure that no necessary control has been overlooked.
I believe we finally have a standard that we have needed for some time. It now incorporates information security, cybersecurity, AND privacy into the same set of controls. This is not revolutionary but simply an evolutionary change that we have been waiting for.
Personally, I can't wait for this change to come in. It's going to be very exciting to see how (and which) organizations will embrace the new standard first.
But I'm not just excited as an ISO27001 consultant. I'm excited because I am hopeful that it will usher in a renewed interest in a highly valuable and incredibly efficient security management system (when done well). Exciting times lie ahead.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.