If you blinked, you might have missed it…
On October 25th 2022, the new version of ISO27001, the standard for Information Security Management Systems, was released. Without fuss, and without fanfare.
But, to quote a famous movie, “There was a great disturbance in the force.”
ISO27001 is possibly one of the world's best-known standards for Information Security Management because it has broken out of the realms of the cybersecurity industry and into the world of business.
Ask the average business owner if they've heard of Cyber Essentials, or PCI DSS, and you may get a few nodding heads, but ask if they've come across NIST, SANS, or CIS Controls, and they will most likely think you're speaking another language.
ISO standards have been around for many years, and most organisations will have implemented, or be aware of ISO9001 (Quality), ISO14001 (Environment) or ISO45000 (Health and Safety), so it's no real surprise that the business community at large has heard of an ISO standard that focuses on security.
But this doesn't mean that it is widely understood or adopted.
ISO27001 – Time for a change
The standard has needed some changes for some time, as it hasn't had a significant update since 2013. There were some minor amendments in 2017, but largely these were structural or grammatical updates.
In 2022, things have changed dramatically, but also in very subtle ways.
For example, notice the title of ISO27001 as it currently stands:
Information Technology – Security Techniques – Information Security Management Systems – Requirements
Now compare this to the new ISO27001:2022:
Information security, cybersecurity and privacy protection – Information Security Management Systems – Requirements
The new title makes the point that ISO27001 is about three things: information security, cybersecurity, AND privacy. It has long been debated whether cybersecurity is a subset of information security, or the same thing. Well, ISO27001 is very clearly making the point in the title that we need to be concerned about three aspects of security.
I find these subtle changes most exciting, but not all changes are so difficult to spot. For example, changes include:
- The new requirement for Planning of Changes (to the ISMS) (6.3)
- 114 Controls in Annex A have been reduced to 93
- 14 Control areas have been reduced to 4 (Organisational, People, Physical, Technical)
- 58 Updated Annex A controls
- 24 Merged Annex A controls
- 11 New Annex A Controls
- New “Attributes” in the Annex A Controls
With the exception of one key item, the actual body of the ISMS hasn't changed that much. But even this change is quite significant. The change here is the inclusion of 6.3, "Planning of changes", where the requirement is "When the organisation determines the need for changes to the information security management system, the changes shall be carried out in a planned manner."
This is a clear indication that if you're planning changes to the ISMS, you need to demonstrate that these changes are structured and planned, and you can provide evidence of this. This might be having a schedule showing where changes to the ISMS are pre-planned, or that changes are subject to your internal change management processes, perhaps with an audit committee or change advisory board overseeing such changes.
The most substantial changes are in the Annex A Controls. This is where the fun begins.
Annex A – “Attributes”
This entire blog could be dedicated to discussing the 58 updated controls or how and why the 24 controls were merged. Of course we could also focus on the 11 new controls, but for now, we should focus on the new “attributes” section.
What I believe is most exciting and interesting about the changes to the new standard and the new controls is the inclusion of “Attributes”. In ISO27002:2022, which offers guidance on the implementation of ISO27001, it states that:
"The organisation can use attributes to create different views which are different categorisations of controls as seen from a different perspective to the themes. Attributes can be used to filter, sort or present controls in different views for different audiences." (ISO27002:2022 – 4.2 Themes and Attributes)
There are five attributes with appropriate and corresponding attribute values, where all the values are preceded by a “#” to make them searchable. These five attributes are:
- Control Type
- Information Security Properties
- Cybersecurity Concepts
- Operational Capabilities
- Security Domains
For example, under Annex A, 5.1, Policies for Information Security, the attribute values to this control are:
- Control Type - #Preventative
- Information Security Properties – #Confidentiality, #Integrity, #Availability
- Cybersecurity Concepts - #Identify
- Operational Capabilities - #Governance
- Security Domains - #Governance and Ecosystem, #Resilience
Using attributes allows you to selectively use the Annex A controls depending on the audience and the need: you can view your controls based on the security properties an auditor might be interested in, or, from a business perspective, in terms of operational capabilities.
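To make the "filter, sort or present" idea concrete, here is a small added example (not code from the post or from ISO) that models controls as records tagged with the five attributes, checks that every value carries the "#" prefix, and builds the kind of views described above. The attribute values for Annex A 5.1 are the ones quoted in the post; the EX-1 and EX-2 records and their titles are constructed for illustration and are not real Annex A controls.

```python
from collections import defaultdict
from dataclasses import dataclass

# The five attribute names defined in ISO27002:2022, as listed in the post.
ATTRIBUTE_NAMES = (
    "Control Type",
    "Information Security Properties",
    "Cybersecurity Concepts",
    "Operational Capabilities",
    "Security Domains",
)


@dataclass(frozen=True)
class Control:
    ref: str
    title: str
    attributes: dict  # attribute name -> frozenset of "#Value" tags


def make(ref, title, ctype, props, concepts, caps, domains):
    """Build a Control from one value list per attribute, in the order above."""
    values = (ctype, props, concepts, caps, domains)
    return Control(ref, title, {n: frozenset(v) for n, v in zip(ATTRIBUTE_NAMES, values)})


def validate_control(control):
    """Return a list of problems: missing/unknown attributes or values without '#'."""
    problems = []
    for name in ATTRIBUTE_NAMES:
        if not control.attributes.get(name):
            problems.append(f"{control.ref}: missing attribute '{name}'")
    for name, tags in control.attributes.items():
        if name not in ATTRIBUTE_NAMES:
            problems.append(f"{control.ref}: unknown attribute '{name}'")
        for tag in tags:
            if not tag.startswith("#"):
                problems.append(f"{control.ref}: value '{tag}' in '{name}' lacks '#' prefix")
    return problems


def select(controls, attribute, value):
    """Refs of controls carrying `value` under `attribute`, in input order."""
    return [c.ref for c in controls if value in c.attributes.get(attribute, ())]


def view_by(controls, attribute):
    """One view of the control set: each tag value of `attribute` -> sorted refs."""
    view = defaultdict(list)
    for c in controls:
        for tag in c.attributes.get(attribute, ()):
            view[tag].append(c.ref)
    return {tag: sorted(refs) for tag, refs in sorted(view.items())}


# Annex A 5.1 uses the attribute values quoted in the post. EX-1 and EX-2 are
# constructed illustrations (hypothetical refs and titles), not real Annex A entries.
CONTROLS = [
    make("5.1", "Policies for information security",
         ["#Preventative"], ["#Confidentiality", "#Integrity", "#Availability"],
         ["#Identify"], ["#Governance"], ["#Governance and Ecosystem", "#Resilience"]),
    make("EX-1", "Constructed example: log review",
         ["#Detective"], ["#Integrity"], ["#Detect"], ["#Governance"], ["#Resilience"]),
    make("EX-2", "Constructed example: backup restore test",
         ["#Corrective"], ["#Availability"], ["#Recover"], ["#Governance"], ["#Resilience"]),
]

# A deliberately malformed record (constructed) to show what validation catches.
BAD = Control("EX-BAD", "Constructed: malformed record",
              {"Control Type": frozenset({"Preventative"})})


if __name__ == "__main__":
    for name in ATTRIBUTE_NAMES:
        print(f"== View by {name} ==")
        for tag, refs in view_by(CONTROLS, name).items():
            print(f"  {tag}: {', '.join(refs)}")
    print("Availability controls:", select(CONTROLS, "Information Security Properties", "#Availability"))
    print("Problems in BAD:", validate_control(BAD))
```

Run it as a script and it prints one view per attribute plus the problems found in the malformed record; the same `select` call is what an auditor-facing "show me every control that protects availability" view reduces to.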
This blog could easily have listed all the attribute values and would have appealed to only a select audience. The intention was to whet your appetite for delving deeper into the ISO27001 standard and carefully pick through some of the subtle and not-so-subtle changes that have taken place.
The attributes and attribute values allow you to cross-reference the Annex A controls to other control frameworks, like NIST, as easily as they can be referenced in business operations.
The changes in ISO27001 are nothing short of brilliant. But I believe it will take some organisations and consultants a little time and practice to appreciate the impact these changes can have, and the benefits they bring.
Luckily, organisations have a little time to become acquainted with the changes, as the current standard won't be withdrawn until 2025. But we all know how time flies. So my advice is, start reading and understanding now. 2025 will be with us before you know it, and auditors are already asking what plans are being made to move to the new standard.
Don't delay. Start today!
About the Author:
Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.