This year has seen the first significant update to ISO 27002 since 2013. These modifications are reflected in the Annex A security controls that organizations with ISO 27001 certification must address. ISO 27001 is a standard for ISMS (information security management systems) that establishes global best practices for creating and maintaining an effective ISMS. Put another way, it ensures that a business's data stays available and secure.
What Are the Changes in ISO 27001?
The latest ISO 27001 reduces the number of controls from 114 to 93. These controls are now arranged in four chapters instead of the former 14. ISO 27002:2022 groups them into the following four themes:
- Organizational controls (37 controls)
- Technological controls (34 controls)
- Physical controls (14 controls)
- People controls (8 controls)
In the updated version of ISO 27001, 35 controls were kept the same, 23 were given new names, and 57 were merged into 24. One control was split in two: the former Control 18.2.3 (Technical Compliance Review) is now covered by 8.8 (Technical Vulnerability Management) and 5.3.6 (Information Security Policy and Standard Compliance). The most recent version also adds eleven new controls to Annex A:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The standard now includes additional controls that raise the expected level of information security. Documented operational procedures are now required by the revised standard; before, only policies were required. Your information security management system's policies set its high-level objectives and guidelines, while procedures set out the operational steps you will take to accomplish those goals. Because of these new requirements, the documentation portion of certification will become a more involved and thorough process.
At this stage it may appear that the revisions have made Annex A more difficult. Still, these significant updates also give clearer guidelines and more detailed explanations than prior editions of the standard. The new ISO 27002 is a much larger document, but it provides more detail on the intricacies of each control.
The revised version also introduces a new system for organizing the controls. Five attributes are now used to classify each security control:
- Control type
- Cybersecurity concept
- Information security properties
- Operational capabilities
- Security domains
These attributes help organizations prioritize the controls appropriate for their environment. For instance, if confidentiality is your top information security concern, you can use the attributes to filter and rank the controls by that single information security property. In summary, the 2022 revisions expand the scope of ISO 27001 certification while simultaneously streamlining and organizing it.
What Impact Will the 2022 Changes Have On My Current ISO 27001 Certificate?
The new modifications do not affect your current ISO 27001 certification. To facilitate a smooth transition for organizations holding ISO 27001 certification, accreditation bodies will collaborate with certification bodies to provide a transition period. Depending on when your next audit is scheduled, you could put the modifications into effect as soon as January 2023. Do not hesitate to begin. Depending on the scope of your ISMS, you may need to put up to 11 new controls in place, and each must be implemented, backed by policies and procedures, and evaluated before your audit.
Because of the merging and renumbering of the ISO 27002 security controls, even controls whose content has not changed will require organizational adjustments. You will need to rename your current documents and draft a new statement of applicability. In a nutshell, you cannot compromise on preparation time or resources, so it is best to get going right away. Obtaining a copy of the current specification is an excellent start. Review the updated guidelines and conduct a new risk analysis of your ISMS in light of the changes.
You are probably already accomplishing more than you give yourself credit for: these are, after all, generally accepted practices across the globe, and with a strong security culture you may already comply with the new requirements. But once more, don't take it for granted. You won't know how much effort is involved until you delve in, understand the new controls, and evaluate your present security posture. The audit due in 2023 is your deadline.