To ensure that ISO Standards continue to meet modern business practices and needs, they are regularly reviewed and updated by the International Organization for Standardization (ISO). ISO 27001 and ISO 27002 haven’t been updated since 2013, which means it is now their turn for a review and update.
Information security and business practices have changed rapidly since these Standards were last reviewed, and those changes have helped to shape the new updates.
It is anticipated that the updated version of ISO 27002 will be published sometime in January, whereas the new version of ISO 27001 is expected in springtime.
So that you know what to expect, here’s a summary of the predicted changes as well as some guidance on next steps.
What is changing in ISO 27002?
ISO 27002 is the code of practice for information security controls and helps to provide more detail and guidance for the controls laid out in Annex A of ISO 27001.
In this latest version, both the controls and their classifications will change.
Currently, there are 114 controls, but in the new update this will reduce to 93.
These will be categorised by the following four themes:
- Organisational controls
- Organisation of information security controls (people controls)
- Physical controls
- Technological controls
The reduction to 93 controls is partly due to the consolidation of some of the controls, which have therefore been removed from the list.
The following have now been absorbed into other security controls:
- 1.2 Review of the policies for information security
- 2.1 Mobile device policy
- 1.2 Ownership of assets
- 2.3 Handling of assets
- 4.3 Password management system
- 1.6 Delivery and loading areas
- 2.5 Removal of assets
- 2.8 Unattended user equipment
- 4.2 Protection of log information
- 6.2 Restrictions on software installation
- 2.3 Electronic messaging
- 1.2 Securing application services on public networks
- 1.3 Protecting application services transactions
- 2.9 System acceptance testing
- 1.3 Reporting information security weakness
- 2.3 Technical compliance review
Controls that previously overlapped or covered closely related topics have also been merged into a single control to remove unnecessary complexity.
For instance, the policy on the use of cryptographic controls, key management, regulation of cryptographic controls, information transfer policies and procedures, and agreements on information transfer now form just one control: 8.2.4 Use of cryptography.
ISO has also introduced 12 new controls to keep pace with the latest information security developments. These new controls are listed below:
- 7 Threat intelligence
- 16 Identity management
- 2.3 Information security for the use of cloud services
- 30 ICT readiness for business continuity
- 4 Physical security monitoring
- 1 User endpoint devices
- 9 Configuration management
- 10 Information deletion
- 11 Data masking
- 12 Data leakage prevention
- 22 Web filtering
- 28 Secure coding
A final point of difference is the introduction of five hashtags, or ‘attributes’, that can be attached to each control:
- Control type (e.g. detective, preventative, corrective)
- Cybersecurity concept (e.g. identify, protect, respond, recover)
- Information security properties (e.g. confidentiality, integrity, availability)
- Operational capabilities (e.g. governance, asset management)
- Security domains (e.g. protection, defence, resilience)
What is changing in ISO 27001?
As a Standard that already conforms to the Annex SL high-level structure, the requirements of ISO 27001 remain the same in this update. The changes occur in Annex A, the Statement of Applicability, which lists the controls that need to be applied where relevant to the business.
This will bring it in line with the changes outlined in ISO 27002.
What are the benefits of the update?
There have been significant changes made to the types of controls that will be featured in Annex A of ISO 27001, but there are plenty of benefits to conforming to this new version.
Firstly, and most importantly, the new controls align much better with the risks that businesses are currently facing. When implemented correctly, this means that the controls will work much harder for businesses, helping to keep their information as safe as possible.
The introduction of the five attributes, including the ‘cybersecurity concept’, also means that there is alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which will be helpful to many organisations. These attributes can also make it easier to organise and navigate security documentation.
What does this mean for my ISO 27001 certification?
When ISO updates a Standard, it allows a transition period for organisations to make the switch. For companies with ISO 27001 certification, this transition period is expected to be 12 to 24 months.
This gives you plenty of time to make the necessary changes, but once you do, you can demonstrate to your customers and stakeholders that your business’ processes conform to the latest best practices when it comes to information security. For this reason, it is best not to wait until the last minute to make the switch. If you are a customer of QMS, we’ll also help you to make this transition, re-writing your management system as necessary and guiding you through the process step-by-step.
If you were looking to implement ISO 27001 now, there is absolutely nothing wrong with working towards ISO 27001:2013. By getting an information security management system set up now, you can put key controls in place to give your business the security it needs to protect its information. Delaying until the new version is published could potentially open up your business to security risks.