The threat of cybercrime to businesses cannot be overstated; cybercrime in the past...
The information security management standard ISO 27001 and its code of practice ISO 27002 were last updated in 2013, almost a decade ago. A new edition of ISO 27002 was published in February 2022, and a revised ISO 27001 is expected to follow in October 2022.
Wondering what the changes are? This article aims to give you what you need to prepare for the ISO 27001 revision due later this year and for the ISO 27002 changes that are already in force.
Here are the ten most common questions about the updates to ISO 27001 and ISO 27002, answered:
Q1. What are the ISO 27001 and 27002 standards?
ISO 27001 is a globally recognised standard for information security. It gives your business a risk-based approach to information security that is internationally accepted as best practice.
It achieves this primarily through an Information Security Management System (ISMS). An ISMS helps a business identify, assess, treat and manage the risks involved in handling corporate information and assets. ISO 27002 is a set of guidelines for the controls that support an ISMS, designed to help you select and implement them.
Achieving ISO 27001 certification demonstrates to your customers and partners that your business is committed to an international standard of information security. Certification strengthens your credibility and reputation with customers and is a significant differentiator against competitors.
Q2. What is the difference between ISO 27001 and 27002?
The key difference is that your business can be certified against ISO 27001 but not against ISO 27002. ISO 27001 is the requirements standard, whereas ISO 27002 is a supporting standard that provides implementation guidance for the controls you select on the way to ISO 27001 certification. Both belong to the same ISO 27000 family of standards.
Q3. What will change in ISO 27001:2022 later this year?
The main body of ISO 27001, clauses 4 to 10, remains largely the same; only minor changes have been signalled. These clauses continue to cover scope, context and interested parties, the information security policy, risk management, resources, training and awareness, communication, document control, monitoring and measurement, internal audit, management review, and corrective action.
However, the security controls listed in ISO 27001:2013 Annex A (drawn from ISO 27002:2013) are being updated to match ISO 27002:2022, with the aim of making implementation easier. The number of controls has decreased from 114 to 93, and they are now grouped into 4 themes instead of the previous 14 clauses. There are 11 new controls, none of the existing controls were deleted, and many were merged.
Q4. What was changed in the newly published ISO 27002:2022?
The new standard is significantly longer than the previous version, and the controls themselves have been reordered and updated. Some controls have been merged and some have been added:
- ISO 27002:2022 lists 93 controls rather than ISO 27002:2013’s 114.
- These controls are grouped into 4 ‘themes’ rather than 14 clauses. They are:
- People (8 controls)
- Organisational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
The completely new controls are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Each control is also tagged with five attributes, which you can use to filter, sort and group controls when building your SOA or mapping to other frameworks:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)
Q5. When are these changes going to be released?
ISO 27002:2022 was published on 15 February 2022. The revised ISO 27001 is expected in October 2022, although no definite date has been announced.
Q6. Our company is interested in implementing ISO 27001, should we wait for the new updates later this year?
It depends entirely on how urgently you need to be certified. If, for example, an existing or potential client is waiting for you to be certified before engaging with you, you are better off starting your ISO 27001 implementation now. You will still have to align with the ISO 27001:2013 clauses, which means your SOA (Statement of Applicability) must continue to refer to the ISO 27002:2013 Annex A controls. The option we are providing our customers is to map the new controls to the old Annex A controls. If certification is not urgent for your company, we suggest you start complying with the standard by implementing the controls where your business has gaps, and commence the certification process once ISO 27001:2022 is published.
Q7. We have decided to start our ISO 27001 implementation now, what controls should we choose to implement, given the future changes?
Because ISO 27001:2022 has not yet been published, your company should begin by implementing the existing clauses and controls as described in ISO 27001:2013. Since the changes due later this year are moderate, the effort needed to transition to the new standard will be minimal.
Q8. We are ISO 27001:2013 certified and have implemented the standard in our business, what changes can we expect to make once ISO 27001:2022 is published?
As outlined above, the changes from ISO 27001:2013 are moderate and mainly concern how the controls are organised. They therefore affect your documentation only slightly and do not change the technology you have implemented.
When ISO 27001:2022 is published, we expect the documentation changes to be:
- Aligning your risk treatment process with the new controls
- Updating your Statement of Applicability to reference the 93 controls of the new Annex A, including an applicability decision and justification for each of the 11 new controls
- Adapting certain sections of your existing policies and procedures
Q9. Once the new changes are published as part of ISO 27001:2022, how quickly do we have to transition to it from the 2013 edition?
There is usually a two-year transition period for certified organisations to bring their management system into conformity with a new version of a standard, so there will be ample time to make the necessary changes.
Q10. Will the certification body check the changes in the documentation?
Yes. If your company is certified, the certifying auditor will check that you have updated your documentation within the transition period; this will take place during your regular surveillance audits.
Finally, how can StickmanCyber help with your transition to ISO 27001:2022?
Whether you are looking to achieve ISO 27001:2013 certification or need help transitioning to the soon-to-be-published ISO 27001:2022, StickmanCyber is here to help. We are an ISO 27001 certified company and our consultants are certified ISO 27001 Lead Auditors and Lead Implementers.