3 Ways to Stay Ahead of the Impending ISO 27001 Changes
ISO 27001 is a globally recognized information security standard designed to provide organizations a blueprint for best practices to protect their critical data and comply with data protection laws and regulations.
The original framework for the standard was first published by the BSI Group in 1995 (BS 7799) and was written by the UK government’s Department of Trade and Industry (DTI). Consisting of three parts developed between 1995 and 2005, each element of BS 7799 was eventually incorporated into the standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005.
ISO 27001:2005 detailed requirements for establishing, maintaining and improving an information security management system (ISMS) with the aim of offering organizations a clear path to better securing the informational assets they hold. Organizations that meet the requirements can choose to be certified by an accredited certification body following the successful completion of an audit.
Obtaining ISO 27001 certification offers organizations proof that they adhere to best practices when it comes to safeguarding data and information. The framework has only been substantially altered once since its inception; that update occurred nearly a decade ago, in 2013.
Long overdue for an update, the standard is now facing major revisions. What do the proposed ISO 27001 changes mean, and how do they affect your pursuit of certification? To make sense of these updates, you first need to understand the current cyber crime landscape.
A New Standard for Today’s Cyber Threat Landscape
The IT security environment has developed rapidly since that last round of changes, with the advent and embrace of the cloud and the digital supply chains being built to meet demand across virtually every industry. Cyber crime has evolved significantly alongside this technology as well. For example, the FBI reports nearly $7 billion was lost to internet-enabled crimes in 2021 alone. Most businesses, no matter their size, are susceptible to social engineering attacks that act as a gateway to ransomware threats and business email compromise (BEC).
2022 is shaping up to be a huge year for regulatory changes to major security standards as seemingly everyone is adjusting to the challenges of the current landscape.
- The PCI (payment card industry) Security Standards Council issued a new version of its standards in March.
- The SEC has proposed new requirements for cybersecurity disclosures as well.
- The Cybersecurity Maturity Model Certification (CMMC) program, used to govern cybersecurity standards for defense industrial base contractors and subcontractors, is undergoing more changes.
- The newest version of HITRUST CSF (9.6), which focuses on organizations in the healthcare sector that manage data and information risk, was released in February.
Businesses of every size and in every sector need guidance to navigate this sea-change of regulatory and compliance information.
ISO 27001 Changes Alter Entire View and Scope of Standards
The update to ISO/IEC 27001 doesn’t simply add new steps, protocols or iterations to the previous standard; it completely reworks how the entire framework is organized and discussed.
Key components of ISO 27001:2013 — clauses 4 to 10 — are not facing an overhaul. However, the security controls detailed in ISO 27002:2013 Annex A are being updated. The Annex A controls account for a large share of the technical work behind an ISO 27001 implementation, so even though only Annex A has changed, the update will affect your entire management system.
What is Changing?
1) ISO 27001:2022 overhauls Annex A and how the controls are organized and labeled. The previous version (ISO 27001:2013) contained 114 individual controls placed in one of 14 control groups.
With the update, ISO 27001:2022 Annex A contains 93 controls in total, each grouped into one of just four categories:
- Organizational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)
2) While ISO 27001:2022 contains fewer total controls (across fewer categories), much of the decrease comes from redundant controls that have been merged with others. The updated version actually adds 11 new controls to Annex A, most of which address current cybersecurity priorities such as threat recognition:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
3) Lastly, ISO 27001:2022 adds five ‘attribute’ tags that are used to further sort, sift and categorize the 93 controls in Annex A.
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management)
- Security domains (governance and ecosystem, protection, defense, resilience)
What Does It Mean for My Business?
The transition period for these changes has not been published yet, but it typically spans two years from the date of the official ISO 27001:2022 release. Every ISO 27001-certified business will nevertheless face some level of extra work to comply with the updates, and they should be proactive in their approach.
Since the ISO 27001 security controls have been merged and renumbered, even the controls that haven’t technically changed will require some organizational updates. You will need to relabel your existing documents and create an updated statement of applicability to reflect the changes.
The best course of action is to start now — don’t underestimate the time and resources needed to prepare. Until businesses dive in, learn the new controls and assess their current security posture, it will be hard to forecast how involved their individual transitions to the new standard will be.
The length of the transition window does offer some flexibility. For instance, if your organization was already plotting out a certification process for 2023 under ISO 27001:2013, then it makes sense to embrace the new standard immediately rather than spend resources pursuing a certification that will soon be outdated. If you’ve recently become certified, and are thus early in your three-year ISO audit cycle, you’ll have even more time to get in front of the changes.
When it comes to evaluating your security posture and learning the new controls, working with the right third-party managed security services provider (MSSP) — one well-versed in cybersecurity and compliance requirements — can help you decipher the changes and how you can approach your next certification.
With the right help, any business can apply ISO 27001 to keep their information protected and build trust with customers.
Inversion6 Takes You Through the Process
For more than 30 years we’ve helped our customers keep their data safe, secure and compliant. This experience isn’t just deep, it’s also broad. We bring many different perspectives to the table and our personnel know what it takes to adhere to regulatory compliance standards — and more importantly how to prove compliance through the auditing process.
It’s not too early to begin preparing for the upcoming ISO 27001 changes. Addressing those changes now will also help set a firm foundation for the other changes on the way (with PCI, the SEC, CMMC and more), improve your overall security posture, help you comply with data protection laws, maintain a competitive edge and more.