As anyone who has worked with ISO standards knows, they can be a great tool in the right hands, and ISO 27001 (the information security management system standard) is no different.
In the fast-changing world of information security, however, some elements of the standard and its controls have dated and no longer quite align with modern technology and ways of working (when reading some parts, you just know it was typed in WordStar and saved via a Novell network…). Thankfully, it does get revised by the ISO (the International Organisation for Standardisation*) every few years, and the new revision is scheduled for release in Q1 of 2022.
So what’s changing?
In terms of timing, this month should see the publication of an updated version of ISO 27002 (the accompanying standard that provides implementation guidance on the Annex A security controls referenced by 27001). The updated version of the 27001 standard itself is likely due for publication a couple of months later (so March 2022).
Key differences are:
While the new standard will be slightly longer, it contains fewer security controls: the overall number drops from 114 to 93, largely through merging existing controls, alongside some rewording and the additions below.
The new security controls added to the standard clearly show the modernisation; they are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The standard has also been restructured: controls are now grouped under four themes rather than the 14 clauses of the 2013 Annex A, the themes being:
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
What do we need to do?
Nothing at the moment. If you are currently implementing or preparing for an audit against ISO 27001:2013, continue as-is. Once certified, certification under the existing standard remains valid until the official publication of the new standard plus a transition period (typically a couple of years), within which you need to re-align with the new standard. Updating an existing ISMS to the updated standard is made easier by the comparison (mapping) annex included in the new standard specifically for this purpose.
Once the standard is published, grab a copy and review your Statement of Applicability against the new controls (the comparison annex should help a lot).
*Why is the ISO called that if its full name is the International Organisation for Standardisation? Because it's not an acronym. The organisation realised that an acronym would differ between the many languages of its members (IOS in English, OIN in French, and so on) and be confusing, so it adopted a short three-letter word based on the Greek isos (meaning equal). A common misconception is that they are (or used to be) called the International Standards Organisation.