If your company has ISO 27001 certification, you’re probably aware that the International Organization for Standardization (ISO) is changing the structure of the ISO 27001/27002 control framework. This is significant because the current structure has survived multiple naming changes over the last 20 years (British Standard (BS) 7799 Part 1 & 2 became ISO 17799 in 2000, which evolved to ISO 27001/27002:2005, which evolved to ISO 27001/27002:2013).
ISO 27001 is likely to be released in March 2022, with the only change being the updating of Annex A to align with the new version of ISO 27002. There is a great curiosity among organizations regarding changes to ISO 27001/27002.
What’s the Difference Between ISO/IEC 27001 and ISO/IEC 27002?
Organizations can obtain ISO/IEC 27001 certification but not ISO/IEC 27002 certification. ISO/IEC 27001 documents the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO/IEC 27002, by contrast, is a reference that organizations use when selecting controls; it provides guidelines for information security management practices such as control implementation and management, taking the organization's information security risk environment into account. Organizations can get certified to standards that contain requirements, but not to standards that only provide guidance.
5 Upcoming Changes in ISO 27001:2022:
a) The main part of ISO 27001, i.e., clauses 4 to 10, is not changing
b) Only the security controls listed in ISO 27001 Annex A will be updated
c) The number of controls has decreased from 114 to 93
d) Controls are placed in 4 sections instead of the previous 14
e) There are 11 new controls, while none of the controls were deleted, and many controls were merged
The controls are now grouped into 4 'themes' rather than the previous 14 clauses, so that controls in a common category sit together. The themes are:
Organizational (37 controls)
Technological (34 controls)
Physical (14 controls)
People (8 controls)
There are now 5 control attributes for each control:
-How to categorize – preventative, detective, corrective.
-Information security properties – confidentiality, integrity, availability.
-Cybersecurity concepts – identify, protect, detect, respond, recover.
-Operational capabilities – governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, information security assurance.
-Security domains – governance and ecosystem, protection, defense, resilience.
Twelve new controls have been introduced in the new version of ISO/IEC 27002:
-Information security for use of cloud services
-ICT readiness for business continuity
-Physical security monitoring
-User endpoint devices
-Data leakage prevention
Should organizations planning to certify to ISO 27001 wait until the new standards are published?
No. You lose nothing by implementing an ISMS that conforms to ISO 27001:2013 and uses the existing Annex A control set, whether for direct implementation or as a reference against other controls.
Waiting until the new iteration of ISO 27001 is published will likely leave you at greater risk.
GET ISO CERTIFICATION
Is your organization looking to become ISO 27001 certified but doesn't know where to start? Get in touch with 3Columns and we can help start your ISO journey in 2022.
3Columns has everything you need to implement an ISO 27001-compliant ISMS and achieve certification to the Standard.