Standards_Guru

ISO27001:2022 is here

Prepare for action!


As the new version of ISO27001 has been released, it is timely for organisations to take stock and prepare for any changes that may be required. Although it is probable that organisations will have around 18 months to two years before transitioning their certification, it is beneficial to use that time to review the changes and make any preparations sooner.


A gap analysis is recommended to assess whether any of the new controls are applicable to your risk assessment, or whether the risks they address have already been mitigated by alternative controls that are equivalent to, or go beyond, the new controls.


Changes


Within the management system clauses (4 to 10) of ISO27001 there has been very little change, apart from some slight amendments to layout and clause substructure.


One new subclause has been added: 6.3 Planning of Changes, which requires changes to the ISMS to be planned. Organisations with existing ISO27001 management systems should already be doing this, as changes to the Information Security Management System would normally form part of change management, be covered under objectives (such as changing or extending the scope of an existing ISMS), and be a focus for regular management reviews. None of this should pose any major challenge.


The big changes are within the controls derived from ISO27002. They include an overhaul of the structure and layout of the controls, as well as some welcome changes that assist organisations in integrating other frameworks into their ISMS.


The changes include the following:


· Cybersecurity concept tags for each control. These will be familiar to organisations that use the NIST Cybersecurity Framework.


· Information security properties attached to each control. These make it easier to demonstrate how a control reduces a particular risk within the organisation’s risk treatment plan, by showing which of confidentiality, integrity and availability the control addresses for the risks identified as likely to impact the organisation.


· Operational capabilities, also included with each control, to categorise each type of control more easily and to integrate with other frameworks. An example is the Cloud Controls Matrix from the Cloud Security Alliance, which splits controls into control types or domains, for example Governance, Risk Management and Compliance.


Eleven new controls have been introduced to address risks that have developed since the last major iteration of the standard, some existing controls have been merged, and the controls have been restructured into four categories rather than fourteen domains.


Focusing on the new controls, these include:


· Threat intelligence

· Information security for the use of cloud services

· ICT Readiness for Business Continuity

· Physical Security Monitoring

· Configuration Management

· Information Deletion

· Data Masking

· Data Leakage Prevention

· Monitoring Activities

· Web Filtering

· Secure Coding


Conclusion


The intent of the changes to ISO27001 and ISO27002 seems to be more than bringing the standard up to date to address the information security risks that have grown over the past decade and the emergence of ever more stringent privacy regulations such as the GDPR. The control set appears to have been designed to be easier to integrate with other frameworks, recognising that organisations will adopt the controls required to address their own unique risk exposure, and so it is a welcome development.


The new versions of ISO27001 and ISO27002 are available from the BSI store or directly from ISO.
