What does it entail for your business to have the most recent version of ISO/IEC 27001:2022?
On October 25, ISO/IEC 27001:2022 was published, replacing the 2013 version. Annex A of ISO/IEC 27001 has seen the most revision, aligning it with the updates introduced in ISO/IEC 27002:2022, which was released earlier this year.
What is ISO 27002?
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have released a joint standard for the protection of sensitive data called ISO/IEC 27002:2022. ISO 27001 and ISO 27002 are closely interrelated: ISO 27002 provides, in broad strokes, guidance on how to build an Information Security Management System (ISMS) that complies with ISO 27001.
ISO/IEC 27002 is a reference set of controls for information security, cyber security and privacy protection, with implementation guidance based on internationally recognised best practices.
ISO 27002 is not a certifiable standard in and of itself, but following its information security, physical security, cyber security and privacy management principles brings your organisation closer to meeting the requirements of ISO 27001.
What’s so crucial about ISO 27002?
If your organisation collects, uses or processes data, there will always be information security risks and threats to be aware of.
An ISMS is essential to protect your data from being stolen, hacked, or otherwise compromised. Businesses that are just getting started with information security management face the daunting task of trying to grasp the whole complexity of the field. Since there is so much ground to cover in an ISMS’s implementation and upkeep, most managers are at a loss as to where to start. If this describes you, or if you just want to maintain a high level of information security, the controls outlined in ISO/IEC 27001 are a good place to begin.
The main changes in the 2022 revision are a new organisational structure for the controls and updated security measures.
Let’s have a look at the changes.
1. From 14 control categories down to four
While the controls were previously organised across 14 categories, they have been condensed into just four:
- Organizational controls (clause 5)
- People controls (clause 6)
- Physical controls (clause 7)
- Technological controls (clause 8)
Furthermore, there are two annexes:
- Annex A – Using attributes
- Annex B – Correspondence with ISO/IEC 27002:2013
2. Fewer security controls because of consolidation
The number of security controls has dropped significantly (from 114 to 93), mostly as a result of merging controls. Of the 93, 58 are new controls, 24 are consolidations, and the rest are updates to existing controls.
3. The eleven new controls
The following security topics were previously covered across several controls without a dedicated control of their own. In the latest revision each has been given separate, explicit oversight and guidance:
- 5.7 Threat intelligence
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
4. Three of the most important new controls to consider:
- Secure coding practices: Software development is a growing industry, and inadequate coding practices can lead to severe security flaws (for example, missing input validation can lead to cross-site scripting (XSS) and SQL injection). Principles of secure coding are provided in “8.28 Secure coding,” a technological control.
- Threat intelligence: Gathering intelligence on potential threats is an important part of keeping your company safe: once threats are identified, you can assess the potential damage from each one and take steps to reduce it. “5.7 Threat intelligence,” an organisational control, covers the collection and analysis of information about information security threats at all levels of operations (strategic, tactical and operational).
- Safeguarding sensitive data while using cloud services: Cloud computing is becoming increasingly popular among businesses, and many wrongly assume that data security is entirely their cloud provider’s concern. This is rarely the case. “5.23 Information security for use of cloud services,” an organisational control, provides guidelines for acquiring, using, managing and exiting third-party cloud services. There must be a clear separation between what the cloud service provider is responsible for and what the business is responsible for.
5. The final significant change is the addition of five attributes.
The five attributes are Control type, Information security properties, Cybersecurity concepts, Operational capabilities and Security domains, each with a set of associated values.
Annex A, “Using attributes,” provides a simple way to organise the 93 security controls by linking one or more values from each attribute to every control. To improve its preventive controls, for instance, a company can obtain a list of reference preventive controls by filtering on the “#Preventive” value of the “Control type” attribute.
Annex B, “Correspondence with ISO/IEC 27002:2013,” maps the 93 controls to those of the 2013 version, easing the transition to the 2022 version.
How this affects your security organisation
The new security controls outlined in ISO 27002 might already be present in other standards and frameworks. Many businesses rely on ISO 27001 and 27002 as the basis of their information security management system, so it is crucial that they are aware of these changes. Aligning your security measures with the latest ISO standard (27002) represents a commitment to best practices. These new additions to the security landscape could therefore be useful, and you should consider incorporating them into your infrastructure.
Like previous editions, the new ISO 27002 does not allow for certification to be obtained. However, it contains useful recommendations and best practices that can help businesses better comply with ISO 27001 and earn ISO 27001 certification.
If your company already holds ISO 27001 certification and wishes to maintain it, the following steps should be followed.
- First, you need to re-evaluate the breadth of your ISMS and your risk analysis.
- Second, you need to determine if any of the revised and brand-new controls are useful for reducing the risks you’ve identified.
- Finally, you need to implement these safeguards. During a transition phase, ISO 27001:2013 certifications will continue to be accepted, although the exact length of this period has not been made public. If past transitions are any indication, this process will take around two years.
Companies that want to be ISO 27001-certified in the future should get an early start by learning about the new standard, updating their ISMS, and identifying and prioritising the major changes that will affect their existing controls. Even before the updated certification date, internal resources like your internal audit department may want to consider examining the implementation of the new controls. In the absence of in-house specialists, it may be necessary to turn to outside resources and consulting companies for assistance.
How can 10xDS help?
Security experts at 10xDS can help and support the IT/Security team in developing actionable plans for implementing controls and integrating the organization’s security capabilities and ISMS. 10xDS assists businesses in conducting gap analyses to identify and understand discrepancies between existing controls and best practices, prioritise the most pertinent controls for each business and industry, and more.
Talk to our experts and security consultants to learn more!