Articles & Blogs
ISO 27001 AND ISO 27002 CHANGES FOR 2022
(ISO/IEC 27001:2022 and ISO/IEC 27002:2022)
Written by Kiran Murthy & Eishu Richariya II
Recently a publication notice was released regarding the ISO 27001 and ISO 27002 changes in 2022, which states that, “all organizations having an ISO 27001:2013 (ISMS) will be required to map and update their controls in place in accordance with the new recommendations in the revised ISO/IEC 27002:2002, considering their organizational needs and context.”
Highlight of ISO 27001 Updates
ISO/IEC 27001:2022:
All organizations having an ISO 27001:2013 (ISMS) will be required to map and update their controls in place in accordance with the new recommendations in the revised ISO/IEC 27002:2002, considering their organizational needs and context.
ISO/IEC 27002:2022:
The current version of ISO 27002 that contains 114 controls divided over fourteen chapters, and the version of ISO 27002:2022 that will contain 93 controls will all be divided over four categories/themes:
- Chapter 5 Organizational (37 controls)
- Chapter 6 People (8 controls)
- Chapter 7 Physical (14 controls)
- Chapter 8 Technological (34 controls)
THE NEW CONTROLS
The guidance section for each control have been examined and updated to reflect current advancements and practices (as necessary). Additionally, each control now has a ‘Purpose’ statement and a set of ‘Attributes’ to be used in conjunction with cybersecurity principles and other industry standards. An update to the standard also needs to factor in today’s threat landscape and security threats. The new controls are:
- Threat intelligence
- Information deletion
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Data masking
- Secure coding
- Data leakage prevention
- Monitoring activities
- Web filtering
CONTROL ATTRIBUTES
These controls have five types of ‘attributes’ to make them easier to categorize:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defense, resilience)
Timing & Enforcement:
A two-year transition period will be granted (unlike three years in several previous transitions).
FAQs ON ISO 27001 and ISO 27002
1. Will Accorian help us transition to the new revision of ISO 27001:2022?
We will assist in preparing material for the adjustments, and the organization will be able to upgrade until the 2022 revision is published, which is likely to occur soon, unless their existing ISO 27001 certificate expires after 2024, in which case, the certification bodies will conduct regular surveillance visits to ensure compliance with the new revision. If the organization’s existing ISO 27001 certificate expires before 2024, then they will need to upgrade through subsequent re-certification.
2. We have chosen to begin implementing ISO 27001 now; which controls should we apply considering future changes?
Organizations should begin applying the clauses mentioned in the ISO 27001:2013 standard until this new standard is available. This will ensure the upcoming modifications and the work required to implement the new standard will be minimal.
2.1 How to plan a transition from ISO 27001:2013 revision to 2022 revision?
Contrary to popular belief, there will be no ISO 27001:2022 but an addendum to 27001:2013 (dubbed ISO/IEC 27001:2013+A1:2022, source). Annex A will be superseded by a normative version of ISO 27002:2022’s 93 new regulations (but without the useful hashtags).
If ISO 27001:2022 is amended, organizations who have already implemented ISO 27001:2013 are undoubtedly thinking to themselves, “Oh no, now that the 2022 revision has been published, we have to start over.” This is not true — while the 2022 revision does introduce some modifications, they are quite trivial. Organizations should plan for:
- Assess the gap between the organization’s current controls and the new control set; update the organization’s risk assessment considering the their upcoming control update, and revise the organization’s statement of applicability considering their new risk assessment and new controls.
- Update organizational security metrics in accordance with the organization’s new risk assessment and control procedures
- Evaluate and alter third-party security solutions (e.g., Organization SIEM or GRC platform) to verify the artifacts used to show compliance support the new requirements.
3. Is the Auditor (certifying body) going to go through the revisions in the documentation?
If the organization is ISO 27001 Certified, the auditor will also examine documentation to determine whether the organization has made the necessary changes throughout the transition time. This will take place during regular surveillance audits.