It has been a long time coming! The upgrade to the international standard for information security management systems, ISO27001:2013, is here (almost).
If you’re reading this article, then there’s a reasonable assumption that you know what ISO27001 is and you’re not going to be too worried about the back story. But let’s all be clear on a couple of points.
The current version of the Information Security Management Standard is ISO27001:2013.
The last update to the standard was in 2017, when (for some reason) a committee of information security specialists were required to change about 3 words and add a couple of ‘full-stops’ (!). Yes, I’m being flippant here! I’m sure it was just an oversight and not some cynical opportunity to get professionals (like me) very excited and to rush out and spend about £200 for nothing more than a cosmetic change! (All I’m saying is that many of our hairstyles have seen more change in the past 5 years than this standard.)
So… here we are. 2022. The news that has been circulating around the hallowed halls of Information Security Central is that the NEW version of ISO27001 is almost with us!
It’s a Date!
It is highly anticipated that ISO27002 will be with us in January 2022 and that ISO27001 will be with us in March 2022.
Why Is This Important?
ISO27002 is the guidance on implementing the controls (normally referred to as ‘Annex A Controls’), and it therefore gives us insight into the changes coming to ISO27001 itself.
ISO27001 is the actual certification standard for an organization. It is the document an auditor certifies you against; ISO27002 is supporting guidance and is not something you can be certified to.
(If anyone says that they are “ISO27002 Certified,” you have my permission to smile wryly and politely move away quickly.)
What Do We Know So Far?
Ok, so you have recently been certified to ISO27001:2013. Congratulations! But now you hear about this new standard. What do you do now?
First, don’t panic. There WILL be a transition period to move to the new standard, although the exact time-frame has yet to be established. Based on past experience, I would say you’ll have at least 18 to 24 months to complete the transition.
However, this does not mean ‘sit-and-do-nothing-until-the-two-years-are-up.’ It means you should be looking at the new standard now and preparing for transition OVER the next couple of years.
You should be speaking to your Governance, Risk & Compliance team or the person who manages your ISO standard(s), as well as putting a plan together now rather than waiting until you have it all to do in 2024. Why? Because when we look at ISO27002, we can see there are some notable changes, and therefore the requirements for evidencing compliance are also going to be notably different. At a minimum, expect to remap your Statement of Applicability and risk treatment plan onto the new control set, because the control references your auditor works from will change.
What Are the Scores on the Doors?
Let’s take a quick look at what we know so far. We know that ISO27001:2013 (Annex A) has 114 controls over 14 separate areas. ISO27001:2021 (as I’m calling it) will have 93 controls over 4 domains (or ‘themes’). These are as follows:
- Organizational Controls (37 Controls)
- People Controls (8 Controls)
- Physical Controls (14 Controls)
- Technological Controls (34 Controls)
A number of controls have clearly disappeared as separate entries (most have been merged into other controls rather than dropped outright), but more importantly, we have 11 new controls that reflect the world in which we live (compared to 2013). These are as follows:
- Threat intelligence (5.7)
- Information security for the use of cloud services (5.23)
- ICT readiness for business continuity (5.30)
- Physical security monitoring (7.4)
- Configuration management (8.9)
- Information deletion (8.10)
- Data Masking (8.11)
- Data leakage prevention (8.12)
- Monitoring Activities (8.16)
- Web Filtering (8.22 in the draft; the published ISO27002:2022 numbers it 8.23)
- Secure Coding (8.28)
Another important change is that each control has 5 attributes assigned to it, each with a set of attribute values.
The attributes provided have been selected because they are considered generic enough to be used by different types of organizations, and their attribute values do not depend on the organization (an organization can also define its own attributes for filtering and reporting on controls).
These are as follows:
- Control Type – Preventive, Detective, Corrective
- Security Properties – Confidentiality, Integrity, Availability
- Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
- Operational Capabilities – (See below)
- Security Domains – Governance and Ecosystem, Protection, Defense, Resilience
The Operational Capabilities attribute is meant to be a way to view controls from the practitioner’s perspective of information security capabilities. Those include Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.
Conclusion: More Than Just a Name
It has taken some time, but a revision to the widely popular and effective standard, ISO27001, has brought some considerable (and much needed) changes and upgrades.
There is one change, however, that might not immediately jump out at people but which fundamentally changes the standard’s whole focus. This change is right there on the front cover of the standard(s).
ISO27002:2013 is called “Information technology — Security techniques — Code of practice for information security controls.”
ISO27002:2021 is “Information security, cybersecurity and privacy protection — Information security controls.”
Firstly, the term ‘Information technology’ has been replaced with ‘Information security’ and then expanded to encompass cybersecurity and privacy protection. Very pointedly, the guidance highlights that the focus is not specific to technology (Spoiler: it never was) but rather the protection of information, privacy AND cybersecurity.
Also, the phrase “Code of Practice” has been dropped to better reflect its intent of being a reference set of information security controls. However, this is not a change of purpose, as the intention of ISO27002 has always been to help organizations ensure that no necessary control has been overlooked.
I believe we finally have a standard that we have needed for some time. It now incorporates information security, cybersecurity, AND privacy into the same set of controls. This is not revolutionary but simply an evolutionary change that we have been waiting for.
Personally, I can’t wait for this change to come in. It’s going to be very interesting to see how (and which) organizations will embrace the new standard first.
But I’m not just excited as an ISO27001 consultant. I’m excited because I am hopeful that it will usher in a renewed interest in a highly valuable and incredibly efficient information security management system (when done well). Exciting times lie ahead.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.
You tin travel Gary connected Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.