Planned changes to the new ISO/IEC 27001 and ISO/IEC 27002
The information security management standard ISO 27001 and its code of practice ISO 27002 were last updated almost a decade ago.
A new iteration of ISO 27002 is due to be published in January 2022, and a revised version of ISO 27001 will follow.
How is ISO 27001 changing?
Besides the changes to Annex A that follow from the revised ISO 27002, many of the ISO 27001 changes are anticipated to be refinements and clarifications. For example, “mobile devices” are now “user end point devices” and “password management” is now “identity and authentication management.”
But some other changes will have wider impacts. ISO 27001:2013 requires you to maintain an inventory of assets that relate to cybersecurity. As a new requirement, your data itself must be considered an asset. This will require creation of a data inventory so you can relate controls to different data types. This substantial new requirement aligns ISO 27001 with GDPR and other privacy regulations where data mapping is mandatory.
Another change intends to help align the standard with other cybersecurity guidance: addition of a #hashtag taxonomy.
Five #hashtags will relate to each control, one for each of five control attributes:
- Control Type (#preventive, #detective, #corrective)
- Cybersecurity Concept (#detect, #identify, #protect, #respond, #recover)—these tags align specifically with the 5 “functions” in the NIST Cybersecurity Framework, making these tags a benefit to the growing number of firms that need to align with both ISO 27001 and NIST 800-171.
- Information Security Properties (#confidentiality, #integrity, #availability)
- Operational Capabilities (e.g., #asset_management, #application_security, #governance)
- Security Domains (#protection, #defence, #resilience, #governance_and_ecosystem)
These #hashtags can be used to create custom views of the entire control set.
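As an added example (not code from the article or from ISO), the script below shows what a "custom view" over the attribute taxonomy looks like in practice: a handful of controls from the list are tagged with values for the five attributes, a `view()` function filters the set by any combination of tags, `nist_csf_view()` groups controls under the five NIST Cybersecurity Framework functions via the #cybersecurity_concept attribute, and `missing_attributes()` flags a control that lacks a value for one of the five attributes. The control ids and titles come from the article's list; the attribute values assigned to them are constructed for illustration and are not the standard's published attribute table.

```python
"""Custom views over a control set using the five ISO 27002:2022 attributes.

Added example; the attribute VALUES on each control are constructed
for illustration, not copied from the standard's attribute table.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# The five control attributes named in the article.
ATTRIBUTES = (
    "control_type",             # #preventive, #detective, #corrective
    "cybersecurity_concept",    # #identify, #protect, #detect, #respond, #recover
    "security_properties",      # #confidentiality, #integrity, #availability
    "operational_capabilities", # e.g. #asset_management, #application_security
    "security_domains",         # #governance_and_ecosystem, #protection, #defence, #resilience
)

# #cybersecurity_concept tags line up one-to-one with the NIST CSF functions.
NIST_CSF_FUNCTIONS = {
    "#identify": "Identify", "#protect": "Protect", "#detect": "Detect",
    "#respond": "Respond", "#recover": "Recover",
}


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    tags: Dict[str, FrozenSet[str]]  # attribute name -> hashtags carried


def control(ident: str, title: str, **attrs) -> Control:
    """Build a Control, rejecting attribute names outside the five."""
    unknown = set(attrs) - set(ATTRIBUTES)
    if unknown:
        raise ValueError(f"unknown attribute(s) {sorted(unknown)} on {ident}")
    return Control(ident, title, {a: frozenset(attrs.get(a, ())) for a in ATTRIBUTES})


def missing_attributes(c: Control) -> List[str]:
    """Attributes for which the control carries no hashtag at all."""
    return [a for a in ATTRIBUTES if not c.tags[a]]


def view(controls: List[Control], **wanted: str) -> List[Control]:
    """Controls carrying every requested tag, e.g. view(cs, control_type="#detective")."""
    for a in wanted:
        if a not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {a!r}")
    return [c for c in controls
            if all(tag in c.tags[a] for a, tag in wanted.items())]


def nist_csf_view(controls: List[Control]) -> Dict[str, List[str]]:
    """Control ids grouped under the NIST CSF function(s) their concept tags map to."""
    out: Dict[str, List[str]] = {fn: [] for fn in NIST_CSF_FUNCTIONS.values()}
    for c in controls:
        for tag in sorted(c.tags["cybersecurity_concept"]):
            fn = NIST_CSF_FUNCTIONS.get(tag)
            if fn is None:
                raise ValueError(f"{c.ident}: {tag} is not a #cybersecurity_concept tag")
            out[fn].append(c.ident)
    return out


# Constructed sample set: ids/titles from the article, tag values illustrative only.
CONTROLS = [
    control("5.7", "Threat intelligence",
            control_type={"#preventive", "#detective", "#corrective"},
            cybersecurity_concept={"#identify", "#detect", "#respond"},
            security_properties={"#confidentiality", "#integrity", "#availability"},
            operational_capabilities={"#threat_and_vulnerability_management"},
            security_domains={"#defence", "#resilience"}),
    control("8.15", "Logging",
            control_type={"#detective"},
            cybersecurity_concept={"#detect"},
            security_properties={"#confidentiality", "#integrity", "#availability"},
            operational_capabilities={"#information_security_event_management"},
            security_domains={"#protection", "#defence"}),
    control("8.13", "Information backup",
            control_type={"#corrective"},
            cybersecurity_concept={"#recover"},
            security_properties={"#integrity", "#availability"},
            operational_capabilities={"#continuity"},
            security_domains={"#protection"}),
    control("8.24", "Use of cryptography",
            control_type={"#preventive"},
            cybersecurity_concept={"#protect"},
            security_properties={"#confidentiality", "#integrity", "#availability"},
            operational_capabilities={"#secure_configuration"},
            security_domains={"#protection"}),
]


if __name__ == "__main__":
    for c in view(CONTROLS, control_type="#detective", cybersecurity_concept="#detect"):
        print(c.ident, c.title)
    for fn, ids in nist_csf_view(CONTROLS).items():
        print(f"{fn}: {', '.join(ids) or '-'}")
```

Each keyword argument to `view()` is AND-combined, so a view such as "detective controls that also serve the NIST Detect function" is a single call; `missing_attributes()` is the check to run over a full control set before relying on the views, since a control with an empty attribute silently drops out of every filter on that attribute.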
What are the main changes to ISO 27002?
ISO 27001:2022 refers to ISO 27002:2022 as a requirement, so you will select your controls from ISO 27002:2022.
Main changes:
- They have removed the term ‘Code of Practice’
- The structure of the document has changed
- Some controls have been merged, some deleted and new controls have been introduced.
The controls have now been structured into 4 domains
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
The list of the ISO 27002:2022 Controls
ISO 27002 5 Organizational controls
ISO 27002 5.1 Policies for information security
ISO 27002 5.2 Information security roles and responsibilities
ISO 27002 5.3 Segregation of duties
ISO 27002 5.4 Management responsibilities
ISO 27002 5.5 Contact with authorities
ISO 27002 5.6 Contact with special interest groups
ISO 27002 5.7 Threat intelligence – new
ISO 27002 5.8 Information security in project management
ISO 27002 5.9 Inventory of information and other associated assets – change
ISO 27002 5.10 Acceptable use of information and other associated assets – change
ISO 27002 5.11 Return of assets
ISO 27002 5.12 Classification of information
ISO 27002 5.13 Labelling of information
ISO 27002 5.14 Information transfer
ISO 27002 5.15 Access control
ISO 27002 5.16 Identity management
ISO 27002 5.17 Authentication information – new
ISO 27002 5.18 Access rights – change
ISO 27002 5.19 Information security in supplier relationships
ISO 27002 5.20 Addressing information security within supplier agreements
ISO 27002 5.21 Managing information security in the ICT supply chain – new
ISO 27002 5.22 Monitoring, review and change management of supplier services – change
ISO 27002 5.23 Information security for use of cloud services – new
ISO 27002 5.24 Information security incident management planning and preparation – change
ISO 27002 5.25 Assessment and decision on information security events
ISO 27002 5.26 Response to information security incidents
ISO 27002 5.27 Learning from information security incidents
ISO 27002 5.28 Collection of evidence
ISO 27002 5.29 Information security during disruption – change
ISO 27002 5.30 ICT readiness for business continuity – new
ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements
ISO 27002 5.32 Intellectual property rights
ISO 27002 5.33 Protection of records
ISO 27002 5.34 Privacy and protection of PII
ISO 27002 5.35 Independent review of information security
ISO 27002 5.36 Compliance with policies and standards for information security
ISO 27002 5.37 Documented operating procedures
ISO 27002 6 People controls
ISO 27002 6.1 Screening
ISO 27002 6.2 Terms and conditions of employment
ISO 27002 6.3 Information security awareness, education and training
ISO 27002 6.4 Disciplinary process
ISO 27002 6.5 Responsibilities after termination or change of employment
ISO 27002 6.6 Confidentiality or non-disclosure agreements
ISO 27002 6.7 Remote working – new
ISO 27002 6.8 Information security event reporting
ISO 27002 7 Physical controls
ISO 27002 7.1 Physical security perimeter
ISO 27002 7.2 Physical entry controls
ISO 27002 7.3 Securing offices, rooms and facilities
ISO 27002 7.4 Physical security monitoring
ISO 27002 7.5 Protecting against physical and environmental threats
ISO 27002 7.6 Working in secure areas
ISO 27002 7.7 Clear desk and clear screen
ISO 27002 7.8 Equipment siting and protection
ISO 27002 7.9 Security of assets off-premises
ISO 27002 7.10 Storage media – new
ISO 27002 7.11 Supporting utilities
ISO 27002 7.12 Cabling security
ISO 27002 7.13 Equipment maintenance
ISO 27002 7.14 Secure disposal or re-use of equipment
ISO 27002 8 Technological controls
ISO 27002 8.1 User endpoint devices – new
ISO 27002 8.2 Privileged access rights
ISO 27002 8.3 Information access restriction
ISO 27002 8.4 Access to source code
ISO 27002 8.5 Secure authentication
ISO 27002 8.6 Capacity management
ISO 27002 8.7 Protection against malware
ISO 27002 8.8 Management of technical vulnerabilities
ISO 27002 8.9 Configuration management
ISO 27002 8.10 Information deletion – new
ISO 27002 8.11 Data masking – new
ISO 27002 8.12 Data leakage prevention – new
ISO 27002 8.13 Information backup
ISO 27002 8.14 Redundancy of information processing facilities
ISO 27002 8.15 Logging
ISO 27002 8.16 Monitoring activities
ISO 27002 8.17 Clock synchronization
ISO 27002 8.18 Use of privileged utility programs
ISO 27002 8.19 Installation of software on operational systems
ISO 27002 8.20 Network controls
ISO 27002 8.21 Security of network services
ISO 27002 8.22 Web filtering – new
ISO 27002 8.23 Segregation in networks
ISO 27002 8.24 Use of cryptography
ISO 27002 8.25 Secure development lifecycle
ISO 27002 8.26 Application security requirements – new
ISO 27002 8.27 Secure system architecture and engineering principles – new
ISO 27002 8.28 Secure coding
ISO 27002 8.29 Security testing in development and acceptance
ISO 27002 8.30 Outsourced development
ISO 27002 8.31 Separation of development, test and production environments
ISO 27002 8.32 Change management
ISO 27002 8.33 Test information
ISO 27002 8.34 Protection of information systems during audit and testing – new
How will this affect organizations implementing ISO 27001?
Assuming the 2022 version of ISO 27001 is broadly like the 2013 iteration, there will be a new version of Annex A to work against once that standard is published. This will reflect the controls in the new ISO 27002.
However, until the new version of ISO 27001 is published, your SoA (Statement of Applicability) must still refer to Annex A of ISO 27001:2013 and the controls in ISO 27002:2022 will be an alternative control set, which you will have to compare with the existing Annex A – just as you would do with any other alternative control set.
(ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.)
What’s next?
One advantage of implementing the new controls is that, because they are identifiable by attribute, it is easier to focus your selections, which could reduce the compliance burden or help you see how to better integrate your security processes, thereby making your ISMS (information security management system) easier to implement and manage.
If you need help with aligning your ISMS with the new ISO 27001:2022 feel free to contact us.