ISO 27001 and America’s pastime have something in common this year.
Even a historic pastime like baseball, which values tradition, changes its rules every once in a while to respond to developments in the sport and the needs of its players and fans. For 2023, pitch timers will be introduced to speed up the game, new limits on defensive shifts will help increase the batting average, and bigger bases will increase the number of stolen bases.
Teams are going to have to adapt their strategies to the new rules for next year. Likewise, it’s time for security and compliance teams to start thinking about adapting their programs to the new ISO 27001:2022 standard,
which was just published in October.
It’s the first update to the standard since ISO 27001:2017 was published in, as you might guess, 2017.
The updates to the standard will eventually affect all organizations that have or want to
obtain the ISO 27001 certification. There are three key things to know about the new standard, and how it will impact you: 1.
It’s Substantively the Same
The first thing you should know about the 2022 ISO 27001 update is that substantively, the standard hasn’t changed much.
While some of these updates will require updates to your documentation and program, none of them are groundbreaking and none of them represent big shifts. ISO 27001:2022 is the same strong cybersecurity certification that ISO 27001:2017 was.
This is a very iterative update overall.
That said, there are a few differences to take note of, and if you have an ISO 27001 compliant organization, or are seeking your ISO 27001 certification for the first time, there are some key details to know!
2. Annex Controls: Eleven new ones, lots of restructuring.
ISO 27001 has a big list of cybersecurity controls in the annex at the end of the document. It’s labeled as the “Information security controls reference,” but is commonly referred to as “annex controls.” These are all pulled directly from the ISO 27002 standard of cybersecurity controls, which was also updated this year.
Accordingly, this section saw the largest concentration of significant changes across the entire document.
All of the controls have been moved around and reorganized, reducing the number of categories to just four:
5. Organizational Controls
6. People Controls
7. Physical Controls
8. Technological Controls.
They are numbered 5-8 just because that’s how they are presented in the ISO 27002 standard. The numbering of these controls has nothing to do with the ISO 27001 standard itself.
Beyond the restructuring, there are 11 brand new controls in the ISO 27001:2022 standard.
ISO 27001:2022 New Annex Controls:
5.23 – Information security for use of cloud services: This control instructs organizations to establish processes for acquisition, use, management, and offboarding of cloud services.
5.3 ICT (Information and Communication Technology) readiness for business continuity: This control ties to Business Continuity/Disaster Recovery planning. Organizations must plan on how technology services will continue operate or be recovered in the event of a disruption.
5.7 Threat intelligence: Organizations must gather and analyze information about cybersecurity threats.
7.4 Physical security monitoring: This control requires that organizations continuously monitor their premises for unauthorized physical access.
8.9 Configuration management: Configurations of everything, including software, hardware, services, and networks, must be documented, monitored, and reviewed.
8.10 Information deletion: All data must be deleted when it is no longer required.
8.11 Data masking: Data must be obfuscated so that it provides little value to unauthorized users. Organizations can align this with their access control policies.
8.12 Data leakage prevention: This control requires organizations to implement data leakage prevention measures to anything that processes, transmits, or stores sensitive information. Sensitive is a key word here, as not all systems that handle data handle sensitive data.
8.16 Monitoring activities: Networks, systems, and applications must be monitored for anomalies. When something is flagged, action must be taken to attempt to prevent an incident.
8.23 Web filtering: This control requires organizations to manage access to external websites on company systems and networks to reduce exposure to malicious content.
8.28 Secure coding: This requires that secure coding principles be used. Note that this is in addition to an existing Software Development Lifecycle SDLC control.
Prepare to update your Statement of Applicability!
The annex controls are referenced in a big document called the Statement of Applicability (SOA). This document goes line-by-line across all of the controls in the annex and has the organization write out whether or not it applies to their organization, and how.
If you say a control isn’t applicable, you better have a good, documentable reason for the
The updates to this control list represent the biggest hurdles organizations will have to face when updating to the ISO 27001:2022 standard: they will have to implement the new controls, and update their SOA to the new structure of the list.
Key Takeaway: You have some new controls to implement, and significant updates to your SOA to make! 3.
Redline Version: Not so helpful.
To help readers understand the changes between ISO 27001:2017 and ISO 27001:2022, ISO released a “redline” version which shows the differences between the old document and the new by crossing out deleted sections and highlighting new additions.
One big problem with this particular redline document: there’s no indication for content that has simply moved!
This creates the illusion that there is more change than there actually is.
For example, the “Protection of Records” control is completely redlined in its old spot, but appears in green highlight indicating it’s a new addition elsewhere. The wording of the control has changed slightly, but not in a substantive manner. However, the fact that the old version is in a completely different section from the new one makes it harder to compare the versions than it needs to be.
The redline document would have been much more useful if there was an indication that content just moved with minimal changes.
Key Takeaway: You should probably still get the redline version, but be prepared for an annoying reading experience.
Do I need to update to ISO 27001:2022 if I’m already certified?
If you have any audit (surveillance or recertification) scheduled in the near future, you will almost certainly stay on ISO 27001:2017. If you are facing an initial or recertification audit 12+ months out from now, you will likely be using the 2022 standard.
That said, we don’t know exactly what the rollout of ISO 27001:2022 will look like. ISO is expected to publish guidance on this topic soon, which will provide some more clarity.
ISO 27001:2017 or 27001:2022 for your first audit?
It takes anywhere between several months and two years to properly prepare an organization for its first ISO 27001 audit. If you haven’t even started your
ISO 27001 compliance program yet, expect to use the 2022 standard.
If you’ve already started preparing for an ISO 27001:2017 audit and will be completing the initial certification audit in the near future, you will probably use the 2017 standard.
ISO 27001 certifications run in three year cycles. You won’t need to update until you recertify three years after your initial certification audit. When you recertify, it will almost certainly be on the 2022 standard.
No organization’s rules or standards will stay the same forever. They have to be updated to meet the changing needs of their stakeholders. This is as true for baseball as it is for cybersecurity and everything else.
No matter what your exact situation is, it will likely be a few months to a year before you will have to start actively working with the new standard. We recommend that you read it now and familiarize yourself with the changes, so that you may begin to consider how it will impact your organization.
Want to get great cybersecurity content delivered to your inbox? to sign up for our monthly newsletter, Tales from the Click. Click here