Information and digital security frameworks like FedRAMP, CMMC, and ISO 27001 are not static documents. They provide a static framework for your business to comply with and achieve, but that framework is only valid for so long. Several different forces are in play to ensure that the stipulations and security measures outlined in these frameworks remain valid over time.
For example, instead of a rule outlining the specific devices and measures you might need for user access control, the framework might specify that you need some form of access control with certain minimum capabilities. Instead of specifying which form of data encryption to use, they will simply tell you to use encryption at X level or better. This vague language is meant to both allow your business to comply in the most sensible way possible and to remain open enough that changes in technology or standards can be incorporated without needing an entire revision of the framework.
Another avenue these frameworks use is continuous monitoring and auditing. Systems like ISO 27001 set up a whole process for ensuring ongoing information security rather than leading you to a fixed state and freezing you in time. This way, as threats emerge and change, so too do your protection mechanisms. You will never end up in a situation where patching a security hole would put you out of compliance with versioning, for example.
While all of this is good, even these efforts can fall out of date over time. Most businesses today don’t need to concern themselves with the security requirements of Windows 2000, the use of SCSI devices, or the security threats that can accompany tape drives. That’s not to say these technologies aren’t in use around the world in very limited capacities, of course; it’s just that certain kinds of technologies can fall out of favor and be relegated to extremely niche cases.
From time to time, the frameworks themselves receive significant version updates. In the case of ISO 27001, the most recent update is the 2022 version; the update before that was nine years prior, the 2013 version.
What has changed between these two versions, what do you need to know about the transition, and what does your business need to do if you’re still using ISO 27001-2013? Let’s discuss.
The bulk of the changes made to ISO 27001 in the 2022 update have more to do with organization and clarity than they do with changing the tangible requirements your business needs to meet. Changes also include redefining process criteria and changing monitoring standards. Most of these changes are to clauses 4 through 10.
Additionally, there were changes to Annex A controls. Annex A is the list of classified security controls that businesses and organizations use to demonstrate compliance with ISO 27001. These are largely defined through a separate document, ISO 27002. ISO 27002 was updated earlier in 2022, and the later changes to ISO 27001 helped align it with those previous changes. These are more significant and include merging old controls, removing outdated controls, and adding new controls.
The changes made to clauses 4 through 10 range from moderately significant to relatively minor.
These changes include:
As you can see, the majority of these changes are minor and don’t affect your organization in a tangible way. What does it matter to your ISMS or your operations if the order of language in clause 10 is different? It doesn’t. All it does is make it easier to understand for organizations learning about ISO 27001 compliance for the first time.
Annex A is similar to NIST SP 800-53, in that it is the specific list of security controls that an organization must evaluate, adhere to, and comply with in order to achieve certification in the framework that uses them. ISO 27001 specifies its controls in Annex A, and ISO 27002 is effectively a reference and implementation guide.
In the update to ISO 27001:2022, four key things have happened.
Most of the changes are structural and don’t necessarily require adjustment to your ISMS, or any different thinking when developing an ISMS for the first time. Some of the merged controls may add new requirements for your organization, and the new controls must be considered.
The renamed and merged controls are largely a transition for a changing audience. The original versions of ISO 27001 controls were largely written with the expectation that IT professionals and other specialists would be the ones reading and interpreting them. The reality is that a significant part of modern ISO 27001 compliance is management overview, and a significant source of friction was the fact that most management professionals don’t understand the complex IT-based terminology. Thus, many of the new changes made to nomenclature are meant to make it understandable to management without special training.
If your organization is not yet ISO compliant and you’ve been working toward developing an ISMS using ISO 27001:2013, you will need to readjust and redefine your basis and work towards ISO 27001:2022. Since you haven’t undergone the lengthy and complex auditing process yet, this is the best time to make fundamental changes.
While you could technically continue to seek ISO 27001:2013 compliance, you would only have a limited amount of time to then change to adapt to 2022 standards, so it’s generally better to change now. Additionally, the final deadline for achieving ISO 27001:2013 compliance is less than a month from the time of this writing (October 2023), so if you’re not effectively already done with the process, it’s too late.
If your organization is already certified and compliant with ISO 27001:2013, you will need to analyze the changes made in ISO 27001:2022 and make adjustments. Here’s a sample of what you may need to do.
One of the most significant elements of ISO 27001 auditing and compliance is the process of going through every control and determining whether or not that control is applicable to your organization. Since ISO 27001 is meant to be as broadly generic and applicable to as many organizations as possible, most organizations will find that some significant portions of the security control list are simply irrelevant to their operations.
Since controls have been reorganized, renamed, removed, and added, you will need to repeat this process. For the most part, it’s easy to see which controls have been merged (necessitating little more than a name change in your statement) and which ones have been removed (and can thus be removed from your statement.) The added 11 controls will need closer review.
The 11 new security controls represent an increase and adjustment to information security necessitated by changes in technology, threats, and observation.
They are:
As you can see, some of these may or may not be applicable. If you already don’t retain data, information deletion is easy; if you don’t do coding work, secure coding is irrelevant. Reviewing and implementing these 11 controls is the bulk of the work in updating to ISO 27001:2022.
Timelines are important. There are two key dates to know.
The first is October 31, 2023. This date, mere weeks away from the time of this writing, is the final deadline for obtaining certification for ISO 27001:2013. Organizations already deep in the process can finish it up by then and obtain certification on schedule. Organizations earlier in the process will need to adjust to ISO 27001:2022 standards.
The second date is October 31, 2025. This is the end of the grace period. Any organization certified for ISO 27001:2013 has until this date to update to ISO 27001:2022. Failure to do so will result in losing certification, even if your certification’s validity would normally last longer.
In order to make this transition easier, we recommend using the Ignyte Platform. We developed our platform to help with documentation and compliance across dozens of security frameworks, to help businesses both large and small achieve compliance. You can review its features here, book a demo directly, or reach out and ask us if you have any questions, either about ISO 27001 in general or about the transition to 2022 specifically.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/iso-27001-2013-2022/