Information and digital security frameworks like FedRAMP, CMMC, and ISO 27001 are not static documents. They provide a static framework for your business to comply with and achieve, but that framework is only valid for so long. Several different forces are in play to ensure that the stipulations and security measures outlined in these frameworks remain valid over time.

For example, instead of a rule outlining the specific devices and measures you might need for user access control, the framework might specify that you need some form of access control with certain minimum capabilities. Instead of specifying which form of data encryption to use, they will simply tell you to use encryption at X level or better. This vague language is meant to both allow your business to comply in the most sensible way possible and to remain open enough that changes in technology or standards can be incorporated without needing an entire revision of the framework.

Another avenue these frameworks use is continuous monitoring and auditing. Systems like ISO 27001 set up a whole process for ensuring ongoing information security rather than leading you to a fixed state and freezing you in time. This way, as threats emerge and change, so too do your protection mechanisms. You will never end up in a situation where patching a security hole would put you out of compliance with versioning, for example.

While all of this is good, even these efforts can fall out of date over time. Most businesses today don’t need to concern themselves with the security requirements of Windows 2000, the use of SCSI devices, or the security threats that can accompany tape drives. That’s not to say these technologies aren’t in use around the world in very limited capacities, of course; it’s just that certain kinds of technologies can fall out of favor and be relegated to extremely niche cases.

From time to time, the frameworks themselves receive significant version updates. In the case of ISO 27001, the most recent update is the 2022 version; the update before that was nine years prior, the 2013 version.

What has changed between these two versions, what do you need to know about the transition, and what does your business need to do if you’re still using ISO 27001-2013? Let’s discuss.

How Significant are the Changes to ISO 27001:2022?

The bulk of the changes made to ISO 27001 in the 2022 update have more to do with organization and clarity than they do with changing the tangible requirements your business needs to meet. Changes also include redefining process criteria and changing monitoring standards. Most of these changes are to clauses 4 through 10.

Additionally, there were changes to Annex A controls. Annex A is the list of classified security controls that businesses and organizations use to demonstrate compliance with ISO 27001. These are largely defined through a separate document, ISO 27002. ISO 27002 was updated earlier in 2022, and the later changes to ISO 27001 helped align it with those previous changes. These are more significant and include merging old controls, removing outdated controls, and adding new controls.

What Are the Changes to Clauses 4 through 10?

The changes made to clauses 4 through 10 range from moderately significant to relatively minor.

These changes include:

• Clause 4.2, Understanding the Needs and Expectations of Interested Parties, added a new sub-clause that requires analyzing which interested party requirements will be addressed in your ISMS.
• Clause 4.4, Information Security Management System, adds new language to require organizations to identify required processes and interactions within the ISMS; effectively this requires that your ISMS include underlying processes rather than just the processes outlined in the Standard.
• Clause 5.3, Organizational Roles, Responsibilities, and Authorities, adds a small update clarifying that communication of relevant infosec roles needs to be communicated within your business.
• Clause 6.2, Information Security Objectives and Planning to Achieve Them, includes more guidance on the objectives specified, including more information about monitoring and documenting objectives.
• Clause 6.3, Planning of Changes, is a new clause that sets a new standard around, as you might guess, planning for changes. All it does is require that changes to the ISMS be planned adequately, which you would think is intuitive but apparently needed to be codified.
• Clause 7.4, Communication, simplified the fourth and fifth subclauses and rolled them together. Nothing tangibly changed, but the language is simpler.
• Clause 8.1, Operational Planning and Control, added guidance for its namesake. It requires that the ISMS have criteria for actions outlined in clause 6 and control those actions appropriately.
• Clause 9.2, Internal Audit, was slightly changed by merging the previous sub-clauses 1 and 2 into one.
• Clause 9.3, Management Review, added a new item that stipulates any management review must consider interested parties when evaluating changes. A prime example is if a private organization’s management wants to go public, they must evaluate how the ISMS would be affected.
• Clause 10, Improvement, was structurally changed to list continual improvement first and corrective action second; the specific language is unchanged.

As you can see, the majority of these changes are minor and don’t affect your organization in a tangible way. What does it matter to your ISMS or your operations if the order of language in clause 10 is different? It doesn’t. All it does is make it easier to understand for organizations learning about ISO 27001 compliance for the first time.

What Are the Changes to Annex A?

Annex A is similar to NIST SP 800-53, in that it is the specific list of security controls that an organization must evaluate, adhere to, and comply with in order to achieve certification in the framework that uses them. ISO 27001 specifies its controls in Annex A, and ISO 27002 is effectively a reference and implementation guide.

In the update to ISO 27001:2022, four key things have happened.

• 3 controls were removed entirely.
• 23 controls were renamed for more appropriate descriptions.
• 57 controls were merged for simplification and overlap reduction.
• 11 controls were added to address new developments in security.

Most of the changes are structural and don’t necessarily require adjustment to your ISMS, or any different thinking when developing an ISMS for the first time. Some of the merged controls may add new requirements for your organization, and the new controls must be considered.

The renamed and merged controls are largely a transition for a changing audience. The original versions of ISO 27001 controls were largely written with the expectation that IT professionals and other specialists would be the ones reading and interpreting them. The reality is that a significant part of modern ISO 27001 compliance is management overview, and a significant source of friction was the fact that most management professionals don’t understand the complex IT-based terminology. Thus, many of the new changes made to nomenclature are meant to make it understandable to management without special training.

What Does Your Organization Need to Do to Transition to ISO 27001:2022?

If your organization is not yet ISO compliant and you’ve been working toward developing an ISMS using ISO 27001:2013, you will need to readjust and redefine your basis and work towards ISO 27001:2022. Since you haven’t undergone the lengthy and complex auditing process yet, this is the best time to make fundamental changes.

While you could technically continue to seek ISO 27001:2013 compliance, you would only have a limited amount of time to then change to adapt to 2022 standards, so it’s generally better to change now. Additionally, the final deadline for achieving ISO 27001:2013 compliance is less than a month from the time of this writing (October 2023), so if you’re not effectively already done with the process, it’s too late.

If your organization is already certified and compliant with ISO 27001:2013, you will need to analyze the changes made in ISO 27001:2022 and make adjustments. Here’s a sample of what you may need to do.

Review and Update your Statement of Applicability

One of the most significant elements of ISO 27001 auditing and compliance is the process of going through every control and determining whether or not that control is applicable to your organization. Since ISO 27001 is meant to be as broadly generic and applicable to as many organizations as possible, most organizations will find that some significant portions of the security control list are simply irrelevant to their operations.

Since controls have been reorganized, renamed, removed, and added, you will need to repeat this process. For the most part, it’s easy to see which controls have been merged (necessitating little more than a name change in your statement) and which ones have been removed (and can thus be removed from your statement.) The added 11 controls will need closer review.

Review and Implement Any of the 11 New Controls Applicable

The 11 new security controls represent an increase and adjustment to information security necessitated by changes in technology, threats, and observation.

They are:

1. A.5.7 Threat Intelligence, a control that requires you to gather information about threats and analyze them in order to mitigate them. This includes both specific attacks and general attack trends and encompasses both internal and external information sources.
2. A.5.23 Information Security of Use of Cloud Services, a control that requires set security for cloud services, including purchasing, using, and terminating their use. Insecure cloud services may need to be upgraded or replaced.
3. A.5.30 ICT Readiness for Business Continuity, a control that requires information and communication technology to be resilient against disruption so business information can be accessed when needed. This can include things like disaster recovery plans and readiness testing.
4. A.7.4 Physical Security Monitoring, a control that requires monitoring sensitive areas and restricting access to them.
5. A.8.9 Configuration Management, a control that requires managing and reviewing security configurations to ensure proper security and prevent unauthorized changes.
6. A.8.10 Information Deletion, a control that requires deleting information that is no longer necessary to prevent its unauthorized access or distribution.
7. A.8.11 Data Masking, a control that requires masking and obfuscating sensitive and regulated data, like CUI and classified information.
8. A.8.12 Data Leakage Prevention, a control that requires implementation of preventative measures against data leaks, as well as disclosure if leaks happen, and active detection of potential leaks.
9. A.8.16 Monitoring Activities, a control that requires ongoing monitoring and oversight to detect and prevent unusual activity and implement your incident response plans properly.
10. A.8.23 Web Filtering, a control that mandates IT filtering for web access to prevent access to malicious websites or websites offering illegal materials.
11. A.8.28 Secure Coding, a control that requires establishment of secure coding principles and vulnerability reduction in development.

As you can see, some of these may or may not be applicable. If you already don’t retain data, information deletion is easy; if you don’t do coding work, secure coding is irrelevant. Reviewing and implementing these 11 controls is the bulk of the work in updating to ISO 27001:2022.

How Much Time Do You Have?

Timelines are important. There are two key dates to know.

The first is October 31, 2023. This date, mere weeks away from the time of this writing, is the final deadline for obtaining certification for ISO 27001:2013. Organizations already deep in the process can finish it up by then and obtain certification on schedule. Organizations earlier in the process will need to adjust to ISO 27001:2022 standards.

The second date is October 31, 2025. This is the end of the grace period. Any organization certified for ISO 27001:2013 has until this date to update to ISO 27001:2022. Failure to do so will result in losing certification, even if your certification’s validity would normally last longer.

In order to make this transition easier, we recommend using the Ignyte Platform. We developed our platform to help with documentation and compliance across dozens of security frameworks, to help businesses both large and small achieve compliance. You can review its features here, book a demo directly, or reach out and ask us if you have any questions, either about ISO 27001 in general or about the transition to 2022 specifically.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/iso-27001-2013-2022/