ISO 27001 Transition - The changes you need to know
The concepts and practice of information security have evolved massively since the last version of the ISO 27001 standard was released in 2013.
Among the main threats leading up to the 2013 standard that affected the security of business data were Denial of Service (DoS), malware and spyware.
Since then, the threats have developed, becoming more capable and professional in their operations. Accelerated by the pandemic, threats to businesses and data have seen a shift towards more advanced methods of ransomware by actors such as organised crime gangs and nation states.
So, what are the main changes in ISO 27001:2022?
The first change is the name: 'Information security, cybersecurity and privacy protection — Information security management systems – Requirements'.
The name change highlights the bond between information security, cyber security, and privacy. The practice of protecting critical systems and sensitive information from cyber, physical, and blended multi-vector attacks links directly into data protection, ensuring that the information you would like to keep safe as a company, stays that way.
This has always been important, but is much more prevalent now due to rapid growth in remote working and the demand for cloud-based solutions.
In clauses 4-10 of ISO 27001:2022, there is little change. However, there have been some amendments to the structure, terminology and ordering of words and, in some instances, to the clarity of the requirements.
For example:
Addition of sub-clauses/bullets:
- 4.2 Understanding the Needs and Expectations of Interested Parties
- 6.2 Information Security Objectives and Planning to Achieve Them
- 9.3 Management Review
Clarity added:
- 5.3 Organisational Roles, Responsibilities, and Authorities. Specifically, communication within the organisation
- 6.1.3 Information Security Risk Treatment. Updated notes.
You should note that there is one new sub-clause, 6.3 Planning of Changes, which will need to be considered and implemented as part of your Information Security Management System.
The biggest change to the updated standard is to Annex A controls, which are fully addressed in ISO 27002.
The 14 original control groups and objectives no longer exist and have been replaced with four control groups:
- Organisational
- People
- Physical
- Technology
The overall number of controls has been reduced from 114 to 93.
No controls have been deleted, but several have been consolidated, and 11 new controls have been added. The four control groups are known as 'themes', and the standard suggests the use of attributes to develop these further; however, there is no obligation to use these attributes.
The new controls added to Annex A are much needed additions that help bring ISO 27001 up to date, aligning it more readily with our current security climate.
These new controls include:
- Information security for use of cloud services
- Monitoring activities
- Threat intelligence
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage protection
- Web filtering
- Secure coding
You will probably find that you are already doing many of these things and will just need to embed them into your ISMS.
As always, the NQA team is here to support you throughout the transition process. If you have any questions or need any help, we can support you:
- Free webinar - Join us on the 10th March 2023 for a webinar with James Keenan, NQA's Information Security and Data Privacy Assurance Manager, and David Nutbrown, NQA's Information Security Principal Assessor, who will talk through the changes in the new version of ISO 27001 in more detail.
- Technical analysis and guidance - NQA will be providing various additional content over the coming months. Please sign up for our newsletter to stay informed.
- Training - NQA offers many E-Learning courses that can be taken at a time to suit you.