The information security management standard ISO 27001 and its accompanying code of practice ISO 27002 were last revised in 2013, nearly a decade ago. A new version of ISO 27002 was published in February 2022, and the revised ISO 27001 is expected to follow in October 2022. The impact on day-to-day security work is limited, but the changes do require updates to the ISMS.
What we know so far
The set of controls in ISO 27002 (and therefore Annex A of ISO 27001) has been restructured considerably. The 14 control domains of the 2013 edition have been replaced by four themes: organizational, people, physical and technological controls. The total number of controls has dropped from 114 to 93, mainly because overlapping controls have been merged. Eleven controls are new, including Threat intelligence, Data masking and Information security for use of cloud services, which now have an explicit place in the control set.
Also new is that each control carries a set of attributes, such as 'control type' (#Preventive, #Detective, #Corrective) and 'security domain' (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience). ISO 27002:2022 defines five such attribute types in total; the others are information security properties (confidentiality, integrity, availability), cybersecurity concepts (Identify, Protect, Detect, Respond, Recover) and operational capabilities. These attributes make it possible to filter and group the controls in different views, which helps when setting up the security organization and the Information Security Management System (ISMS). What has not changed is the main structure of clauses 4 through 10 of ISO 27001: the requirements for the ISMS itself are expected to remain essentially the same, apart from minor editorial alignment.
What does that mean for your ISO 27001 certification?
For now there is no reason for concern; the impact of the changes on everyday processes is fairly limited. We do, however, expect that you will need to make some changes within the ISMS. Companies will need to review their risk register and the risk treatments they have applied to confirm that the selected controls still map onto the revised control set; Annex B of ISO 27002:2022 contains correspondence tables between the 2013 and 2022 controls that make this mapping straightforward. In addition, the Statement of Applicability will have to be updated to reference the new Annex A, including an explicit decision on each of the new controls.
Finally, we recommend that you review and update your documentation, including policies and procedures, to reflect the new control set. Certification bodies are expected to allow a transition period of up to three years from publication of ISO 27001:2022, so plan to complete this well before that deadline rather than at the last minute. Accredited certification bodies may start issuing certificates against ISO 27001:2022 early next year, once their accreditation covers the new version. The intent of the standard is unchanged: you must still take a risk-based approach and select only the controls that are appropriate for your organization, justifying both inclusions and exclusions.
Should organizations seeking certification to ISO 27001 wait until the new standards are published?
No. You lose nothing by implementing an ISMS that complies with ISO 27001:2013 and uses the existing Annex A control set: certificates issued against the 2013 edition remain valid during the transition period, and the ISMS requirements in clauses 4 through 10 carry over largely unchanged. Postponing implementation until the new edition is published only delays the controls that would reduce your risk today, and the later migration to the 2022 Annex A is a modest exercise in comparison.
Need help with ISO 27001?
Changing circumstances both inside and outside your organization affect your information security. Our consultants advise on keeping your ISMS up to date. We are happy to answer your questions about the maintenance process and to inform you, without obligation, about the support Nestor offers in implementing ISO 27001.