On October 25, 2022, the International Organisation for Standardisation (ISO) released #cybersecurity standard ISO 27001 2022 (27001:2022), replacing the 9-year-old 2013 version. Read on for key takeaways and gotchas for your consideration.
Setting the scene – ‘eggshell security’ is dead: long live Zero Trust Architecture (ZTA)
Before we jump into the details of the changes to the new 2022 version of ISO 27001, let’s pause to reflect on some of the significant innovation that has disrupted the way we work and how the 2013 version of 27001 has become a bit long in the tooth.
A lot has changed in 9 years– many organisations have long since implemented their ‘cloud first’ strategies (Microsoft 365/Azure, Amazon Web Services (AWS), Oracle Cloud Infrastructure (OCI), SalesForce, etc.), while ubiquitous application programming interfaces (APIs) have made it trivial to interoperate. A never-ending pandemic has made mobility a non-negotiable business requirement. The ability to leverage all of this new capability in traditionally air-gapped architectures (e.g. data flows from Operational Technology into cloud) has also become a necessity.
All of these changes mean we no longer can be confident that we know where our data is or who has access to the data or the technology itself if we continue to follow the old-school eggshell paradigm of network security. This in particular is what motivates us towards ZTA concepts and is one good reason why ISO 27001 desperately needed a facelift. With all of that in mind, let’s take a tour of the new standard and see what’s different and whether it’s gone far enough to stay relevant.
Fancy new title – this acknowledges the need to protect cyber-systems where availability is a priority over confidentiality (e.g. Operational Technology) and of course, protecting privacy, which has become legislated across the globe. There is good alignment here with practice objectives from NIST C2M2 v2.1, for example.
Before (2013) – “Information technology – Security techniques – Information Security management systems – Requirements”
After (2022) – “Information security, cybersecurity and privacy protection – Information security management systems – Requirements”
Clause 3 – Terms and Definitions Confirming a common view. Do you see a young woman or an old woman? We often think we’re talking about the same thing, but each person is imagining something completely different.
Before engaging in the implementation or audit of an Information Security Management System (ISMS), such as 27001, it’s crucial that interested parties are all on the same page with their terms, definitions. The following links have been added to look up terms and definitions:
Mandatory Clauses 4-10 – For the most part, the mandatory clauses haven’t changed much, which is a testament to how well the standard was devised. I will only cover clauses that have changed enough to warrant comment.
4.1 – Understanding the organisation and its context. Now references ISO 31000:2018 instead of ISO 31000:2009
4.2 – Understanding the needs and expectations of interested parties. An additional requirement (4.2(c)) was added linking how the requirements of interested parties will be addressed through the ISMS.
4.4 – Information Security Management System. Added scope for the processes and interactions required to establish, implemented and maintain the ISMS.
6.2 – Information security objectives and planning to achieve them. New requirements to monitor and make available as documented information the objectives.
6.3 – Planning of changes. This is a new clause requiring changes to the ISMS to be carried out in a “planned manner”.
8.1 – Operational planning and control. Although the intent remains the same, there is significant rewording here and a requirement to establish criteria for the processes needed to meet the requirements of clause 6 (Planning/Risk Response) and then implement control of those processes.
9.1 – Monitoring, measurement, analysis and evaluation. A new requirement to make available documented evidence of the results of the evaluation of your monitoring, measurement and analysis.
9.2 – Internal audit. Requirements around the internal audit programme have been relocated into sub-clause 9.2.2, “Internal audit programme”, perhaps to highlight the need for this business process.
9.3.2 – Management review inputs. New considerations (9.3.2(c)) for changes in the needs and expectations of interested parties.
9.3.3 – Management review results. This is a new sub-clause, but is existing wording that was moved and slightly tweaked. As with 9.2.2, I suspect this is just to highlight this requirement.
That is all for the mandatory controls of ISO 27001:2022. As you can see so far, there’s not a lot to worry about if you are looking to refresh your ISMS and nothing relevant to the disruptive changes in the past decade that were described at the beginning of this post. Next, let’s briefly delve into Annex A, where there are significant changes– here’s a quick summary for now:
Annex A
The number of Annex A controls has decreased from 114 to 93 in the new version of ISO 27001. Also , these security controls are now divided into four sections instead of the previous 14.
11 new controls:
Organisational Controls
A.5.7 Threat Intelligence
A.5.23 Information Security for use of Cloud Services
A.5.30 ICT Readiness for Business Continuity
Physical Controls
A.7.4 Physical Security Monitoring
Technological Controls
A.8.9 Configuration Management
A.8.10 Information Deletion
A.8.11 Data Masking
A.8.12 Data Leakage Prevention
A.8.16 Monitoring Activities
A.8.23 Web Filtering
A.8.28 Secure Coding
