Perhaps one test of ‘best practice’ – a term often used to describe standards is longevity in use. In the case of information security standard ISO27001, it was derived from BS 7799 Part 2, first published by the British Standards Institute in 1999 and revised in 2002. The second edition (now ISO27001) was published in 2013, having been extensively revised to align with the other ISO management systems standards. And it is testament to the quality, structure, and annexes within the Standard that the 2017 revisions were barely a few words, meaning that the Standard has remained unchanged in almost ten years.
This is quite remarkable when we consider the pace and extent of technological change since 2013 – the degree to which connectivity has become ubiquitous, the rise of ultra-connected ‘smart cities’; computer chips in devices from washing machines to wind turbines, automation, and artificial intelligence, all progressing exponentially since 2013, and all posing significant challenges to the cyber security industry. So, what is changing in 2022? And what are the answers to some key questions you may be asking if you have recently certified, complied or aligned with the current standard (the new version is unlikely to be released until mid-2022)
The short answer is not a great deal! Slipstream understand that there is no large-scale rewrite of the Standard, which will be a relief to many, particularly those now used to audit to the Standard. In fact, simplification, and user friendliness are the key changes. Why not? The main reason is that that Standard itself is a framework Standard and the substantive changes come in the form of changes to the controls in sister Standard ISO27002, the update to which was published in February, and which will form one of the appendices to ISO27001.
What exactly has changed in the new version of ISO27001?
We would not wish to speculate on exact changes to the final version as this has not yet been released. But it is unlikely to include major changes to clauses 4-10. Our understanding is that it is only the security controls listed in the annexes and the already published ISO27002 in mid-February this year that will be substantially changed. Our information is that the number of controls has decreased from 114 to 93 and are placed in 4 sections instead of the previous 14. There are 11 new controls, while none of the controls were deleted, many controls were merged.
There are likely to be four new sections of controls:
Our Organisation recently completed work to align with ISO27001 – what does this mean for us?
Your recent work will remain of high value, but it may be worth a short-order engagement to ensure that it is updated to reflect the new standard. This should ideally be carried out by an ISO27001 Lead Auditor or Lead Implementer who will sign off that this work has been done for your records.
We conduct annual audits against the Standard – how will this impact our audits?
Your next annual audit will most likely need to be against the new Standard, and you will need to obtain the necessary documentation to ensure you are proceeding to audit against the new set of criteria and controls. Slipstream would advise using a certified Lead Auditor for this process.
Is now a good time to begin work with ISO27001 if it is about to change?
It is never a good idea to delay a security review and particularly not in today’s environment. Slipstream will work with you to ensure your budget for ISO alignment, compliance, or audit is well spent. Given that changes to the Standard are relatively minimal Slipstream advise that you do not delay. We will build into your program of work a review once the new standard is published to ensure any work we complete is updated. ISO 27002 was updated on February 15, 2022 (ISO – ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls ), and Annex A of ISO 27001 will be aligned with those changes.
For a free no obligation conversation about ISO27001 and our other Cyber Security services please contact Slipstream Cyber.