ISO 27002 will change significantly and more than 27001, which doesn't really change at all
The little things - 27001
To be precise – and because we’re dealing with a standard, we really should be precise – ISO 27001 will experience changes such as:
- Annex A will refer to controls in ISO / IEC 27002:2022
- The terms in clause 6.1.3 (c) notes have been harmonized
- The wording in 6.1.3 (d) has been revised to improve clarity and remove ambiguities
In short, the ISO 27001 is not really changing at all – but it’s a bit clearer.
The bigger things - 27002
Where ISO 27001 is to be just clarified a bit, the changes in ISO 27002 are almost revolutionary. Changes will be seen in control objectives and classifications. In the new revision, there will be less controls altogether and they are categorized into themes (instead of security domains) such as organizational controls, people, physical and technological controls.
Some new controls will be added to respond and reflect the ever-changing threat landscape. They cover topics such as threat intelligence, identity management, cloud security, business continuity, physical security, endpoint management, configuration management, information deletion, data masking, data leakage prevention, web filtering, and secure coding. As a new feature, hashtags have been added, which e.g. align to the five core Functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and also better express whether the control in question is preventive, detective or corrective in nature.
Some controls have been retired completely. The primary goal is to avoid duplicates and improve alignment with the new controls. Examples of retiring controls include mobile device policy, ownership of assets, password management system, and delivery and loading areas.
What should be done to prepare?
Following the upcoming publication of the ISO 27001, it will be advised how long a transition period will be granted from the 2013 revision — typically it will be 12 or 24 months. If the standard is actually published in March 2022, a 12-month transition period means that all certification or follow-up audits conducted after March 2023 must use the new revision.
While waiting for this certain but still slightly open release event on schedule, it is good to:
- go through existing controls in accordance with the new 27002 (e.g. in the next internal audit)
- update risk assessments and SoA, as the controls to mitigate risk will be updated as well
- ensure good compatibility of existing GRC and SIEM reporting tools with the new compliance requirements
- update metrics and monitoring to reflect new risk assessments and Annex A changes
- update the internal audit program to reflect changes to the ISMS
Segregation of duties in ISO 27001 refers to all practices where information and/or privileges required to carry out a certain process are broken into fragments. The fragments are then distributed among multiple persons or roles in such a way that a single person alone cannot perform or fully control that particular process.
The average life expectancy of an ISO standard is about five years, at a time. When the hourglass has run out of sand, a voting will take place to decide whether to maintain the ISO standard as-is, revise it or withdraw the standard altogether.