InfoSecAssure has completed an in-depth review of the changes made to ISO 27001 in 2022. We have attempted to bring seemingly boring updates to you with a little bit of flair. Grab a Chai, Wine, Coffee or Kombucha and enjoy the update.
Nine years after its last publication, ISO 27001 has been updated. Like any good information security standard (of which there are many, but this is our favourite!) it must eventually be updated to reflect the will of the people and the technology of the current world.
Key Highlights - 12 changes have been made to the mandatory ISO 27001 requirements, including the addition of one new requirement. In Annex A 27002 there are 7 new controls and 7 have been scrapped; a number of controls have been merged and some definitions have changed.
If you need a reminder or you don’t know, ISO 27001 is an international standard that sets out requirements for establishing and maintaining an Information Security Management System.
The standard is developed by the International Standards Organisation - Joint Technical Committee JTC1 - Subcommittee SC27. Thanks team SC27 for your contribution to the information security community.
The first part is the mandatory requirements for your information security management system.
The second part is lovingly referred to as 27002 or Annex A 27002, and while some think that this is the standard itself, it’s actually just an Annexure of the main standard.
Now let’s move on to the main event.
In the old version of ISO 27001 there were 26 detailed requirements and in the new version there are 30. However, there are a couple of requirements in the old version which have been split out into two in the new version, so upon inspection we have found there’s only one new requirement.
This requirement states that when the organization determines the need for changes to the system, it will plan the changes. Seems reasonable, but it also seems to be a very similar requirement to 7.1 - Resources, which states that the organization should determine and provide the resources needed for the maintenance and continual improvement of the system. Surely this includes the planning of changes? Nevertheless, just in case you forget to plan changes to your ISMS, you can add writing the ISMS change plan to your ISO 27001 To Do list. Mmmm?
Apart from that one additional requirement in ISO 27001 there are only a few other changes in the mandatory section which include:
4.1.2 - While understanding the needs of interested parties, companies are now required to determine which of their interested parties’ requirements will be addressed through their ISMS.
4.4 - While establishing, implementing and maintaining their ISMS, organisations now also need to include processes and their interactions. Good work! Makes sense, because you won’t believe how easy it is to implement a set of policies and standards without processes to support them. So, for some businesses this will be a big change, as the updated requirement will open the door for auditors to ask for copies of supporting processes and to test them. Uh oh!
5.1 - Leadership and commitment - There’s an extra note saying the word "business" can be interpreted broadly. Ok.
5.3 - Top management still needs to ensure information security responsibilities/roles are assigned and communicated, but they’ve now added a clarification that this should be “within the organization”. We assume this is just in case you’re confused about who you were assigning your information security roles to. So, no, you can’t ask your gardener to manage your security alerts!
6.1.3 - Under the existing information security risk treatment requirement, which states that businesses should compare the controls identified to address their risks with Annex A, the associated note has been changed to clarify that Annex A contains “a list of possible controls”, removing the words “a comprehensive list”. A note has been removed which previously said, “control objectives are implicitly included”.
6.2 - Information security objectives must now also be monitored and be available in a document.
7.4 - This requirement was simplified, with the statement changing from “you must determine who you should communicate to and the processes you will use to communicate” to “how to communicate”. Makes sense, thanks SC27!
The note under 7.5.3 that relates to how documented information about your ISMS is controlled has changed from “access implies a decision” to “access can imply a decision”. Getting your implications correct is important.
In section 8.1 the organization still has to plan, implement and control the processes needed to meet the requirements and implement the actions, but where the last version referred to just 6.1 and 6.2, this requirement now refers to all of Clause 6.
Under 8.1 the term “outsourced services” has been replaced with “externally provided services”.
Under section 9.3 Management review inputs - the management review now needs to include the consideration of the needs and expectations of interested parties.
And that's a wrap for the 2022 changes in the mandatory section.
The biggest change in this part of the standard (which is actually referred to as the “document” instead of the “International Standard” throughout the document) is that all of the controls have been regrouped into four categories:
So, expect to see lots of new diagrams in the coming years that look something like this:
5.7 - Threat intelligence - This new "potential control" asks that you consider collecting and analyzing information about information security threats to produce threat intelligence.
5.23 - Information security for use of cloud services - Now this is an interesting addition, because there is another standard, ISO 27017, which has a short list of information security controls related to cloud services which are noted as additions to 27002. I guess no one was reading 27017, so they’ve slipped one in here for good measure, which makes sense given we are all using Cloud Services these days.
7.4 - Physical security monitoring - Great to see that physical security controls now have a monitoring aspect. Previously, although there was a list of physical security controls, there was no mention of the actual monitoring controls, so this is a great addition. Interestingly, the document does not mention surveillance cameras or surveillance equipment, but I guess that’s covered by this physical security monitoring control as, like many of the ISO 27001 controls, they are broad enough to let businesses make their own decisions as to how to implement a control.
8.9 - Configuration management - This is a big control requirement for some. It states that the organization must “establish, document, implement, monitor and review security configurations of hardware, software, services and networks”. I hope you guys are good at technical writing, because there is a lot of documentation to be done now. However, it doesn’t say “all” configurations, so maybe it will be enough to take screenshots of all your settings. Auditors will rule the day on this one.
8.10 - Information deletion - Specifically called out in this standard, this control requires organizations to delete information stored anywhere when it is no longer required. We assume that regulatory/compliance requirements for retaining information in some instances will prevent this control from being implemented, but it has good intent, and I am sure some companies who have been breached of late wished they had deleted a bit more of the information they were hanging onto. Don’t delete this document though :-)
8.11 - Data masking - The classic data masking control. They could’ve used the word obfuscation or a number of other words the community uses to say “redact, delete or hide data”, but they chose Mask. In particular, they called out that data masking “must be used in accordance with a topic specific policy and access control and other related topic specific policies and business requirements taking into account applicable legislation”. Does this mean we’ll have to have a “Data masking standard”? Probably not, as I think most of us can cover it off in an information classification standard which sets out all the handling requirements for different types of information: just add “data masking requirements” and list out what type of information and when this control should be applied. "Ssssmokin" (reference to quote in the movie The Mask FYI)
While we were able to match the control, or primary intent of the control, for 86 out of the 93 controls from the New Annex A to the Old Annex A, there were 6 controls in the Old Annex A that were left hanging in the wind.
9.4.3 - Password management system - there is no more specific password management system requirement in the new Annex A however that doesn't mean you don't need one!
11.2.8 - Unattended user equipment - Removed from the new version, but the intent is most likely covered by the new 7.3 physical security for offices, rooms and facilities, 7.7 clear desk/clear screen and 7.8 equipment siting and protection.
13.2.3 - Electronic messaging - Thankfully removed, because while we were all trying to secure our emails... what is email really? And what is life? Just another digital piece of data that gets sent using a certain technical protocol. There are many more channels we use to communicate with each other nowadays, so it makes sense to focus the controls more broadly, such as "protecting yourself from malware". But don’t turn off your spam filter yet! This is one of the additional controls that you could cleverly add to your “ISMS choose your own adventure control set”.
14.2.4 - Restrictions on changes to software packages - Phew! This one was probably the most difficult control that any innovative business had to try and implement. Have you ever tried to get a software house to restrict people changing software packages! What did this mean anyway? Was it the settings they were referring to, cracking the code or just the general gist of the software? See you later software package change restrictions, and Welcome Home Secure Development Lifecycle to your rightful place!
14.2.9 - System acceptance testing - Which does sound very similar to 8.29, but it’s not, because 8.29 in the new standard is "Security testing processes", not "system acceptance testing". So, like any good information security person, we can now leave system acceptance testing to the technology and business teams (unless you are a start-up or small business, in which case you are probably doing all of it!)
18.1.5 - Regulation of cryptographic controls - Cryptography is now covered by 8.24 but it no longer refers to ensuring your cryptographic controls meet legislative or regulatory requirements.
18.2.3 - Technical compliance review - This one is now sort of covered by the new 5.36, but the 5.36 audit requirement in the new standard does not cover or point out that the audit or review of controls must be of a technical nature. So, ladies and gentlemen, there’s nothing in the standard now that says you have to do a pen test. OK, But You Should! And maybe the Security Testing control in the new standard is intended to cover this old control.
Our next update will be a rundown of the differences between the control requirements in the new Annex A vs the old Annex A, plus we will be looking at what new evidence auditors may ask you for in future certification audits or surveillance reviews.
Subscribe here to get Parts 2 and 3 of our ISO 27001:2022 Change Analysis.