With the recent release of ISO27001:2022, the full extent of both new and merged cyber security compliance is finally clear! Most InfoSec bloggers have pointed out the Annex A reshuffle from 14 domains to 4 clauses (Organizational, People, Physical and Technological), and the resource tables in the appendices of ISO27002:2022 map old to new controls. We covered the changes to Annex A a few weeks back.
Annex SL Controls
Changes to the requirements, or Annex SL controls, not covered in ISO 27002:2022 are minor but must be addressed, too. Here’s what you need to know:
- 4.2 – The organization shall now determine the requirements of interested parties and how the ISMS will address them.
- 4.4 The ISMS shall include the information security process and interaction requirements.
- 6.1, 6.2 There are additional actions and clarity required to address information security risk assessment and treatment processes. Information security objectives must also be documented and monitored.
- 7.4 There are minor updates to the ISMS communication plan.
- 9.1 Monitoring methods are now defined with greater clarity.
- 9.2 Greater emphasis is placed on a formal internal audit program.
- 9.3 Management review now includes a slightly increased focus on the requirements of interested parties.
- 10.1/2 These controls have been switched, but not changed.
Cyber Security Compliance Annex SL and Annex A Controls
The following steps are recommended to adjust cyber security compliance for the new and regrouped ISO 27001:2022 Annex SL and Annex A controls:
Review Both the Standard and Guidance Documents
First, review ISO 27001:2022 and identify the new and merged controls. Review the guidance provided for each changed control in ISO27002:2022. Use the reference tables in ISO27002:2022 to align your Statement of Applicability (SOA) or GRC tool references. Most SaaS GRC tools will do this for you.
Review Your Statement of Applicability
Next, review your manual SOA or ISO27001:2013 GRC Control Inventory (a digital SOA) against the new control references you added from ISO27002:2022. The SOA is a controlled document or list that details all other documents, processes, and outputs that address risks to the ISMS. The SOA is critical for comparing controlled documents (standard operating procedures, policies, etc.) and ensures that the ISMS controls are addressed within the organization. In addition, the ISMS contains a matrix between identified risks and the risk treatment plan.
If your organization has chosen to use your risk treatment process to address the new changes to ISO 27001:2022 then use this matrix to identify what controls are impacted, and what policies, procedures, or processes those changes impact. Be sure to look out for keyword changes in the controls, and not just the presence of a new control. For example, a change requiring something to be “documented” vs “identified” means that you should be capturing and storing formal records vs. just being aware of the output.
Address the Changes
Once you have included each of the new or modified controls in your scope, then your SOA becomes a work plan to address the changes to your processes and documentation and you can complete your risk treatment plan. As you work the list, you’ll see updates and changes such as Control 8.1 User endpoint devices. This control, modified from the old A.6.2 and A.11.2 controls, now includes both user-owned and corporate devices. Organizations with BYOD mobile policies will recognize this change and update their policy and risk assessment accordingly. By following this process, you’ll be able to use manual processes or GRC tools to address each change you find in a quick and traceable fashion. Check out this blog from StandardFusion to explore how GRC enables ISO27001:2022 compliance.