Cybersecurity Changes are Coming
Earlier this year, the ISO Information security, cybersecurity, and privacy protection subcommittee (ISO/IEC JTC 1/SC 27) released ISO27002:2022. This guidance document gives us some insight into what the new ISO 27001 standard will look like, and some good changes are coming. Many industry experts and consulting firms have shared their take on the new standard, and while summaries vary, the consensus is as follows:
- The Annex A controls will be reorganized from 14 domains into 4 clauses:
  - Organizational controls (clause 5)
  - People controls (clause 6)
  - Physical controls (clause 7)
  - Technological controls (clause 8)
- There will be fewer controls:
  - The number of “Annex” controls will drop from 114 to 93.
  - 58 of the controls are updated
  - 24 are merged with others
  - 11 are new and focus on current information security and privacy concerns
Changes to the requirements, or “Predicate” controls, are not covered in ISO27002:2022 but will continue harmonizing with other standards such as ISO9001. Any changes here will continue to emphasize the value of using processes to address controls versus a checklist compliance model.
Finally, some new help will accompany the 2022 standard. Appendix A and the clause control tables now use #attributes to help classify and group controls. Examples include the risk assessment favorites #Confidentiality, #Integrity, and #Availability; NIST CSF aficionados will rejoice to see #Identify, #Protect, #Detect, #Respond and #Recover among the #attributes. As we’d expect, Appendix B provides control mapping between ISO27002:2022 and ISO27002:2013.
How to Comply with ISO27001:2022
Discover how to update your processes and systems to comply with these new changes through the following:
- Confirm your processes
- Control mapping
- Close the gaps
- Clean up
Confirm Your Processes
For certified companies, the changes are significant, but there’s no need to panic. Since ISO27001 is a process-based standard, you should have everything you need to plan the updates to your Information Security Management System (ISMS). Before you scour each control and start updating your Standard Operating Procedures like a maniac, consider the larger processes you have in place to absorb the changes:
- Consider building the new controls into your Risk Assessment process. Review how they impact your objectives and physical, information and process assets, and assign risk treatment plans for how you’ll address the threats and vulnerabilities they present. If you use a GRC tool, make plans to purchase or get IT or vendor resources to import the new standard for use in your risk assessment.
- Remember to use your Change Management process to capture responses to changes to security monitoring tools and process and configuration management. Continual Improvement processes, such as CAPAs, may be helpful carrot-and-stick tools when you need others to take action.
- Yes, lots of documentation will need to change. To stay sane, leverage your Document Management System to update documents in the order they expire and address other updates by priority. Share the wealth and allow end users to maintain their own Work Instructions where suitable. Don’t forget to include end-user training!
- Perhaps most importantly, use your Management Review process to include and inform your Executive and Location-based Leadership about the upgrade! A management review will help you document the project needs, obtain commitment and resources or funding, and set accountability for others carrying the load.
Control Mapping
Once you’ve identified the processes to get you to ISO27001:2022, it’s time for the details. The best place to start with control mapping is with the Statement of Applicability (SOA) noted in requirement 6.1.3(d). Some organizations manually track their SOA in a document using Microsoft Excel or similar. Others generate an SOA Report in their GRC tool. If you use a GRC tool, contact your vendor to see if the ISO27001:2022 update will arrive in a timely fashion and if it will automatically map to the ISO27001:2013 standard where applicable. You’ll be glad you did!
If you use a manual Microsoft Excel SOA, or you need to update your GRC tool yourself, start by adding the table Appendix B from ISO27002:2022 into your current report. There may also be a comparison table in the forthcoming ISO 27001:2022 standard. The controls will align as follows:
- Controls from ISO27001:2022 map directly to ISO27001:2013
- Controls from ISO27001:2022 map to multiple ISO27001:2013 controls
- Controls from ISO27001:2013 map to multiple ISO27001:2022 controls
- Controls from ISO27001:2022 don’t map to any older controls
- Controls from ISO27001:2013 don’t map to any newer controls
For a skilled resource, updating Microsoft Excel SOA content should be straightforward. Add columns and align the new content manually. For GRC tools, use the GRC tool import/export process to add new content and link it to existing controls, assets, and assessments. Depending on the complexity of the system, you may need to involve the GRC vendor for assistance. Check out this blog from StandardFusion to explore how GRC enables ISO27001:2022 compliance.
If you have a mature ISMS that shares common controls under multiple ISO standards or other information security and privacy frameworks such as NIST, PCI-DSS, HIPAA, or GDPR, review how the ISO27001:2022 controls map to them as well.
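The five mapping cases above, and the SOA carry-forward they drive, are mechanical enough to script once the Appendix B table has been exported from the standard. The following is an added example, not code from the original post or from any GRC vendor: it classifies a crosswalk of (2022 control, 2013 control) pairs into the five cases, drafts a 2022 SOA from a 2013 one while flagging rows that need a human decision, and groups controls by #attribute. All control ids, titles, crosswalk rows and SOA entries in it are constructed sample data, not the real Appendix B content.

```python
"""Classify a 2013-to-2022 control crosswalk and draft a 2022 SOA from the 2013 one.

All control ids, titles, crosswalk rows and SOA entries below are CONSTRUCTED
sample data for illustration; they are not the Appendix B mapping table from
ISO/IEC 27002:2022, which must be copied from the standard itself.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    attributes: frozenset = field(default_factory=frozenset)  # e.g. {"#Detect", "#Integrity"}


# Constructed 2022-style controls carrying #attributes ("N-" prefix marks them as samples).
NEW_CONTROLS = [
    Control("N-5.1", "Policies for information security", frozenset({"#Identify", "#Confidentiality"})),
    Control("N-7.10", "Storage media", frozenset({"#Protect", "#Confidentiality"})),
    Control("N-7.14", "Secure disposal or re-use of equipment", frozenset({"#Protect", "#Confidentiality"})),
    Control("N-8.16", "Monitoring activities", frozenset({"#Detect", "#Integrity", "#Availability"})),
    Control("N-8.20", "Networks security", frozenset({"#Protect", "#Availability"})),
]
# Constructed 2013-style control ids ("O-" prefix marks them as samples).
OLD_IDS = ["O-5.1.1", "O-5.1.2", "O-8.3.2", "O-8.3.3", "O-11.2.7", "O-13.1.1"]

# Constructed crosswalk rows, one (2022 id, 2013 id) pair per related control.
CROSSWALK = [
    ("N-5.1", "O-5.1.1"), ("N-5.1", "O-5.1.2"),    # two 2013 controls merged into one
    ("N-7.10", "O-8.3.2"), ("N-7.14", "O-8.3.2"),  # one 2013 control split across two
    ("N-8.20", "O-13.1.1"),                        # one-to-one
    # N-8.16 has no row (new control); O-8.3.3 and O-11.2.7 have none (retired)
]

# Constructed 2013 SOA: old id -> (applicable?, justification).
OLD_SOA = {
    "O-5.1.1": (True, "Policy set approved by management"),
    "O-5.1.2": (False, "Review cadence not yet defined"),
    "O-8.3.2": (True, "Media handling procedure MH-01"),
    "O-8.3.3": (True, "Courier contract in place"),
    "O-11.2.7": (True, "Disposal procedure DS-02"),
    "O-13.1.1": (True, "Network segmentation standard"),
}


def build_maps(crosswalk):
    """Forward (2022 -> 2013) and reverse (2013 -> 2022) lookup tables."""
    old_for_new, new_for_old = defaultdict(set), defaultdict(set)
    for new_id, old_id in crosswalk:
        old_for_new[new_id].add(old_id)
        new_for_old[old_id].add(new_id)
    return old_for_new, new_for_old


def classify_crosswalk(new_ids, old_ids, crosswalk):
    """Label every 2022 control, plus each 2013 control with no successor, with one of
    the five mapping cases: direct, merges, split-from, new, retired."""
    old_for_new, new_for_old = build_maps(crosswalk)
    result = {}
    for new_id in new_ids:
        olds = sorted(old_for_new.get(new_id, ()))
        if not olds:
            result[new_id] = ("new", ())
        elif len(olds) > 1:
            result[new_id] = ("merges", tuple(olds))
        elif len(new_for_old[olds[0]]) > 1:
            result[new_id] = ("split-from", tuple(olds))
        else:
            result[new_id] = ("direct", tuple(olds))
    for old_id in old_ids:
        if old_id not in new_for_old:
            result[old_id] = ("retired", ())
    return result


def draft_soa(new_ids, crosswalk, old_soa):
    """Carry 2013 applicability forward. A 2022 control inherits 'applicable' only when
    every mapped 2013 control was applicable; anything else is flagged for review."""
    old_for_new, new_for_old = build_maps(crosswalk)
    draft = {}
    for new_id in new_ids:
        sources = sorted(old_for_new.get(new_id, ()))
        flags = sorted({old_soa[s][0] for s in sources if s in old_soa})
        if not sources:
            applicable, review = None, "new control: assess against the risk register"
        elif not flags:
            applicable, review = None, "2013 sources missing from the old SOA"
        elif flags == [True]:
            applicable, review = True, ""
        elif flags == [False]:
            applicable, review = False, "all sources excluded: confirm the exclusion still holds"
        else:
            applicable, review = None, "mixed applicability: decide per control"
        if any(len(new_for_old[s]) > 1 for s in sources):
            review = (review + "; " if review else "") + "2013 source is split: check scope"
        draft[new_id] = {"applicable": applicable, "sources": sources,
                         "justification": "; ".join(old_soa[s][1] for s in sources if s in old_soa),
                         "review": review}
    return draft


def controls_with_attribute(controls, attribute):
    """Group controls by an #attribute, e.g. the NIST CSF function tags."""
    return [c.control_id for c in controls if attribute in c.attributes]


if __name__ == "__main__":
    new_ids = [c.control_id for c in NEW_CONTROLS]
    for cid, (case, related) in classify_crosswalk(new_ids, OLD_IDS, CROSSWALK).items():
        print(f"{cid:9} {case:10} {', '.join(related)}")
    for cid, row in draft_soa(new_ids, CROSSWALK, OLD_SOA).items():
        print(f"{cid:9} applicable={row['applicable']!s:5} review={row['review'] or '-'}")
    print("#Detect:", controls_with_attribute(NEW_CONTROLS, "#Detect"))
```

Two design choices matter in practice. First, a merged control only inherits "applicable" when all of its 2013 sources were applicable, so a half-excluded merge is never silently carried forward as implemented. Second, a 2013 control that was split across several 2022 controls is flagged even when it was applicable, because the old justification usually covers only part of each new control's scope. Retired controls are listed but not deleted, leaving the decision to the common-controls review the text recommends.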
Close the Gaps
With the new controls identified, your processes identified, and the controls sorted into the five mapping cases above, it’s time to move from Planning to Doing based on your control mapping.
Where controls map one-to-one, one-to-many, or many-to-one from the older standard to the new, your SOA will reveal what, if any, processes and documents need to be updated, as well as which assets, teams or 3rd parties are impacted by the new control. Manage the work by answering the following questions:
- What processes should we use to address the needed changes?
- Who is responsible for addressing the need for change?
- What processes, documents, and assets will be updated or created?
- What outputs or evidence will be generated to show compliance?
- When will the work be done?
Where you’ve identified new controls, you will need to review their content and determine if any existing processes, documentation, or assets already meet this need. We recommend using the #attributes provided in Appendix A to see if anything fits. Then, use the 5 questions above to assign and manage the new control work. Pay attention to resources and determine if using a 3rd party may be the most effective route.
Where older controls don’t map to newer ones, consider retiring unnecessary processes, documents, or assets. As you’ll never be penalized for doing things beyond the standard, this is a low priority if you’re moving toward recertification. Be mindful of common controls and other information security and privacy frameworks before retiring elements of your ISMS.
Clean Up
Once you’ve updated your ISMS to include ISO27001:2022 controls, be sure to keep the machine running. Complete the following Check and Act tasks:
- Review your core ISMS documentation in light of the control updates and update any outdated references or language.
- Close out any open corrective actions, risk treatment plans, or change controls initiated to get you to the ISO27001:2022 finish line.
- Confirm and reconfirm that both internal and external stakeholders have been trained on what you’ve updated. Do your key ISO27001 personnel have training on the new standard, too?
- Make certain any 3rd party contracts or agreements with ISO27001 references or requirements reflect your new operations.
- Review the changes with your internal auditors and confirm that they have the new standard, are trained, and have updated their reference materials and audit plans.
- When you have enough evidence, review your new metrics and monitoring reports and confirm that your new processes are working effectively. If they’re not, make changes.
- Initiate an interim Management Review to share the state of the new ISMS with your executives.
- Reach out to your registrar and advise them of your compliance with the new standard for certification.