ISO 27001 & The Upcoming Updates

ISO/ IEC 27001:2013 has been at the forefront of cyber security standards since its last major overhaul almost a decade ago. With the ever-changing landscape of the cybersecurity world, the International Organisation for Standardisation (ISO), in partnership with the International Electrotechnical Commission (IEC), is gearing up to publish the latest version of the internationally recognised standard early this year, ensuring that today’s most prevalent threats can be mitigated by every compliant organisation.

The Benefits and Importance of ISO 27001

ISO/ IEC 27001 has benefited countless organisations worldwide since its adaptation from ISO 17799 in 2005. By enabling organisations to implement an Information Security Management System, often referred to as an ISMS, the standard lets organisations be confident that their own information and their clients’ information is protected in terms of its confidentiality, integrity, and availability.

Our previous article on the often overlooked benefits of ISO/ IEC 27001 can be found here. Whilst this article does specifically refer to the 2013 version soon to be replaced, the overall goals of the standard and the benefits it can bring to an organisation will remain the same, if not become more recognisable as more recent cyber security threats and technologies are considered throughout.

When the Changes are Coming

If you’re not already familiar with the ISO/ IEC 27001 layout, the standard is designed to work in conjunction with the ISO/ IEC 27002 documentation. Whilst the standard allows you to select controls to implement from any published standard, they need to be compared with the controls listed within ISO/ IEC 27002. In order to gain certification, the requirements of ISO/ IEC 27001 and all relevant controls listed in Annex A (ISO/ IEC 27002’s controls) need to be implemented, unless it is justified that they are not required.

It’s highly likely that the new version of the standard will be released in two stages, with the ISO 27002 documentation being released in February 2022, and the ISO 27001 documentation being released a month later in March 2022.

The International Organisation for Standardisation classifies the status of ISO/ IEC 27002 as “under publication” with the release date of February 2022, whereas the status for ISO/ IEC 27001 is classified as “DIS registered”, meaning Draft International Standard registered, and therefore still in the development stages. Links to both documents (not currently viewable) can be found here and here respectively.

Once the newest version of ISO/ IEC 27001 has been published, the International Accreditation Forum will advise on how long the transition period will be, giving a timeline for organisations to adapt to the new version of the standard and remain certified. This is typically predicted to be between 12 and 24 months.

What the Changes are

Whilst we cannot be certain exactly what the upcoming changes are going to be, as neither document has been finalised and published, we expect that the vast majority of changes will be within the ISO/ IEC 27002 document, and that ISO/ IEC 27001 will be released with an updated Annex A to match the changes made to ISO/ IEC 27002.

Some details are available surrounding the content and structure of ISO/ IEC 27002, which is said to be changing dramatically. The controls, which in the current version are split into 14 different categories, are to be reshuffled considerably. The new control list will now fall into four different, and more in-depth, control areas or “themes”.

The new themes are expected to be titled as follows:

People (Containing 8 controls);

Organisational (Containing 37 controls);

Technological (Containing 34 controls); and

Physical (Containing 14 controls).

The eagle-eyed amongst you will have realised that the above listed number of controls does not add up to 114, the number of current controls located within ISO/ IEC 27002:2013. This is because the updated version of ISO/ IEC 27002 will not only have some additional new controls but will also merge some existing controls into single, more detailed and comprehensive controls. A reported example is the current 3 controls surrounding logging (A.12.4.1, A.12.4.2, and A.12.4.3), which form one larger and more complex control.

The additional new controls are to be sorted into the four new theme groups, with most seemingly falling under the Organisational and Technological titles. The controls which are to be added to the standard are as follows:

Secure Coding

Web Filtering

Monitoring Activities

Data Leakage Prevention

Data Masking

Information Deletion

Configuration Management

Physical Security Monitoring

ICT Readiness for Business Continuity

Information Security for Use of Cloud Services

Threat Intelligence

Whilst we are not yet aware of the exact new requirements of the additional upcoming controls (keep an eye out for more articles soon!), we can report on a new feature to be implemented within the updated version of ISO/ IEC 27002: control attributes.

Control attributes will be added to each control via the use of hashtags, with the aim of aiding organisations in understanding what the control should do as part of the wider ISMS being implemented / maintained.

The control attributes will provide information surrounding the control’s type (preventative, detective, or corrective), its protection properties (confidentiality, integrity, and availability), linking back to the basic CIA triad, and the related cybersecurity concept (identify, protect, detect, respond, and recover). There will also be control attributes for operational capabilities (asset management, human resource etc.) and security domains (protection, defence, resilience, etc.).

What Should My Organisation Do Next?

As previously mentioned, a confirmed transition period length will soon be decided upon, which is typically 12 to 24 months, so if your organisation is already certified against ISO/ IEC 27001:2013, don’t rush and start making changes. We recommend waiting for both documents to be fully published and then beginning the process with a gap analysis against your current ISMS.

If your organisation is currently in the process of implementing an ISMS, or thinking about beginning the process, Bruce & Butler recommend continuing the process, and not waiting for the new standard. By waiting for a new standard that could potentially be delayed, you’re leaving your organisation open to the risks that made you consider ISO/ IEC 27001 and an ISMS in the first place. Implementing against the ISO/ IEC 27001:2013 version will also make adapting to the new standard versions considerably easier than starting from scratch.

Contact Us

Looking for more information on the upcoming versions of ISO/ IEC 27001 & ISO/ IEC 27002, or help beginning the journey towards certification? Contact Bruce & Butler today through our Contact Us page or alternatively by emailing any questions to [email protected].

Luke Green
Cyber Security Advisor