CONTACT US
CONTACT US

ISO 27001 & The Upcoming Updates

ISO 27001 & The Upcoming Updates

ISO/ IEC 27001:2013 has been at the forefront of cyber security standards since its last major overhaul almost a decade ago. With the everchanging landscape of the cybersecurity world, the International Organisation for Standardisation (ISO) in partnership with the International Electrotechnical Commission (IEC) are gearing up to publish the latest version of the internationally recognised standard early this year, ensuring that today’s most prevalent of threats can be mitigated against by every compliant organisation.

The Benefits and Importance of ISO 27001

ISO/ IEC 27001 has benefited countless organisations worldwide since it’s adaption from ISO 17799 in 2005. By enabling organisations to implement an Information Security Management System, often referred to as an ISMS, organisations can be confident that their own information and their client’s information is protected in terms of its confidentiality, integrity, and availability.

Our previous article on the often overlooked benefits of ISO/ IEC 27001 can be found here. Whilst this article does specifically refer to the 2013 version soon to be replaced, the overall goals of the standard and the benefits it can bring to an organisation will remain the same, if not become more recognisable as more recent cyber security threats and technologies are considered throughout.

When the Changes are Coming

If you’re not already familiar with the ISO/ IEC 27001 layout, the standard is designed to work in conjunction with the ISO/ IEC 27002 documentation. Whilst the standard allows you select controls to implement from any published standard, they need to be compared with the controls listed within ISO/ IEC 27002. In order to gain certification, the requirements of ISO/ IEC 27001 and all relevant controls listed in Annex A (ISO/ IEC 27002’s controls) need to be implemented, unless justified that they are not required.

It’s highly likely that the new version of the standard will be released in two stages, with the ISO 27002 documentation being released in February 2022, and the ISO 27001 documentation being released a month later in March 2022.

The International Organisation for Standardisation classify the status of ISO/ IEC 27002 as “under publication” with the release date of February 2022, whereas the status for ISO/ IEC 27001 is classified as “DIS registered”, meaning Draft International Standard registered, and therefore still in the development stages. Links to both documents (not currently viewable) can be found here and here respectively.

Once the newest version of ISO/ IEC 27001 has been published, the International Accreditation Forum will advise on how long the transition period will be, giving a timeline for organisations to adapt to the new version of the standard and remain certified. This is typically predicted to be between 12 to 24 months.

What the Changes are

Whilst we cannot be certain on what the upcoming changes are exactly going to be, due to the neither document being finalised and published, we expect that the vast majority of changes will be within the ISO/ IEC 27002 document, and ISO/ IEC 27001 will be released with an updated Annex A to match the changes made to ISO/ IEC 27002.

Some details are available surrounding the content and structure of ISO/ IEC 27002, which is dubbed to change dramatically. The controls, which in the current version are split into 14 different categories, are to be reshuffled considerably. The new control list will now fall into four different, and more in-depth, control areas or “themes”.

The new themes are expected to be titled as follows:

People (Containing 8 controls);

Organisational (Containing 37 controls);

Technological (Containing 34 controls); and

Physical (Containing 14 controls).

The eagle eyed amongst you will have realised that the above listed number of controls does not add up to 114, the number of current controls located within ISO/ IEC 27002:2013. This is because the updated version of ISO/ IEC 27002 will not only have some additional new controls but has merged some controls into one more detailed and comprehensive control. A reported example being the current 3 controls surrounding logging (A.12.4.1, A.12.4.2, and A.12.4.3) forming one larger and more complex control.

The additional new controls are to be sorted into the four new theme groups, with most seemingly falling under the Organisational and Technological titles. The controls which are to be added to the standard are as follows:

Secure Coding

Web Filtering

Monitoring Activities

Data Leakage Prevention

Data Masking

Information Deletion

Configuration Management

Physical Security Monitoring

ICT Readiness for Business Continuity

Information Security for Use of Cloud Services

Threat Intelligence

Whilst we are not yet aware of the exact new requirements of the additional upcoming controls (keep an eye out for more articles soon!), we can report the on a new feature to be implemented within the updated version of ISO/ IEC 27002, control attributes.

Control attributes will be added to each control via the use of hashtags, with the aim of aiding organisations in understanding what the control should do as part of the wider ISMS being implemented / maintained.

The control attributes will provide information surrounding the control’s type (preventative, detective, or corrective), it’s protection properties (confidentiality, integrity, and availability) linking back to the basic CIA triad, and related cybersecurity concept (Identify, protect, detect, respond, and recover). There will also be control attributes for operational capabilities (asset management, human resource etc.) and security domains (protection, defence, resilience, etc.).

What Should My Organisation Do Next?

As previously mentioned, there will soon be a confirmed transition period length decided up, which is typically 12 to 24 months, so if your organisation is already certified against ISO/ IEC 27001:2013, don’t rush and start making changes. We recommend waiting for both documents to be fully published and then beginning the process with a gap analysis against your current ISMS.

If your organisation is currently in the process of implementing an ISMS, or thinking about beginning the process, Bruce & Butler recommend continuing the process, and not waiting for the new standard. By waiting for a new standard that could potentially be delayed, you’re leaving your organisation open to the risks that made you consider ISO/ IEC 27001 and an ISMS in the first place. Implementing against the ISO/ IEC 27001:2013 version will also make adapting to the new standard versions considerably easier than starting from scratch.

Contact Us

Looking for more information on the upcoming versions of ISO/ IEC 27001 & ISO/ IEC 27002, or help beginning the journey towards certification? Contact Bruce & Butler today through our Contact Us page or alternatively by emailing any questions to [email protected].

Luke Green
Cyber Security Advisor

Our Core Values

At Bruce & Butler, we have a few messages that we try to convey to all our partners. These are our core values that run through the way we work and right through each engagement.

Be Real

This is about authenticity. Like people, every business is different and understanding what your organisation represents helps us to support you and the values you hold dear in the best way possible. We actively encourage our team to be themselves, have a personality and express themselves in a respectful way.

Be Brave

Being brave is about taking ownership and having a voice. We are not the sort of cyber security firm who will just say “yes” for speed or simplicity. We will have a voice, we will present challenge where appropriate and we will dig into core issues when required. This is not about being reckless, but about understanding the wider risk landscape and taking appropriate actions in an efficient and effective manner.

Be Open

Put simply, there will be no surprises. Transparency and communication are both key to ensuring that any challenges we face are tackled appropriately and are overcome as efficiently as possible. You will always be updated and informed – but not badgered.

We, not me

There is no “I” in team. We share in each other’s success and learn from each other’s opportunities to improve, but at the end of the day, everyone is always supported. That is something we believe creates a better service and ensures optimal results. Being accountable and securing your data is very important and requires a collaborative approach to get the best results.

Contact Us

Unit 13
92 Burton Road
Sheffield, S3 8BX

Cyber Security
Data Protection
Penetration Testing
Facebook Instagram Linkedin Twitter Youtube