What You Need to Know About the ISO 27001 Revisions: A Webinar Recap
In October of 2022, the latest revisions to the ISO 27001 framework were published. Although there is still time to transition to the revised framework, this process can feel overwhelming, and the changes can seem confusing. That’s why we partnered with SDG for a webinar covering what you need to know about the updated ISO 27001 revision.
During the webinar, one of our expert auditors, Chris Paradise, and SDG’s Managing Director of Cybersecurity, Jaike Hornreich, discussed some of the key ISO 27001 revisions and how your organization can prepare for them.
Note: This is a high-level overview of our webinar What You Need to Know About the ISO 27001 Revisions. For more insight into the revisions and what they might look like for your organization, make sure to listen to the full recording here.
What is ISO 27001?
ISO 27001 is the only internationally accepted standard for governing an organization’s information security management system (ISMS). The ISO 27001 standard tells organizations how to create and run an effective information security program through policies and procedures, as well as associated legal, physical, and technical controls that support an organization’s information risk management processes.
What’s changing and why?
There have been significant changes in technology, frameworks, vulnerabilities, and attack vectors since the ISO framework was last updated in 2013. ISO has revised its framework to address some of these changes.
One of the main goals of this revision was to streamline the framework. ISO 27001:2013 had some complexities that were difficult for users. The framework has gone from 114 to 93 controls and now groups areas of focus so companies can identify the most relevant controls more easily.
Using simpler language and a clearer structure, ISO 27001:2022 allows users to focus on implementing controls instead of wasting time trying to figure out what the controls are asking for.
Clause Changes
Clause 4.2(c)
Which requirement will the information security management system address?
Clause 4.2 is about understanding the needs and expectations of interested parties. An important aspect of this clause is identifying interested parties (customers, employees, anyone involved in your ISMS, regulatory bodies, investors, auditors and stakeholders that utilize or support your services).
This new clause makes sure you define the requirements of your stakeholders so you can prioritize the requirements that need to be addressed through the ISMS. It’s important to document which requirements take priority, even when the answer seems obvious. By identifying those requirements, you improve your stakeholder engagement: stakeholders know they are being listened to, and they know that the controls and processes you’re putting in place are there to build trust.
Clause 4.4
Added a requirement to establish, implement, maintain, and continually improve processes and their interactions.
Processes have always been critical to ISO but have not been well documented. You want to make sure you understand the relationships between your different processes, that the processes are implemented in a secure manner, and that they align with your policies and standards. Depending on how those processes are designed, a single process may introduce additional risk or violate policy, and that risk or violation can then cascade into every process that depends on it.
This alignment of processes, policies, and standards is important because, without it, it’s easy to forget about risk, but the risk will come back at some point if it is not properly addressed.
Clause 6.3
When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
Change management is important for all security frameworks. For ISO, the focus is to make sure that when you make a change, whether it be an organizational change or a security change, you communicate those changes to interested parties. The changes should be planned, communicated, and evaluated for risk. You need to fully consider the risks associated with any change to your entire environment before implementation, including minimizing the impact when you introduce any new risk.
Annex A Changes
The Annex A controls have been reduced from 114 to 93 in an effort to streamline requirements into cloud-specific groupings that make more sense within the context of ISO.
In general, the majority of the controls in ISO 27001:2022 are the same as they were in the 2013 version, but they are presented in a more understandable way. Some controls that were very similar have been merged. The goal of ISO’s changes was to help organizations understand risk holistically and to give greater flexibility. Some controls may not be appropriate for every organization, but with fewer controls you can treat them as one control set that supports multiple approaches.
That’s what ISO is about: understanding your business and understanding your risk, and then implementing the controls that are relevant to your business. It’s not asking you to fit these particular controls into your workflows and processes if they’re not aligned with your goals and specific risk.
ISO 27001:2022 includes 11 new requirements to better address emerging security challenges.
- 5.7: Threat intelligence
- 5.23: Information security for the use of cloud services
- 5.30: ICT readiness for business continuity
- 7.4: Physical security monitoring
- 8.9: Secure configuration management
- 8.10: Information deletion
- 8.11: Data masking
- 8.12: Data leakage prevention
- 8.16: Monitoring activities
- 8.23: Web filtering
- 8.28: Secure coding
For more information on each of these requirements, make sure to listen to the full webinar recording.
5.7: Threat Intelligence
Organizations need to gather information about security threats proactively and mitigate that risk. You should be collecting information from various sources, such as government agencies and other threat-related websites. Then, you should assess the impact of those threats on your particular business. The level of threat intelligence an organization needs varies greatly depending on its industry and scope of operations; different organizations have very different threats to be concerned about.
Another important aspect of threat intelligence is sharing this information with your stakeholders. You need to have processes and policies in place regarding how you share findings and ensure appropriate and widespread awareness.
5.23: Information Security for Use of Cloud Services
Since the last revision of ISO in 2013, cloud adoption has increased considerably. ISO wanted to ensure that organizations had a plan in place for adopting cloud services and weren’t going through this process in an undefined way. It’s essential that organizations have policies and procedures in place for how to securely engage not only large cloud providers like AWS and Azure, but also smaller SaaS companies.
8.28: Secure Coding
While development has always been a part of ISO, it hasn’t been well defined in the past, so secure coding practices are one of the key additions to ISO 27001:2022. The expectation is that you develop secure code. For ISO, that means organizations should build security into the entire application development process, with specific attention to secure coding.
Auditor Tip: By reading ISO 27002, you’ll glean great information about how to implement some of these ISO 27001 controls. ISO 27002 provides strategies for meeting these requirements. If you have any questions about specific controls, it’s a great resource to reference for more detail on what the framework really expects of you to meet those requirements.
What’s the transition timeline?
Certifications based on ISO 27001:2013 will no longer be issued after May 31, 2024, and certificates based on ISO 27001:2013 will expire on October 31, 2025. Organizations can transition their existing ISO 27001:2013 certification to ISO 27001:2022 during their next surveillance audit, but no later than October 31, 2025.
So, if you’re currently pursuing ISO 27001 certification, you could still certify against the 2013 standard, but that’s not our recommendation. We recommend moving to the newest standard so you don’t run into any issues down the road. By moving to the new standard now, you’ll have everything you need in place by the time the transition deadline rolls around.
Helpful Tip: Transitioning to the new standard can feel overwhelming. It’s been a decade since the last update, so make sure you’re partnering with someone who is able to answer your questions and help you ease into this important transition.
The expectation with ISO isn’t that you’re perfect. The expectation is that you’ve documented where you’re not perfect and that you have a plan in place to remediate those imperfections.
Recommendations for the Biggest Changes
We know that all of these changes can feel overwhelming. Here are our recommendations for the biggest changes that accompany this update:
Threat intelligence
While you may not have to make considerable investments in threat monitoring technologies, you do need to have processes and personnel in place to effectively identify, manage, and stay up to date on threats. You need to keep your threat intelligence current every day, stay on top of new threats, and make sure you’re documenting those threats as they apply to your services and to your business.
Secure Application Development
Make sure you have a secure development policy that’s clear and concise. It needs to define user responsibilities and establish guidelines for secure coding practices, testing, deployment, and incident management.
Training is an important part of secure coding, so make sure your developers are up to date and trained on the latest best practices for secure development. It’s also important to integrate security throughout your entire development process. You can do this by conducting security reviews, deployment analysis, and code reviews, and by using automated testing and scanning tools where appropriate.
Information Security for Cloud Services
Define your security requirements when you engage a cloud service. You need to understand what they are offering and what you need. When choosing a cloud service provider, check that they meet your organization’s security requirements. Make sure you’re doing your general due diligence just as you would with any other security vendor.
Partner with KirkpatrickPrice to Transition to ISO 27001:2022 Successfully
We understand that pursuing an ISO 27001 certification can feel intimidating on its own, and the added pressure of transitioning to a new framework can feel completely overwhelming. That’s what we’re here for! KirkpatrickPrice would love to partner with you as you make the transition from ISO 27001:2013 to ISO 27001:2022. We are here to answer your questions and help you get ready. If you would like to talk to one of our experts or are ready to start your ISO 27001 audit, connect with us today.