Last Updated on March 4, 2023
ISO 27001:2022—How Does It Impact Related Standards?
All the standards within the ISO 27000 “family,” including the ISO 27701 “privacy extension” and the ISO 27017 controls for cloud service providers, relate back to the Annex A control set in ISO 27001. How does the new ISO 27001:2022 version, as well as the new ISO 27002:2022 control guidelines, impact these other standards? And what about non-ISO cybersecurity frameworks that reference ISO 27001, such as CSA STARS?
To cover all the implications of ISO 27001:2022 for companies seeking or maintaining certification, a recent episode of The Virtual CISO Podcast features Ryan Mackie and Danny Manimbo, principals at Schellman. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
The other ISO 27000 “family members” basically provide additional guidance for special cases beyond what is in ISO 27001 or ISO 27002. For example, ISO 27018 describes privacy controls best practices for PII processors, many of which are cloud-based.
“Without those standards subsequently being updated, they’re basically pointing back to what will eventually be a standard that has been superseded by ISO 27001:2022,” Danny notes.
For registrars like Schellman that will be auditing some clients against ISO 27001:2013 and others against ISO 27001:2022, this dictates a need for “reverse mapping” to align the audit process to the correct standard. If control X in a client environment maps to control Y in the 2013 version, auditors need to know it maps to control Z in the 2022 version.
“This is not going to impact our clients and we haven’t received any guidance that it would put their certifications at risk in any way,” reassures Danny. “We can continue to deliver for our clients who do ISO 27701, ISO 27017, ISO 27018, and other extension standards. But we need to do a little mapping on the backend, should they pivot to ISO 27001:2022.”
ISO 27017, which specifies additional controls for cloud security, will likely be the first member of the ISO 27000 family to be updated to align with the new ISO 27001:2002. A draft standard for ISO 27017 was recently released and will hopefully be finalized sometime in 2013.
“ISO is going through the revision process right now just to get those associations updated,” adds Ryan. “The challenge with anything ISO is ‘It’s a process.’ They have to pass it along for Q&A, get comments, incorporate feedback… So, it moves a little slow. But everything is in the process of getting updated.”
Impacts on other frameworks
How are other leading frameworks, such as the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) or HITRUST, morphing in response to the new ISO 27001 version? Or how about the AICPA’s mapping of the SOC 2 criteria to ISO 27001?
Until those mappings are updated “officially,” teams need to cross-map against ISO 27001:2013 as described above.
“We’re in this zone of having to manually cross-map between standards,” Ryan reiterates.
John further notes that companies using GRC platforms might face some friction if they’re ready to shift their ISMS to ISO 27001:2022 and the GRC platform hasn’t yet incorporated the 2022 guidance.
To hear this podcast episode with Ryan Mackie and Danny Manimbo from Schellman in its entirety, click here.
Curious about attributes in ISO 27002? Here’s what you need to know: The Value of Attributes in the New ISO 27002:2022