October 19, 2021

Last Updated on January 15, 2024

If your organization is ISO 27001 certified, you are likely aware that the International Organization for Standardization (ISO) is changing the structure of the ISO 27001/27002 control framework.  This is notable because the current structure has persisted for the last 20 years, through multiple naming changes (British Standard (BS) 7799 Part 1 & 2 became ISO 17799 in 2000, which evolved to ISO 27001/27002:2005, which evolved to ISO 27001/27002:2013).

The changes are significant. While neither document has been finalized, here is what is expected:

  • ISO 27002 is likely to be released in January 2022, and its structure will be notably different than the current version (details below).
  • ISO 27001 is likely to be released in March 2022, with the only change being the updating of Annex A to align with the new version of ISO 27002.
  • Shortly after the release of ISO 27001, the International Accreditation Forum and accreditation bodies will advise on how long a transition period will be granted.  The prevailing thought is that it will be 12 or 24 months.  If we assume 12 months, that means that any ISO 27001 certification or surveillance audit taking place after March 2023 will need to use ISO 27001:2021 (or will it be called ISO 27001:2022?).

Changes to ISO 27002

Both the controls and their classifications will change for ISO 27002. We will go from 114 controls categorized by Information Security Domains to 93 controls categorized by themes: Organizational Controls (37), People Controls (8), Physical Controls (14), and Technological Controls (34).  Personally, it reminds me of the way HIPAA themes its controls into Physical, Technical, and Administrative safeguards.

Among the 94 controls, there will be 12 new controls that reflect the changing technical and threat landscapes: Threat intelligence, Identity management, Information security for the use of cloud services, ICT readiness for business continuity, Physical security monitoring, User endpoint devices, Configuration management, Information deletion, Data masking, Data leakage prevention, Web filtering, and Secure coding,

Another addition is that each control will be assigned hashtags that align with 5 control attributes:

  • Control Type (e.g., Detective, Preventative, Corrective).
  • Cybersecurity Concept (e.g., Identify, Protect, Detect, Respond, Recover). These tags align with the NIST Cybersecurity Framework.
  • Information Security Properties (e.g., Confidentiality, Integrity, Availability). I was surprised not to see non-repudiation.
  • Operational Capabilities (e.g., Governance, Asset Management, Identity & Access Management, etc.)
  • Security Domains (e.g., Protection, Defense, Resilience). This attribute is a bit fuzzy for me at this moment. Hopefully, I will gain clarity when the new release is available.

Besides these additions, we will bid a fond farewell to some existing controls as they are consolidated into other controls: Review of the policies for information security, Mobile device policy, Ownership of assets, Handling of assets, Password management system, Delivery and loading areas, Removal of assets, Unattended user equipment, Protection of log information, Restrictions on software installation, Electronic messaging, Securing application services on public networks, Protecting application services transactions, System acceptance testing, Reporting information security weakness, and Technical compliance review.

What’s in it for Me?

Let’s start with the bad news. You will have a fair amount of work to do between your next certification (or surveillance audit) and the one following, as a change of this nature and magnitude will propagate logically through your ISO 27001 ISMS. These are the most significant changes you should expect:

  • You will need to Gap Assess your current controls against the new ISO 27002 standard. A cost-effective way to do this would be to include the effort in your next ISO 27001 ISMS internal audit.
  • Revisit your Context—which you really should be doing at least once per year anyway.
  • Update your risk assessment as the controls you will be used to mitigate risks have been updated.
  • The risk assessment updates plus the changes in the new Annex A will require you to redo your Statement of Applicability (SOA).
  • Many of your Policies/Standards/Procedures will need to be updated to reflect the new ISO 27002 changes.
  • You may need to implement new Policies/Standards/Procedures to address the ISO 27002 changes.
  • You may need to make changes to key tools in your environment (e.g., a GRC platform, SIEM reporting, etc.) to ensure that artifacts used to demonstrate compliance are aligned with the new requirements.
  • Your Security Metrics should be updated to reflect your risk assessment and Annex A changes.
  • Your ISMS Internal Audit Program will need to be updated to reflect the changes to your ISMS.

While the effort required to align with ISO 27001:2021 may be significant, I think there are some benefits to the new version as well:

  • The new controls align well with new risks. Well implemented, the controls will better protect your business from harm.
  • Alignment with the NIST cybersecurity Framework and its “5 functions” (Identify, Protect, Detect, Respond, and Recover) should benefit many. With an increasing number of companies subject to FedRAMP, CMMC, NIST 800-171, and the Presidential Executive Order, this will simplify maintaining an environment aligned with both ISO 27001 and NIST guidance.
  • The hashtags within ISO 27002 provide an additional taxonomy that can make security documentation much easier to work with.

 

I’ll post an update when the new ISO 27002 is available to share more guidance.

What’s Next?

If your organization is ISO 27001 certified, you might also want  to check out this “consultation-in-a-podcast:”  EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security