
ISO27001:2022 - What's Ahead

It has been confirmed that the Final Draft International Standard (FDIS) of ISO27001 has been submitted to all ISO member bodies for voting. With voting set to end in September 2022, ISO27001:2022 will most likely be published in October or November 2022. Both the main body of the Standard and its Annex A controls will be updated.

Read on as we delve into the details of the proposed changes and what you should be considering right now.

What is changing between 2013 and 2022?

  • ISO27002:2013 listed 114 controls
  • ISO27002:2022 will list 93 controls, grouped into four themes (8 + 37 + 34 + 14 = 93):
    • People – 8 controls
    • Organisational – 37 controls
    • Technological – 34 controls
    • Physical – 14 controls
  • The 11 new controls are:
    • Threat Intelligence
    • Information Security for use of Cloud Services
    • ICT readiness for Business Continuity
    • Physical security monitoring
    • Configuration Management
    • Information deletion
    • Data masking
    • Data Leakage Prevention (DLP)
    • Monitoring activities
    • Web filtering
    • Secure Coding – the guidance for which also references static application security testing (SAST) tooling
  • Each control is tagged with five attributes, so controls can be filtered by more than just the CIA triad:
    • Control Type – Preventive, Detective or Corrective
    • Information Security Properties – Confidentiality, Integrity and Availability
    • Cyber Security Concepts – Identify, Protect, Detect, Respond and Recover (mirroring the NIST Cybersecurity Framework functions)
    • Operational Capabilities – such as Governance, Asset Management and Risk Management
    • Security Domains – Governance and Ecosystem, Protection, Defence and Resilience

What if you are not yet certified to ISO27001?

Until the new Standard is published and UKAS-accredited certification bodies are auditing against it, our advice is to continue aligning to the Clauses and Controls of the 2013 version. However, consider the new control areas listed above when producing new Policies, Standards and Processes, so that they do not need to be rewritten at transition.

We know of organisations that pre-empted the new controls and received Non-Conformances from their external auditor for not meeting the previous (2013) Standard.

The new Standard is expected in October or November 2022; however, there are factors that could still delay publication.

If you are under business or commercial time constraints to achieve ISO27001, feel free to reach out to our team for quick, tailored advice (info@tmc3.co.uk).

What if you are already certified to ISO27001:2013?

If you are already certified to the 2013 Standard and are mid-way through your three-year cycle, don't panic.

Depending on the certification body you use, the approach may differ; however, time is on your side.

In a recent release, we were informed that organisations will be given two years to transition to the new Standard. However, a leading UKAS-accredited certification body we work with told us that their guidance is to let the current cycle run to completion, which could give up to three years if you were recently certified.

Considerations

  • Engage with your certification body once the new Standard is released, to understand when you will need to transition to the 2022 version.
  • Train the people who manage your Information Security Management System (ISMS) on the new Standard in good time. We are not affiliated with any training provider but can recommend suppliers in this space.
  • Review the Clauses and Controls of the new Standard as soon as you can, to identify gaps in your compliance that may need additional action, resource or funding. Plan for these in good time.
  • Keep aligning with the 2013 controls until you know you need to transition to the new Standard.
  • Don't leave your transition, audits or resourcing efforts to the last minute: every organisation holding ISO27001 certification will be reaching out for guidance, expertise, training and auditors over the next two years, so capacity will be tight.
  • Key Suppliers – monitor your key suppliers, such as AWS and Microsoft, to confirm that they are transitioning to the new Standard. You will need this evidence for your Third Party Supplier compliance against both the 2013 and 2022 Standards.
  • If you develop software, expect to integrate automated security scanning, such as SAST, into your Secure Software Development Lifecycle, since the new Secure Coding control references this kind of tooling. We are partnered with industry-leading vendors, which allows us to deploy this technology efficiently and cost-effectively.
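To make the last point concrete, here is an added example (not code from the original article or from tmc3) of what an automated secure-coding gate in a build pipeline actually does: parse source, flag known-dangerous patterns, and return a non-zero exit code so the build fails. The rule set, the function names (scan_source, gate) and the sample module are all assumptions made for illustration; a real pipeline would run a mature SAST tool rather than this hand-rolled checker, but the mechanism is the same.

```python
"""Minimal AST-based static analysis gate (illustrative SAST check).

Added example, not part of the original article. It shows the kind of
automated check the new Secure Coding control expects in a pipeline:
parse the code, flag dangerous patterns, fail the build on findings.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# Callee names that almost always deserve a human look (assumed rule set).
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code",
    "exec": "exec() executes arbitrary code",
    "os.system": "os.system() hands a string to the shell",
    "pickle.loads": "pickle.loads() deserialises untrusted data",
}

# Variable-name fragments that suggest a hardcoded credential.
SECRET_NAMES = ("password", "secret", "api_key", "token")


def _call_name(node: ast.Call) -> str:
    """Return a dotted callee name such as 'os.system', or '' if unknown."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> list[Finding]:
    """Walk the AST once and collect findings, sorted by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno,
                                        DANGEROUS_CALLS[name]))
            # Any subprocess.* call with shell=True is flagged separately.
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append(Finding("shell-true", node.lineno,
                                                "subprocess call with shell=True"))
        elif isinstance(node, ast.Assign):
            # NAME = "non-empty literal" where NAME looks like a credential.
            target = node.targets[0] if len(node.targets) == 1 else None
            if (isinstance(target, ast.Name)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)
                    and node.value.value
                    and any(s in target.id.lower() for s in SECRET_NAMES)):
                findings.append(Finding("hardcoded-secret", node.lineno,
                                        f"string literal assigned to {target.id}"))
    return sorted(findings, key=lambda f: f.line)


def gate(source: str,
         fail_on: tuple[str, ...] = ("dangerous-call", "shell-true",
                                     "hardcoded-secret")) -> int:
    """Return the exit code a CI step would use: 0 = pass, 1 = blocking findings."""
    blocking = [f for f in scan_source(source) if f.rule in fail_on]
    for f in blocking:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    return 1 if blocking else 0


# Constructed sample input (not from the article): a deliberately bad module.
SAMPLE = '''\
import os, subprocess
API_KEY = "sk-live-0123"
def run(cmd):
    os.system(cmd)
    subprocess.run(cmd, shell=True)
    return eval(cmd)
'''

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE))
```

Wired into CI, the non-zero exit from gate() is what blocks the merge; the findings list is the evidence an auditor would ask to see for the Secure Coding control.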

Where can I get further guidance or support?

At tmc3, we have supported customers across all sectors and industries with implementing, updating and managing an ISMS certified to ISO27001.

Get in touch with our expert team, who can give you pragmatic and practical input, guidance and support.

An influencer with experience operating at Chief Information Security Officer level across enterprise information technology and software organisations. Adam has a proven history of building and running diverse, high-performance teams, with a track record of exceeding objectives and targets.
