A revised version of ISO 27001 is expected this fall. When requirements change, it's natural for organizations to wonder whether the change will affect their operations and compliance. Organizations about to undertake an ISO 27001 audit may be tempted to wait until the new requirements are published.
In reality, the changes to ISO 27001 won't have an immediate impact on compliance, and there is no reason to postpone audit preparation. However, a new version of ISO 27002 was published earlier this year, and the changes it introduced will be mirrored in the upcoming revision of Annex A of ISO 27001, which will affect future compliance efforts.
In this article, we'll look at what ISO 27001 is, how it differs from ISO 27002, and the likely impact of the revised ISO 27001 and ISO 27002 standards.
What Is ISO 27001?
ISO/IEC 27001 is an international information security standard. It was developed in response to the problem of ad hoc information security implementation: organizations would implement controls to patch security gaps in response to incidents, but they would not implement an overarching system that adequately accounts for potential risks.
ISO 27001 describes security controls that, when implemented, constitute a comprehensive information security management system (ISMS). It also provides a framework that auditors can use to certify that an organization complies with widely accepted requirements for information security.
The standard consists of clauses that set out the requirements for an ISMS. For example, Clause 4.4 requires an organization to establish, implement, maintain, and continually improve an information security management system. Clause 6.1.2 requires organizations to identify, analyze, and evaluate information security risks.
In addition to the clauses, ISO 27001 includes Annex A, which lists specific control objectives and controls. There are dozens of them, but let's look at a few (from ISO 27001:2013 Annex A) to get a clear idea of what's expected.
- A.9.4.3 (Password management system): Password management systems shall be interactive and shall ensure quality passwords.
- A.10.1.1 (Policy on the use of cryptographic controls): A policy on the use of cryptographic controls for the protection of information shall be developed and implemented.
- A.12.1.2 (Change management): Changes to the organization, business processes, information processing facilities, and systems that affect information security shall be controlled.
The most substantial changes in the updated version of ISO 27001 are to the Annex A controls. We'll see which controls have changed in a moment, but first, let's look at the relationship between these controls and ISO 27002.
What Is the Difference Between ISO 27001 and ISO 27002?
ISO 27001 is the standard that organizations can be certified against. But, as we've just seen, the objectives and controls in ISO 27001 Annex A are broad and non-specific. They don't include any implementation details. That's because organizations can choose how to implement the controls, provided their implementation meets the requirements and they document how the implemented controls map to the objectives in Annex A (the Statement of Applicability required by Clause 6.1.3).
ISO 27002 supplies the "missing" implementation guidance. It lists the same controls as ISO 27001 Annex A but provides additional information and guidance for those implementing the applicable controls. The guidance doesn't go into technical details, but it does set out clear and detailed requirements for a compliant implementation. In the previous section, we quoted the password management system control from ISO 27001 (A.9.4.3). ISO 27002 has an equivalent section that describes in more detail what's expected: the password system should enforce the use of individual user IDs, allow users to change their passwords, not display passwords on the screen, store passwords in a protected form, and so on.
It's important to understand that an organization doesn't have to follow the implementation guidance in ISO 27002. It can use different information security standards, provided they can be mapped to the controls in ISO 27001 Annex A. That's one reason there is no such thing as ISO 27002 certification: ISO 27002 is a supplementary standard that helps organizations comply with ISO 27001 and achieve certification.
How Did ISO 27001/ISO 27002 Change in 2022?
ISO 27002 was updated at the beginning of 2022. New controls and control categories were added, and some control categories were consolidated. Because ISO 27002 provides implementation guidance for the controls in ISO 27001 Annex A, the updates necessitate changes to Annex A to align it with the controls in the implementation guidance.
What Are the New Controls for ISO 27001?
There are 11 new controls in ISO 27002:2022, so we can expect the same new controls in Annex A of ISO 27001. They are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Monitoring activities
- Web filtering
- Secure coding
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
Although controls have been added, the total number has decreased from 114 to 93. That's because several controls have been merged. The categories have also been consolidated: in ISO 27001:2013, the controls were divided into 14 domains; in ISO 27001:2022, there will be four themes.
- People controls: remote working, confidentiality and non-disclosure agreements, screening, and so on.
- Organizational controls: information security policies, use of cloud services, acceptable use of assets, and so on.
- Physical controls: physical security monitoring, storage media, equipment maintenance, securing offices and facilities, and so on.
- Technological controls: authentication, cryptography, data leakage prevention, and so on.
To see a full list of the changes expected in ISO 27001:2022, consult the controls and guidance in ISO 27002:2022.
How To Prepare for ISO 27001:2022
Your organization doesn't need to make immediate changes, although you should familiarize yourself with the new and revised controls. If your information security management system is based on the implementation guidance in ISO 27002, you should put plans in place to update controls where required. If you use a different set of standards, you will be expected to provide documentation mapping your chosen controls to the controls in ISO 27001:2022 Annex A.
Should My Organization Delay ISO 27001 Certification?
There's little reason to delay ISO 27001 certification until the updated version is released. If your organization or its customers require an ISO 27001 audit or certification, waiting is unlikely to benefit your business. There is likely to be a three-year transition period before documentation updates and control implementation are required for compliance.
Work With KirkpatrickPrice to Achieve Your ISO Certification
KirkpatrickPrice offers ISO 27001 audits and consulting services that help our clients achieve ISO 27001 compliance. We'll help you identify, qualify, and catalog the information security risks in your environment and provide the support you need to implement a compliant information security management system. Contact an information security specialist to learn more about our ISO 27001 compliance services.