In October 2022, the new version of ISO 27001 was published. The Standard has undergone a far more substantial overhaul than the previous update from the 2005 to the 2013 version. While the management system clauses have received a relatively minor makeover in order to make some of the requirements more explicit and align ISO 27001 with other Annex SL standards, Annex A has been completely restructured with some controls being merged with others as well as introducing 11 new ones.
The aim of this blog is not to detail every single change, but to focus on those areas, both within the management system clauses and Annex A controls, which our team of ISO 27001 consultants believes are likely to be the most challenging to those organisations looking to transition from ISO 27001:2013 to ISO 27001:2022.
We will be drawing upon almost two decades of experience in assisting organisations to achieve and maintain ISO 27001 certification and will be sharing our thoughts and advice on meeting the more challenging requirements of transitioning to ISO 27001:2022.
Meeting Requirements of Management System Clause
Although the main management system clauses have remained largely consistent with ISO 27001:2013, there are some interesting additions and revisions that must be carefully considered to ensure a smooth transition to the new Standard.
A new item has been added to Clause 4.2, asking you to determine which of your interested parties’ requirements will be met through your ISMS. A description of where within your ISMS the requirements of your interested parties are being dealt with allow you to conform this requirement. Within this description, it would probably be worthwhile linking to or referencing not only the policies, processes and procedures that enable conformance, but also the records or systems that would provide evidence that your organisation is meeting the requirement.
A more significant revision can be found, however, in Clause 4.4. Previously, it was possible to achieve certification without directly addressing Clause 4.4, i.e., if the rest of the Standard’s requirements were being met, Clause 4.4 would automatically be met. As such, this clause would rarely be assessed independently in an ISO 27001 internal audit or an external assessment. However, the addition of ‘the processes needed and their interactions’ in the new version of the Standard has added a new dimension.
Now, the audited organisation must demonstrate an understanding of how its management system works, and of the interrelated processes that need to exist for it to perform as expected. You must be able to identify those processes and explain how they relate to each other. This will require you to evidence your understanding by providing more documentation around how your ISMS works, and answer questions around the processes, what they do, and how they interact, e.g., how the output from incident management processes should be used as input into risk assessments and audits.
Another of the more significant changes relates to the addition of Clause 6.3, which requires any changes to the ISMS to be carried out in a planned manner. It is entirely possible to use existing operational change management processes to adhere to this clause, as well as vehicles such as management review meetings.
The transition from the 2013 to the 2022 version of the Standard is a perfect opportunity to demonstrate conformance with this new clause. You’ll need to raise the changes that are going to take place in a change management context, ensuring individuals are aware of what changes are coming. Then you’ll need to review the impact of the changes and have them authorised by the appropriate people. Following such a process will allow you to meet the requirements of Clause 6.3 within the transition process.
There have been two additions to Clause 8.1 to ensure that organisations define the criteria for performing the processes associated with Clause 6, and that the processes are implemented according to the criteria. This seems to be primarily aimed at ensuring repeatability and consistency in the processes when they are implemented.
Here, the first thing you will have to identify are the different processes associated with Clause 6. The criteria you subsequently set should establish what steps need to be taken for you to be able to confirm each process is complete. It may help to think of this as a checklist that gets ticked off as you work through the process.
Once these criteria have been established, you need to ensure you implement the processes based on those criteria. This will ensure that wherever within the organisation the processes are implemented, they are done so in a consistent manner, meaning that the results of the processes are always reliable and repeatable. This allows for meaningful comparisons to be made across the business when it comes to risk management, the setting of objectives and ISMS change management.
Meeting Requirements of Annex A Controls
Across the entire Standard, it is Appendix A that has seen the most substantial revision. The 114 controls of the 2013 version of the Standard have been slimmed down to 93. Where the controls used to cover 14 domains, there are now only 4. However, it would be incorrect to look at this change as a simplification. 24 controls have been merged to reduce the overall number, and there are 11 new controls, while none have been removed. As well as this, 58 of the controls from the 2013 version have been updated and some titles have changed, but these are effectively the same controls. It is worth checking the ISO 27002:2022 Standard (sister Standard to ISO 27001) which provides guidance on implementing an ISO 27001 ISMS. For some controls, you may find some additional guidance being provided in the latest version of ISO 27002 which will help you to further mature certain controls. A potential consequence of this is that you may find external certification body assessors raising opportunities for improvement (OFIs) in terms of additional guidance being provided in the latest version of ISO 27002.
Not every control, old or new, will be applicable to every organisation. But it is a mandatory requirement of the Standard that all 93 are considered, and no necessary controls are overlooked. Let us look at some of the new controls which in our opinion will require greater consideration.
5.7 Threat Intelligence
The introduction of control 5.7, threat intelligence, in our estimation requires careful consideration. For certified organisations which are required to conduct a risk assessment under Clause 6.1, information security threats will implicitly need to be considered. As such, the selection of 5.7 in your Statement of Applicability is, therefore, virtually unavoidable.
In order to fully conform to this new control, it will probably no longer be adequate to stick to the iterative risk assessment review approach, you will now need to adopt a more responsive and dynamic approach in order to achieve conformance. Risks will need to be updated in response to any threat intelligence received, and complacency in this area is likely to be something assessors will be looking for.
However, this does not necessarily mean your organisation will need to spend exorbitant sums of money on a threat intelligence service. There are plenty of free websites and forums you can access that will provide you with solid threat intelligence. Many vendors are also extremely on the ball in terms of notifying their users about any security threat information they become aware of. The important thing is not to spend excessive amounts on threat intelligence, but to be proactive about identifying and responding to any threats as they appear.
5.23 Information security for use of cloud services
Control 5.23 is applicable to almost every organisation. Ultimately, the use of a cloud service is the same as any other third-party supplier. The key, therefore, to establishing best practice processes when working with them is ensuring you have a robust contract in place.
Here, the major challenges arise when agreeing who is responsible for which controls, and dealing with major organisations that may not be able to offer you a bespoke contract. As with all the controls in the Standard, the guidance laid out in ISO 27002 is critical in navigating through any issues.
7.4 Physical security monitoring
Within the physical controls section, 7.4 is a standout control and is very distinct from the controls detailed in the 2013 version of the Standard. Many organisations may believe they are already implementing this control through physical security measures, such as CCTV and door access control mechanisms. However, simply having these tools is not enough. You also need to utilise the information they gather to actively monitor your premises. For example, you need to review door system logs and keep track of CCTV footage in order to identify security risks. Ensuring you have all the appropriate resources to maintain this proactive monitoring approach will be a challenge for some organisations.
8.10 Information deletion
While information deletion may be simple when destroying hard copies, it is much less straightforward to demonstrate digital information has been completely deleted. It’s therefore important to have appropriate processes in place to ensure information you are attempting to delete has actually been removed. Organisations will need to carefully consider all of the places where information might reside, e.g., shared drives, databases, portable storage, backups, cloud services etc. The techniques required to delete the information from all of these places will be varied and some may not be straightforward.
8.11 Data masking
Data masking hinges on the concept that information should only be shared with individuals on a need-to-know basis. Information access controls and data redaction can both be considered forms of data masking. Data redaction, as an example, includes the obfuscation of personal or identifying information from a document when responding to data subject access requests (DSARs) under the General Data Protection Regulation (GDPR).
It might be worth noting that if your organisation regularly receives a significant volume of DSARs, it will most likely be necessary for you to select this control and implement a formal process for redaction. Data redaction is a simple process to follow when dealing with explicitly personal information, but it can be tricky to discern which information indirectly identifies another individual. Many organisations choose to hire a redaction service for this process to avoid unintentional noncompliance.
8.12 Data leakage prevention
When implementing data leakage prevention, it may be difficult to identify every channel associated with leakage. WhatsApp, email, and the numerous instant messaging systems, used at both an organisational and individual level, are all potential routes for information to leave your organisation. On top of this, organisations need to determine what information they don’t want to leak in order to define processes for identifying it within each channel when it does.
8.23 Web filtering
The introduction of web filtering aims at reducing the likelihood of negative impacts to the organisation that could occur if users visit certain types of website, such as gambling, pornography and warez sites, as it is generally sites of this nature that are more commonly associated with malware infections. It is also a good idea to prevent access to web-based email systems in order to prevent information leaking via this channel. Many organisations already have this implemented or have the capability to do so. But, for those that do not, the cost of the associated tools may present a challenge.
8.16 Monitoring activities
Working in conjunction with web filtering monitoring activities, control 8.16 is all about establishing what ‘normal use’ of your systems looks like for different individuals in your organisation. Doing so will make anomalous behaviour, such as an individual accessing files or downloading information they usually wouldn’t, much easier to spot. By identifying normal behaviour, you will be able to identify spikes and irregularities, and put processes in place to deal with them. However, the costs associated with the technology required in order to conduct this sort of monitoring may be prohibitive for some organisations.
Threat Intelligence and Risk Assessments
It is likely that most organisations will need to repeat their risk assessments in order to not only accommodate the new controls in Annex A of the Standard, but also to take into consideration the new guidance provided in ISO 27002 for controls they already have in place. This is because the maturity of some of these controls may not be as high as previously thought which in turn may have an effect on the priorities of different risks.
Often, risk assessments have been treated as an annual event and this iterative approach still needs to take place as all risks will need to be periodically reviewed to ensure that nothing has changed. Therefore, the process of conducting a risk assessment will remain the same, but you must also have processes available to respond to any new threat intelligence you receive. Whenever you identify new threats or changes to existing threats, it is vital to react immediately, rather than waiting until the next review.
This dynamic approach will probably mean you need to take more information into consideration than was previously available. If all your risk assessment information is stored in a spreadsheet, it can be difficult to adjust this in response to new threat intelligence you’ve gained. You may need to consider instead using tools to ensure you can update your risk assessment on a day-to-day basis. Automated reporting and alerting are also effective means of keeping abreast with threat intelligence.
The introduction of attributes in ISO 27002:2022 (description) may also influence your approach to risk assessments in your transition to the new standard. Attributes can be defined as a characteristic of a control. Within ISO 27002:2022, 5 suggested attributes of controls are detailed:
- Control types (e.g., preventive, detective, corrective)
- Information security properties (e.g., CIA)
- Cybersecurity concepts: identify; protect; detect; respond; recover
- Operational capabilities: (e.g., governance; asset management; information protection; human resource security; physical security; system and network security and other recognised areas of specialism within IS)
- Security domains: governance and ecosystem; protection; defence; resilience.
- It should be noted that the attributes are overlapping, and not alternatives. Controls can be categorised using the applicable attribute values from all 5 attributes. Equally, you can introduce your own attributes.
While it is not a requirement to use them, attributes are an incredibly useful tool for demonstrating awareness of risk management to an assessor. Using the attributes to select appropriate controls can show a thorough understanding of your risk management programme, risk assessment process and control selection methodology. They also enable you to show that you have considered every control and selected accordingly, as per the requirements of the Standard.
Early Transitions: Lessons Learned
Whilst at the time of writing this blog many organisations are yet to transition to the new Standard, and hence the sample size is quite small, our consultants have already identified a few common themes and focuses that seem to keep popping up in certification body assessments.
In response to the clausal changes and additions, the key to conformance is frequent and well-documented management review meetings. These will enable you to cover off, for example, the addition of item d in Clause 6.2, reviewing objectives more frequently than the typical once a year, which would no longer meet the requirement of the Standard. Meanwhile, a simple way to meet the requirements of the new Clause 6.3 is the consistent inclusion of change management as a point of discussion in your management review meetings, and always ensuring you document these discussions.
When adopting the new controls, there will be consistent links to your risk assessment. While a certain control may be applicable, the way it is applied, and the process maturity wrapped around it, will be directly proportional to the risk identified.
When approaching controls that appear to be a combination of 2 or more previously separate controls, your initial instinct may be to simply merge your existing controls and rely on your previous control maturity. However, this approach can lead to errors and oversight. It is extremely important to review all of your controls as there is a lot of additional and more up-to-date guidance provided in ISO 27002 that needs to be considered when determining the maturity of controls you have already implemented. While a particular control may have been reasonably mature through the lens of the 2013 Standard, your control maturity may decrease due to the updated and additional guidance in ISO 27002. We always advise organisations to thoroughly consider the guidance laid out in ISO 27002, as this can assist you in identifying the missing pieces.
How URM Can Help
As one of the first UK organisations to achieve certification to ISO 27001:2022, our understanding of the challenges associated with ISO 27001 transition is drawn from first-hand experience. Our experienced ISO 27001 consultants can assist you with your transition including conducting a gap analysis where we will assess the status of your current ISMS against the requirements of ISO 27001:2022 and identify any gaps both in terms of mandatory management system clauses and Annex A controls. We can also assist transition your risk assessments by using our automated risk assessment tool, Abriska 27001 which is populated with all the new controls, as well as allowing you to take advantage of the new attribute functionality. Having conducted a risk assessment, URM’s consultants can help you implement any required controls, policies and processes and then conduct ISO 27001:2022 internal audits ahead of any external assessments.
By attending our 2-day online ISO/IEC 27001:2022 Transition Course, you will not only learn from URM’s experienced and practising ISO 27001 consultant what the key changes are to the Annex A controls and management system clauses, but more importantly, how to transition from ISO 27001:2013 to ISO 27001:2022. Having been introduced to all the major management system and control changes, a major focus will be on how to update your risk assessment and Statement of Applicability, along with the different approaches you can take to transitioning to the new control set. You will also learn how to use, link and present the new attributes.
Book FREE Consultation
URM provides some top tips for achieving an effective and successful information security management system implementation
Broadly speaking, information security is held up by three pillars – People, Process and Technology. It is widely accepted that humans are the weakest link