The ISO/IEC 27001 standard has been updated. What’s new?
Reducing controls and adding “attributes”.
On October 25, 2022, the new edition of ISO/IEC 27001, the standard for information security management systems, was released.
ISO/IEC 27001 is one of the world’s best-known information security management standards, and it has long since moved from the realm of cybersecurity into the business world.
The standard had been due for a revision for a long time, as it had not undergone significant updates since 2013. Minor amendments were made in 2017, but these were mostly structural or grammatical.
In 2022, the standard received dramatic changes, starting with the name:
- Old name: Information Technology – Security Practices – Information Security Management Systems – Requirements;
- New name: Information security, cyber security and privacy protection – Information security management systems – Requirements.
The new ISO 27001 standard is about three things: information security, cybersecurity and privacy. There has long been a debate about whether cybersecurity is a subset of information security or the same thing. The new name clearly indicates that companies should be concerned with all three aspects of security. The other main changes are:
- a new requirement for planning changes to the ISMS (Information Security Management System) (clause 6.3);
- the 114 controls have been reduced to 93 (Annex A);
- the 14 management areas have been reduced to 4 (organizational, personnel, physical, technical);
- 58 updated controls (Annex A);
- 24 combined controls (Annex A);
- 11 new controls (Annex A);
- a new “attributes” section for controls (Annex A).
With the exception of one key element, the main text of the standard (the ISMS requirements) has not changed much. But even this one change is significant. It is in clause 6.3 “Planning for change”, where the requirement reads: “When the organization determines the need for changes in the information security management system, the changes should be carried out in a planned manner.”
This is a clear indication that if you are planning changes to the ISMS, you need to demonstrate that these changes are structured and planned, and that you can provide evidence of this. The evidence could be a timeline showing where changes to the ISMS are planned in advance, or a record showing that they are subject to your internal change management process, possibly with an audit committee or change advisory board overseeing such changes.
The most significant changes affected Annex A.
Annex A – “Attributes”
The new standard received a new “Attributes” section, which states:
“An organization can use attributes to create different views – different categories of controls. Attributes can be used to filter, sort, or present controls for different audiences.” (ISO27001:2022 – 4.2 Topics and Attributes).
There are five attributes, each with a set of corresponding values (each value is prefixed with a “#” symbol to make it easy to search for). Examples of attributes and their values:
- Control Type #Preventative;
- Information Security Properties #Confidentiality, #Integrity, #Availability;
- Cybersecurity Concepts #identify;
- Operational Capabilities #governance;
- Security Domains #Governance and Ecosystem, #Resilience.
Using attributes allows you to select Annex A controls based on your audience and needs. Attributes and their values also make it easier to map Annex A controls to other control frameworks, such as NIST, and to reference them in business operations.
Organizations and consultants have until 2025 to study the changes; after that, the next changes and updates to the standard will follow. Organizations can now evaluate the impact the changes to the standard may have on them and the benefits they bring.