ISO27001 is one of the most recognised and widely used information security standards out there, and has been for several years. Any experienced information security professional will almost certainly have made reference to it at some point.
However, despite ISO 27001 being such a pillar within the sector, it has been widely accepted that there are some issues with the way the Standard is written and formatted, occasionally creating issues during audits and implementation.
The Annex A controls, for example, have been seen as convoluted and repetitive. The rapid emergence of new technologies has also meant that some controls appear to be outdated.
A new and improved version of the standard is now available, and many organisations are already making the transition.
The good news is that a lot of the changes are editorial, and the previous principles mostly remain the same. However, there are some new aspects to pay attention to:
Annex A Controls
An organisation seeking to transition to the new standard will almost certainly need to revamp their Statement of Applicability to align with the new controls. These have now been condensed to 93, from the previous 114.
The structure has also been consolidated to 4 key areas:
- Organisational Controls
- People Controls
- Physical Controls
- Technological Controls
This contrasts with the 14 areas that formed the previous version of the Standard. Some controls have been removed, while 24 controls have been merged, and 58 have been revised. The new controls you should be aware of are:
- A.5.7 Threat intelligence
- A.5.23 Information security for use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
By introducing these new controls, the ISO Committee is aiming to improve applicability of the standard with current technologies. As ever, the ISO 27002 guidance document is in place to provide further detail on each of these.
What Remains the Same?
The ISO 27001 clauses 4-10 are largely the same, and most organisations shouldn’t expect to change too much of what they already have. A new clause under 6.3- “Planning of Changes” has been introduced, which will be familiar to those who have used other ISO standards, such as ISO 9001.
How Can You Transition?
Caladium Cyber have certified ISO 27001 Lead Auditors within their Consultancy team, who are here to guide you through the process of aligning to the new standard. For companies of all sizes and sectors, we will be able to provide you with a bespoke support package that suits your needs.
Contract us for more information on how we can help you and your organisation.
Comments