At the end of 2022, the international standard ISO 27001:2022 replaces the last version dating from 2013. The purpose of this text is to (re)define the standards and requirements for establishing your company's information security management system. Widely used in all types of organizations, this new version inevitably raises questions about the changes it implies. What are the major evolutions of this version? And what impact can you expect on your organization?

ISO 27001: an international standard for information security

A standard to guide you in designing your ISMS 

Published in 2005 and revised in 2013, the international standard ISO 27001:2013 sets the framework for establishing an Information Security Management System (ISMS). This standard addresses security through the prism of managing the risks to your data, around a simple concept that can be summed up in one phrase: "prevention rather than cure".

Generally speaking, prior to this standard, organizations applied security measures in response to incidents, but had no assessment tool for defining the requirements of operating and maintaining the security of their information systems (IS).

By defining security requirements in response to threats of intrusion, loss, theft or alteration of your data, it is considered, along with ISO 27035 (Information Security Incident Management), to be a benchmark in information security management.

According to the International Organization for Standardization (ISO), it "helps organizations secure their information assets, which is vital in an increasingly digitized world". Divided into compliance requirements, this standard covers everything from regulations on personal data protection to secure access to buildings and IT infrastructures.

The need to adapt ISO 27001

But almost a decade separates us from its last update in 2013. Since then, threats have evolved considerably. On the one hand, our lifestyles and our relationship with digital technology have been turned upside down, offering an ever-wider attack surface:

  • rapid acceleration of digital transformation;
  • adoption of teleworking and hybrid work modes at full speed;
  • predominance of the cloud, with the need to be connected everywhere, all the time...

At the same time, cyber-attacks are on the increase (+125% in 2021 [1]), with the professionalization of attackers and the democratization of compromise techniques. It has never been easier to carry out an attack: ready-to-use ransomware kits, attacker franchises... Cybercriminal networks have structured themselves and market malware and initial access on demand.

These developments have made it increasingly complex to secure organizations. The ISO standard had to adapt to this new reality. And it all began with a change in the standard's name: the very title of the standard, "Information technology", became "Information security, cybersecurity and privacy".

The new ISO 27001:2022 version 

What impact will this new text have on your organization? What influence will it have on your compliance obligations? Is your ISO 27001 certification in jeopardy? Here are some answers.

Changes in form

On the whole, the changes made to the standard's content contribute to improving the performance of your ISMS. But some of the changes are simply, as Chris Hall, an ISO 27001 expert [2], puts it, "things we need to do to maintain ISO 27001 certification". So the stage is set!

Richard Plantier, GRC Expert at Tenacy, comments on the change in the standard's title, stressing that: "This lexical change does not reflect any additional requirements concerning personal data or privacy. On the other hand, it does indicate that the focus is now a little more technical, as the appearance of cloud, threat intelligence and secure coding (among others) among the controls listed in ISO 27002 would suggest."

There have also been several changes in terminology:

  • "teleworking" is replaced by "telework";
  • "documented procedure" becomes "documented information".

But beyond the wording, this version announces real structural changes.

Appendix A and its new controls

The changes in this new normative version mainly concern Annex A, which is itself derived from the new version of ISO 27002:2022 published in February 2022. This annex is no longer considered to be a detailed and exhaustive list.

In the text of the ISO 27001:2013 version, the controls were divided into 14 different areas. They have now been merged into 4 categories:

  • People-related controls: remote working, confidentiality, non-disclosure of information, screening...
  • Organizational controls: information policies, use of cloud services, use of assets...
  • Physical controls: security monitoring, storage media, maintenance, security of premises...
  • Technological controls: authentication, encryption, data leakage prevention...

Another highlight was the appearance of 11 new controls on the following aspects:

  • threat intelligence (A.5.7),
  • security of information hosted in the cloud (A.5.23),
  • ICT readiness for business continuity (A.5.30),
  • physical security monitoring (A.7.4),
  • monitoring / surveillance activities (A.8.16),
  • web filtering (A.8.23),
  • secure coding (A.8.28),
  • configuration management (A.8.9),
  • information deletion (A.8.10),
  • data masking (A.8.11),
  • data leakage prevention (A.8.12).

Despite the addition of new controls, the total number of controls fell from 114 to 93 as a result of consolidations and mergers.

What concrete impact does it have on the organization?

The evolution of the standard puts the emphasis on procedures, criteria and controls, which, as a reminder, are an integral part of the ISMS. Objectives must now be documented and monitored, and changes to the ISMS must be planned.

In concrete terms, for an ISMS to comply with this new ISO standard, organizations will have to go through a transitional phase over the next two or three years.

What about certified companies?

As a reminder, certification means meeting all the requirements of the standard, and in particular clauses 4 to 10. What's more, you need to have been audited by an external party to ensure that your approach is sustainable. Organizations already certified to ISO 27001:2013 will have two years to comply with the new 2022 version.

The main change concerns the statement of applicability (SoA) and the evidence of comparison between the two versions of ISO 27001. Several tasks need to be planned:

  • updating policies and translating them into certification requirements;
  • revising the risk management plan;
  • revising the ISMS communication plan;
  • updating the procedures and checklists used for internal or external audits.

Whether you're a certified company or not, you'll need to assess the necessary adaptations to your third-party security tools. Fortunately, at Tenacy, we're ahead of the game, and policy requirements are already up to date on the platform (and require no intervention on your part!). You can rest assured that the records you use to demonstrate compliance meet the new requirements!

In conclusion

As you know, adopting a cyber-resilient approach means being aware of the threats to and vulnerabilities of your information system. Application of and compliance with this new version of ISO 27001 will be phased in as soon as the text comes into force.

[1] https://www.weforum.org/reports/global-cybersecurity-outlook-2022

[2] https://www.linkedin.com/pulse/changes-2022-version-iso27001-chris-hall