The International Organization for Standardization (ISO) is making significant changes to ISO 27001:2013. We at Semper Sec are watching these changes closely; our watchfulness will help keep our customers' operations certification-current!
ISO changes are expected early this year, 2022. Though this is quickly approaching, implementing the changes will take an additional 12-24 months. Therefore, it is important to take the update seriously, but not be alarmed as there is time to keep you ISO certified.
ISO 27002 is the 'reference library' of the ISO 27001 compliance certification process, technically called "ISO/IEC DIS 27002 Information security, cybersecurity, and privacy protection — Information security controls." This is where the 'controls,' are prescribed and guidance is given on how to implement them. Controls are the individual things a company does to keep its systems as secure as possible, not to forget keeping its systems certified! Yes, you do the controls because you want to keep your ISO 27001 certification, but also because they are good for your company.
Cybersecurity compliance standards and frameworks regularly update their certification requirements to keep ahead of threats to company data and IT systems. Originally published in 2013, ISO 27001:2013 was updated for technical corrigendum (errors) in 2014 and 2015. The 2022 improvement will be much more significant.
Currently, ISO has the changes in its approval process. While the clauses will largely remain the same, the overall process is quite detailed. There are currently 114 ISO 27001:2013 controls. We expect the improvements to involve consolidations, better family groupings, and the adding of eleven controls on threat analysis.
To add some color, the additional controls will focus on threat intelligence. For example dark web scanning, how would an organization handle their employees’ username and password ending up on the internet? The consolidation will involve reorganization into four security domains, reducing redundancy.
The approaching changes of ISO will affect organizations differently. The difficulty level in terms of bridging the gap between the old and new will depend on the program(s) being implemented. As mentioned earlier, Semper Sec customers are not to fear. Upon the final release of the new and improved ISO 27002, new controls will be assessed during the next internal audit.
Some reading this might be in the middle of becoming ISO 27001 certified, and to that, we say: keep on keeping on! Anything you are currently doing to become certified will still need to be done when the new ISO is published. Nothing is final until it is final so first get certified and when needed, adjustments can be made. Without a doubt, our team can ensure your organization will be up to date within the necessary timeframe.