The new ISO27001 is coming, what does it mean for your ISMS?


Since the new ISO 27002:2022 was published in February, we have been getting a lot of questions from the market. When is the new ISO 27001 coming? Do we need to build a new ISMS? How will this affect my NEN 7510 certification? When will we be audited against the new standard? What exactly changes in the standard? Will my certificate on the old version expire? In the article below, we answer these key questions. And of course there will be an ample transition period, during which there is time to make the appropriate adjustments.

Standards are regularly reviewed

In the same way that you review the documents in your ISMS, ISO standards are also reviewed with some regularity. This is important because otherwise they would be overtaken by developments in technology and by new insights into business operations. After all, the standard must fit the current times and, in the case of ISO 27001, help you secure your information. Typically, this is done on a five-year cycle.

Implementation guideline first

On 15 February, the first to be replaced was the implementation guideline, which dated back to 2013. The new version is available as ISO 27002:2022. This guideline gives you guidance on how to implement the controls (Annex A) linked to ISO 27001. ISO 27002 itself is not certifiable, but from it we can already see what is going to change in ISO 27001.

And then the ISO 27001

At the moment, ISO has chosen not to release a new version of the standard, but only to replace Annex A. This will be published as an amendment and will be called ISO/IEC 27001:2013/AMD 1:2022. For the English-language version, this is likely to happen in May or June 2022. The Dutch version will follow a few months later and will most likely be named NEN-EN-ISO/IEC 27001:2017+A12:2022.

The adjustments

Where we are now used to 114 controls (management measures), this changes to 93. But if you start looking at the content, you will discover that most of the old controls have been merged rather than dropped.

The number of chapters is also changing: instead of the current 14 control domains (A.5 to A.18) there will be only four, namely:

Chapter 5 - Organisational controls: This chapter contains all management measures that do not fit into the three following chapters (i.e. those that do not deal with people, physical security or technology), such as policies, roles, supplier relationships and incident management.

Chapter 6 - People controls: Here you will find all management measures that deal with people, such as screening, awareness, terms of employment, remote working, etc.

Chapter 7 - Physical controls: This chapter contains all measures regarding physical security of the site(s), but also how maintenance of equipment is arranged.

Chapter 8 - Technological controls: All management measures related to technology can be found in this chapter. For example, how to secure your network and information processing systems, how to deal with logging and monitoring, and how to make sure your developers develop securely.

What's new

To a large extent, these chapters contain the measures you are already familiar with. Some have been merged, but their content remains the same.

In addition, 11 new measures have been added:

5.7 Threat intelligence: The way information about new and existing threats is gathered, analysed and acted upon.

5.23 Information security for use of cloud services: This management measure describes how you secure your information in the cloud services you use, covering acquisition, use, management of the service, and also exit when you leave it.

5.30 ICT readiness for business continuity: This involves creating, implementing and testing an ICT continuity plan (ICTCP). How is the availability of information processing systems arranged in the event of a disaster or a very large disruption?

7.4 Physical security monitoring: How are the business premises monitored for unauthorised physical access? The focus here is on areas housing critical systems, such as server rooms, important utilities and administration.

8.9 Configuration management: This management measure deals with defining, implementing, monitoring and maintaining a proper (hardened) configuration of hardware, software and services, in line with the overall security policy.

8.10 Information deletion: When implementing this management measure, ensure that information is not kept longer than necessary and is actually deleted from systems and media when no longer required. Data you no longer hold cannot be leaked or misused.

8.11 Data masking: This should be implemented to avoid unnecessary exposure of sensitive data, for example in test environments or reports. Techniques include encryption, nulling (removing the value), and data replacement with pseudonyms or tokens.

8.12 Data leakage prevention: This management measure describes preventing data leaks via the channels through which information can leave the organisation. Think of e-mail, file transfer, shared links, etc.

8.16 Monitoring activities: This involves monitoring networks, systems and applications in order to detect anomalous behaviour. What is monitored, and to what extent, should be determined in advance by the organisation.

8.23 Web filtering: This management measure is about filtering employees' web traffic, for example by blocking access to known malicious or otherwise unwanted websites.

8.28 Secure coding: Secure coding principles must be established and applied in software development, and compliance with them must be monitored.
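As an added example that is not part of the original article, the following Python script shows the three masking techniques named under 8.11 applied to a small constructed dataset: data replacement with a consistent pseudonym (a keyed hash, so records stay joinable but the token cannot be reversed without the key), nulling of fields that have no analytic value, and partial masking of e-mail addresses and IBANs. The field names, the sample records and the masking key are assumptions made for illustration; none of it comes from the standard.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people; field names are an assumption).
SAMPLE_RECORDS = [
    {"patient_id": "P-10042", "name": "A. Jansen", "email": "a.jansen@example.org",
     "iban": "NL91ABNA0417164300", "notes": "Follow-up in two weeks"},
    {"patient_id": "P-10042", "name": "A. Jansen", "email": "a.jansen@example.org",
     "iban": "NL91ABNA0417164300", "notes": "Lab results discussed"},
    {"patient_id": "P-20017", "name": "B. de Vries", "email": "bdv@example.com",
     "iban": "NL20INGB0001234567", "notes": "Referred to specialist"},
]

# Hypothetical per-environment secret; in practice this comes from a secrets store
# and is never deployed to the test environment that receives the masked data.
MASKING_KEY = b"replace-with-environment-specific-secret"


def pseudonymise(value, key=MASKING_KEY, length=12):
    """Data replacement: same input -> same token, so joins between records still
    work, but the token cannot be reversed without the key. A plain (unkeyed)
    hash would not do here: the ID space is small enough to brute-force."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSN-" + digest[:length]


def mask_iban(iban):
    """Partial masking: keep the country code and the last four characters."""
    compact = iban.replace(" ", "")
    if len(compact) < 8:
        raise ValueError("IBAN too short")
    return compact[:2] + "*" * (len(compact) - 6) + compact[-4:]


def mask_email(email):
    """Partial masking: replace the local part, keep the domain for statistics."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return local[0] + "***@" + domain


# One rule per field. Free text is nulled: it can contain anything.
RULES = {
    "patient_id": pseudonymise,
    "name": lambda v: None,   # nulling
    "email": mask_email,
    "iban": mask_iban,
    "notes": lambda v: None,  # nulling
}


def mask_record(record, rules=RULES):
    """Apply the rule for each field. Fields without a rule are dropped rather
    than copied through, so a new column cannot leak by default."""
    masked = {}
    for field, value in record.items():
        if field not in rules:
            continue
        masked[field] = rules[field](value) if value is not None else None
    return masked


def mask_records(records, rules=RULES):
    return [mask_record(r, rules) for r in records]


def residual_identifiers(masked_records, originals):
    """Check that none of the original identifying literals survive in the output."""
    leaked = []
    for orig, masked in zip(originals, masked_records):
        blob = " ".join(str(v) for v in masked.values() if v is not None)
        for field in ("patient_id", "name", "email", "iban"):
            if orig[field] in blob:
                leaked.append((field, orig[field]))
    return leaked


if __name__ == "__main__":
    out = mask_records(SAMPLE_RECORDS)
    for row in out:
        print(row)
    print("leaked identifiers:", residual_identifiers(out, SAMPLE_RECORDS))
```

The fail-closed rule table and the residual check at the end are the parts an auditor will ask about: they make it demonstrable that every field has a decided treatment and that the masked copy no longer contains the original identifiers.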

What does this mean for you and your management system?

To make the transition to the new Annex A manageable for organisations, there will be a transition period. During this period both versions will be valid and certifiable. This means that if you want to switch to the new set of controls quickly, you can of course do so, but you can also rest assured that your next (surveillance) audit can still be performed against the old version. In the meantime you have the time to adapt your organisation and processes to the new controls. How long the transition period will be is not yet known, but it is usually several years.

What about the NEN 7510 or the BIO?

Naturally, organisations being audited against NEN 7510 or the BIO are wondering what this means for them. Both NEN 7510 and the BIO consist of additional controls added on top of ISO 27001 Annex A. So if the basic set of controls changes, NEN 7510 and the BIO will also have to be adapted. It is expected that publication of a new NEN 7510 and BIO could take another two years.

For organisations that also hold NEN 7510 certification and/or have to comply with the BIO, it is therefore most logical to postpone the transition to the new controls until NEN 7510 or the BIO have also been amended. Otherwise the old and new Annex A controls will become mixed up in your management system. Think of your risk analysis and its consistency with Annex A and your Statement of Applicability (VVT): two versions side by side, intermixed. It can be done, of course, but it does not keep things simple enough for everyone internally to still understand them.

Conclusion

So there are some exciting changes ahead, which bring the standard back in line with current threats, knowledge and technology. But there is no need to worry: there is plenty of time to prepare your organisation well for this new version of the standard.
