ISO27001:2022 – A New Way of Working

4 years ago Tripwire Guest Authors

It has been a long time coming! The upgrade to ISO27001:2013, the international standard for information security management systems, is (almost) here.

Hallelujah!

If you’re reading this article, then there’s a reasonable assumption that you know what ISO27001 is and you’re not going to be too worried about the back story. But let’s all be clear on a couple of points.

The current version of the Information Security Management Standard is ISO27001:2013. 

The last update to the standard was 2017 when (for some reason) a committee of information security specialists were required to change about three words and add a couple of ‘full-stops’ (!). Yes, I’m being flippant here! I’m sure it was just an oversight and not some cynical opportunity to get professionals (like me) very excited and to rush out and spend almost £200 for nothing more than a cosmetic change! (All I’m saying is that many of our hairstyles have seen more change in the last five years than this standard.)

So… here we are. 2022. The news that has been circulating around the hallowed halls of Information Security Central is that the NEW version of ISO27001 is almost with us!

It’s a Date!

It is highly anticipated that ISO27002 will be with us in January 2022 and that ISO27001 will be with us in March 2022.

Why Is This Important?

ISO27002 is the guidance on implementing the controls (normally referred to as ‘Annex A Controls’), and it therefore provides us with insight into the changes.

ISO27001 is the actual certification standard for an organization.

(If anyone says that they are “ISO27002 Certified,” you have my permission to smile wryly and politely move away quickly.)

What Do We Know So Far?

Ok, so you have recently been certified to ISO27001:2013. Congratulations! But now you hear about this new standard. What do you do now?

First, don’t panic. There WILL be a transition period to move to the new standard. Although the exact time frame has yet to be established, based on past experience I would say you’ll have at least 18 to 24 months to complete the transition.

However, this does not mean ‘sit-and-do-nothing-until-the-two-years-are-up.’ It means you should be looking at the new standard now and preparing for transition OVER the next couple of years. 

You should be speaking to your Governance, Risk, & Compliance team or the person who manages your ISO standard(s) as well as putting a plan together now rather than waiting until you have it all to do in 2024. Why? Because when we look at ISO27002, we can see there are some notable changes, and therefore, the requirements for evidencing compliance are also going to be notably different.

What Are the Scores on the Doors?

Let’s take a quick look at what we know so far. We know that ISO27001:2013 (Annex A) has 114 controls across 14 separate areas. ISO27001:2021 (as I’m calling it) will have 93 controls across four themes (ISO’s term for the top-level grouping; not to be confused with the ‘Security Domains’ attribute described below). These are as follows:

  • Organizational Controls (37 Controls)
  • People Controls (8 Controls)
  • Physical Controls (14 Controls)
  • Technological Controls (34 Controls)

A number of 2013 controls have disappeared as separate entries (most were merged with others rather than removed outright), but more importantly, we have 11 new controls that reflect the world in which we live (compared to 2013). These are as follows:

  • Threat intelligence (5.7)
  • Information security for the use of cloud services (5.23)
  • ICT readiness for business continuity (5.30)
  • Physical security monitoring (7.4)
  • Configuration management (8.9)
  • Information deletion (8.10)
  • Data masking (8.11)
  • Data leakage prevention (8.12)
  • Monitoring activities (8.16)
  • Web filtering (8.22)
  • Secure coding (8.28)

Another significant change is that each control now has five attributes assigned to it, each with a defined set of attribute values.

The attributes provided have been selected because they are considered generic enough to be used by different types of organizations, and their attribute values are not dependent on the organization.

These are as follows:

  • Control Type – Preventive, Detective, Corrective
  • Security Properties – Confidentiality, Integrity, Availability
  • Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities – (See below)
  • Security Domains – Governance and Ecosystem, Protection, Defense, Resilience

The Operational Capabilities attribute is meant to let practitioners view controls from the perspective of security capabilities. These include Governance, Asset Management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance.
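The practical point of the attributes is that they let you build filtered ‘views’ of the control set (all detective controls, everything tagged Respond, everything under one operational capability) instead of reading the catalogue top to bottom. The Python below is an added example by the editor, not code from the article, Tripwire or ISO: it tags the 11 new controls with the five attributes and filters them. The attribute values assigned to each control are the editor’s reading of ISO27002:2022 and are illustrative; check them against the published text before using them in a real gap analysis. The attribute vocabularies themselves are the ones listed in this article.

```python
"""Attribute-tagged view of the eleven new ISO27002:2022 controls.

Added example, not part of the original article. Attribute values
assigned below are the editor's reading of ISO27002:2022 and are
illustrative only; verify against the published standard.
"""
from dataclasses import dataclass

# Allowed values for each of the five attributes, as listed in the article.
VOCAB = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "properties": {"Confidentiality", "Integrity", "Availability"},
    "concepts": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "capabilities": {
        "Governance", "Asset_management", "Information_protection",
        "Human_resource_security", "Physical_security",
        "System_and_network_security", "Application_security",
        "Secure_configuration", "Identity_and_access_management",
        "Threat_and_vulnerability_management", "Continuity",
        "Supplier_relationships_security", "Legal_and_compliance",
        "Information_security_event_management",
        "Information_security_assurance",
    },
    "domains": {"Governance_and_Ecosystem", "Protection", "Defense", "Resilience"},
}


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: frozenset
    properties: frozenset
    concepts: frozenset
    capabilities: frozenset
    domains: frozenset


def control(ident, name, ct, props, concepts, caps, domains):
    """Build a Control, rejecting any attribute value outside VOCAB.

    A typo such as 'Preventative' would otherwise silently fall out of
    every filtered view, so the vocabulary check is enforced here.
    """
    attrs = {"control_type": ct, "properties": props, "concepts": concepts,
             "capabilities": caps, "domains": domains}
    for attr, values in attrs.items():
        bad = set(values) - VOCAB[attr]
        if bad:
            raise ValueError(f"{ident}: unknown {attr} value(s) {sorted(bad)}")
    return Control(ident, name, *(frozenset(v) for v in attrs.values()))


CIA = ("Confidentiality", "Integrity", "Availability")

# Illustrative tagging of the 11 new controls (editor's reading; verify).
NEW_CONTROLS = [
    control("5.7", "Threat intelligence", ("Preventive", "Detective", "Corrective"), CIA,
            ("Identify", "Detect", "Respond"), ("Threat_and_vulnerability_management",),
            ("Defense", "Resilience")),
    control("5.23", "Information security for use of cloud services", ("Preventive",), CIA,
            ("Protect",), ("Supplier_relationships_security",),
            ("Governance_and_Ecosystem", "Protection")),
    control("5.30", "ICT readiness for business continuity", ("Corrective",),
            ("Availability",), ("Respond",), ("Continuity",), ("Resilience",)),
    control("7.4", "Physical security monitoring", ("Preventive", "Detective"), CIA,
            ("Protect", "Detect"), ("Physical_security",), ("Protection", "Defense")),
    control("8.9", "Configuration management", ("Preventive",), CIA, ("Protect",),
            ("Secure_configuration",), ("Protection",)),
    control("8.10", "Information deletion", ("Preventive",), ("Confidentiality",),
            ("Protect",), ("Information_protection", "Legal_and_compliance"), ("Protection",)),
    control("8.11", "Data masking", ("Preventive",), ("Confidentiality",), ("Protect",),
            ("Information_protection",), ("Protection",)),
    control("8.12", "Data leakage prevention", ("Preventive", "Detective"), ("Confidentiality",),
            ("Protect", "Detect"), ("Information_protection",), ("Protection", "Defense")),
    control("8.16", "Monitoring activities", ("Detective", "Corrective"), CIA,
            ("Detect", "Respond"), ("Information_security_event_management",), ("Defense",)),
    control("8.22", "Web filtering", ("Preventive",), CIA, ("Protect",),
            ("System_and_network_security",), ("Protection",)),
    control("8.28", "Secure coding", ("Preventive",), CIA, ("Protect",),
            ("Application_security", "System_and_network_security"), ("Protection",)),
]


def view(controls, **wanted):
    """Ids of controls carrying every requested value, e.g. view(NEW_CONTROLS, concepts=["Detect"])."""
    return [c.ident for c in controls
            if all(set(vals) <= getattr(c, attr) for attr, vals in wanted.items())]


def group_by(controls, attr):
    """One sorted list of control ids per attribute value: the per-value 'views'."""
    groups = {}
    for c in controls:
        for value in getattr(c, attr):
            groups.setdefault(value, []).append(c.ident)
    numeric = lambda s: tuple(int(p) for p in s.split("."))
    return {k: sorted(v, key=numeric) for k, v in groups.items()}


if __name__ == "__main__":
    print("Detective controls:", view(NEW_CONTROLS, control_type=["Detective"]))
    for domain, ids in sorted(group_by(NEW_CONTROLS, "domains").items()):
        print(f"{domain:25} {', '.join(ids)}")
```

Feeding the full 93-control catalogue into the same structure gives the ‘views’ the standard intends: for example, `view(catalogue, concepts=["Respond"])` is the shortlist to hand an incident-response lead, and `group_by(catalogue, "capabilities")` shows which capability areas carry few or no controls in your scope.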

Conclusion: More Than Just a Name

It has taken some time, but this revision of the widely adopted and effective standard, ISO27001, brings some considerable (and much needed) changes and upgrades.

There is one change, however, that might not instantly jump out at people but which fundamentally changes the standard’s whole focus. This change is right there on the front cover of the standard(s).

ISO27002:2013 is called “Information technology — Security techniques — Code of practice for information security controls.”

ISO27002:2021 is “Information security, cybersecurity and privacy protection — Information security controls.”

Firstly, the term ‘Information technology’ has been replaced with ‘Information security’ and then expanded to encompass cybersecurity and privacy protection. Very pointedly, the guidance highlights that the focus is not specific to technology (spoiler: it never was) but rather the protection of privacy AND cybersecurity.

Also, the phrase “Code of Practice” has been dropped to better reflect its purpose of being a reference set of information security controls. However, this is not a change of purpose, as the intention of ISO27002 has always been to help organizations ensure that no necessary control has been overlooked.

I believe we finally have a standard that we have needed for some time. It now incorporates information security, cybersecurity, AND privacy into the same set of controls. This is not revolutionary but simply an evolutionary change that we have been waiting for. 

Personally, I can’t wait for this change to come in. It’s going to be very exciting to see how (and which) organizations will embrace the new standard first.

But I’m not just excited as an ISO27001 consultant. I’m excited because I am hopeful that it will usher in a renewed interest in a highly valuable and incredibly efficient security management system (when done well). Exciting times lie ahead.


About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology.

You can follow Gary on Twitter here: @AgenciGary

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “ISO27001:2022 – A New Way of Working” appeared first on Tripwire (Source: Tripwire – Tripwire Guest Authors).
