ISO/IEC 27001:2022 was released in October. In this cyBARR Chat, Director of Cyber Risk Advisory Angela Redmond discusses what the new updates are and how they might impact your organization.
[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARR Chats. Today we’re joined by Director of BARR’s Attest Services Angela Redmond to discuss ISO 27001:2022, a new edition of the standard that was issued earlier this year. ISO 27001 is the leading international standard for information security, and the last edition of the standard was released back in 2013.
So, Angela, today we’re gonna dive into, uh, what some of these changes mean. But to get started, why does the International Accreditation Forum release new editions to the standard?
[00:00:41] Angela Redmond: So at least once every five years, all ISO standards are reviewed and potentially updated. Standards are updated to remain current, and the ISO 27001 standard has been updated to reflect new and evolving security challenges.
[00:01:02] Claire McKenna: Got it. Well, with so many different security challenges in the industry, that definitely makes sense. So what are some of these major changes from ISO 27001:2013 to this new 2022 edition?
[00:01:18] Angela Redmond: Yeah, so the changes can really be broken down into two parts. The first being changes to the management system clauses, and the second being changes to the Annex A controls.
So with the changes to the management system clauses, these really have been overall pretty minor, with the biggest changes being to clauses 4.4 and 8.1. Clause 4.4 adds to the context of the organization the requirement to identify necessary processes and their interactions within the ISMS. Clause 8.1 adds a requirement to define process criteria.
Additionally, minor clarifications and specifications have been made to a handful of the management system clauses. The changes to the Annex A controls are relatively moderate and have been derived from ISO 27002, version 2022, which was released earlier this year. Organizationally, the former 14 control families of Annex A controls have now been focused into just four themes.
Most of the controls have stayed the same or have been renamed. Another group of controls were merged to reduce the total number of controls, but the requirements within those controls are almost the exact same. The biggest change has been the addition of 11 new controls.
[00:02:51] Claire McKenna: Got it. Can you describe the new controls that have been added to the standard?
[00:02:56] Angela Redmond: Yeah, so as mentioned earlier, these 11 new controls have been added to reflect new and evolving security areas, and specifically the control categories for the new controls are as follows: threat intelligence, information security for the use of cloud services, information and communications technology for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
And for further details and descriptions of each of these controls, we recommend that you purchase ISO 27001 and ISO 27002 and review them with your.
[00:03:49] Claire McKenna: Got it. So my next question is, is there a transition period?
[00:03:54] Angela Redmond: Yes. So there is a three-year transition period for organizations to conform to the new version of ISO 27001. All ISO 27001:2013 version certificates will expire or be withdrawn no later than October 31st, 2025.
For organizations that are currently working towards a certification, these companies are eligible to certify against the 2013 version up until October 31st, 2023.
[00:04:31] Claire McKenna: Got it. So that brings me to my next question, Angela. What recommendations do you have for organizations that currently have an active ISO 27001 certification or are currently working towards one?
[00:04:44] Angela Redmond: So for organizations with an active certification, there is plenty of time to make the necessary changes and transition your certification. Start out by reviewing the standards and updating your ISMS and your statement of applicability to align with the revised requirements. Incorporate this into your risk assessment and management review so that key parties at your organization are on board with the change.
Reach out to us for guidance on the logistics of the transition. We’re happy to help. For organizations working towards a certification, start incorporating the new standards into your preparations today. Certification bodies will be required to be ready to certify against the new standard by April 30th, 2023.
Most will be ready to certify prior to that.
[00:05:40] Claire McKenna: Got it. Those are great recommendations. That brings me to my last question, Angela. Is there just anything else that you’d like to add?
[00:05:48] Angela Redmond: Yes, please don’t hesitate to reach out to us for any assistance. Standard updates and the associated transition process can sometimes feel a bit daunting, but we are more than willing to walk your teams through the process and hopefully reduce some of the burden.
[00:06:07] Claire McKenna: Absolutely. Well, Angela, thank you so much for such valuable insight into the new changes in ISO 27001, and to our audience, like Angela mentioned, please do reach out to us and contact us with any further questions that you might have about this new release. Thank you so much for tuning into cyBARR Chats, and we look forward to seeing everyone next time.