The ISO 27001 and 27002 standards are certainties in nearly all information/cyber security professionals' lives. Most companies and government organisations throughout the world in some way align with them or are certified against them.
Some of us have used it for more than 20 years, and I personally have directly and indirectly made a business of it and spent hours training, consulting, auditing, and implementing the standard in exotic locations ranging from my home office to large swathes of Africa and Europe, many of the 'Stans in Asia, and remote islands in the Indian and Atlantic Oceans. Each one of those trips taught me a little more about the nuances of the standard and its adoption, and of course about the wonderful countries themselves.
Time for Change?
During my courses, we always get asked when the new version is coming out, and we normally work backward: the last change occurred when the 2013 version took over from the 2005 version. That makes eight years, folks, and 2021 is now eight years later, so a new version should be coming soon. Maybe it is a little sad that so many of us were "eagerly" awaiting a new version of this standard. But hey, that's just the way it is!
A New Version
So, it was not that much of a surprise when a new version suddenly became available last month as a version for comment, though not of ISO 27001 but rather of ISO 27002, labelled ISO 27002:2020. This new version is still being voted on and the voting closes at the end of April, so it might change from what I am writing about here, but I am quietly confident it won't change too much.
Controls
For many people the controls in 27002 are the fundamental thing, and they are not troubled that the controls are only a small part of the overall ISMS; after all, the controls were written first and the management system came later. These controls therefore drive many a security function, and their evolution is widely considered, reviewed, and commented on.
Now here is where it gets interesting: the controls contained in A5-A18 have largely stayed the same for 20 years, and even the numbers, which for a historically forgotten reason start at A5 rather than A1, are understood and remembered by many of us. So A5 is about policies and A9, of course, is all about access control.
These controls have been rewritten, made less specific, and updated over the years, but in the main they have stayed similar since the last century. So is it time for a change or just small edits? Bear in mind that between 2013 and 2021 there have been massive changes in the socio-political landscape and in information (or is it cyber?) security.
Interesting Changes
Opening it up, you immediately see that they decided this is far more than information security and have renamed the document:
“Information security, cybersecurity and privacy protection — Information security controls”
This is a fundamental shift, with all controls now focusing wider than the traditional Infosec areas and bringing a newer focus on all three areas working together.
The Major Differences
So, without further ado, here are the major differences summarised:
- The old control areas, numbers and structure have been removed and replaced with four large themes, each categorised into a new clause, namely:
- There are options to present controls in different views for different audiences: each control in this document has been associated with four attributes, with corresponding attribute values (preceded by "#" to make them searchable), as follows:
- a) Control Types (#Preventive, #Detective, #Corrective)
- b) Information Security Properties (#Confidentiality, #Integrity, #Availability)
- c) Cybersecurity Concepts (#Identify, #Protect, #Detect, #Respond, #Recover)
- d) Operational Capabilities
- e) Security Domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience)
- The number of controls has gone down from 114 to 93. Some controls have been collated into higher-level controls and others have been discarded.
- There are new controls, including Information Deletion, Data Masking and Data Leakage Protection, which of course link nicely to PI requirements, while other new controls are more cyber-focused or aligned to how risks are changing.
- The old controls have been updated and rewritten. Some of these are a complete face-lift and others are less dramatic, but all the controls have been looked at in terms of the changes brought by the areas above, and an attempt has been made to align them with 2021 and where we currently are (even with a nod to the remote-working and mobility changes, which have always been there but are now of much higher importance than they were in 2005 or even 2013).
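The "#" attribute tags are meant to be searchable, which makes it straightforward to build the audience-specific views mentioned above from one control catalogue. The following Python is an added example, not part of this post or of the draft standard: it parses hashtag strings against the attribute vocabularies listed above (Operational Capabilities is omitted because no values are given for it), builds a view for one attribute value, and lints a catalogue for misspelled or missing tags. The control names are taken from the post, but the tag assignments and the fourth entry are constructed for illustration and are not the draft's actual values.

```python
import re
from typing import Dict, List, Set, Tuple

# Attribute vocabularies as listed in the overview above. "Operational
# Capabilities" is left out because the post gives no values for it.
ATTRIBUTE_VALUES: Dict[str, Set[str]] = {
    "control_type": {"Preventive", "Detective", "Corrective"},
    "security_property": {"Confidentiality", "Integrity", "Availability"},
    "cybersecurity_concept": {"Identify", "Protect", "Detect", "Respond", "Recover"},
    "security_domain": {"Governance_and_Ecosystem", "Protection", "Defence", "Resilience"},
}

# A tag is "#" followed by a word; underscores are allowed for multi-word values.
TAG_RE = re.compile(r"#([A-Za-z][A-Za-z_]*)")


def parse_tags(tag_text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Split a '#Tag #Tag ...' string into {attribute: {values}} and a list of
    tags that belong to no vocabulary (typos or unofficial tags)."""
    found: Dict[str, Set[str]] = {name: set() for name in ATTRIBUTE_VALUES}
    unknown: List[str] = []
    for tag in TAG_RE.findall(tag_text):
        for name, values in ATTRIBUTE_VALUES.items():
            if tag in values:
                found[name].add(tag)
                break
        else:
            unknown.append(tag)
    return found, unknown


# Constructed sample catalogue: the first three names are controls the post
# mentions, but every tag assignment here is an illustrative assumption.
CONTROLS: Dict[str, str] = {
    "Information deletion": "#Preventive #Confidentiality #Protect #Protection",
    "Data masking": "#Preventive #Confidentiality #Protect #Protection",
    "Data leakage protection": "#Preventive #Detective #Confidentiality "
                               "#Protect #Detect #Protection #Defence",
    # Constructed entry with a deliberately misspelled control-type tag.
    "Sample control (constructed)": "#Detetcive #Integrity #Detect #Defence",
}


def build_view(controls: Dict[str, str], attribute: str, value: str) -> List[str]:
    """Return the names of controls carrying `value` under `attribute`,
    i.e. one audience-specific view of the same catalogue."""
    if value not in ATTRIBUTE_VALUES[attribute]:
        raise ValueError(f"{value!r} is not a valid {attribute} value")
    names = []
    for name, tag_text in controls.items():
        tags, _ = parse_tags(tag_text)
        if value in tags[attribute]:
            names.append(name)
    return names


def lint_catalogue(controls: Dict[str, str]) -> Dict[str, List[str]]:
    """Report controls that carry unknown tags or leave an attribute empty,
    so a misspelled tag cannot silently drop a control from a view."""
    problems: Dict[str, List[str]] = {}
    for name, tag_text in controls.items():
        tags, unknown = parse_tags(tag_text)
        issues = [f"unknown tag #{t}" for t in unknown]
        issues += [f"no {attr} value" for attr, vals in tags.items() if not vals]
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    print("Detective view:", build_view(CONTROLS, "control_type", "Detective"))
    print("Confidentiality view:",
          build_view(CONTROLS, "security_property", "Confidentiality"))
    print("Lint findings:", lint_catalogue(CONTROLS))
```

The lint step is the part worth keeping: a control whose tag is misspelled simply vanishes from the view it should appear in, so a catalogue should be checked for unknown tags and empty attributes before any view is trusted.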
Summary
Well, for the most part I like it, and I believe that anything that simplifies while making sure the critical control objectives are still met is the way to go. The controls that were removed do not seem too controversial in the main, but more about that in the next article. The Themes are an easy way to position the controls, and there is an appendix showing how everything maps to the previous version for those who want to keep things the same or migrate more slowly.
The Technology Controls are the main aspect that has been evolving over the versions, as we realise that the information landscape and its security are complex and almost impossible to manage with manual controls, so technology controls become critical to defend against these threats. But of course, this section can be debated in terms of which specific controls were selected and what was left out.
Next Time
This is just an overview, folks, so next time I will dive deeper: the next article will focus on the first theme, Organisational Controls, what they are about and how they differ from the old way.
Thanks for your support and until next time.
Bevan Lane | Founder | Infosec Consulting ZA
Infosec Consulting ZA is a certified partner of Hicomply