The ISO Upgrade Project

What is ISO 27001, and what’s changed?


The ISO/IEC 27001 Information Security Management Standard was updated to ISO/IEC 27001:2022, and its title was expanded to “Information security, cybersecurity and privacy protection. Information security management systems. Requirements.”

That’s a lot of words.

A brief history of ISO 27001 and 27002 …

Both ISO 27001 and 27002 focus on information security and information security management systems (ISMS), so they share similarities. But they are separate standards: an organisation can only be certified against ISO 27001.

ISO 27001 is an information security management system standard. Its roots go back to the British standard BS 7799 in the mid 1990s (fun fact, might come up in a pub quiz one day). Part 1 of BS 7799, the code of practice, became ISO/IEC 17799 in 2000 and was renumbered ISO/IEC 27002 in 2007; Part 2, the certifiable management system requirements, became ISO/IEC 27001 in 2005. ISO 27001 was then revised in 2013 and again in 2022.

ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. It is the standard an organisation is actually audited and certified against.

ISO 27002 is closely related to 27001 – both are part of the ISO/IEC 27000 family. ISO 27002 can be used to shape the ISMS into the context of the organisation. It provides guidance to help businesses select and implement relevant ISMS security controls – all of which are listed in the good ol’ Annex A of ISO 27001. ISO 27002 provides (very) thorough implementation guidance on each of these controls.

Another fun fact (!) an organisation cannot be certified against ISO 27002, only 27001.


So what’s new?

Well, when ISO 27001 was revised in 2022, the powers that be got together and decided to align the standard with the harmonised structure used by the other ISO management system standards. As a result, there’s a bit of re-numbering to be seen across the clauses of the standard. Aside from that, there are just a few changes:

  • A requirement to define the processes needed for implementing the ISMS, and their interactions;

  • A requirement to communicate the organizational roles relevant to information security within the organization;

  • A brand new clause 6.3 – Planning of Changes;

  • A new requirement to ensure the organization determines how to communicate as part of clause 7.4;

  • And new requirements (clause 8.1) to establish criteria for operational processes and to implement control of those processes in accordance with the criteria.

There have been some changes made to ISO 27002 as well, and they flow through into Annex A of ISO 27001. The controls have been consolidated from fourteen domains into just four themes:

  • People (8 controls)

  • Organisational (37 controls)

  • Technological (34 controls)

  • Physical (14 controls)

Easy!

The number of security controls listed has decreased from 114 to 93, because a number of controls have been merged. All but 35 of the controls have been updated, and there are 11 new controls.

Those new controls (with their ISO 27002:2022 control numbers) are:

  • 5.7 Threat intelligence

  • 5.23 Information security for use of cloud services

  • 5.30 ICT readiness for business continuity

  • 7.4 Physical security monitoring

  • 8.9 Configuration management

  • 8.10 Information deletion

  • 8.11 Data masking

  • 8.12 Data leakage prevention

  • 8.16 Monitoring activities

  • 8.23 Web filtering

  • 8.28 Secure coding

So this is all very exciting.


Project Kick Off …

Galaxy had a support meeting with their external auditor at the start of June. We discussed the requirements of the revised standard and what Galaxy needed to do to upgrade their ISMS prior to their external audit in November 2023.

The work requires a formal change management approach, which Fran will oversee. The project has been called Project Hash Brown, a nod to both cryptographic hashing and Rendevous’ famous breakfast hash browns (highly recommended).

Follow our Blog as we begin our upgrade adventure …
