How Can Organisations Transition to ISO 27001:2022?

Addressing the new Annex A control set

Organisations with ISO/IEC 27001:2013 certification must transition to ISO/IEC 27001:2022 by 31 October 2025.

The biggest change for organisations is Annex A, which has been overhauled and includes 11 new controls.

How can organisations best approach this new control set? What changes to the main clauses of the Standard tend to get overlooked? And what are common mistakes to avoid when transitioning?

Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains.


Are the new controls in ISO 27001:2022 applicable?

Where do organisations start when transitioning from ISO 27001:2013 to ISO 27001:2022?

First, look over the 2022 Standard and understand the changes from the previous version, particularly to the controls in Annex A – that’s where the big changes are, including 11 new controls:

  • 5.7: Threat intelligence
  • 5.23: Information security for use of Cloud services
  • 5.30: ICT readiness for business continuity
  • 7.4: Physical security monitoring
  • 8.9: Configuration management
  • 8.10: Information deletion
  • 8.11: Data masking
  • 8.12: Data leakage prevention
  • 8.16: Monitoring activities
  • 8.23: Web filtering
  • 8.28: Secure coding

Organisations should look through those new controls, and determine whether or not they’re applicable. When I conduct a transition gap analysis, the first question I ask is whether the new controls are relevant.

For example, I recently did a gap analysis for a client that has all their systems in the Cloud, and all employees work from home. So, physical security monitoring, one of the new controls, was an ‘easy win’ – we could quickly establish that control wasn’t relevant for them.

But for controls that are relevant to the client, I establish what measures they already have in place to help them meet the requirements of those controls.


Challenges for control 5.23: information security for use of Cloud services

Many organisations already had some of the new ISO 27001 controls in place before the 2022 Standard was published – information security for use of Cloud services [5.23], for example. Do those also offer ‘quick wins’?

Again, you need to pay attention to the requirements of those controls – what exactly does the Standard say?

To take Cloud security as an example, control 5.23 says:

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. [Emphasis added.]

First, note that the Standard uses “shall” there, meaning that these are all requirements, not guidance.

Many organisations have measures in place for the acquisition, use and management of Cloud services, but lack an exit strategy. In other words, if you ever wanted to leave a provider for any reason, how would that work? How would you get your data out of the Cloud and potentially transferred to another provider?

I’ve done a few audits where I’ve had to issue a nonconformity for this control because the organisation simply hadn’t thought about their exit processes.

Why is that problematic?

Many Cloud service providers have a ‘sticky’ business model. They make it easy for you to put data into their service, but difficult for you to get the data out again.

So, before engaging your service provider, check for red flags in their terms of service.

And with small providers, consider the risk of them going out of business, or significantly changing their working practices such that the service no longer meets your requirements. How will you be getting your data out in those situations?

Think about your exit strategy and processes.


So, even if you already had Cloud-related measures in place, make sure they’re sufficient to meet the requirements of ISO 27001:2022.


Challenges for control 5.30: ICT readiness for business continuity

What other new controls might have a similar problem, where organisations are doing ‘something’ about the control, but not enough to satisfy the Standard’s requirements?

Control 5.30: ICT readiness for business continuity.

I’ve seen lots of organisations with big, solid business continuity plans – particularly if they’ve previously worked with a consultant. But ISO 27001 says:

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. [Emphasis added.]

Often, organisations haven’t tested their plan to make sure it works as intended – meaning that, if they ever needed to invoke it, they’d have no idea whether it’ll work.

They don’t know whether they’d actually be able to bring back their ICT services within their business continuity objectives.

What sort of evidence would you need to be able to present in an audit in terms of testing your BCP [business continuity plan]?

I’d expect the organisation to be able to talk the auditor through some past tests and, at a minimum, have something in writing about the lessons learned and implemented.

The organisation should also have a written test plan.


Challenges for control 5.7: threat intelligence

Which of the other new controls can present implementation challenges?

Threat intelligence [5.7] is another one. What does the Standard say?

Information relating to information security threats shall be collected and analysed to produce threat intelligence. [Emphasis added.]

Just signing up to a few newsletters isn’t enough. You need to collect the information and be able to show you’re analysing it:

  • Is the information relevant to your organisation?
  • Does it highlight threats that could exploit vulnerabilities within your environment?
  • If so, how do you communicate that information to the right people so that appropriate action can be taken to protect the organisation?

When auditing this control, what sort of evidence would demonstrate that the organisation is analysing their threat intelligence?

As the auditor, I’d ask the person responsible for that control – let’s say the information security manager – about what sort of intelligence they’re collecting.

Then, I’d ask how often they review it, and what evidence they have of follow-up actions. That doesn’t need to be anything formal – just an email to the process owner, telling them they need to install a patch, would do. Or evidence of a call or a service ticket – anything like that.

As an auditor, I just need some proof you’re fulfilling the requirements of the Standard, and you’re addressing your risks.



Challenges with existing controls

This pattern of partially implemented controls – is it just an issue with the new controls, or also the merged controls? [ISO 27001 merged 56 controls from the 2013 Standard into 24 controls in the 2022 Standard.]

It has much more to do with human nature than specific versions of the Standard.

We’ll often read the start of a sentence, then gloss over the rest. We make an assumption about how the sentence ends. But that’s not something you can do when working with a prescriptive ISO standard.

The classic example is information backup [control 8.13 in ISO 27001:2022]. Everyone says they do backups – great! But can you also restore them? Do you test your backups to make sure you can actually use them when needed?

Likewise, with threat intelligence, just collecting the information isn’t enough. You also need to analyse it to establish its relevance and, if necessary, take follow-up action.


Climate change and ISO 27001

What about the main clauses [Clauses 4–10]? Have you noticed common oversights there in terms of transitioning to ISO 27001:2022?

The one that frequently gets missed – because it wasn’t in the original ISO/IEC 27001:2022, but published as a bulletin by UKAS that amended all ISO management system standards – is climate change.

Organisations must now, as part of their management system, determine whether climate change is a relevant issue for the ISMS, or if relevant interested parties have requirements related to climate change.

But for the overall transition, the biggest change – the one most likely to give people a headache – is aligning the old to the new control set.


Gap analysis and action plan

What concrete steps should ISO 27001:2013-certified organisations take, to prepare for their first ISO 27001:2022 audit?

Ideally, you’d first understand what the changes are, then arrange for a gap analysis, which forms the basis of your action plan.

When we conduct a transition gap analysis, we focus on the 8 key changes made to the main clauses in ISO 27001:2022 and the 11 new controls in Annex A. We then document our findings in a report, going into detail for each of those key changes and new controls.

Here are some redacted examples from a recent client:

But, again, with the controls, the first step is to establish whether the controls are relevant to the client.

In other words, is there an information security risk that requires those controls to be in place?

Because, at the end of the day, a control is a tool for mitigating a risk in terms of its likelihood, impact, or both. And to address that risk, you ideally want to implement multiple controls to achieve defence in depth.

Where does the action plan come into things?

Our reports include a table that lists all actions the client needs to take to become compliant with ISO 27001:2022, and the estimated number of days needed for each action:

Separate to the above, the report will also outline a suggested project plan.



About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.

He has an MSc in cyber security risk management and maintains various professional certifications.

As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.

We’ve previously interviewed Damian about selecting effective security controls, common cyber security and ISO 27001 myths, cyber resilience and defence in depth, the insider threat, and more.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.


We first published a version of this blog in October 2022.

The post How Can Organisations Transition to ISO 27001:2022? appeared first on IT Governance UK Blog.