ISO 27001:2022 Transition Challenges and How to Use ISO 27002

Practical insight from an ISO 27001 consultant

With ISO 27001:2013 certification now unavailable, organisations must transition to the 2022 standard for their ISO 27001 certification to remain valid.

What are some of the challenges organisations face? And how can they overcome them?

We put these questions to Matthew Peers, who helps our clients implement and prepare for ISO 27001 certification.

In this interview

Transitioning challenges

Tackling the new Annex A control set

The importance of documenting your processes

When documentation is and isn’t required under ISO 27001

Other evidence types you can present to your auditor

ISO 27002 benefits/use cases: the “good ideas book”

The usefulness of the ISO 27002:2022 attributes

What are the challenges of transitioning to ISO 27001:2022?

One challenge I’ve been seeing is updating all the documentation to match the new Standard.

In ISO 27001:2013, Annex A contained 14 groups of controls. Now, we just have four [themes]. ISO 27001:2022 also introduced new controls, and merged many of the existing ones. So, organisations must update their documentation to reflect that.

Depending on the organisation, that can predominantly mean updating their SoA [Statement of Applicability], which must reflect the current Annex A control set. However, the same principles apply now as they did in 2013: if the control isn’t relevant to you, you can exclude it.

For example, if you’re a 100% remote organisation, you can exclude most, if not all, physical controls. Or if you don’t do software development or testing, you can exclude those controls [e.g. secure coding (8.28) and security testing in development and acceptance (8.29)].

So, the key thing to pay attention to is the new control set?

That is by far the biggest change to the new editions, yes.

ISO 27002 was completely overhauled in 2022, whereas the main clauses of ISO 27001 [Clauses 4–10] saw comparatively minor updates, largely to align them to the latest Annex SL.

Interviewer note: ISO 27002 and Annex SL

ISO 27002 is the companion standard to ISO 27001, offering guidance on the Annex A controls. ISO 27002 was updated in February 2022, eight months before ISO 27001:2022 was published.

Annex SL provides a common structure for ISO management system standards, making it easier for organisations to use their resources more efficiently by operating an integrated management system.

Do you see organisations struggling with the new controls?

Not particularly, because many organisations already had versions of those controls in place. Though they’re new to ISO 27001 and ISO 27002, those controls weren’t particularly novel in the wider landscape.

Don’t forget: the previous version of the Standard was published in 2013 – the cyber world has changed a lot since then.

In any case, ISO 27001 has never prevented organisations from adding their own controls to their ISMS [information security management system]. Organisations can even use a different control set entirely, so long as they then map it against Annex A to give auditors [and other stakeholders] a clear point of reference.

What are some examples of controls new to ISO 27001 that organisations were already using?

‘Information security for use of Cloud services’ [control 5.23] is something organisations have already been doing. Or at least, those with ISO 27001:2013 certification – a sample that is, of course, biased towards more security-aware organisations.

‘Web filtering’ [8.23] is another one. Clients can tell me: “Yes, we’ve been monitoring and managing access to external websites.” Or they show me: “Here’s how we get alerts for unusual activity, and this is how we follow up on them.”

Then you’ve got ‘threat intelligence’ [5.7]. I’ve seen organisations that were already following a handful of sources, or subscribed to a few newsletters.

But the big change is that organisations must now formalise and document their existing practices, and make sure they meet the standard set by ISO 27001 and ISO 27002. And this is a very good thing about the new Standards: they raise awareness for these security best practices.

Why is documenting your processes so important?

For one, this gives organisations a good reference point. Suppose a key person left the organisation. Or is on holiday or sick. Documenting their knowledge means others will know what to do, and how to do it. It ensures consistency.

Another benefit is that it focuses the mind. Writing things down gives clarity. It’ll also make you inclined to reduce or simplify things where you can, particularly if you also review your documentation at least annually.

For example, ISO 27001 requires you to determine the interested parties relevant to the ISMS [Clause 4.2.a]. Well, that list is prone to changing, so if you review it every year, you’d very likely find that you can take names off that list, or need to add new ones.

Even if the list of names remained unchanged, their expectations likely did change. With all these regulatory changes, like the introduction of DORA, and the DPDI Bill falling through, that’s virtually inevitable.

[DORA (Digital Operational Resilience Act); DPDI (Data Protection and Digital Information) Bill.]

The Standard doesn’t always explicitly require documentation. How can organisations determine when they should and shouldn’t document a process?

That’s crystal clear when ISO 27001 says “shall”. For example, Clause 4.3 says:

The scope shall be available as documented information. [Emphasis added.]

Or Clause 5.2.e, which says:

The information security policy shall be available as documented information. [Emphasis added.]

But the note in Clause 7.5.1 explicitly points out that the extent of documented information for the ISMS differs per organisation depending on its complexity and size. [Notes in the Standard are for clarification purposes only; they’re not requirements.]

Plus, you get requirements like Clause 10.2, which requires organisations to do various things around nonconformities and corrective actions.

However, the only documented information that “shall” be available is on the nonconformities and corrective actions themselves, and the results of those actions. Not on the processes around reacting to and evaluating nonconformities.

But it’s still a good idea to document those processes, right? How can organisations balance best practices against the reality that resources are finite?

Where the Standard doesn’t explicitly require a document, ask questions like whether anyone else other than [John Smith] knows how to do something.

Where the answer is ‘no’, that’s a sign that you probably should document it.

What about from an evidence perspective in an audit?

Documentation generally offers a practical way of providing evidence in an audit, yes. But it doesn’t have to be formal, where the Standard doesn’t require it.

You could provide screenshots to show that you’re carrying out a process. Or you can have software automatically generate records.

Documentation is fundamental to any ISO management system, but definitely not the only way of generating evidence to prove your compliance.

We’ve touched on ISO 27002 a few times. What are the benefits of referring to it?

I refer to ISO 27002 as the ‘good ideas book’.

If you’re struggling with how to implement a given control, look at the guidance in ISO 27002. It’ll jog your memory, or spark some ideas to get you on the right track.

Or you might come at it from the other direction: ‘This is how we’ve previously done it; is there a better way of achieving that?’ Then you’d refer to ISO 27002 to see if you can borrow ideas.

It can also trigger ideas by reminding you of things you need to achieve, even without being specific about how to achieve them.

Can you give us an example?

Control 6.5 – ‘responsibilities after termination or change of employment’ – says to establish various processes following a change of employment or someone leaving the organisation, without specifying what those processes should look like.

But how do you remind people of their contractual obligations [e.g. around non-disclosure and intellectual property] after they hand in their notice? Well, you could:

Prepare a leaver’s checklist, which includes security requirements; and

Send the leaver an email or a letter, reminding them of the relevant clauses in their contract.

This simple approach meets the requirements of the Standard. But it’s not the only approach – you could also, for example, mention it during a formal exit interview. I recommend having some kind of physical proof though – i.e. something in writing.

The 2022 version of ISO 27002 introduced attributes. Do you find them useful?

Yes, they give a practical, quick overview of what the control is meant to achieve. Whether the control is targeting confidentiality, integrity and/or availability; whether it’s preventive, detective and/or responsive; etc.

They’re just useful reminders about what the control is and isn’t intended for.

When you take the overall control set an organisation has implemented for its ISMS, do you think the ISO 27002 attributes give a good overview on whether the organisation has taken a balanced approach to security?

Yes, I suppose the attributes could be used in that way.

That said, if you have experience with ISO 27001 and ISO 27002, that balance will probably already be there. Or rather, the balance will be right for your organisation.

Remember that information security isn’t ‘one size fits all’, and ISO 27001 reflects that. If you’ve selected the controls your organisation needs, and can justify why you’ve excluded the controls that you have, you should be meeting the Standard’s requirements.

As a consultant, it’s my job to figure out what’s right for the client, based on its specific organisational context, like its size, sector, complexity, and so on.

And if the client’s happy, and ready to have its ISMS certified – happy days, job done!

About Matthew Peers

Matthew is one of our GRC (governance, risk and compliance) consultants, who specialises in ISO 27001 and ISO 9001.

He has a background in intelligence and security, having served in the British Army Intelligence Corps for 12 years, providing intelligence and security advice to personnel and their families in the UK and abroad. This included deployments to Iraq, Afghanistan, the Falkland Islands and Ukraine.

Previously, we’ve interviewed Matthew about ISO 27001 and physical security.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
