Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly around certification since '27002:2022 no longer aligns with '27001:2013 Annex A.
The situation, today, is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were:
- Organisations that choose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability.
- Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent interim audits and re-certifications.
In other words, it's business as usual ... but looking forward, there are of course changes afoot.
A formal amendment to ISO/IEC 27001:2013 is currently being prepared:
- A draft of the amendment is already available through ISO if you can't wait for it to be finalised and released - which I understand is expected to happen in the next few months, possibly as late as August 2022 but hopefully sooner.
- The draft amendment essentially replaces Annex A with an equivalent that references and summarises the controls from ISO/IEC 27002:2022. It is likely to retain the succinct tabular format of the original Annex A i.e. it will reference each control by its '27002:2022 clause number prefixed with "A." (for Annex A), then state the control's title, followed by a single sentence outlining the control. As before, it will not elaborate on that outline: readers should consult '27002 for the supporting explanation and implementation advice - typically half a page of detail per control - and/or look to other sources of guidance, of which there are many.
- There may also be minor wording changes in the main body clause about the SoA, specifically in the notes for clause 6.1.3. More specifically:
- Note 1 may drop the word 'comprehensive' since Annex A is patently not a totally comprehensive list of information security controls. The very fact that '27002:2022 adds 11 new controls puts the lie to that. This change underlines the point that organisations may need controls not even outlined in Annex A or described in '27002:2022.
- Notes 1 and 2 may drop references to 'control objectives'. Those have been morphed into 'control purposes' in '27002:2022. Moreover, it has been claimed that some users of the standard struggle with the very concept that information security controls are intended to achieve something useful for the business [! Personally, I feel it is a shame to have dumbed-down the standard and further weakened the link between information security controls, information risks and information of value to the business ... but it was a committee decision, not mine.]