Welcome to the SecAware blog

I spy with my beady eye ...

25 Feb 2022

Transition arrangements for ISO/IEC 27001

Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly around certification since '27002:2022 no longer aligns with '27001:2013 Annex A.

The situation, today, is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were:

  • Organisations that choose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability.
  • Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent interim audits and re-certifications.

In other words, it's business as usual ... but looking forward, there are of course changes afoot.

A formal amendment to ISO/IEC 27001:2013 is currently being prepared:

  • A draft of the amendment is already available through ISO if you can't wait for it to be finalised and released.
  • The draft amendment essentially replaces Annex A with an equivalent that references and summarises the controls from ISO/IEC 27002:2022. It is likely to retain the succinct tabular format of the original Annex A i.e. it will reference each control by its '27002:2022 clause number prefixed with "A." (for Annex A), then state the control's title, followed by a single sentence outlining the control. As before, it will not elaborate on that outline: readers should consult '27002 for the supporting explanation and implementation advice - typically half a page of detail per control - and/or look to other sources of guidance, of which there are many.
  • There may also be minor wording changes in the main body clause about the SoA, specifically in the notes for clause 6.1.3. More specifically: 
    • Note 1 may drop the word 'comprehensive' since Annex A is patently not a totally comprehensive list of information security controls. The very fact that '27002:2022 adds 11 new controls puts the lie to that. This change underlines the point that organisations may need controls not even outlined in Annex A or described in '27002:2022.
    • Notes 1 and 2 may drop references to 'control objectives'. Those have been morphed into 'control purposes' in '27002:2022. Moreover, it has been claimed that some users of the standard struggle with the very concept that information security controls are intended to achieve something useful for the business [! Personally, I feel it is a shame to have dumbed-down the standard and further weakened the link between information security controls, information risks and information of value to the business ... but it was a committee decision, not mine.]
The release of that amendment will formally trigger the process of revising the direction given to certification bodies by their accreditation bodies about how to audit clients to the amended standard - including, I anticipate, guidance on the transitional arrangements for clients who are seeking or maintaining certification against ISO/IEC 27001:2013 - either with or without the amendment. Previously, similar changes have led to a grace period of up to two years, hence organisations may be able to continue using the original Annex A as the basis of their SoA for some while. Meanwhile, they can, as at present, use '27002:2022 or other control catalogues for inspiration if they feel other controls are appropriate or necessary to mitigate unacceptable information risks. Again, nobody is required to use the Annex A controls, nor are they constrained by it. That key point will not be affected by the changes ahead [unless something dramatically changes, which I doubt.]
Strictly speaking, there is nothing to stop organisations stating in their SoAs that NONE of the ISO/IEC 27001:2013 Annex A controls are applicable, justifying that extreme position "because the reference standard ISO/IEC 27002 has been updated" (or words to that effect) ... but if so, they should still anticipate the need to convince the certification auditors that they have, in fact, duly considered all the Annex A controls but chose to adopt others (e.g. those from '27002:2022 and/or other sources) to mitigate unacceptable information risks.

The situation is a bit messy because ISO does not formally get involved in accreditation and certification: there is a deliberate division of responsibilities between generating standards and certified compliance, apart from ISO's Conformity Assessment Committee that bridges the gap. The accreditation bodies take their direction from the International Accreditation Forum. So, if this blog piece leaves you confused over the transitional arrangements, I suggest contacting your national accreditation body or certification body, or the IAF (not me, not ISO!) for more details.
Certification and SoA aside, I recommend using ISO/IEC 27002:2022 as one of several sources of good security practices. The latest revision to '27002 brings it bang up to date, as much as a formal product from a busy international committee can ever be cutting-edge anyway! If you are into, say, IoT or AI, you should look elsewhere for additonal information security guidance. For the rest, though - the basics - '27002 does very nicely thank you.

1 comment:

  1. Great piece. Succinct and straight to the point. I will take my questions to IAF as advised.