Welcome to the SecAware blog

8 Jun 2022

Third edition of ISO/IEC 27001 coming

An ISO/IEC JTC 1/SC 27 meeting last night was informed that the planned amendment to ISO/IEC 27001:2013 is to be absorbed into a new third edition of the standard to become ISO/IEC 27001:2022.

Apparently, the new 2022 version of '27001 will have minor editorial corrections in the main body text (including one of the two corrigenda published previously), a small but valuable clarification to the notes on subclause 6.1.3, and a complete replacement for Annex A reflecting ISO/IEC 27002:2022.

The transition arrangements are still uncertain but this is my understanding:

  • Nobody will be able to use ISO/IEC 27001:2022 formally until it is published, hopefully on October 1st;
  • The International Accreditation Forum will publish a mandate for the national accreditation bodies (such as IANZ here in New Zealand) at the same time, with details of the 3 year transition period:
    • Accreditation and certification bodies will be required to update their processes, and train and prepare auditors for accreditation and certification against the new standard within a year of its release;
    • Organisations may wish to be certified against the new standard as soon as the certification bodies are ready to do so, or may (continue to) use the old standard for up to three years beyond its release, meaning a full certification cycle;
  • Already (right now), organisations are free to declare any or all of the controls in ISO/IEC 27001:2013 Annex A inapplicable in their Statement of Applicability, instead opting to use an appropriate selection of controls, e.g. from ISO/IEC 27002:2022, NIST SP800-50, NIST CSF, ISF, COBIT, CSA, GDPR, PCI-DSS and whatever other sources they like (including entirely custom control sets). This is in accordance with the current ISO/IEC 27001:2013 clause 6.1.3 note 2, which says in part "The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed."
  • Regardless of where the controls come from, organisations must:
    • Use '27001 Annex A as a checklist to confirm that they have not neglected controls that are in fact applicable and necessary to mitigate their information risks;
    • Justify the exclusion of controls from Annex A;
    • Justify the inclusion of 'necessary' controls in the ISMS SoA on the basis that they are required by the organisation to treat its unacceptable information risks; and
    • Indicate their status, i.e. implemented or not.

It is worth knowing that ISO/IEC 27001:2013 Annex A can be entirely excluded since it is at least partially out of date and an incomplete reference set of information security controls. ISO/IEC 27002:2022 is considerably improved, but even so it remains incomplete and weak in some areas, hence may well need to be supplemented by other controls that are relevant to each organisation's information risks.

Furthermore, the certification bodies should already be capable of certifying organisations that declare the current Annex A controls inapplicable, opting for other control sets instead. I'm not clear why they and the accreditation bodies would need up to a year to prepare for ISO/IEC 27001:2022. Maybe they will be ready sooner, especially given that their primary job is to confirm the mandatory management system elements against the '27001 main body clauses (which are to remain substantially the same as now), rather than conducting an in-depth audit of the information security controls.
