ISO 27001 Update: What it Means for You
ISO reviews all standards every five years. This change ensures they stay relevant in an ever-changing world. They don't have to make any changes, but they have to review them. And if they do decide to make some changes, that will add a few more years before a new version is released. That is why we typically see standards change in 7-8 years.
ISO 27002 is about information security controls. Controls to keep your information secure. They're often thought of as Cyber Security controls, but they are much more. IT holds most of our information these days, but the cause of problems can be physical, human, and even documentation. So 27002 is a comprehensive list of controls that might apply to you and should be considered a minimum set of controls to consider if you want to be assured you have information security under control. Note that none of the management and topics are mandatory for you to implement – only if they are relevant. But rightly, you should consider and justify them all.
Because of the ever-changing information security environment, it is necessary to update these controls regularly, and thus 27002 is an easy target to expect it to be changed. And that just happened. ISO 27002 has been reissued following some substantive changes. This is good because it allows us to take a more relevant look at our information systems. That's never a bad thing, and nothing in 27002 is mandatory, so it will be about reviewing, checking, and deciding.
And while looking quite quickly will be beneficial, certification bodies will likely give one to three years to make any changes. It doesn't make sense to delay looking, but there is no panic. Further, the process of "looking" at these new controls is governed by ISO 27001, which has not been updated…..OK, it has been updated, but it's not been reissued yet. The expected changes in 27001 are not thought to be very significant. It is assumed that the references to 27002 will be updated to reflect the changes in that standard, and maybe some minor changes to its primary processes but nothing too challenging.
Probably the best approach is to wait for both standards to be formally issued, gather resources, review and plan the update. Make any adjustments to the management system relevant to you (27001). Then, use that solution to check new security controls and see if any changes to your security posture are necessary (your call).
Your certification body will likely take a little while to get organized to conduct audits to the new standard, so you don't need to rush. If you are about to or have just gotten certified, then wait to formally upgrade to the latest versions of the standard for as long as they will let you – but make sure it's planned. If you have a more mature system, it's a great tool to look at sooner rather than later.
Cavendish Scott can help you with your 27001 solution. The management system is the key even if you have to address DFARS, NIST 800 53/171, CMMC, etc., the management system is the key. If you are already ISO 27001 then get an internal audit from Cavendish Scott – you won't get a better internal audit, including consulting, advice, risks, and opportunities. Contact us here for questions answers, and to discuss your situation.
Cavendish Scott is a management system and process expert, designing and implementing solutions to meet and certify to ISO 27001. We guarantee success. Colin Gray has been working with ISO management systems for over 30 years and has seen thousands of successful certifications. He is a consultant, trainer, and auditor, having audited for many certification bodies. His focus is on practical, meaningful, and easy-to-maintain solutions.