New ISO/IEC 27001 revision 2022

Cloud security, business continuity management and thread monitoring as focus points of the revised ISO/IEC 27001

New ISO/IEC 27001 revision 2022

The ISO/IEC 27001 standard for information security management has been revised after five years. It provides protection against threats from the Internet.

This is achieved by introduction of suitable measures (“controls”) for the organization following a risk analysis.

A total of almost 100 such measures are planned, which must be continuously maintained in the sense of ongoing quality management (Kaizen, PDCA).

The introduction of ISO/IEC 27001, like cybersecurity in general, must be supported and borne by the management. The result is an information security management system that represents the best possible protection against cyber risks.

ISO/IEC 27001 provides for the possibility of auditing for an organization or an organizational unit.

Summary

  • ISO/IEC 27001, as one of, if not the most important standard for cyber and information security, has been reissued in a revised version.
  • Basic concepts such as information security management system, risk management and measures (controls) are retained.
  • New are focal points for current threats such as Ransom Ware:
    • Cloud Security,
    • Business Continuity and
    • Thread monitoring (at strategic, tactical and operational levels).
  • The newly accentuated controls for business continuity and thread monitoring in particular will generate an increased need for evaluation and implementation from a management perspective.
  • The new structure of the controls into four groups appears clear, but together with the slightly adapted structure, it will create a need for adaptation and integration in existing ISO/IEC 27001 implementations.

Details

  • The ISMS remains as the control center for the measures (controls).
  • The PDCA cycle for continuous quality improvement remains in place.
  • The basis for all measures is still risk management, the methodology of which can be freely selected (e.g. ISO/IEC 27005, OCTAVE, FAIR or IT-Grundschutz 200-3 for elementary hazards).
  • The annex is aligned with ISO/IEC 27002 and is now divided into four subject areas, into which the previous 114 controls have been consolidated to 93:
    • “Personal measures” with 8 controls is aimed at individual persons;
    • Physical measures" with 14 controls addresses measures for physical safety;
    • Technical measures" with 34 controls, and
    • “Organizational measures” with all remaining 37.
  • The following controls are new
    • 5.30 “ICT Readiness for Business Continuity”, for ensuring the availability of information systems in the event of disruptions (BCM, cf. ISO/IEC 22301);
    • 5.23 “Information Security for Use of Cloud Services”, which provides for dedicated cloud security policies, among other things;
    • 5.7 “Threat Intelligence”, which calls not only for network monitoring but also for comprehensive strategic, tactical and operational monitoring of the threat situation.
  • The Annex is still based on ISO/IEC 27002, which provides for this modified structure:
    • Title, Attributes, Measure(s) Description, Purpose, Guidance for Implementation, Further Explanatory Information and Reference to Co-applicable Documents.
  • Attributes have been added for better management, but the Control Objectives for structuring have been dropped and replaced by the Purpose Description, so that the assignment of the controls to business areas must now be made freely.
  • For existing use, the Statement of Applicability (SoA) must be reworked.
  • Furthermore, references to TISAX (automotive) or B3S (for KRITIS) or EnWG must be adapted.
  • The requirements for BCM and threat analysis can be complex to implement.

References