ISO 27001 Has Changed: What’s new?
The international information security management system (ISMS) standard ISO/IEC 27001 was originally published in 2012. And much has changed in the ecosystem since then – too much to track in one article anyway. That’s exactly why last year, its authors gave the standard a refresh. What are some key updates?
Holdovers from the original ISO 27001
Well, the short answer is many of the controls in ISO 27001 have changed.
But before we get there, remember that ISO 27001 itself suggests generic methods and practices of implementing information security in organizations. Not much changed there.
What’s more, the standard also provides a means of enabling secure, reliable communications of security risk, while emphasizing the necessity of adequate training as a prerequisite for implementing then communicating security procedure.
Even with updates, that procedure must be continuously monitored, checked on, and improved upon, to ensure the effectiveness and efficiency of the ISMS.
Here, the standard continues to task senior management – not just top executives but business line owners, as well – with the control of the end-to-end certification and implementation process.
That process, in its entirety, consists of determination of security policy, definition of roles and responsibilities, recruitment, and preparation of necessary personnel and material resources, as well as decisions on risk management.
ISO 27001 gets a refresh
Despite these continuities, there are clear differences.
For one, the new ISO 27001:2022 more clearly emphasizes process orientation in information security management. Another major change: the increased centrality of risk management. And that’s demonstrated by the below:
- Adaptation to the so-called Harmonized Structure
- Emphasis on best practices for managing various information security vulnerabilities
- Highlighting the significance of process orientation, a feature shared by all HS-based management systems
Security management is all about execution, though. That’s where controls come in.
The original standard included an appendix replete with detailed security controls for multiple security risk points. The updated standard does, as well, revising many of the earlier controls for an era of increased security risk.
Specifically, the updated standard adds 11 new controls. Meanwhile, 24 existing controls get combined, and 58 controls get modifications.
Focus on changes to physical security controls
Where do physical security controls (including people) factor among these changes?
Information assets, as they’re known, exist in physical space, manipulated by personnel. That basic reality leaves those assets vulnerable despite the most stringent (purely) information security measures.
And so, like the original, the updated standard dedicates time to discussing physical and environmental security control objectives and controls as well as the role of people. But unlike the original, the updated standard singles out physical security monitoring.
The recommended control to effect serious physical security monitoring is to continuously monitor all premises for unauthorized physical access.
What are some other controls for physical assets and people, recycled from the original or otherwise? To get the comprehensive list, download our Guide to ISO/IEC 27001:2022.