With the recent revisions of the ISO 27001 standard, it’s important for firms to understand the key changes and next steps to ensure transition to adhering to the standard.
With over 20 years of experience as an ISO 27001 consultant and cyber security expert, Andy Brophy, Founder of Inavate Consulting, has led hundreds of independent audited ISO 27001 implementations so he is well placed to talk about the new standard.
Andy recently wrote an article for Security Journal UK with his advice on the changes to be aware of with the new ISO27001 standard. Here is what you need to know.
Andy Brophy, Founder, Inavate Consulting
What do you think about the new Standard?
The time was right for the Standard to be updated. People tried to shoehorn out-of-date controls to manage risks, particularly when it came to the cloud and hybrid working.
Having gone through many certifications and transitions to reach new versions of the Standard. We’ve been doing this for so long we’ve seen it evolve from BS7799 to ISO2701:2005, then ISO27001:2013 /17 and now 27001:2022. As always, there appears to be differing views between the auditing bodies and, in fact, sometimes, between auditors within the same certification body.
This can be frustrating from an implementation point of view, but it’s good to see different interpretations as long as the auditor’s interpretation is aligned with the Standard.
Over the years I’ve worked with hundreds of firms to get them to ISO 27001 certification, you could say I am possibly one of the most audited people around when it comes to 27001, and I still learn from every single project we deliver, and audit we attend.
What are the key changes to ISO 27001?
Key changes from the information security management system perspective include:
- Updating your list of interested parties to indicate which of their requirements are addressed by the Information Security Management System. This becomes particularly important if you have multiple standards and integrated management systems.
- Defining processes for maintaining and improving the Information Security Management System and, importantly, their interaction. One way to view this is to consider the management system an ecosystem and show how, for example, data from incidents, threat intelligence, audits, suppliers, and measurements can be included within the risk assessment. Or if the business is on an acquisition spree how the new companies are integrated into the ISMS. The ISMS section of the Standard only refers to the “risk assessment and risk treatment processes”, so implement the ISMS processes that you feel will add value and assist in managing and maintaining the ISMS, not process for the sake of processes. You will of course need to implement applicable control-based processes and procedures.
- You also need to now define the “criteria” for the processes and their implementation. It’s worth getting a copy of ISO27022, information technology guidance on information security management system processes. It’s based on the previous version 27001 but does give a good starting point for understanding this requirement. Of course, tailor the processes to your business.
- You must also define how you control “externally provided” products and services relevant to the information security management system and link them to, for example, your vendor/supplier management processes or activities/functions provided by Group / out-of-scope teams/departments.
- There is a new requirement for addressing changes to the information security system, and you might want to, for example, include how changes to the needs and expectations of interested parties, suppliers, scope, context, legal compliance requirement, governance structures, roles etc., are identified, managed and propagated through the ISMS.
- Don’t forget to update the agenda items for the management review to explicitly include “changes and needs and expectations of interested parties that are relevant to the information security management system”.
What are the next steps once the ISMS is updated?
Once you have updated the Information Security Management System, you must review and update the current risk assessment.
To map to the new control numbering and, if relevant, select controls from the new set of controls to manage existing or new risks, not forgetting to create new policies and, where applicable, update existing documents and implement technical solutions to meet the new controls. You can use 27002 or other standards as a source for what should be covered.
Then, update the SOA
Create a new SOA (Statement of Applicability) with new controls that include the justification for the control, for example referring to the risk assessment, compliance needs, and so forth and for ease of use we recommend that it refers to supporting policies, process etc.
Not forgetting, as with the old version of 27001 you need to indicate if the control is “implemented or not”. I have to say I am not a fan of this binary rating in the Standard. It is easy if the control is not applicable, or has not been implemented, but, for example, when a customer has identified a risk and partially implemented the Data Leakage Prevention control within the scope or focused on the detect attribute, it’s a bit of a grey area; some certification bodies appear to accept a partial rating, some a percentage, others just yes or no. So, I usually discuss it with the auditor and take their lead.
Are there any other changes to be aware of?
There is also the additional requirement to “monitor” objectives. As a consultancy, this is something we’ve always done, which is good news for our existing clients as they don’t need anything. Our whole 5D implementation methodology is based upon an organisation defining its security objectives, and we work with them to implement them within business-as-usual activities.
You will need to update your audit schedule to include the new ISMS and control numbering, as well as any ISMS processes, and we recommend that you conduct audits on the ISMS changes and new controls.
What is the 5D methodology?
5D is our method of implementing 27001: define, design, deploy, demonstrate, develop. Without going into a massive rabbit hole or substantiating the view that I am a complete 27001 anorak, our 5D approach shows how we link mandatory requirements and controls into an ISMS and forms part of our compliance without the complication ethos.
Where should people start?
It’s most important for a firm to get copies of the new versions of ISO27001, ISO27002, and also, if relevant, a copy of ISO27022, conduct a gap assessment, and then update the ISMS, risk assessments, SOA, policies, procedures, and technical controls.
But before doing that, hold a management review with the leadership team to explain the changes, get their agreement on the update and then go with it.
Key takeaways
A key message to get across is to wrap 27001 around your business. There’s no value in taking a tick-box approach to the Standard; it’s got to work for you.
We recently worked with an organisation of 50 people whose ISMS comprised over 200 separate documents – which made understanding of functionality or what value it provided a challenge. We did fix it for them, and they ran solo at the audit with no non-conformities. It’s more challenging to make things simple, and that’s what we are good at.
If you’re seeking to smooth your transition to the updated standard, it’s essential to stay proactive, to not only implement but understand the nuances. The standard has evolved, and so must our approaches ensuring resilience and integrity of our data-driven world.
And, of course, if you need support, we are here for you.
You can read Andy’s article in the April issue of Security Journal UK.
