The ISO 27001:2013 is about to be replaced by an updated and improved version. This version will introduce new categories and controls for ISMS. These changes have not been finalized, hence the information provided is still subject to change
The majority of the changes are in the Annex A controls which have now been grouped into four main control areas as opposed to the 14 controls in the current version.
In the current version, the standard required organizations to make an inventory of relevant assets to their information systems. The new version will require information to be classified as an asset and an inventory will be created for the information in an organization. This is a significant change to the standard.
A number of new controls have also been introduced in the new version to address the ever-changing threat landscape and emerging technologies. These include:
- Information security for use of cloud services
- Controls around threat intelligence
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
The standard now has 93 controls which are less than the previous 114 controls as some of the controls have been merged together. For example, the 3 logging controls (A12.4.1, A12.4.2, A12.4.3) have been merged into 1 control. Also, the ‘Removal of Assets’ (A11.2.5) control has been completely removed from the standard.
Hashtags have been introduced in the version to give it a better look and feel. Each control is hashtagged in 5 different areas in order to highlight the element or function that the control performs in different aspects of Cybersecurity within the ISMS. The areas include:
- Control Type
- Cybersecurity Concept
- Operational Capabilities
- Security Domains
What this means for Organizations
The new standard is expected to be made public by the end of 2021 or in early 2022 thus, organizations are advised to not make any changes until the new standard has been published. For organizations that currently certify to the ISO27001:2013, there will be a transition period (probably 2 years) during which they will be able to update their ISMS with the new controls. After which they will have to be recertified by their certification body. There will be a cut-off point (expected by 2023) after which no new certifications to the old version will be permitted.