In October 2022, ISO/IEC 27001 was revised and the 2022 edition published. On behalf of the CQI, Richard Green CQP FCQI, JTC1/SC27 committee member, has reviewed the revision in two parts. Here, in Part 1, Richard focuses on why information security and controls are important.
The objectives of IS management
The three principal objectives of information security (IS) management are to preserve the confidentiality, integrity and availability of an organisation’s information assets.
- Confidentiality prevents the release of sensitive company and client information to those who would use it to do harm, and the release of commercially valuable information to competitors and other, undesirable, third parties.
- Integrity prevents information from being deliberately tampered with, or unintentionally altered, in order that it can be relied upon when making important judgements and decisions.
- Availability of information, where and when it's needed, in an appropriate format for the recipient, ensures that processes and procedures can operate efficiently, without delays.
Irrespective of the type of information asset, it will benefit from the application of the protections above.
Examples of information assets
An information asset can be regarded as ‘a definable piece of information, stored in any manner which is recognised as 'valuable' to the organisation’. Information assets come in many guises:
- business strategies and marketing plans
- customer lists and patents
- operating procedures and project management records.
The inventory can run to many pages.
The first important thing to note about information assets is that they're not all owned by the IT department. In fact the majority will belong to other departments in the organisation. Secondly, many of the information assets will be held as paper records. It's not just electronic records we're concerned with here. Lastly, the information assets an organisation holds will change regularly over time as new document types are brought online and old document types are withdrawn. This all adds up to the need to proactively manage, monitor and maintain information assets in a manner similar to that employed to manage assets such as infrastructure and equipment.
Protecting information assets
Protection of information assets starts with compiling a list of the information assets held. Once the organisation has an inventory of the information assets it holds, it can then move on to consider those threats that would compromise the confidentiality, integrity and/or availability of each asset. On identifying these threats, controls (a control being a measure that modifies risk) can be considered to mitigate, or ideally remove entirely, each threat. The organisation then applies the controls it has identified and makes a determination as to how the threat has been affected. Has the control had its desired effect, or has it made no difference? Has the application of the control actually made things worse? Even if the control appears to have worked it needs to be periodically revisited, as threats evolve over time and new threats emerge.
The protection process needs to be applied again whenever a new information asset is identified.
The ISO/IEC 27002 controls
For organisations seeking to implement an ISO/IEC 27001:2022 based IS management system, help is on hand when it comes to specifying controls.
ISO/IEC 27002:2022 contains 93 individual controls grouped into four themes:
- organisational controls
- people controls
- physical controls
- technological controls.
The organisation must determine which of these controls apply to its operation based on the products or services it delivers and the method of production and service delivery it uses. When an organisation chooses not to adopt an ISO/IEC 27002:2022 control it must provide a justification for its non-applicability. Controls which have been adopted, and any that have been rejected together with the reasons for rejection, are incorporated into a Statement of Applicability, one of the most important pieces of documented information an ISO/IEC 27001:2022 organisation is tasked with maintaining.
As well as the reference controls set out in ISO/IEC 27002:2022 (and listed in Annex A of ISO/IEC 27001:2022), the organisation is free to develop its own additional controls should it so wish. In addition, whilst ISO/IEC 27002:2022 contains controls relating to cloud service customers, it doesn't include controls incumbent on cloud service providers. Cloud service providers therefore need to add ISO/IEC 27017's control set to the 27002 set.
Implementing the controls
Having determined the controls that need to be applied, the organisation then needs to determine what's required to put each control in place. Is new equipment necessary, do we need to revise a procedure, or is the solution hiring a new employee? These are important (and sometimes expensive) decisions, so it's not surprising that it can take the organisation a lot of time to complete this exercise. And this is where the recent move from the 2013 to the 2022 edition of the standard will consume the most effort: migrating from the current control set to the new controls and introducing any revised arrangements necessary to implement them.
Where has my existing control gone?
The 114 controls which appeared in the 2013 edition have been carried across as just 82 controls in the 2022 edition (the remaining 11 of the 93 are new). This has been achieved by the practice of merging several old controls into a single new one. In such instances, although the controls have been carried across, care is still needed as the new control is liable to have been reworded, necessitating at least a review to ensure the organisation continues to meet it.
Annex B of ISO/IEC 27002:2022 contains two very helpful tables. The first explains where each 2013 control has been moved to in the 2022 edition. The second table details the reverse: which 2013 controls each 2022 control has been built from. For those seeking to update their own organisation's Statement of Applicability, these tables are indispensable.
Then there are the 11 new controls, which have no 2013 predecessor. Most organisations will need to plan to address these comprehensively, starting at the beginning of the process described above.
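The migration of a Statement of Applicability that the Annex B tables support, and the three situations the text distinguishes (a control carried across or merged and therefore reworded, a control that is entirely new, and a 2013 exclusion whose justification must be re-examined), can be made mechanical. The following Python script is an added example written for this article; it is not code from the standard, the CQI or the author. The mapping rows and the sample 2013 Statement of Applicability are constructed for illustration: the control numbers and titles are the real ones as far as I know them, but the excerpt is a tiny fraction of Annex B and must be checked against the standard before being used on a real register. The function, class and variable names are my own.

```python
"""Draft a 2022-edition Statement of Applicability (SoA) from a 2013-edition one.

Added example; the mapping below is a constructed excerpt in the shape of
ISO/IEC 27002:2022 Annex B table B.2 (2022 control <- 2013 controls).
Verify every row against the published Annex B before relying on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# 2022 control id -> (title, list of 2013 control ids it was built from)
MAPPING_2022_FROM_2013 = {
    "5.1":  ("Policies for information security", ["A.5.1.1", "A.5.1.2"]),
    "5.9":  ("Inventory of information and other associated assets",
             ["A.8.1.1", "A.8.1.2"]),
    "8.3":  ("Information access restriction", ["A.9.4.1"]),
    "8.15": ("Logging", ["A.12.4.1", "A.12.4.2", "A.12.4.3"]),
}
# 2022 controls with no 2013 predecessor (three of the eleven new ones)
NEW_2022_CONTROLS = {
    "5.7":  "Threat intelligence",
    "8.9":  "Configuration management",
    "8.28": "Secure coding",
}


@dataclass(frozen=True)
class OldEntry:
    """One row of the 2013 SoA: applied or excluded, plus the exclusion reason."""
    applicable: bool
    justification: str = ""


@dataclass
class DraftEntry:
    """One row of the draft 2022 SoA, with the action the reviewer must take."""
    title: str
    applicable: Optional[bool]   # None = decision still to be made
    status: str
    sources: List[str]
    notes: str = ""


def migrate_soa(old_soa: Dict[str, OldEntry],
                mapping=MAPPING_2022_FROM_2013,
                new_controls=NEW_2022_CONTROLS) -> Dict[str, DraftEntry]:
    """Build the draft 2022 SoA. Nothing is silently decided: every row carries a status."""
    draft: Dict[str, DraftEntry] = {}
    for new_id, (title, old_ids) in mapping.items():
        found = {oid: old_soa[oid] for oid in old_ids if oid in old_soa}
        missing = [oid for oid in old_ids if oid not in old_soa]
        if not found:
            draft[new_id] = DraftEntry(title, None,
                                       "predecessors absent from 2013 SoA: assess", old_ids)
            continue
        applied = [oid for oid, e in found.items() if e.applicable]
        excluded = [oid for oid, e in found.items() if not e.applicable]
        if applied and excluded:
            # Merged control where the organisation applied some predecessors and
            # excluded others: default to applicable and force an explicit decision.
            applicable, status = True, "conflict: predecessors split between applied and excluded; decide"
        elif applied:
            applicable = True
            status = ("merged: review reworded control" if len(old_ids) > 1
                      else "carried across: review wording")
        else:
            # All predecessors were excluded; the old reason must be re-justified
            # against the new (possibly broader) wording, not copied blindly.
            applicable, status = False, "exclusion carried over: re-justify against reworded control"
        notes = "; ".join(f"{oid}: {e.justification}" for oid, e in found.items() if e.justification)
        if missing:
            notes = (notes + "; " if notes else "") + "not in 2013 SoA: " + ", ".join(missing)
        draft[new_id] = DraftEntry(title, applicable, status, old_ids, notes)
    for new_id, title in new_controls.items():
        draft[new_id] = DraftEntry(title, None, "new in 2022: assess from scratch", [])
    return draft


def unmapped_2013_controls(old_soa: Dict[str, OldEntry],
                           mapping=MAPPING_2022_FROM_2013) -> List[str]:
    """2013 controls in the old SoA that no mapping row consumes (gaps in the mapping or the SoA)."""
    covered = {oid for _, old_ids in mapping.values() for oid in old_ids}
    return sorted(set(old_soa) - covered)


# Constructed sample 2013 SoA; A.12.4.3 is deliberately absent and A.14.2.5 is
# deliberately outside the mapping excerpt so both reporting paths are exercised.
OLD_SOA_SAMPLE = {
    "A.5.1.1": OldEntry(True),
    "A.5.1.2": OldEntry(True),
    "A.8.1.1": OldEntry(True),
    "A.8.1.2": OldEntry(False, "single-owner company; asset ownership is implicit"),
    "A.9.4.1": OldEntry(True),
    "A.12.4.1": OldEntry(True),
    "A.12.4.2": OldEntry(True),
    "A.14.2.5": OldEntry(True),
}

if __name__ == "__main__":
    for cid, row in sorted(migrate_soa(OLD_SOA_SAMPLE).items()):
        print(f"{cid:6} {row.title:55} applicable={row.applicable!s:5} {row.status}"
              + (f" [{row.notes}]" if row.notes else ""))
    print("2013 controls not covered by the mapping excerpt:",
          unmapped_2013_controls(OLD_SOA_SAMPLE))
```

The point of the `status` field is that the script never finalises a row: merged and carried-across controls still need the wording review the article calls for, conflicts and new controls need a decision, and carried-over exclusions keep the old justification only as a note to be re-argued. The unmapped list catches two different faults at once, a 2013 control the organisation listed but the mapping does not cover, and a typo in either file.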
Moving between the control sets
The good news is that certified organisations have three years to transition to the 2022 edition (by 31 October 2025). Whilst that is some time away, don't leave it until the last minute to transition. Your certification body will need time to book you in for a visit.
For more on ISO 27001 and the implications of the changes, read the second article from Richard Green, "ISO 27001, a transition", on information security and the importance of information security controls.