  • Bevan Lane

ISO27001: What do you need to know about the changes?


The new versions of ISO 27001 and 27002 were released this year and resulted in the biggest changes to the controls section since they were first introduced back in the 90s.

For most security professionals and even users, this change has been well received. Some of the controls were long in the tooth, not always relevant, and/or missing specifics from the standpoint of our data, remote working, and cloud-based environments.

One of the journeys since the first controls were hatched back in the days of standalone PCs and dial-up modems has been to make them less specific and less prone to new threats and environmental changes.

How have they changed?

One of our ‘favourite’ legacy controls of the late ’90s was about “preventing and/or managing logging in outside of office hours”. For years, stopping people logging in after working hours was a core security concept: administrators would block users from logging in after 6 pm until the next morning. Oh, how many of us wish for those days. It is a splendid example of how society has changed, and when that control was removed in 2013 no one noticed, as it had long since stopped being relevant to how we work.

Each iteration of 27002 has resulted in controls becoming bundled together and made less specific. The current version has taken numerous stand-alone controls and bundled them into single controls, such as network segmentation being bundled into network security and key management being integrated into encryption controls.

The concept of integrating specifics into one control, and allowing you to understand your context and risk and to select control components, has obvious benefits but can also lead to mistakes, so experience and logic must always be used when making these decisions.

So, what has changed?

The main change to the ISO 27001 and 27002 control sections is that the groups and numbering have all been completely revamped and simplified.

For years we had the strange situation of the first control area in 27002 starting with the number 5 instead of 1 due to the ISMS (Information Security Management System) originally being labelled sections 1-4. The general community became used to this numbering so there was an unwillingness to change because everyone knew that A5 was security policies, A9 was access controls and A18 was compliance.


There were previously 114 controls in 14 groups and 35 control categories, with some groups having 2 controls, like Encryption, and others having more than 15, like Security Operations. This was complex, and each area had various controls which, in our experience, many users found too similar or unclear.

But now for the 2022 version, we have a clean start. The controls have been reduced from 114 to 93 and are contained within 4 clauses based on the following themes:

  1. Organisational controls – This is the largest set, with 37 controls, none of which fit neatly into the remaining themes. Although there are some new controls here, the majority are derived from the previous standard and have been amalgamated into a simpler set of controls.

  2. People controls – This is a set of 8 controls involving or relating to people's behaviours, activities, roles and responsibilities, and links back to HR (Human Resources) and user controls in the previous standard.

  3. Physical controls – This set is an attempt to bring together physical security and other tangible controls. It includes 14 specific tangible controls.

  4. Technological controls – This is a set of 34 controls involving or relating mostly to IT (Information Technology) technologies, including new and old areas such as Data Leakage, Threat Hunting, Vulnerability Management, and Security Operations Centre (SOC).

It is now easier than ever to find a control if you understand where it fits in terms of the clauses/themes. It is also easier to understand how certain controls which rely on one another are linked within the standard so that, for example, you can implement processes in conjunction with the relevant Technological and People controls.

What do we think?

We personally like the changes, but we also agree with many people who see that the latest version is linked to the wave of Cyber security thinking and wording. We do think that having specific technological controls will mean they will need to adjust as technology changes, and it also goes against the concept of making the controls less specific.


We do, however, agree that most of the revised and additional controls make sense and are quite simple to find and understand (and hopefully to implement). Overall, we’re looking forward to our first implementation and/or audit projects as we unpack and discover the nuances of implementing the new versions of ISO 27001 and 27002.

