ISO 27001/2: A Welcome Change is coming!

Over my career I have watched the ISO information security standards evolve from their humble beginnings as BS7799 (published almost 30 years ago) to the internationally recognised ISO 27001, first published in 2005, with only minor changes applied since then.

Now both ISO 27001 and ISO 27002 are evolving and maturing to reflect how businesses and the industry have changed: they incorporate the resiliency emphasis that comes through NIST (the National Institute of Standards and Technology) and the increasing importance of privacy on a global scale.

This year will see the most significant refresh of both ISO 27001 and ISO 27002, giving us:

ISO 27001:2021 (TBC), rumoured for release in March/April 2022

and 

ISO 27002:2021 Information security, cybersecurity and privacy protection — Information security controls. 

We are eagerly anticipating the release of ISO 27002, which provides the reference set of controls and is scheduled for release this month (Feb 2022). This is an important first release: it changes some of the key Information Security Management System (ISMS) artefacts, and bringing your ISMS up to speed with the new requirements will take some effort.

I have an ISMS, what do I need to do?

For those with a current ISMS, the changes imposed by the Standards can be managed through your formal Management Review process: one of its objectives is to identify any changes (internal or external) that may affect the operation of the ISMS and to establish a plan to manage them.

This should be completed once the Standards have been released. Do not wait for your next annual check-up, as there will be a lot of work involved. We anticipate that the updates will trigger:

  • A full review and update of your Statement of Applicability (SOA)
  • A refreshed risk assessment
  • Review and update of policies and procedures
  • Creation of new policies and procedures to address the new controls
  • Review and update of the tools used
  • Updates to security metrics to reflect the refreshed risk assessment and the Annex A changes
  • Updates to the internal audit programme.

Don’t worry, though: those certified under the old standard will have a transition period in which to become certified to the new one, so there is no need to panic or rush anything through. At the very least, however, your certification body will expect you to have recognised the impact on your ISMS and to have a plan to address it by your next surveillance audit.

If you’re unsure of the requirements of a Management Review, or would like an independent review of your ISMS to bring it up to speed and drive the change, we can help.