An interview with Tim Kemper
The revised version of the ISO 27001 standard for information security was published in October 2022; the previous version of this certification was as recently as 2017. To make sure your organization can make a good choice and determine the best time to move to the revised version of the ISO 27001 standard, we had a conversation with colleague Tim Kemper. We take in you in this blog, happy to take you by the hand and address the following questions:
What are the changes in the new ISO27001:2022?
What are the main changes in the Harmonized Structure and management measures?
What does the GAP analysis involve?
How can you as an organization prepare for the transition to this updated version of the standard?
As an organization, how do you transition to the revised version for the ISO 27001 standard and how can Protify help your organization?
When is the best time for my organization to transition, right now or upon recertification?
What is the impact for your organization?
What are the changes in the new ISO 27001:2022?
The main changes in the new standard from the version published in 2017 are as follows:
The High Level Structure (HLS) has been renamed Harmonized Structure (HS) and a number of standard sections have been modified.
The structure of the control measures has been modified and now consists of only four instead of 14 chapters. The number of management measures has been reduced, from 114 to 93. Some control measures have been merged; 11 new ones have also been added.
Read more about the changes in our blog (only in Dutch) New standard ISO 27001 version 2022.
What are the main changes to the Harmonized Structure (HS)?
It should be described which needs and expectations of stakeholders are met through the ISMS.
The HS includes a new paragraph on change management. Changes to the management system should be implemented in a planned manner.
Information security performance and effectiveness of the ISMS should be evaluated.
Changes in stakeholder expectations should now also be assessed in the management review.
What are the biggest changes in the management measures?
The biggest changes involve the control measures, which are explained in the topics below. For each topic we indicate by means of a number of questions what you as an organization should think about. By going through these questions you can prepare your organization for the new version of the ISO 27001 standard:
Cloud services: As an organization, what have you agreed with cloud service providers about the acquisition, use, management and termination of cloud services? For example, about an exit strategy (e.g., who retains ownership of the data)?
Threat intelligence: How is your organization kept up to date on information security threats, vulnerabilities and other issues? How do you respond to and deal with these as an organization?
Preventing data leaks: What information does your organization have, where is it stored? What measures has your organization taken to prevent a data leak?
Deleting information: How long do you need information within your organization? After that, how do you make sure it is not freely accessible or deleted? Think about a logical time limit for keeping data (available)?
Software development, secure coding, or secure development: As an organization, what do you consider in the development process? What are the secure coding principles, how does testing take place? As an organization, how do you ensure data masking, i.e. that live data, but representative and realistic test data are used
Configuration management: How do you ensure that the IT infrastructure of your organization is configured in an appropriate manner, appropriate to the desired security level, taking into account standards? As an organization, how do you ensure that the configuration is also permanently appropriate, can only be adjusted according to a fixed process and that no one can independently make major changes just like that? Do you ensure that any changes are also registered
Additional monitoring requirements:
Web filtering: How do you ensure that you block harmful websites within your organization?
Vulnerabilities: As an organization, how do you ensure that you are informed about vulnerabilities, for example by organizations that specialize in them?
Data backup policy: What is the retention period for data?
Supplier registration: How are suppliers registered?
GAP analysis: how can your organization comply with the new version of ISO 27001?
Does your organization want to transition to the new version of ISO 27001? Then the certification body (CB) must perform a transition audit. This transition audit usually takes half a day and consists of the following components:
Assessing how your organization has implemented the new and amended requirements of the standard. This is considered most important during this audit.
How have these changes been incorporated into the management system (ISMS)?
Assessment of the new Declaration of Applicability (CoA).
Are there any changes to the risk management plan.
In short, this transition audit focuses on how your organization has implemented the new standard requirements and how this is applied in the ISMS. When you have a transition audit performed, these are additional costs that your organization would not otherwise have.
How can Protify support your organization with the transition to ISO 27001: 2022?
We offer two sessions of 2.5 to 3 hours:
GAP analysis and introduction of new standard: What are the changes in the new ISO 27001? We will discuss HS versus HLS and the changes in control measures. What do these changes mean and what does this mean for your organization? Perform GAP analysis that will be reviewed during the transition audit. We use this GAP analysis to see how your organization has met the new standard in your ISMS and what steps you may need to take to comply. If your organization is not yet certified, the GAP analysis is not necessary.
Implementing the new ISO 27001-2022: how do we together implement the new parts of the standard? Here we mainly look at the new control measures, how they should be worked out and adapted.
Based on these two sessions, we create a set-up in the management system, included in the ProActive Compliance Tool (PCT), in which the new parts are included and existing parts are supplemented. This is presented to your organization for review so that it can then be finalized. Based on this, it will then be determined if your organization is ready for the external audit. Also make sure to make an appointment with CI in time when you want to (re)certify.
"Change to the new version of ISO 27001 at the end of the audit cycle or re-certification or before the end of 2025."
When is the best time to switch to the new standard?
"We advise our customers who are currently still in their certification cycle not to switch to new version of ISO 27001. But rather to switch at the end of the audit cycle (at recertification). As an organization, you can continue to use version from 2017 until the end of your audit cycle. Although there are differences in the versions of the standard, the current market does not yet consider which version of the standard your organization is certified to. If you switch now as an organization, you will incur additional costs, namely half a day for the analysis from the CB.
So our advice is: switch when you have to; either at the end of the audit cycle or recertification or before the end of 2025." said Tim Kemper.
What is the impact for your organization to switch to the new standard?
If your organization is already certified for ISO 27001, the impact is not very big, of course there are new controls that you as an organization have to implement. But if you prepare yourself, for example by planning the ISO 27001:2022 sessions with us, we can support your organization to switch to the new standard at the right time. It involves supplementing your current management system and adding a number of components.
Want to learn more about ISO 27001:2022 and how and when your organization can best transition?
Contact us and we will be happy to tell you what the best choice is for your organization.