What can we expect from the new revision of ISO / IEC 27001 and ISO / IEC 27002


The revision of ISO/IEC 27001 and ISO/IEC 27002 is currently underway (the current versions were published in 2013). Organizations that take a systematic approach to information security management will certainly have noticed this change.

ISO/IEC 27002 is again designed to provide a framework of information security controls (comparable to, for example, the NIST CSF).

The main change the new version brings is the consolidation of the controls ("measures") into 4 groups:

1. Organizational measures
2. Personnel measures
3. Physical measures
4. Technical measures

There are also several new areas that will require management attention and action (where applicable to the organization), such as:

Threat intelligence (Measure: Information relating to information security threats should be collected and analyzed to produce threat intelligence.)

Information security when using cloud services (Measure: The processes for acquiring, using, managing and exiting cloud services should be designed in accordance with the organization's information security requirements.)

ICT readiness for business continuity (Measure: ICT readiness should be planned, implemented, maintained and tested on the basis of business continuity objectives and ICT continuity requirements.)

Physical security monitoring (Measure: Premises should be monitored continuously to prevent unauthorized physical access.)

Configuration management (Measure: Configurations, including security configurations, of hardware, software, services and networks should be created, documented, implemented, monitored and controlled.)

Information deletion (Measure: Information stored in information systems and devices should be erased when it is no longer needed.)

Data masking (Measure: Data masking should be used in accordance with the organization's access control policy and business requirements, taking into account legislative requirements.)

Data leakage prevention (Measure: Measures to prevent data leakage should be applied to systems, networks and end-user devices that process, store or transmit sensitive information.)

Monitoring activities (Measure: Networks, systems and applications should be monitored for unusual behavior, and appropriate measures should be taken to evaluate potential information security incidents.)

Web filtering (Measure: Access to external websites should be controlled to reduce exposure to malicious content.)

Secure coding (Measure: Software development should be subject to secure coding principles.)

Publication of the new standards is expected at the end of 2021 or the beginning of 2022.

A transition period will then begin. During this period, organizations with a certified information security management system will need to implement the new requirements.
Author: Martin Kašša, ISO/IEC 27001 auditor
(sources used: ISO/IEC DIS 27002 Information security, cybersecurity and privacy protection)