What can we expect from the new revision of ISO / IEC 27001 and ISO / IEC 27002


The revision process of ISO/IEC 27001 and ISO/IEC 27002 is currently underway (the current version was published in 2013). Organizations that follow a systematic approach to information security management have certainly taken note of this change.

ISO/IEC 27002 is again designed to provide a framework for information security management (comparable to, for example, the NIST CSF).

The main change that the new version brings is the merging of the measures into 4 groups:

1. Organizational measures
2. Personnel measures
3. Physical measures
4. Technical measures
There are also several areas that will require management attention and action (where applicable in the organization), such as:

Threat management (Measure: Information related to information security threats should be collected and analyzed to support threat management.)

Information security when using cloud services (Measure: The processes for acquiring, using, managing and terminating cloud services should be designed in accordance with the organization's information security requirements.)

ICT readiness for business continuity (Measure: ICT readiness should be planned, implemented, maintained and tested on the basis of business continuity objectives and ICT continuity requirements.)

Physical security monitoring (Measure: Premises should be monitored continuously to prevent unauthorized physical access.)

Configuration management (Measure: Configurations, including security, hardware, software, service and network configurations, should be created, documented, implemented, monitored and controlled.)

Erasing information (Measure: Information stored in information systems and devices should be erased when it is no longer needed.)

Data masking (Measure: Data masking should be used in accordance with the organization's access control policy and business requirements, taking into account legislative requirements.)

Data leakage prevention (Measure: Measures to prevent data leakage should be applied to systems, networks and terminal equipment that process, store or transmit sensitive information.)

Monitoring activities (Measure: Networks, systems and applications should be monitored for unusual behavior, and appropriate measures should be taken to evaluate potential information security incidents.)

Web filtering (Measure: Access to external websites should be controlled to reduce exposure to malicious content.)

Secure encryption (Measure: Software development should be subject to secure encryption policies.)

The publication of the new standards is expected at the end of 2021 or at the beginning of 2022.

Subsequently, a transitional period will begin. During this period, the new requirements will need to be implemented if your organization has a certified information security management system.

Author: Martin Kašša, ISO/IEC 27001 auditor
 

(sources used: ISO/IEC DIS 27002 Information security, cybersecurity and privacy protection)
