Cybersecurity Advisory Modular framework

The Cybersecurity Advisory uses a modular framework that spans the entire lifecycle of security. Each module identifies gaps in your information security management policies, standards, processes and technologies that pose a risk to your organization’s security posture and provides a recommendation and prioritized roadmap for improvement.

Understanding the physical security controls outlined in the ISO/IEC 27001 standard

International standards set a baseline against which digital and physical assets can be secured. ISO/IEC 27001, the standard for information security management systems published jointly by ISO (the International Organization for Standardization) and IEC, focuses on protecting information assets, but its Annex A also includes physical security controls. Some background: the ISO/IEC 27000 series is a family of standards for information security management systems (ISMS). ISO/IEC 27001 descends from the British standard BS 7799 (Part 2), which was adopted into the ISO/IEC 27000 series when ISO began publishing ISMS standards.

What exactly does ISO/IEC 27001 define? The standard sets out the requirements for implementing information security in an organization and gives flexible guidance on how to meet them, for all sectors and for companies of all sizes. It is also intended to give organizations a common basis for managing information security risk. The standard lists the requirements an ISMS must satisfy in order to be certified, but these requirements are deliberately broad: because the standard applies to every enterprise in every sector, it does not prescribe specific controls or technologies. As with ISO standards in general, the detailed design and implementation are left to the individual organization, with ISO/IEC 27002 providing supplementary implementation guidance.

ISO/IEC 27001 outlines the broad requirements for planning, implementing, operating, continually monitoring and improving a process-oriented ISMS. It requires organizations to identify and assess risks and to define control objectives, physical security among them.


ISO/IEC 27001 – What are the main changes in 2022?

ISO/IEC 27001:2022 is currently in the publication stage and is expected to be published shortly. Its main updates are a revised Annex A and a change to the title of the standard.

The latest edition of ISO/IEC 27002 was published at the beginning of 2022, and its changes have also driven the revision of ISO/IEC 27001.

The new changes of ISO/IEC 27001:2022

At a time when the world faces new and evolving security challenges, the internationally accepted ISO/IEC 27001 standard, which aims to protect the confidentiality, integrity and availability of an organization’s information assets, is being updated; the new edition is expected to be published in October 2022.

Unlike ISO/IEC 27001:2013, the new edition carries the full title ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems - Requirements.

The part undergoing the most significant change is Annex A of ISO/IEC 27001, which is being aligned with the ISO/IEC 27002:2022 update published earlier this year.

The main body of the standard is expected to remain largely as it was in the 2013 edition, with only minor updates. Clauses 1 to 3 cover scope, normative references and terms and definitions; the mandatory clauses 4 to 10 cover organizational context, leadership, planning, support, operation, performance evaluation and improvement.


What are the main control changes in Annex A?

Annex A of ISO/IEC 27001:2022 changes both the number of controls and their grouping.

The number of controls in Annex A is reduced from 114 to 93. The decrease is mainly due to the consolidation of many controls: 35 controls remain unchanged, 23 controls are renamed, 57 controls are merged into 24 controls, and one control is split into two. The 93 controls are restructured into four control themes.

The four control themes of ISO/IEC 27001:2022 Annex A, numbered after the corresponding clauses of ISO/IEC 27002:2022, are:

Organizational controls – Clause 5, contains 37 controls
People controls – Clause 6, contains 8 controls
Physical controls – Clause 7, contains 14 controls
Technological controls – Clause 8, contains 34 controls

The following 11 controls are new in Annex A of ISO/IEC 27001:2022 (Annex A control identifiers in parentheses):

Threat intelligence (5.7)
Information security for the use of cloud services (5.23)
ICT readiness for business continuity (5.30)
Physical security monitoring (7.4)
Configuration management (8.9)
Information deletion (8.10)
Data masking (8.11)
Data leakage prevention (8.12)
Monitoring activities (8.16)
Web filtering (8.23)
Secure coding (8.28)

When should organizations start implementing the new ISO/IEC 27001?

Since the changes are moderate and do not mandate any new technology, organizations can start updating their documentation now. For example, they can familiarize themselves with the controls of ISO/IEC 27002:2022, add the new controls to their risk assessment and risk treatment process, adapt their documents accordingly, update and streamline their Statement of Applicability, and revise the affected sections of their existing policies and procedures.

Will the ISO/IEC 27001:2022 changes affect my current ISO/IEC 27001 certificate?

The changes in ISO/IEC 27001:2022 do not invalidate a current ISO/IEC 27001:2013 certificate: existing certificates remain valid during a transition period after the new edition is published, after which certified organizations must transition to the 2022 edition. If you are interested in certification, there is therefore no reason to wait for the new edition to be published.

ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001 and ISO/IEC 27002 both concern information security management, so they can look quite similar. They are not the same, however.

ISO/IEC 27001 is the information security management system standard that states the requirements against which organizations can be certified and professionals can be trained and certified. It helps organizations establish, implement, maintain and continually improve an information security management system (ISMS).

The standard was first published in 2005. To keep pace with developments in technology and remain relevant to current security threats, it was revised and republished in 2013. In 2019 it was reviewed again and confirmed without changes, so the 2013 edition remained current until now.

Another standard in the ISO/IEC 27000 family, closely related to ISO/IEC 27001, is ISO/IEC 27002. It is used to tailor an ISMS to an organization’s specific context by giving guidance on selecting and implementing appropriate information security controls.

Because ISO/IEC 27002 is a supporting standard that contains guidance rather than requirements, organizations cannot be certified against it; only professionals can. It presents a set of guidelines that assist in implementing the controls listed in Annex A of ISO/IEC 27001, and it gives considerably more detail on each control, including its purpose and implementation guidance.

What can Yokamos do to help?

Yokamos ISO/IEC 27001 and ISO/IEC 27002 consultants enable aspiring professionals to gain the expertise, skills and competencies needed to help organizations ensure information security, cybersecurity and privacy protection. Using both a theoretical and a practical approach to quality education, professionals learn the two standards in depth and obtain the expertise needed to support an organization in planning, implementing and managing information security controls.