Understanding the ISO 27000 Series Changes

David Bowie once sang, “ch-ch-ch-changes, turn and face the strange.” While the changes to ISO 27000-series may look strange, they’re primarily a configuration and modernization of the same standard you already know. The standard’s format looks entirely different, but most of your current controls will remain the same. 

When you understand the underlying philosophical shift, you can pivot your compliance posture to address the ISO 27000-series changes more effectively and efficiently. 

Understanding the Philosophical Shift

The International Organization for Standardization (ISO) provides a detailed introduction to ISO 27002:2022 that addresses how companies can use the standards. When comparing all three standards, only ISO 27002:2022 provides insight. While the previous publications mentioned the need for risk assessments, they 

Focus on Risk

Significantly, while the 2013 publication focuses on asset-based language and inherent vulnerabilities, the 2022 update notes that technical measures provide limited security capabilities. Organizations need the appropriate supporting management activities and organizational processes. Further, ISO 27002:2022 explains that companies need to pay careful attention to details when carrying out risk treatments and plan controls accordingly. 

Definition of Controls

While the 2013 publication discussed controls and their selection, it never provides a definition. 

With this release, ISO places greater focus on the risk assessment process, updating the definition of control to:

a measure that modifies or maintains risk

For example, policies are controls that maintain risk while compliance with the policies can modify the risk. 

Focus on Business Impact

While the previous publication provided little insight into how organizations should select controls, ISO 27002:2022 explains that organizations must balance the following:

• Resources deployed for implementing controls
• Investment necessary to implement and operate the control
• Potential business impact arising from a security incident without having the controls 

Overview of the high-level changes across the 27000-series

As ISO shifted its overarching approach to managing information security risk, it made changes across all three standards, realigning them with these new initiatives. 

ISO 27001:2022

Most of ISO 27001:2022 looks the same as the standard you know, with changes focusing primarily on documentation and audit. At a quick scan, ISO added a few sections within some categories

• Planning: Risk Assessment (6.1.2) and Risk Treatment (6.1.3)
• Support: General Documented Information (7.5.1), Creating and Updating (7.5.2), and Control of documented information (7.5.3)
• Performance evaluation: General internal audit (9.2.1), Internal audit programme (9.2.2), General management review (9.3.1), Management review inputs (9.3.2), Management review results (9.3.3)

The biggest change in 27001 is the formalization of the internal audit program, requiring companies to consider processes and previous audit outcomes. When reviewing inputs, management needs to consider how “interested parties” use systems and expect to use systems, taking into account how internal and external users rely on cloud resources. 

ISO 27002:2022

When you open the cover of ISO 27002:2022, your first thought might be, “this is a whole new standard!” Most of these changes are organizational and cosmetic. 

All controls now fall into one of four main control categories or “themes”:

• People: governing individuals
• Physical: governing physical objects
• Technical: governing technology
• Organizational: anything that doesn’t fall into one of the other three categories

Reflecting ISO’s new focus on risk and outcomes, the standard organizes controls differently. 

Each control description has five main attributes:

• Control type: Preventive, Detective, and/or Corrective risk modification
• Information security properties: Whether it preserves information Confidentiality, Integrity, and Availability.
• Cybersecurity concepts: Mapping to the ISO TS 27110 cybersecurity framework across Identify, Protect, Detect, Respond, and Recover.
• Operational capabilities: Incorporating practitioner’s perspective of information security capabilities.
• Security domains: Viewed across the information security domains of Governance and Ecosystem, Protection, Defense, and Resilience.

To better organize the controls themselves, ISO also implemented the following format for each control:

• Control title: Short name
• Attribute table: Control’s assigned attribute values
• Control: What it is
• Purpose: Why it helps
• Guidance: How to implement it
• Other information: Text or references to related documents 

ISO 27005:2022

With the overall update focusing primarily on risk, ISO 27005:2022 gives you ways to perform the risk management activities. Within ISO 27005:2022, you’ll find an introduction to risk scenario concepts that include event-based and asset-based approaches. 

Risk scenarios are defined as events that occur or change a set of circumstances. They can be:

• Expected but not occur
• Unexpected and do occur
• Happen once or more than once
• Have more than one cause or consequence

A consequence is an event outcome that affects objectives in any of the following ways:

• Certain or uncertain
• Positively or negatively
• Directly or indirectly
• Qualitatively or quantitatively
• Cascading or cumulative

Event-based risk identification considers events and consequences at a business or strategic level, reviewing:

• Risk sources
• How risk sources use or impact interested parties
• How interested parties reach their objectives

Asset-based risk identification reviews assets, threats, and vulnerabilities, considering:

• Primary assets
• Supporting assets
• Dependencies between primary and supporting assets
• Interactions between assets, risk sources, and interested parties

New Controls for the 2022 Update to ISO 27000-series

Although ISO 27000-series looks new and shiny, most of the controls remain the same. While a few got a little bit of a rewrite to eliminate the tarnishing, only a few are net-new controls:

• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding

Graylog Security: The Flexible Security and Compliance Platform

With Graylog Security, you have the flexible, scalable cybersecurity monitoring and compliance reporting platform you need to achieve your business objectives. Built on the intuitive Graylog platform, Graylog Security gives you features that reduce your security team’s alert fatigue, help them answer critical incident investigation questions, and enable team members of all skill levels. 

By using our pre-built dashboards, your security team can monitor security and schedule automated compliance reporting. With our anomaly detection ML and UEBA, your team can quickly learn what “normal” looks like in your unique environment, so that they can more efficiently identify anomalous behavior at scale while continuously fine-tuning and improving over time. 

To learn how Graylog Security can help your company keep pace with changing security and compliance requirements, contact us today.