Last Updated on June 13, 2024
2 “Gotchas” to Avoid on Your Move to ISO 27001:2022
As orgs upgrade their information security management systems (ISMS) to conform to the new ISO 27001:2022 standard, what misconceptions and other “gotchas” are they facing?
On a recent episode of The Virtual CISO Podcast, ISO 27001 audit experts Ryan Mackie and Danny Manimbo from Schellman talked about areas where they see clients confused and/or struggling.
One: Misinterpretation of control guidance
It’s not uncommon for people to have a “knee-jerk reaction” when a change is introduced. Among the new ISO 27001:2022 controls, the one Ryan has seen cause trouble most often is 8.12 (Data leakage prevention), which applies to the systems, networks and devices that process, store or transmit sensitive information, including personal and health data.
“Data loss prevention is one that I’ve had more than one client tell me immediately is not going to be applicable to them,” Ryan recounts. “And when I ask them why, they say it’s because they have to implement a DLP [solution]. Because that’s the only way they can demonstrate compliance. And if anybody knows ISO 27001, there’s not one tool or technology that is required to meet a control. They’re so high level. And if you read the implementation guidance in ISO 27002, it’s paragraphs and paragraphs. If there was one thing that you needed, it would just say that.”
But protecting sensitive personal data takes more than a DLP tool. Are you encrypting backups to secure them from unauthorized access? Are you encrypting data in transit? Do you know where the sensitive data actually lives and who can move it off those systems? To get the context you need to understand the new ISO 27001:2022 controls, Ryan recommends reading the implementation guidance in ISO 27002:2022, the companion document that explains each control in depth—that’s what it’s for.
Two: Inadequate transition planning
Ryan further advises that businesses moving to ISO 27001:2022 get a copy of Mandatory Document (MD) 26, a free publication from the International Accreditation Forum (IAF) that sets out the transition requirements for ISO 27001 certification bodies, such as Schellman. Because it tells auditors what they must verify during a transition audit, MD 26 offers insight into what external auditors will focus on.
For example, MD 26 specifies that auditors need to assess an organization’s gap assessment as well as their overall transition plan. So, if you transitioned to ISO 27001:2022 and didn’t conduct a gap assessment or have no evidence that you did, that could create challenges during your audit. Evidence of a robust risk assessment is also critical in the context of transition planning.
“I would definitely recommend to anybody that’s listening to this to understand, what is the delta [between the 2013 and 2022 ISO versions]?” Danny emphasizes. “Then, what is relevant to your management system? And then what’s your timeline? What’s your plan to transition? Do you have the right people? Have you gone through the right steps?”
What’s next?
To listen to this episode with Ryan Mackie and Danny Manimbo from Schellman all the way through, click here.
Focused on ISO 27001 controls? This blog post suggests a view change: ISO 27001 Top Tip: Focus on Process, Not Controls