ISO 27001 …. Are you ready for the changes due in 2023?

Published by Jeremy Martin – Director, 27k1 Ltd

24th July 2020

Introduction:

Cyber security is becoming ever more sophisticated, the criminals are increasingly devious, and the IT skills required both to understand new modes of attack and to ensure a robust defence are becoming harder to secure.

ISO 27001 has been in its present format since 2013, with a number of improvements being adopted in 2017. ISO 27001 practitioners are used to implementing and auditing according to this standard, but a major revision in 2023 will test their IT skills and abilities, with some unable to adapt to a new level of professional competence.

Get ready, change is coming:

In April 2020, I received an email from Krystyna Passia of the International Standards Organisation. Krystyna is the Committee Manager for JTC 1/SC 27, the committee that manages ISO 27001 and associated standards that cover Information Security, Cybersecurity and Privacy Protection: https://www.iso.org/committee/45306.html

I had requested her comments on a number of revisions to ISO 27001 that are in the discussion stage, in particular changes to the Technical Controls which, in future, may cover Operations Security; Communications Security; Access Controls; Cryptographic Controls and Development Security.

If one examines the work being undertaken by this committee, it’s clear that in the near future ISO 27001 practitioners will face greater demands on the skills and abilities required to undertake implementations and audits. Indeed, many are likely to be stumped by the Technological Controls, given a lack of IT systems knowledge, training and understanding.

This is particularly apparent when one reviews: “Information security, cybersecurity and privacy protection – Evaluation criteria for IT security – Part 1: Introduction and general model” – https://www.iso.org/obp/ui/#iso:std:iso-iec:15408:-1:dis:ed-4:v1:en

“Introduction

ISO/IEC 15408 (all parts) permits comparability between the results of independent security evaluations. ISO/IEC 15408 (all parts) does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware, or software …

Consequently, the fact that an IT product has been evaluated has meaning only in the context of the security properties that were evaluated and the evaluation methods that were used. Evaluation authorities are advised to carefully check the products, properties, and methods to determine that an evaluation will provide meaningful results. Additionally, purchasers of evaluated products are advised to carefully consider this context to determine whether the evaluated product is useful and applicable to their specific situation and needs.”

Clearly, the “evaluation authorities”, the auditors and implementers, will be required to possess an in-depth knowledge of IT systems and products which may be beyond their present ability.

New Controls within ISO/IEC 27001 – 2023

It has been suggested that the revision to ISO 27001 will contain 14 new controls that cover:

1. Threat Intelligence

2. Information security for cloud services

3. ICT continuity planning

4. Digital rights management

5. Physical security monitoring

6. Configuration management

7. Information deletion

8. Data masking

9. Data leakage prevention

10. Monitoring activities

11. Vulnerability disclosure & handling in delivering ICT products & services

12. Web filtering

13. Data integrity protection

14. Secure coding principles

The ISO’s timetable:

Krystyna Passia stated that ISO/IEC 27002 is currently being revised and is now at “committee draft stage”, with publication scheduled by 2022-03.

How should ISO 27001 practitioners prepare?

Given the requirements of compliance with the current standard, ISO/IEC 27001:2013, there is no immediate need to seek additional IT training. However, “the writing is on the wall”. Those who recognise that change is overdue, and who anticipate the future skills required to adapt and thrive in this sector, should reflect on their IT proficiency by undertaking a personal gap analysis.
