News

Update of the ISO/IEC 2700x family

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are working to update the ISO/IEC 2700x family. ISO/IEC 27001:2022 is expected to be published between May and October 2022; the revised ISO/IEC 27002:2022 has been available since February 15, 2022. There will also be changes for verinice users who operate an ISMS according to ISO 27001 using the open source ISMS tool from SerNet GmbH.

This much is already foreseeable for ISO/IEC 27001:2022: while the management requirements for the ISMS in chapters 4 to 10 offer little that is new, Annex A has been extensively revised and now has four chapters and 93 instead of 114 normative controls.

The "ISO 27002:2022 Information security, cybersecurity and privacy protection – Information security controls" standard, published in mid-February 2022, now contains guidelines for implementing the controls, covering organizational, physical, personnel and technical aspects, in 4 instead of 14 chapters. The decisive factor here is that no control remains unchanged compared to the previous version. Specifically, one control has been dropped, 56 controls have been combined into 24 controls, 11 controls are new and all others have been reformulated. Also new in Annex A is the consideration of attributes for Control Type, Information Security Properties, Cybersecurity Concepts, Operational Capabilities and Security Domains. Finally, Annex B contains a mapping of the old to the new controls.

The verinice.TEAM is working on the implementation in verinice. However, this cannot be done comprehensively until the certifiable ISO/IEC 27001 is published. After the final release of the new versions, a transition period will apply to bring the ISMS up to date. Even so, the verinice team recommends that all those who operate an ISMS in accordance with ISO 27001 familiarize themselves with the updates at an early stage and, if necessary, bring in the verinice partners to support the migration.
