The typical lifespan of an ISO standard is five years. After this period, it is decided whether the norm can stay valid, needs revision or should be retracted. In 2018, it was decided that ISO 27002:2013 should be revised. The draft is currently under review (source) and is expected to be published by the end of 2021.
As Annex A of ISO 27001 is based on ISO 27002, it is expected that this standard will soon follow, after which it will be possible to certify against the new standard.
ISO 27002:2013 contains 114 controls, divided over 14 chapters. This is going to be restructured.
ISO 27002:2021 will contain 93 controls, divided over 4 chapters:
- Chapter 5 Organizational (37 controls)
- Chapter 6 People (8 controls)
- Chapter 7 Physical (14 controls)
- Chapter 8 Technological (34 controls)
Next to that, the controls will be (hash) tagged by control type (#preventive, #detective, #corrective), classification (#confidentiality, #integrity, #availibility), NIST concept (#identify, #protect, #detect, #respond, #recover) and operational capabilities (#governance, #asset_management, #information_protection, #human_resource_security, #physical_security, #system_and_network_security, #application_security, #secure_configuration, #identity_and_access_management, #threat_and_vulnerability_management, #continuity, #supplier_relationships_security, #legal).
As you may notice, the operational capabilities can be mapped to the current chapters almost seamlessly.
Does my ISMS need to be updated?
Not immediately, no. As ISO 27002 is just a code of practice, it is not possible to certify against it. We will have to wait for ISO 27001 to be updated accordingly.
When that happens, it will remain possible to (re) certify your ISMS against the current version for a prolonged period of time. You will most likely only need to update your ISMS before the next certification cycle.
Once the new version of ISO 27001 becomes available, not only will we update Instant 27001 immediately, we will also release an update kit for existing customers. This update kit will contain the following:
- A new Annex A structure containing all 93 controls
- The implementation field of which will be linked to the existing documents where possible
- The (hash) tags will be added as Confluence labels
- New policies or procedures will be added as necessary
- Instructions how to import and merge with your existing ISMS
Existing clients can also opt to receive a new, empty, version of Instant 27001 at a reduced price.
- ISO 27001:2021 update kit € 495
- Instant 27001 Complete ISMS € 995 (for existing Instant 27001 clients)
Depending on your location, local taxes may apply (read more).