Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

How to Prepare for the Changes to the ISO Standards

Home
Industry Insights
How to Prepare for the Changes to the ISO Standards

Blog Article Published: 04/09/2022

The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores the STAR Program, CSA best practices, research, and associated technologies and tools. This blog is part of a series where we edit key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Ryan Mackie of Schellman and Eric Hibbard of Samsung, both members of SC27, to discuss the most critical changes to the ISO standards already released, and those yet to come.

Listen to the full podcast here.

ISO Changes: An Overview

John DiMaria: I have two guests today: Ryan Mackie who is Principal at Schellman, and Eric Hibbard who is the Director of Product Planning for Samsung. To start off, Eric, if you could give us an overview of the major changes following the latest ISO standards.

Eric Hibbard: As we speak today, there is an amendment underway for 27001 that will essentially replace Annex A, which is the scope of that amendment. This is expected to be approved around May, roughly speaking. With this, we anticipate a minor revision of 27001. And instead of the three years you would normally see a standard go through an update, this will be completed in roughly eight weeks. This is because there are no technical changes, just minor editorial kinds of things.

We see within subcommittee 27 that there could easily be 30 projects that are being impacted. Other activities such as IoT, artificial intelligence, healthcare and standards reference the 27001 and 27002 documents. From a security and privacy perspective, this is a busy time. The main thing to keep in mind is that because there was no major update, just the Annex replacement of 27001, we might see a full-blown update later this year.

What About the Cloud Controls Matrix?

JD: So we are in the middle of the transition from the Cloud Control Matrix v3.0.1 to v4. Ryan, from an assessment perspective, how is the transition to v4 affected by 27001?

Ryan Mackie: Yeah John, it’s a stressful time. As you think you’ve accomplished one goal, there’s another one staring right at you. So unfortunately, timing can be against us. For those organizations that have 27001 certifications and are either currently STAR certified or undergoing STAR certification, the updates, as Eric mentioned, will soon be in the new version of 27001 and are pretty sweeping.

For organizations undergoing the transition to CCM v.4, it’s not really going to have that much of an impact. You have one new control domain and 30 semi-additional controls. Going through that and getting assessed against those controls is going to be the same. So I wouldn’t push the panic button just yet.

The Future of ISO 27018

JD: Eric, will 27018 become irrelevant at some point?

EH: I think that’s a true statement. If you look at the timeframe that it was written, 27017 and 27018 were written about in the same period. On the heels of that, the work on 27701 occurred later, and can be used for certification purposes, which is not what 27017 or 27018 were for, making it likely to supersede that.

RM: On that topic, Eric, do you think there is still an audience out there for it if they decide to revise the 27018?

EH: That’s something I would love to hear about as well. If there was an audience for the refresh, that would be important to know, because I think a lot of experts are going to be looking to the bigger picture of 27701.

JD: 27018 is not an accredited certification. What if one or two things happen, if it gets replaced, or if they decide that maybe it’s worth keeping around and turning it into a specification? What would happen to the people who are claiming so-called certification to the 27018? Are they going to get credit for that or just have to go through a full-blown recertification?

EH: From an ISO perspective, the standards are essentially prepped and have been identified as standards to be used for certification purposes. They go through a whole different level of scrutiny and approval. With the ISO 27001 and ISO 9000 series, the level of effort required to get them to that stage once published is significant. Specifically, I’m not aware of any efforts to look back at 27017 and 27018 to do that same sort of coverage.

Cloud Computing Terminology

JD: One last topic. Eric, could you touch on the ISO/IEC 22123 vocabulary that is a point of reference for many people, especially research firms? There’s going to be a couple documents that are going to go away.

EH: SC38 undertook an effort to essentially update the terminology and produced part one of 22123, which includes cloud computing vocabulary. The first edition was published a year ago and we are in the late stages of a second update to that document. In addition, there is a Concept Standard part two that approaches the late stages as well. We’ve also started work on part three, which is a new reference architecture. This means that there have been lots of adjustments to definitions. So these new standards will have a ripple effect. But because it’s behind the scenes, unless you are worrying about specific definitions, it may not be so much front and center.

JD: Thank you both for your time, I appreciate it.

For further questions and connections, contact Ryan Mackie and Eric Hibbard.

Click here for more information regarding STAR certification and the different levels of STAR.
Cloud Controls MatrixComplianceSTAR

Share this content on your favorite social network today!

Latest from CSA
AI Organizational Responsibilities
Take a Survey: State of Multi-Cloud Identity
The Six Pillars of DevSecOps
Trending This Week
#1 AI Safety vs. AI Security Navigating the Commonality and Differences
#2 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
#3 Generative AI Proposed Shared Responsibility Model
#4 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#5 Six Pillars of DevSecOps
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
It’s Time to Throw Away the Manual with Evidence Collection

Published: 05/20/2024

Navigating Cloud Security Best Practices: A Strategic Guide

Published: 05/15/2024

Building Trust Through Vendor Risk Management

Published: 05/15/2024

The Importance of Securing Your Organization Against Insider and Offboarding Risks

Published: 05/14/2024