How to Prepare for the Changes to the ISO Standards
The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores the STAR Program, CSA best practices, research, and associated technologies and tools. This blog is part of a series where we edit key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Ryan Mackie of Schellman and Eric Hibbard of Samsung, both members of SC27, to discuss the most critical changes to the ISO standards already released, and those yet to come.
Listen to the full podcast here.
ISO Changes: An Overview
John DiMaria: I have two guests today: Ryan Mackie who is Principal at Schellman, and Eric Hibbard who is the Director of Product Planning for Samsung. To start off, Eric, if you could give us an overview of the major changes following the latest ISO standards.
Eric Hibbard: As we speak today, there is an amendment underway for 27001 that will essentially replace Annex A, which is the scope of that amendment. This is expected to be approved around May, roughly speaking. With this, we anticipate a minor revision of 27001. And instead of the three years you would normally see a standard go through an update, this will be completed in roughly eight weeks. This is because there are no technical changes, just minor editorial kinds of things.
We see within subcommittee 27 that there could easily be 30 projects that are being impacted. Other activities such as IoT, artificial intelligence, healthcare and standards reference the 27001 and 27002 documents. From a security and privacy perspective, this is a busy time. The main thing to keep in mind is that because there was no major update, just the Annex replacement of 27001, we might see a full-blown update later this year.
What About the Cloud Controls Matrix?
JD: So we are in the middle of the transition from the Cloud Control Matrix v3.0.1 to v4. Ryan, from an assessment perspective, how is the transition to v4 affected by 27001?
Ryan Mackie: Yeah John, it’s a stressful time. As you think you’ve accomplished one goal, there’s another one staring right at you. So unfortunately, timing can be against us. For those organizations that have 27001 certifications and are either currently STAR certified or undergoing STAR certification, the updates, as Eric mentioned, will soon be in the new version of 27001 and are pretty sweeping.
For organizations undergoing the transition to CCM v.4, it’s not really going to have that much of an impact. You have one new control domain and 30 semi-additional controls. Going through that and getting assessed against those controls is going to be the same. So I wouldn’t push the panic button just yet.
The Future of ISO 27018
JD: Eric, will 27018 become irrelevant at some point?
EH: I think that’s a true statement. If you look at the timeframe that it was written, 27017 and 27018 were written about in the same period. On the heels of that, the work on 27701 occurred later, and can be used for certification purposes, which is not what 27017 or 27018 were for, making it likely to supersede that.
RM: On that topic, Eric, do you think there is still an audience out there for it if they decide to revise the 27018?
EH: That’s something I would love to hear about as well. If there was an audience for the refresh, that would be important to know, because I think a lot of experts are going to be looking to the bigger picture of 27701.
JD: 27018 is not an accredited certification. What if one or two things happen, if it gets replaced, or if they decide that maybe it’s worth keeping around and turning it into a specification? What would happen to the people who are claiming so-called certification to the 27018? Are they going to get credit for that or just have to go through a full-blown recertification?
EH: From an ISO perspective, the standards are essentially prepped and have been identified as standards to be used for certification purposes. They go through a whole different level of scrutiny and approval. With the ISO 27001 and ISO 9000 series, the level of effort required to get them to that stage once published is significant. Specifically, I’m not aware of any efforts to look back at 27017 and 27018 to do that same sort of coverage.
Cloud Computing Terminology
JD: One last topic. Eric, could you touch on the ISO/IEC 22123 vocabulary that is a point of reference for many people, especially research firms? There’s going to be a couple documents that are going to go away.
EH: SC38 undertook an effort to essentially update the terminology and produced part one of 22123, which includes cloud computing vocabulary. The first edition was published a year ago and we are in the late stages of a second update to that document. In addition, there is a Concept Standard part two that approaches the late stages as well. We’ve also started work on part three, which is a new reference architecture. This means that there have been lots of adjustments to definitions. So these new standards will have a ripple effect. But because it’s behind the scenes, unless you are worrying about specific definitions, it may not be so much front and center.
JD: Thank you both for your time, I appreciate it.
here for more information regarding STAR certification and the different levels of STAR.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.