The New ISO/IEC 27001:2022 Standard’s Impact on the CSA STAR Certification
Published 11/18/2022
Written by Ashwin Chaudhary, CEO, Accedere.
Introduction
The most awaited third edition of ISO/IEC 27001:2022 was published on 25th October 2022, after the publication of ISO 27002:2022 in February 2022. If you are planning on transitioning to the newly updated standard, then your major focus should be on the new controls, which are now grouped into four themes instead of the previous 14 categories. Also, new attributes have been introduced to help companies reflect on their security posture, covering different criteria. If you are certified with CSA STAR incorporating ISO/IEC 27001 Certification, then it is imperative for you to transition as per the newly updated standard.
Impact on the CSA STAR Certification Due to the Change in ISO 27001
The STAR program itself is unchanged, but organizations holding a STAR Certification built on ISO/IEC 27001 must transition that certification to the new edition of the standard. For STAR Level 2 (ISO/IEC 27001 + CCM), the CCM controls continue to be evaluated by CSA STAR auditors alongside the ISO/IEC 27001:2022 audit.
Key Changes to the New Standard
- The title has been modified.
- Incorporates the Technical Corrigenda ISO/IEC 27001:2013/Cor 1:2014 and ISO/IEC 27001:2013/Cor 2:2015. Aligned with the harmonized structure for Management System Standards (MSS) and ISO/IEC 27002:2022.
- The structure of the document has been changed, presenting the controls using a simple taxonomy and associated attributes.
- Number of themes/domains reduced from 14 to 4.
- Number of controls reduced from 114 to 93:
  - 11 new controls
  - 24 merged controls
  - 58 revised controls
  - 21 removed controls
Change in Title
The title prefix "Information Technology - Security Techniques" used by ISO/IEC 27001:2013 has been replaced in ISO/IEC 27001:2022 with "Information Security, Cybersecurity and Privacy Protection" to reflect the wider scope of the standard.
Change in Themes / Domains in Annex A Controls
The 14 Annex A domains were consolidated into the following four themes:
- Organizational Controls
- People Controls
- Physical Controls
- Technological Controls
The layout for each control contains the Control title, Attribute table, Control, Purpose, Guidance, and other information.
Control Attributes
- Control types
- Preventive, Detective, and Corrective
- Information security properties
- Confidentiality, Integrity, and Availability (CIA Triad)
- Cybersecurity concepts
- Identify, Protect, Detect, Respond, and Recover
- Operational capabilities
  - Governance, asset management, information protection, human resource security, physical security, system and network security, application security, secure configuration, identity and access management, threat and vulnerability management, continuity, supplier relationships security, legal and compliance, information security event management, and information security assurance (the practitioner's perspective)
- Security domains
- Governance and Ecosystem, Protection, Defense, and Resilience
New Controls
| Organizational Controls | Physical Controls | Technological Controls |
|---|---|---|
| 5.7 Threat Intelligence | 7.4 Physical Security Monitoring | 8.9 Configuration Management |
| 5.23 Information Security for Use of Cloud Services | | 8.10 Information Deletion |
| 5.30 ICT Readiness for Business Continuity | | 8.11 Data Masking |
| | | 8.12 Data Leakage Prevention |
| | | 8.16 Monitoring Activities |
| | | 8.23 Web Filtering |
| | | 8.28 Secure Coding |

Of the 11 new controls, 3 are organizational, 1 is physical and 7 are technological; no new People controls were added.
Implementation Requirements
As there are changes to the controls, here are the implementation requirements:
- Change in Statement of Applicability (re-mapped to the 93 controls of the new Annex A, including the 11 new controls)
- Change in Risk Register (change in the existing and mitigating controls)
- Change in Documented Information
- Implementing relevant People, Process, & Technology controls
Key Timeline for Transition
- Companies can still obtain ISO/IEC 27001:2013 certification until 31st October 2023
- Companies can get certified for ISO/IEC 27001:2022 as of 25th October 2022
- Certified clients can get transitioned to ISO/IEC 27001:2022 before 31st October 2025
Organizations and certification bodies can mutually discuss and arrive at the mode and timeline for transition. Transition can be planned in conjunction with the surveillance audit/recertification audit/separate audit.
What is CSA STAR and How Does the New Update Impact CSA STAR Certifications?
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry created by the Cloud Security Alliance (CSA) that documents the security and privacy controls of popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Submitting a self-assessment, certification, or attestation to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. A STAR submission reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.
STAR Level 2 can be reached either through STAR Attestation (a SOC 2 Type 2 examination that includes the CCM) or through STAR Certification (ISO/IEC 27001 certification that includes the CCM). Since many organizations choose the ISO/IEC 27001 route, the update to the standard directly affects their CSA STAR Certification: they must implement and be audited against the controls of ISO/IEC 27001:2022, including the 11 new Annex A controls, within the transition window above.
About Accedere Inc
Accedere Inc. is a global provider of assurance services for cybersecurity compliance. Accedere Inc. is a Colorado CPA firm registered with the PCAOB with a focus on cloud security and privacy, and its auditors are empaneled by the Cloud Security Alliance (CSA) to conduct assessments for CSA STAR Level 2 attestation and certification requirements. As an ISO/IEC certification body, Accedere Inc. also has the relevant expertise to support the ISO/IEC 27001 + STAR certification process.
Ashwin Chaudhary is the CEO of Accedere. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, Privacy, IoT, Governance Risk, and Compliance. Learn more about us at www.accedere.io.