December 2024

V 6.5.1.45   December 12, 2024

We are excited to announce that the updated ISO 27001:2022 and NIST CSF 2.0 frameworks are now available in myITprocess.

Key Highlights of Updates from ISO 27001:2013 to ISO 27001:2022

ISO 27001:2022 is not significantly different from ISO 27001:2013, but there are some notable changes.

Context and Scope

  • Must now identify the “relevant” requirements of interested parties and determine which requirements will be addressed through the Information Security Management System (ISMS).
  • The ISMS must now explicitly include the “processes needed and their interactions.”

Planning

  • Information security objectives must now be monitored and “be available as documented information.”
  • There is a new subclause on planning changes to the ISMS. It does not specify any processes that must be included, so the organization should make sure it can demonstrate that changes to the ISMS have indeed been planned.

Support

  • The requirements to define who will communicate, and the processes for effecting communication, have been replaced by a requirement to define “how to communicate.”

Operations

  • The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria.
  • Organizations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.

Annex A

  • Annex A has been revised to align with ISO 27002:2022. Several controls have been merged, while eleven (11) controls have been added. The Annex A controls are now grouped into four (4) themes rather than fourteen (14) clauses; the themes are summarized below.

Section 5 - Organizational (37 controls)

  • Organizational Information Policies
  • Cloud Service Use
  • Asset Use

Section 6 - People (8 Controls)

  • Remote Work
  • Confidentiality
  • Non-Disclosure
  • Screening

Section 7 - Physical (14 Controls)

  • Security Monitoring
  • Storage Media
  • Maintenance
  • Facility Security

Section 8 - Technological (34 Controls)

  • Authentication
  • Encryption
  • Data Leakage Prevention

The completely new controls are:

  • A.5.7 – Threat Intelligence
  • A.5.23 – Information Security for Use of Cloud Services
  • A.5.30 – Information and Communications Technology (ICT) Readiness for Business Continuity
  • A.7.4 – Physical Security Monitoring
  • A.8.9 – Configuration Management
  • A.8.10 – Information Deletion
  • A.8.11 – Data Masking
  • A.8.12 – Data Leakage Prevention
  • A.8.16 – Monitoring Activities
  • A.8.23 – Web Filtering
  • A.8.28 – Secure Coding

Key Highlights of Updates from NIST CSF 1.1 to NIST CSF 2.0

The NIST CSF has undergone significant updates from version 1.1 (V1.1) to version 2.0 (V2.0). These updates aim to address current and future cybersecurity challenges and improve the framework's effectiveness in managing cybersecurity risk. NIST CSF V1.1 contains 108 subcategories across 22 categories, compared with 106 subcategories across 23 categories in NIST CSF V2.0. This is a slight reduction in the number of controls from V1.1 to V2.0; however, the scope and effectiveness of NIST CSF V2.0 have increased significantly in comparison to NIST CSF V1.1. Below are the key updates.

A. Introduction of GOVERN Function

  • NIST CSF V2.0 introduces a new function called GOVERN, which includes categories such as Organizational Context, Risk Management Strategy, Roles, Responsibilities, Authorities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management.

B. Refinement of Categories and Subcategories

  • Many existing categories and subcategories have been refined for better clarity and alignment with current cybersecurity practices. For instance, Identity Management, Authentication, and Access Control (PR.AA) has been separated from Identity Management and Access Control (PR.AC).

C. Addition of New Subcategories

  • To address emerging cybersecurity needs, new subcategories have been added across various functions. Examples include subcategories in GOVERN like GV.RM-07 (Strategic opportunities) and GV.SC-10 (Supply chain security practices integrated into cybersecurity programs).

D. Enhancements in Existing Functions

  • Existing functions such as Identify, Protect, Detect, Respond, and Recover have seen enhancements with new subcategories and better structuring of existing ones to improve usability and comprehensiveness.

E. Enhanced Profiles and Tiers

  • NIST CSF V2.0 also expands on the concept of Organizational Profiles and Tiers. These tools help organizations describe their current and target cybersecurity postures and assess their progress. The Tiers characterize the rigor of an organization’s cybersecurity practices, with a clear path from "Partial" to "Adaptive" practices.

Supply Chain Risk Management

  • There is a stronger focus on supply chain risk management. The framework provides detailed outcomes for identifying, managing, and mitigating risks throughout the supply chain.
  • Continuous Improvement and Integration: The framework now emphasizes continuous improvement and better integration with enterprise risk management (ERM). This aligns cybersecurity risk management more closely with broader organizational risk management practices.

Expanded Scope and Flexibility

  • Broader Applicability: NIST CSF V2.0 expands its scope to include a wider range of sectors and organizational sizes, emphasizing its relevance to various industries beyond critical infrastructure. This is designed to make the framework more universally applicable.
  • Flexibility and Customization: There is increased emphasis on tailoring the framework to different organizational contexts, providing more flexibility in its application to meet specific organizational needs.


Other Updates:

  • The content in QBR Report Builder is now generated dynamically.
  • Minor bugs related to QBR Report Builder have been fixed.
  • We removed the character limit in the Business Analytics field in the Recommendations.
  • We’ve updated the Idea Portal page link. To suggest a feature or provide feedback, please follow this link: https://community.kaseya.com/ideas/categories/myitprocess-ideas-portal
