Information technology is growing at a rapid rate, so it is only natural that information security standards should also increase in order to remain relevant and continue to offer guidance for security best practices.
The energy behind value-added business processes comes from information and data. The exchange of information is essential to the operation of our digital economy. As a result, it is crucial for companies of all sizes to safeguard their intellectual property, critical data, and information-driven daily operations from online threats.
In the age of industrialised cyberattacks, it is essential to build enterprise resilience quickly and adaptably because information security risks are ever-growing. According to the 2022 cost of a data breach report from IBM and the Ponemon institute, the average cost of a data breach has increased to a record high of US$4.35 million. In this context, the newly revised ISO/IEC 27001:2022, which emphasises a culture of continuity in information security management, is very valuable.
It’s critical to remember that the ISO 27001 standards were last revised nine years ago. Nonetheless, we are glad to discover that the most recent versions, ISO/IEC 27001 and ISO/IEC 27002:2022, are now available. First, it’s crucial to remember that ISO 27001:2013 and ISO 27001:2022 are not drastically dissimilar.
What exactly is ISO/IEC 27001?
Information security management systems (ISMS) can be implemented in any size, structure, or perspective of a company thanks to the framework provided by ISO/IEC 27001. Cyber threats are constantly evolving and seeking out new openings in organisations to target and sabotage information flows and, consequently, business operations. In light of the risks this mechanism presents, the three main protection objectives in information security, which are confidentiality, integrity, and availability need to be understood and managed.
What about ISO 27001 is changing?
The fundamental concept has not changed: it is a list of prospective information security controls with implementation guidance for each control. The modifications were largely designed to streamline the controls’ implementation and are, in general, quite modest.
The new Annex A of ISO/IEC 27001:2022
Instead of the 114 controls in ISO 27002:2013, 93 are included in ISO 27002:2022. Instead of having 14 clauses, these controls are divided into 4 “categories.” These are:
- People (8 controls)
- Organisational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
In the recently updated ISO 27001, 24 controls were created by combining 57 controls, 23 controls were renamed, and 35 controls stayed the same.
The new 11 controls are:
- Threat intelligence
- Information security for the use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
In order to make the controls easier to categorise, the new ISO 27001:2022 now has five different categories of “attributes”:
- Control type
- Operational capabilities
- Security domains
- Cybersecurity concepts
- Information security properties
We have implemented ISO 27001:2013 in our company and have received certification for it. How will the changes affect my business?
As previously mentioned, the small adjustments to ISO 27001:2013 mostly concern how controls are organized. As a result, they have a minimal impact on your documentation and not the technology itself.
With the newly updated ISO/IEC 27001 version published, we advise organizations to implement the following;
- Organizations need to tailor their risk management strategy to the new controls.
- Organizations need to update their Statement of Applicability.
- Organizations need to modify a few parts of their current policies and procedures.