Information security benchmark ISO 27001 – what has changed?

What is ISO 27001?

ISO 27001 is an internationally recognised benchmark for information security. It provides a comprehensive framework for managing information security across your whole organisation (or group of organisations) as opposed to exclusively focusing on IT security. With cyber insurance premiums soaring, certifying to ISO 27001 demonstrates to insurers you have appropriate safeguards in place to reduce the risk of a data breach.

Why has it been updated?

A lot has changed in the world of information security over the last decade and the 2013 iteration was in danger of falling behind the times. The latest revision (ISO/IEC 27001:2022) pulls the standard into the modern era with increased focus on the security challenges of today. To reflect this, the standard has been updated to now include cyber security. This shows a shift in focus to align to the pressures of today’s technologically advanced world. It’s ensuring the standard continues to remain relevant, but also an attempt to future proof it.

What has changed in the standard?

There are a total of 114 controls in the 2013 version and this has now been reduced to 93. The reduction of these controls does not mean there are less requirements, on the contrary 57 have been merged and there has been an introduction of 11 brand new controls.

The wording and structure of the controls have been revised to make the standard more accessible to management and the ‘non-technical’ person. This has been achieved by simplifying the technical language and grouping the controls into four easier to understand sub-sections: organisational, people, physical and technological. Previously, the standard had 14 sub-domains which were designed IT professionals in mind.

The standard has now been updated to include cloud computing. You are now required to implement a robust due diligence process for the acquisition, use, management of, and exit from cloud services. Vendor due diligence is increasingly important with increased supply chain security attacks in the last 12-18 months. Implementing this process can be a big step if your organisation is trying to achieve ISO 27001 certification for the first time, or if you don’t currently have a formal process in place.

Seven of the new controls relate to additional technical requirements. An example is a new requirement to ensure you adhere to secure coding principles within your software development process, or another to implement a proactive approach to monitoring your network and devices for security threats. These controls can be challenging, particularly if you don’t have the required IT knowledge in house to implement them.

Have any of the clauses changed?

There are minor editorial changes to clauses 4-10 of the standard. The changes include the requirement to formally track the progress of your organisation’s security objectives and to ensure any changes to your information security management system (ISMS) are clearly planned.

You will now start to define the security needs of your interested parties making sure their requirements are met within your ISMS. An interested party can be anyone from an individual, organisation or stakeholder who is affected by your ability to prevent a data breach. This is of particular importance if you are storing or processing data on behalf of others. This is inextricably linked to GDPR. Understanding whether you are a data controller or processor will help with this process.

Have ISO 27002 and 27017 been updated?

ISO 27002:2022, which provides detail on the implementation of the controls in ISO 27001, has been updated to reflect the changes to the 27001:2022 standard.

ISO 27017:2015 is an extension to 27001 which provides additional security controls and guidance for cloud computing. It is a security standard, primarily designed for cloud service providers and covers topics such as asset ownership, data storage and recovery plans if the provider is dissolved. ISO 27017 certification cannot be achieved independently; you must first implement an effective ISMS and certify to 27001. ISO 27017 is currently under review.

How we can help

Our qualified lead auditors can provide you with varying levels of support to help you prepare for an upcoming certification, or surveillance audit. The standard doesn’t provide a lot of information on how to implement a control effectively. This can make it difficult for organisations to identify areas of non-compliance. We can conduct a detailed gap analysis, which will map your current security controls to the requirements of the standard, providing a set of recommendations on how to achieve compliance.

We can conduct any of your internal audits. This will provide you with a detailed set of recommendations to drive the continuous improvement of your ISMS. If you aspire to achieve ISO 27001 certification but are not yet ready to implement a comprehensive ISMS, obtaining the IASME Cyber Assurance (CA) certification can serve as an excellent steppingstone. As a CA certification body we can support you throughout this process, no matter the size of your organisation or the number of incremental steps you take towards these certifications.