ISO Updates Standard 27001
On October 25, 2022, the International Organization for Standards (ISO) announced revisions to its ISO/IEC 27001 standard, which aims to protect the integrity and confidentiality of an organization’s data through an information security management system (ISMS).
Because ISO is the global standards-setting body and one whose certifications matter to many businesses, it is important to stay on top of what has changed and how it may affect you moving forward.
Let’s dive in.
The ISO is a worldwide federation of national standard-setting bodies. It covers a wide range of practices, for example environmental management or occupational safety. Importantly, it also contains provisions related to IT and cybersecurity.
Relevant to today’s news, ISO 27001 details the requirements for an ISMS. It contains a set of clauses, 4-10, that establish the management system, and an Annex A that defines controls.
A version of ISO 27001 has existed since the early ‘90s. It has undergone several revisions over the years, most recently in 2019.
This year’s change represents another step by the organization to remain current in the face of evolving cybersecurity threats.
ISO 27001 is not significantly changed, but there are a few notable modifications:
- Updated Control Set – the standard’s controls (referred to as “Annex A”) were reconfigured to match the “themes” of standard 27001. These include “Organizational,” “Physical,” “People,” and “Technological.” The purpose is to simplify controls and group them by responsibility.
- Scope – businesses must now identify “relevant” requirements of interested parties and the ISMS must explicitly include the “processes needed and their interactions.” This makes the standard broader than the previous iteration.
- Planning – businesses must monitor information security objectives and make them “available as documented information.”
- Retitling – the standard is now ISO 27001:2022. Previously, it was ISO 27001:2013 (although revised in 2019, the title did not change at that time).
- Operation – the requirement for planning to achieve InfoSec objectives has been replaced with a requirement to establish criteria for implementing Clause 6 (the clause covering actions organizations must take to address risks).
- Evaluation – methods of measuring ISMS effectiveness must be comparable and reproducible.
How It Affects You
In the wake of notable updates, it is important to take stock and evaluate how this may impact your business.
While there may be many areas affected, VENZA would like to highlight a few:
- Changes in ISO 27001:2022 do not immediately affect the status of businesses that hold a current ISO 27001 certificate. Those currently certified to ISO 27001:2013 will have three years to transition to the updated standard. Written transition materials are already available for those looking to get an early start on this process.
- Businesses should closely review their current ISMS to ensure their controls align with the updated set in ISO 27001:2022’s Annex A. Businesses must have controls of each type (preventive, detective, and corrective) in place. The advice of an expert consultant, such as VENZA’s Security Team, can assist in your evaluation.
- The “themed” approach of ISO 27001:2022 matches a principle that has long been taught by VENZA—that information security requires both a technological and a human-based solution. It is equally important that you invest in quality IT tools, like those offered by CyberTek MSSP, and harden your human firewall through VENZA’s security awareness training. These measures work together to collectively reinforce your security.
Feeling overwhelmed? Don’t be. VENZA and CyberTek are here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success team.
Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
Take VENZA’s free Phishing Test to assess gaps in your human firewall today!
Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.