What Does the ISO 27001 Update Mean for Your Business?
If you’re reading this right now, then you are likely aware of the recent ISO update and are looking for resources to help ease you into the changes. We’re here to help.
Intelligent Technical Solutions (ITS) adheres to the highest security standards, and we want our clients to be as well. Therefore, we help them through compliance by making sure their network security is up-to-date and guiding them throughout the certification process. Here’s what you’ll learn in this article:
- What is ISO 27001?
- Why is ISO 27001 being updated?
- How can ISO 27001:2022 benefit your business?
- How to prepare for ISO 27001:2022 certification
After reading, you’ll know what you need to do and prepare for your ISO certification.
What is ISO 27001?
ISO 27001 is an information security standard created by the International Organization for Standardization (ISO), which provides businesses and other organizations with a framework and guidelines for establishing, implementing, operating, and improving an information security management system (ISMS).
In particular, ISO 27001 includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. As with other regulatory standards, the goal of ISO 27001 is to help organizations protect their critical information assets and comply with applicable requirements.
Originally, ISO 27001 served only as a recommended set of guidelines for businesses to protect their data, and conformance was voluntary. But the recent update has gradually pushed most businesses toward compliance. Ed Griffin, one of our partners here at ITS, said,
“Not all businesses need to comply with the new version immediately. But they have to start preparing since many organizations are likely still in flight on their previous ISO certifications and are too far along to course correct to the new version.”
Why is ISO 27001 being updated?
Technology has evolved profoundly since the last ISO update nine years ago, and the risks to cybersecurity have grown significantly along with it.
Therefore, the old version of ISO 27001 has been revised to reflect the current state of cybersecurity and information technology, giving birth to the new ISO 27001:2022.
So, what changed?
There aren’t many significant changes in the mandatory clauses of ISO 27001:2022, which focus mainly on documentation and management. There is, however, a major revision and restructuring of its companion document, ISO 27002, whose controls are listed in Annex A.
The previous 114 security controls have been reduced to 93, by merging several existing controls and adding 11 new ones. Most of the new controls are geared towards bringing the standard in line with modern technology, such as cloud services.
Further changes are seen in the grouping of the controls, from fourteen sections down to only four, in an attempt to make the standard more concise.
The new Sections and Controls of ISO 27002:2022 are:
- Section 5: Organizational (37 controls)
- Section 6: People (8 controls)
- Section 7: Physical (14 controls)
- Section 8: Technology (34 controls)
35 controls remained unchanged, 23 controls were renamed, 57 existing controls were merged to form 24 controls, and the following 11 new controls were added:
- 5.7 Threat intelligence
- 5.23 Information security for the use of cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
From the outset, implementing the updated ISO 27001:2022 can improve your business’s cybersecurity practices. But that’s not all. Complying with the standard may also bring the following benefits:
1. Improve the reputation of your organization
When you put effort into strengthening your cybersecurity by adhering to the ISO 27001:2022 certification, it will reflect on your brand and gain the trust of existing and potential clients. In time, customers will recognize you as an organization that takes IT security seriously.
2. Gain a competitive edge
Since ISO 27001:2022 compliance is becoming mandatory for most businesses, you will benefit greatly from taking the initiative early to avoid missing out commercially. This will also ensure that you stay a step ahead of your competitors.
3. Lessen downtime and remediation costs
Attacks on your network mean business disruption and downtime, which almost always prove costly for an organization. Therefore, you cannot afford to be complacent about your security measures. Complying with ISO 27001:2022 can help with cybersecurity efforts, since it requires you to take the correct steps preemptively, saving money in the long run.
4. Raise security awareness
Often, an organization’s weakest point is its employees. No matter how sophisticated your IT infrastructure is, one compromised user credential can lead to a data breach. But if users were more aware of the nature of the threats they face and how to respond to them, they could lessen the risks and do their part to protect the network. ISO 27001:2022 offers clear and logical steps to educate users on cyber risks.
How to prepare for ISO 27001:2022 certification
Since ISO 27001:2022 certification is well on its way to becoming a requirement for most businesses, it helps to start preparing for it as soon as possible if you want your business certified.
Using the steps below, your organization can ensure that it is properly prepared for the certification:
Step 1. Build an ISO 27001:2022-compliant ISMS.
Step 2. Identify risks, and develop risk treatment strategies.
Step 3. Implement ISO 27001:2022-compliant processes and controls.
Step 4. Have an ISO-accredited certification body assess compliance.
Step 5. Monitor your ISO 27001:2022 compliance regularly.
Following the updated standard can significantly reduce the risk of data breaches and other security incidents, protect critical information assets, and help you comply with applicable legal and regulatory requirements.
Ready to comply with ISO 27001:2022 certification?
The updated ISO 27001:2022 was presented to the public in October 2022, but there’s no need to panic if you haven’t started your preparation yet. Griffin stated that businesses that are already ISO-certified based on the 2013 version have until early 2024 before regulatory bodies will be ready to offer the new certification. Since it will be a lengthy process on both ends, there will likely be a two-year transition period after the new standard’s publication before the old version is fully retired.
But for organizations that have not yet begun their ISO 27001 certification journey, Griffin recommended targeting the newest 27001:2022 standard to make the process more relevant and efficient. By 2025, all ISO 27001 certifications must be based on the latest ISO 27001:2022 baseline.
Needless to say, you still have ample time to prepare if you start now.
As a Managed Security Service Provider (MSSP), ITS has the tools and expertise to assess your environment and create a security roadmap that supports your certification requirements. In addition, ITS helps monitor the process, resolves issues, and provides detailed reporting so you are kept in the loop on progress. Learn how we can help with your compliance, or schedule a free network assessment today.