The international standard ISO/IEC 27001 is a fundamental standard for information security. It defines requirements for establishing, implementing, and maintaining an information security management system (ISMS) and serves as the basis for certification.
An ISMS assists in maintaining the protection objectives, confidentiality, integrity, and availability of information and provides assurance to third-party organizations and customers that risks within information security are being adequately addressed through certification.
October 2022 saw the release of the latest edition of ISO/IEC 27001, following the update of ISO/IEC 27002 in April. The standard was published under the amended name “Information security, cybersecurity and privacy protection — Information security management systems — Requirements ” and includes some changes to bring the standard up to date with the current state of technology (ISO/IEC 27001:2022). Since the previous version was published in 2013, a revision was due to reflect today’s issues. In addition to adapting existing measures, new measures were also added to the standard.
What Is New About ISO/IEC 27001 and Why Was It Changed?
In the title of the new ISO/IEC 27001:2022 standard, the name change is immediately noticeable, as the term “data protection” was introduced. A transformation can be observed overall, whereby the area of data protection is increasingly included in the standard. Other changes in the main part of the new standard are primarily linguistic, combined with some clarifications. However, Annex A of ISO/IEC 27001 and, accordingly, ISO/IEC 27002 contain significant changes. ISO/IEC 27002 was first updated at the beginning of 2022, and serves as an aid to implementing the measures in Annex A of ISO/IEC 27001 in response to current events.
Despite 11 new measures in Annex A of ISO/IEC 27001, which bring new considerations into play, the total number has been reduced from 114 to 93. Also, instead of the previous 14 categories, there are now only the following 4: “People”, “Organizational”, “Technological” and “Physical”. This has also changed the arrangement of the measures. The following measures are new:
- Threat Intelligence: Gathering and analyzing threat information to gain insights.
- Use of cloud services: Procedures for acquiring, using, managing, and exiting cloud services should be defined (in line with the information security requirements of the organization)
- Business continuity: Plan, implement, maintain, and test ICT readiness based on business continuity objectives and ICT continuity plans.
- Physical security monitoring: Premises should be constantly monitored for unauthorized physical access.
- Configuration management: (Security) configurations of hardware, software, services, and networks should be defined, documented, implemented, monitored, and reviewed.
- Deletion of information: Information stored in information systems, devices, or other storage media should be deleted when no longer needed.
- Data masking: Data masking should be used in accordance with the organization’s subject-specific access control policies, other related policies and business requirements and in compliance with applicable legislation.
- Data Leakage Prevention: Data Leakage Prevention measures should be applied to systems, networks, and any other devices that process, store, or transmit sensitive information.
- Monitoring: Networks, systems, and applications should be monitored for abnormal behavior and appropriate measures taken to prevent potential information security incidents.
- Web filtering: Access to external websites should be managed to reduce exposure to malicious content.
- Secure Coding: Secure coding principles should be applied to software development.
Why Is This Standard So Important?
The main reason to choose ISO/IEC 27001 certification is to avoid security threats. Furthermore, meeting the standard’s requirements demonstrates that the information security issue is taken seriously in your company.
The specified guidelines also create a system that ensures all employees know their responsibility toward information security.
The relevance of the new edition of the standard for already certified companies lies in the fact that they must adapt their ISMS to the new standard within a specified period to maintain their certification. This primarily means that the 11 new measures must be checked for relevance and, if necessary, introduced. In addition, the references of already created documents, such as policies and the Statement of Applicability (SoA), and their content must be adapted to match the new structure of the standard.
What Does the ISO/IEC 27001 Update Mean for Organizations?
If you still need to get the ISO/IEC 27001 certification and are seeking it, it is best to implement an ISMS immediately, along with the new measures. As of October 2023, certification bodies will only perform initial certifications in accordance with the new standard.
For already certified companies, this means keeping an eye on the deadlines and dealing with the new measures as soon as possible. In concrete terms, this means adapting and updating them and drawing up a project plan for migration. Because implementing new measures and adapting references takes time, this should not be underestimated. The IAF (International Accreditation Forum), to which the Swiss Accreditation Service (SAS) is also subject, prescribes a transition period of 36 months. This means that already certified companies must have implemented the new standard by October 2025.
The update of the standard contains some adjustments to the wording but does not require an entirely new approach to the topic of information security. The all-encompassing approach, which the new standard aims to achieve, is also reflected in the motivation of Oneconsult AG; to approach information security holistically.
Are You Striving for ISO/ICE 27001 Certification and Could Use Support?
If you are certified according to ISO/IEC 27001:2013, you have already laid a good foundation for the new certification and will be able to implement it well if you follow the guidelines accordingly. There are still three years left before the new features need to be implemented. However, since the certification will expire unless they are implemented, the update should be planned early.
If you are not yet certified at this point in time, or are in the middle of the process, it makes sense to follow the new standard.
We are happy to support you in implementing the new ISO/IEC 27001 standard or necessary adaptations – regardless of whether you are already certified or not. Our specialists will be happy to advise you on the new ISO/IEC 27001:2022 standard. We look forward to hearing from you: