ISO/IEC 27001 has advanced by leaps and bounds from the erstwhile era of BS17799 to the present standard. The stringency of the standard and the rigour of the certifying organisations make it hard for tech companies and related organisations to maintain compliance and run programmes that sufficiently minimise risk and raise the bar on security. On 02 Nov 2022, the British Standards Institution (BSI) officially launched the revised ISO/IEC 27001:2022, Information security management systems. The updated standard helps companies secure their information assets, which is crucial in today's world where the number and complexity of cyberattacks are rising.
ISO/IEC 27001:2022 Information security management systems is the flagship of the ISO/IEC 27000 family of standards, which was first published over 20 years ago. These standards have kept the industry and certified organisations in good health with respect to information security compliance. The standard also gives organisations a sound basis for mitigating the risks of breaches and cybercrime by implementing a robust information security management system (ISMS). Adopting it can help inspire trust in a business and provide opportunities to train staff, leading to a more productive way of working.
While the standard’s focus is identifying and managing information security risks, adopting its guidance offers much broader benefits to business than just protecting data. It can help organizations:
- Reduce the likelihood of a data breach, which could result in reputational damage or fines
- Build trust with existing clients and customers and appeal to new ones by boosting your reputation
- Improve efficiency and productivity across the entire organization
- Ensure business continuity in the event of an attempted cyber attack
- Reduce information security costs by assessing risks and employing a more selective approach
What are the key changes to ISO/IEC 27001 and why do they matter?
Triggered by the revision of ISO/IEC 27002:2022 Information security controls in February 2022, ISO/IEC 27001 has been revised to bring its guidance up to date with the current technological landscape. While there are no major technical changes in this latest version of the standard, the amendment introduces several key business benefits. These include:
- Reinforced resilience
- Change: The guidance of ISO/IEC 27001 continues to be under a process of constant evolution.
- Business benefit: The technology used by cybercriminals has come a long way in the five years since ISO/IEC 27001 was last updated. This latest iteration of the standard has the up-to-date consensus of industry experts to ensure that its guidance remains as effective as ever in keeping your information assets resilient against today’s risks. These frequent revisions ensure that it remains one of the most relevant risk management tools for fighting off the millions of attacks that occur globally each year.
- A catalyst for conformance
- Change: Some editorial changes have been made in ISO/IEC 27001 to fix text that is out of line with the latest version of the ISO/IEC Directives Part 1, 2022.
- Business benefit: This change ensures the conformance of ISO/IEC 27001 on a global level. For businesses, this means that using the ISO/IEC 27001 specification can help give your organization a reputation for digital trust – assuring your clients that your information security management system has been developed to the highest standards.
- Continuous control
- Change: The guidance in ISO/IEC 27001 has been realigned to the updated content in ISO/IEC 27002:2022 Information security controls, including a revision to Annex A.
- Business benefit: This change to the specifications in ISO/IEC 27001 ensures your ISMS is operating to up-to-date control management best practices. It gives you continuous protection of your assets by making your security controls relevant to the current technology landscape and threats, reducing the risk of a cyber breach occurring, and making your processes more robust.
- Effective implementation
- Change: There has been a reordering of clauses in ISO/IEC 27001 to ensure alignment with the harmonized structure for management system standards.
- Business benefit: This change ensures that ISO/IEC 27001:2022 continues to fit the high-level structure used in all management system standards (e.g. ISO 9001, ISO 14001, etc.). This has been put in place to help organizations that are implementing more than one management system standard at a time achieve effective adoption of these processes.
Current users of ISO/IEC 27001:2017 will need to conform with the newly published 2022 revision, as the previous version will be withdrawn after a short transition period.