ISO 27001: The international standard for information security


Harvina Bains

Security Blogger

19th July 2023

What is ISO 27001?

ISO 27001 is an international standard to help businesses manage information security. It’s a framework of best practice guidelines for establishing, implementing and maintaining an information security management system (ISMS). This includes policies, procedures and other controls that work across all touchpoints of an organization’s data, such as people, processes and technology.

There are three principles of ISO 27001:

  • Confidentiality: Only authorised people can access information that is held by an organization.
  • Integrity: Information has to be accurate, complete, and unaltered throughout its lifecycle.
  • Availability: Authorised users have timely and uninterrupted access to information when they need it.

These principles set out a systematic approach to help businesses manage sensitive information such as financial data, intellectual property, employee details, and customer information.

The key objectives of ISO 27001 are to identify and assess information security risks, implement a set of controls to mitigate those risks, establish a management framework for information security, and continually monitor and improve the effectiveness of the information security management system.

Why is ISO 27001 important?

ISO 27001 is a vital standard for organizations seeking to safeguard their information assets and maintain a robust security posture. The standard promotes a holistic approach to identifying, assessing, and managing information security risks.

ISO 27001 encourages organizations to proactively identify and address weaknesses, which helps safeguard against security breaches, data breaches, and cyber threats. The standard also focuses on continuous improvement and risk mitigation, which has a positive impact on operational efficiency and resilience.

When organizations demonstrate compliance with the ISO 27001 standard, they can instil confidence in their stakeholders and prove their commitment to information security. This all helps in building a competitive advantage and a positive business reputation.

ISO 27001:2022 – important changes

ISO 27001 was first launched in 2005 and underwent a major update in 2013. Since then, new technologies have changed the business landscape and resulted in new security challenges. The latest revision to ISO 27001, called ISO 27001:2022, was released in October 2022 and more accurately reflects the state of cyber security today, with a view to improving and managing an organization's resilience to modern cyber threats and vulnerabilities.

The standard is currently going through a transition period, the phase in which organizations move from the previous version, ISO 27001:2013, to the latest revision, ISO 27001:2022. Organizations have been given three years to make these changes, and they will need to be implemented by 2025.

Here’s what you need to know:

  • The number of controls has been reduced from 114 to 93
  • The 93 controls have been restructured into 4 sections
  • 11 new controls have been added to Annex A
  • Clauses 4 to 10 have undergone several minor updates

Clauses 4 to 10 are mandatory requirements that must be satisfied by your ISMS before it can be ISO/IEC 27001:2022 certified. These clauses are as follows:

ISO 27001 Clauses 4-10

Clause | Requirement
4: Context of the organization | Identify the internal and external issues that may impact the ISMS, as well as interested parties and their requirements
5: Leadership | Emphasise the commitment and involvement of top management in establishing and maintaining the ISMS
6: Planning | Address risk assessment, risk treatment, and the development of an information security policy
7: Support | Define and document resource management, competency, awareness, communication and other supportive processes
8: Operation | Focus on the implementation and operation of the ISMS, including risk assessment and treatment, security controls and incident management
9: Performance evaluation | Describe the monitoring, measurement, analysis, and evaluation of the ISMS through internal audits and management review
10: Improvement | Provide guidance on nonconformities, corrective actions, and continual improvement of the ISMS

Restructuring of controls

You also need to be familiar with Annex A, which now defines a set of 93 controls that your organization can implement to meet those requirements.

Annex A has undergone the biggest change during the update to the newest version of ISO 27001. The controls have been restructured and consolidated to reflect the current cyber security challenges and modern risks businesses face today.

The 93 controls now sit in 4 sections instead of the previous 14. The new categories are:

  • People (8 controls)
  • Organisational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

The main reason for reducing the controls and categorising them into four groups is to make it easier to understand and implement an effective ISMS. Separating the controls can make it easier for implementation teams to determine who in the organization is responsible for each category.

The 11 new controls that sit within Annex A are:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Who needs ISO 27001?

The requirement for ISO 27001 certification is determined by a number of factors, including:

  • Industry and sector: Industries such as finance, healthcare, and government have strict regulatory requirements for data protection and security. The ISO 27001 certification may be necessary to demonstrate compliance with these regulations.
  • Risk profile: Organizations that handle sensitive information, such as personally identifiable information (PII), financial data, or intellectual property, may choose to implement ISO 27001 as a proactive measure to manage and mitigate information security risks.
  • Customer requirements: In some cases, businesses may be required by their clients or partners to have the ISO 27001 certification as a condition for collaboration or to ensure the secure handling of shared information.
  • Business objectives: Organizations that have prioritised information security as a strategic objective may opt for the ISO 27001 certification to establish a robust security management system and gain a competitive edge in the market.

If you are considering the ISO 27001 certification, it is critical that you assess your organization's specific needs, risks, and regulatory requirements to understand the benefits. It would be beneficial to consult with information security professionals to make an informed decision about whether ISO 27001 is the appropriate framework for your business.

It's also worth noting that, while ISO 27001 provides a comprehensive framework, you can implement controls based on your specific needs and risk tolerance. The standard emphasises a risk-based approach, allowing your company to tailor your information security management system to your specific needs.

What value does ISO 27001 bring?

Adopting and implementing ISO 27001 can bring several benefits to your organization.

Here are some of the key benefits:

  • Increased customer trust and confidence: ISO 27001 allows you to demonstrate to customers that your organization is taking security seriously. It showcases your robust security measures and your commitment to safeguarding sensitive data.
  • Gain new business: Due to the nature of the threat landscape, more companies are requiring ISO 27001 certification as a minimum for their suppliers and partners as part of their due diligence checks. This means you could risk losing out on certain contracts if you do not have the certification.
  • Improved incident response and recovery: ISO 27001 requires organizations to establish incident management processes and procedures. This enables you to respond effectively to security incidents, minimise their impact, and facilitate the recovery process. By having a well-defined incident response plan, your organization can reduce downtime and mitigate the financial and reputational damage caused by security breaches.
  • Improved efficiency through enhanced systems and processes: The standard helps establish a framework which leads to a more structured approach to managing information. It defines clear roles and responsibilities which reduces ambiguity and it promotes effective communication about information security risks and controls throughout the business.
  • Reduce cyber insurance costs: ISO 27001 demonstrates to insurers that you have implemented effective cyber security measures, which can contribute to favourable premiums. It’s important to note that each insurance provider has its own risk assessment criteria, so it would be advisable to consult with your insurer to understand how ISO 27001 may influence your premium.
  • Adopt more targeted, risk-based spending on cyber security: ISO 27001 requires your organization to understand its specific risks in depth, which clarifies where resources should be allocated and in what order of priority. By identifying critical assets, vulnerabilities, and threats, you can make more informed decisions about your cyber security spending.
  • Support compliance: ISO 27001 provides a solid foundation for your organization to meet the requirements defined by regulations such as GDPR and PCI DSS.

How can Defense.com™ help?

Defense.com helps you address multiple ISO 27001 requirements from a single platform, helping you effectively maintain your ISMS.

Here are just some of the features we offer to help you achieve your controls:

  • 5.7 Threat intelligence
  • 6.3 Information security awareness and training
  • 8.1 User endpoint devices
  • 8.7 Protection against malware
  • 8.8 Management of technical vulnerabilities
  • 8.15 Logging
  • 8.16 Monitoring activities

For more information about how Defense.com™ can help you stay compliant, contact us.

In Summary

ISO 27001 is an essential standard for organizations looking to protect their information assets and establish a robust security management system. With the updated ISO 27001:2022 version, your organization can effectively manage the evolving cyber threats and vulnerabilities of today’s business landscape.

By adopting the framework, your organization can enhance its security posture and build a reputation as a trusted and secure partner. ISO 27001 is a valuable investment that will help your business thrive in the face of evolving cyber threats and maintain a competitive edge in the market.

Start securing your business today

Get in touch today to start your free trial of Defense.com™ and discover how we can help you take the stress out of your cyber security.
