A new and improved version of ISO/IEC 27001 to enforce digital trust
You may have heard of the international standard ISO/IEC 27001, but what is it? And more importantly, what does it mean for your business?
ISO/IEC 27001 is an information security management system (ISMS) standard that was first released in 2005. It provides a framework for organizations to manage and protect their digital assets. The standard was revised in 2013 and again in 2022; the most recent edition was published in October 2022.
The new version, ISO/IEC 27001:2022, is intended to help organizations respond to the ever-growing threat of cybersecurity and privacy incidents. It includes new requirements for risk management, incident response, data protection, and more.
If you’re looking to improve your organization’s information security posture, ISO/IEC 27001:2022 is a good standard to consider.
Why is ISO/IEC 27001 important?
An ISMS is a set of policies and procedures that helps an organization protect its sensitive data from unauthorized access, use, disclosure, or destruction by identifying and mitigating risks. For the more curious readers, we have published a white paper on cyber governance!
You may be wondering why this is important. Well, consider the fact that we now live in a digital world where almost everything we do is online. We bank online, we shop online, we socialize online. We even vote online. And as more and more of our lives move online, the need for robust information security becomes more and more critical.
That’s where ISO/IEC 27001 comes in. By implementing an ISMS based on this standard, organizations can protect their data from cyberattacks and data breaches, which can have devastating consequences for both individuals and businesses.
What has changed in the new version, ISO/IEC 27001:2022?
So what’s new in ISO/IEC 27001:2022?
Well, for starters, the title has changed to reflect the fact that information security, cybersecurity and privacy protection are all vitally important in today’s digital world. The standard has also been updated to reflect the latest technologies and threats.
Summary of the main ISO/IEC 27001 changes:
1 new clause
- ISO 27001:2022 Clause 6.3 Planning Of Changes:
“When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.”
5 new sub-clauses
- ISO/IEC 27001:2022 Clause 9.2.1 General:
“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization’s own requirements for its information security management system; 2) the requirements of this document; b) is effectively implemented and maintained.”
- ISO/IEC 27001:2022 Clause 9.2.2 Internal audit programme:
“The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: a) define the audit criteria and scope for each audit; b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process; c) ensure that the results of the audits are reported to relevant management;
- ISO/IEC 27001:2022 Clause 9.3.1 General,
- ISO/IEC 27001:2022 Clause 9.3.2 Management review inputs,
- ISO/IEC 27001:2022 Clause 9.3.3 Management review results
→ Instead of a single clause, the management review elements have been divided into 3 sub-clauses for enhanced clarity.
2 clauses have been swapped
- ISO/IEC 27001:2022 Clause 10.1 Continual improvement
- ISO/IEC 27001:2022 Clause 10.2 Nonconformity and corrective action
→ The content of the clauses remains the same, but their numbering has been swapped: 10.1 has become 10.2 and vice versa.
The biggest change is to ISO/IEC 27001:2022 Annex A (normative), Information security controls reference, which now follows the new ISO/IEC 27002:2022.
What Are the Benefits of Implementing ISO/IEC 27001:2022?
So, what are the benefits of implementing ISO/IEC 27001:2022?
Well, more than a compliance exercise, it can help you build trust with your customers and stakeholders. By proving that you have a robust information security management system in place, you’re telling them that their data is safe with you.
It can also help you stay ahead of the curve when it comes to cybersecurity and privacy protection. With ever-evolving threats, it’s crucial that your organization has a framework in place that can adapt to these changes.
ISO/IEC 27001:2022 is also one of the best ways to become compliant with the General Data Protection Regulation (GDPR) and the new Federal Act on Data Protection (nFADP) in Switzerland. So if your organization is looking to become GDPR-compliant, then this is the framework for you!
How Can Organizations Get Started With Implementing ISO/IEC 27001:2022?
The best way to get started with ISO/IEC 27001:2022 is to partner with an experienced and qualified consultant. They can help you every step of the way, from developing a comprehensive security policy to implementing the required technical controls.
But don’t take our word for it. You can buy the standard yourself and read it. Here are some tips from the International Organization for Standardization (ISO) on how to get started:
- Establish a team or steering group to oversee and manage the project.
- Identify the business’s information security needs.
- Draw up an action plan and timeline.
- Assess your current security posture.
- Implement the new security controls and measures.
- Review and test the effectiveness of your security measures.
- Maintain your ISO/IEC 27001:2022 certification.
The new ISO/IEC 27001:2022 is a revamped version of the original standard that takes into account the latest advances in technology and security threats. It’s just an evolution with very few changes. It is important to note that the standard is not just for large companies – any business can benefit from using it.
We provide an easy-to-implement ISO/IEC 27001 cockpit that will allow you to continuously monitor and optimize your cyber risk management. This dedicated cockpit will help you achieve greater performance and meet certification objectives. Contact us to learn more about how we can help you get started!