
ISO 27001: The New 2022 Version and Why It’s Essential to Every Business’ Cyber Security

ISO 27001 Background:

ISO 27001 is the international standard for information security. It sets out the specification for an effective ISMS (information security management system). ISO 27001's best-practice approach helps organisations manage their information security by addressing people, processes and technology. The focus of the standard is to protect and safeguard the confidentiality, availability and integrity of information.

ISO 27001:2022, the latest version of the standard, was published in October 2022.

ISO 27001:2022 – Why the Change?

Management system standards are reviewed periodically to ensure they remain relevant and up to date with business needs and challenges. For information security management systems, both the technology and the threats against it change rapidly, so the minimum controls needed for security and privacy also need to evolve to remain current.

The new version of ISO 27001 addresses duplication by merging several controls from the 2013 version of the standard, simplifying the process of implementing and maintaining an ISMS. By 31st October 2025 (3 years after publication of ISO 27001:2022), all organisations that are already certified must have completed the transition to the updated version of ISO 27001 and hold an updated ISO 27001:2022 certificate. From 31st October 2023 (12 months after publication of ISO 27001:2022), any new certificates issued must be to ISO 27001:2022.

More information on Centre for Assessment’s approach to transition can be found in the ISO 27001:2022 Transition Information Guide and FAQs.

Key Changes at a glance:

The key changes in the standard are within Annex A, which include:

  • The merging of 24 controls
  • The revision of 58 controls
  • The addition of 11 new controls

114 controls have now been reduced to 93 and organised into:

  • Organisational (37 controls, A5)
  • People (8 controls, A6)
  • Physical (14 controls, A7)
  • Technological (34 controls, A8)

Many of the controls in ISO 27001:2022 can be mapped to ISO 27001:2013 controls, but the following are seen as new controls that will require specific focus:

  • Threat intelligence – understanding attackers and their methods in the context of your IT landscape.
  • Information security for the use of cloud services – the full lifecycle of cloud initiatives, from introduction through operation to exit strategy, now needs to be considered comprehensively.
  • ICT readiness for business continuity – the requirements for the IT landscape should be derived from the overall business processes and the ability to recover operational capabilities.
  • Physical security monitoring – the use of alarm and monitoring systems to prevent unauthorised physical access has gained more emphasis.
  • Configuration management – hardening and secure configuration of IT systems.
  • Information deletion – compliance with external requirements, such as data protection deletion concepts, needs to be implemented.
  • Data masking – using techniques that mask data, such as anonymisation and pseudonymisation, to bolster your data protection.
  • Data leakage prevention – taking steps to help prevent sensitive data from being leaked.
  • Monitoring activities – monitoring network security and application behaviour to detect any network anomalies.
  • Web filtering – a focus on preventing users from viewing specific URLs containing malicious code.
  • Secure coding – the use of tools, commenting, tracking changes, and avoiding insecure programming methods to ensure secure coding.
ISO 27001:2022 - Why It’s Essential to Every Business’ Cyber Security:

Cybercrime is highly professionalised and continues to advance, exploiting vulnerabilities on a large scale and posing immense challenges to businesses, governments and individuals alike. Implementing an ISMS and having it certified to ISO 27001:2022 ensures that you have the tools in place to strengthen your organisation across the three pillars of cyber security: people, processes and technology.

Information security in the context of ISO 27001 relates to producing a framework that enables the continued confidentiality, integrity and availability of information, as well as legal compliance.

Implementing an effective information security management system helps to manage and mitigate potential security threats, including:

  • Cyber crime
  • Personal data breaches
  • Vandalism / terrorism
  • Fire / damage
  • Misuse
  • Theft
  • Viral attack

ISO 27001 helps you to avoid the financial costs associated with data breaches. The cost of a data breach can be substantial, from both a financial and a reputational perspective. The standard also helps you to identify and manage compliance obligations, as organisations are required to assess current processes and identify gaps in their ability to meet regulatory standards. Part of the ethos of ISO 27001 is that it strives to keep its users ahead of the latest changes in technology. In the ever-evolving world of cyber security, this is a weight off your shoulders, as you are reassured that, with the help of ISO 27001, you will always be able to meet new requirements and obligations.

Another major benefit of becoming ISO 27001 certified is the benefit to your reputation. This standard is internationally recognised, conveying to the business world that you are a credible and trustworthy organisation. Certification to ISO 27001 can also help to attract new clients and retain existing business by sending a clear message to stakeholders that you are committed to safeguarding the confidentiality, integrity and availability of information held and processed within your organisation, thus enabling you to meet the requirements and expectations of your customers from an information security perspective. It will improve customer confidence by demonstrating your commitment to cyber security and compliance with legal requirements. It will also help you win new business by keeping you ahead of organisations that are not certified, opening you up to new industries and contacts.

ISO 27001 is designed to help organisations identify what security measures they should have in place, so they can focus on making their organisations better, not just more secure. It helps to improve structure and focus and to address security flaws, making it easier to evaluate current processes and strategies and, in turn, to improve them. Through implementation, you will understand your own security landscape and the most up-to-date defence mechanisms. The certification process will also help you create documentation and a framework that can be used as a guide and updated for years to come.
