ISO 27001 – The situation explained
ISO 27001 is a widely recognised standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It sets out requirements for assessing and treating information security risks, and is supplemented by Annex A, which lists the control objectives and controls an organisation is expected to consider in its risk treatment.
The current version of ISO 27001 was published in 2013. Since then, both the technology and the methodology of information security risk management have developed and accelerated significantly, and the revision of ISO 27001:2013, scheduled for late 2022, seeks to address these developments.
Implementation guidance for the Annex A controls is provided by ISO 27002 (Information Security Controls), which was updated in February 2022. It is widely expected that the planned revision of ISO 27001 Annex A will align with, and reflect the changes made in, ISO 27002:2022.
ISO 27002:2022
Key takeaways from the revised ISO 27002:2022 (Information Security Controls) include:
- Recognition of changes in the threat landscape, in particular the shift to cloud infrastructure, with new controls covering areas such as threat intelligence, the use of cloud services, data masking and data leakage prevention
- Consolidation of 57 of the 2013 controls into 24 merged controls where the measures overlapped or complemented each other
- 11 new controls and 58 updated controls, bringing the total to 93 controls organised under four themes (organisational, people, physical and technological) in place of the 14 domains of the 2013 edition
- An annex mapping the controls of the 2013 edition to the 2022 edition, so that an existing Statement of Applicability can be traced to the new structure
Proactive organisations should update their existing ISMSs to align with the revised ISO 27002 standard now. Doing so will stand them in good stead for meeting the requirements of the revised ISO 27001 and for maintaining compliance with it once it is published.
Although there will be a transition period for implementation (possibly running to late 2024), information security managers and their organisations will benefit from starting early: identifying gaps against the new controls, updating the risk assessment and Statement of Applicability, and undertaking any necessary remedial actions before the transition deadline approaches. Starting early also allows a wider choice of implementation partners where these are required. Customers, partners, and suppliers will value the assurance that comes from dealing with an organisation that takes its information security obligations seriously.