By Alan Calder, Founder and Chief Executive Officer, GRC International Group and IT Governance
The International Organization for Standardization (ISO) is releasing a new version of ISO 27001, which is expected to be launched in September.
The first iteration of the Standard was released in 2005 to provide organisations with an international standard for information security. ISO 27001 has a review cycle of five to seven years, but it has been nine years since the last iteration in 2013.
The Standard takes a risk-based approach to information security, requiring organisations to identify information security risks and select appropriate controls to tackle them. The latest changes bring subtle updates to the framework to allow organisations to effectively implement the Standard and identify controls to prevent emerging threats.
What’s new in ISO 27001:2022?
In the grand scheme of things, there is little new in ISO 27001:2022. The majority of changes apply to the control selection, which better reflects modern threats and information environments. This is reflected in ISO 27002:2022 – the companion standard to ISO 27001 – which was released in February.
What we do know of changes to ISO 27001 is that they are subtle and should present little difficulty to organisations with an existing information security management system (ISMS) built to ISO 27001 specifications.
How can businesses comply with the 2022 version?
Once the 2022 version is published, organisations certified to ISO 27001 will have a two-year period to transition to the new version. This means that organisations won’t have to comply with ISO 27001:2022 until 2024.
For organisations that already have good information security processes in place, achieving certification can be fairly straightforward – it is simply a matter of conducting a gap analysis against the new version of the Standard and potentially implementing new controls and measures to close any gaps found.
For organisations implementing ISO 27001 for the first time, it will require a fundamental shift in approach: a willingness from the board and senior management to not only build the right framework but also get new processes embedded in the business, and improve people’s awareness and understanding of good information security behaviour.
How can ISO 27001 benefit businesses?
The world is changing – and the ability to demonstrate a high level of information security is directly related to an organisation’s reputation, trust, and ability to offer secure products and services. This ability is threatened by cyber criminals, increasingly dispersed workforces and growing regulatory burdens.
Avoiding regulatory fines is just one small aspect of business risk; it is accompanied by risks to an organisation’s fundamental need to sell products and services. The ability to attract customers and safeguard information throughout a supply chain will increasingly depend upon robust and – critically – certified security postures. ISO 27001 is a baseline for information security that enables your business to demonstrate its cyber security commitment to customers and business partners alike.