ISO 27001: Beware the threat landscape in information security

It is rightly asserted that standards, certification, testing, inspection and accreditation help businesses to reduce costs, increase productivity and access new markets.

The latest ISO survey containing the number of valid certificates worldwide shows quality, environmental, health and safety, and information security are the most popular. In London, ISO 27001 Information security, cybersecurity and privacy protection – ‘Information security management systems – Requirements’ has the most growth among certificates.

ISO/IEC 27001 is the standard for information security management systems (ISMS) and their requirements. Additional best practices in data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family.

The World Economic Forum’s Global Cybersecurity Outlook report indicates that cyber-attacks increased 125% globally in 2021, with evidence suggesting a continued uptick through 2022. In this fast-changing landscape, leaders must take a strategic approach to cyber risks.

ISO/IEC 27001: what’s new in IT security

ISO 27001:2022, was released in Q4 last year, the first update to the standard since 2017. The previous standard contained 14 security control clauses, collectively containing 35 main security categories and 114 controls.

Key changes in the latest revision come in Annex A, reflecting the changes made in ISO/IEC 27002:2022. These changes are as follows:

• The structure has been consolidated into four key areas – organisational, people, physical and technological.
• Controls listed have decreased from 114 to 93. Some are new, merged, removed or updated.
• The concept of attributes has been introduced (this allows controls to be seen from different perspectives).

Implementing an ISMS

Information security is achieved by applying the following ISMS principles and benchmarking against a set of control objectives and controls. The source is ISO 27000.

• Awareness of the need for information security.
• Assignment of responsibility for information security.
• Incorporating management commitment and the interests of stakeholders.
• Enhancing societal values.
• Risk assessments determining appropriate controls to reach acceptable levels of risk.
• Security incorporated as an essential element of information networks and systems.
• Active prevention and detection of information security incidents.
• Ensuring a comprehensive approach to information security management.
• Continual reassessment of information security and modifications as appropriate.

"Information security is achieved through the implementation of an applicable set of controls."

Gary Ruffhead CQP MCQI, Director and Principal Lead Auditor at Lead Auditor-as-a-Service

Using controls

Information security is achieved through the implementation of an applicable set of controls. These controls are selected through the risk management process, and it is expected that controls are seamlessly integrated within business processes.

Examples of primary threats that need to be risk assessed, and which potentially require risk treatment plans, include: ransomware, malware, cryptojacking, threats against data, threats against availability and integrity, disinformation, misinformation, and non-malicious threats.

We know that information is subject to threats and, therefore, vulnerabilities. It can also be considered as an asset that has a value, which requires protection against loss of availability, confidentiality and integrity.

The following three concepts should be used together: the plan-do-check-act method; the process approach; and risk-based thinking to achieve best-practice implementation.

Guidance and interpretation of the above are well documented and will assist in future-proofing the design of your management system.

Summary of changes to ISO 27001  

In summary, the key changes to ISO 27001 include continued harmonisation with other management systems standards, such as ISO 9001, ISO 14001 and ISO 45001.

The main change is with Annex A controls (also known as ISO 27002), which was released in Q1 2022, but there are no significant changes to the bibliography other than ISO 27002.

It is worth noting that it will take certification bodies several months to be accredited by UKAS and they need to confirm their approach to transition. The costs of the standards can vary as well, so it is worth taking advice on selection and use.