ISO/IEC 27001 – the old and the new

When it comes to improving cybersecurity and data protection, it is often difficult to know where to start. But the answer can be found in the same place – the international standard for Information Security Management Systems, ISO/IEC 27001:2013 Information Security Management. 

What is ISO/IEC 27001:2013? 

In simple terms, you can think of ISO/IEC 27001:2013 as a road map to improving your organisation’s security and data protection practices so that your organisation can demonstrate its commitment to customers, thereby elevating you above your competition. 

We are increasingly living in an ‘always on’ society. Individually and collectively, we spend most of our lives online, creating and sharing data and information about ourselves. It’s difficult to imagine a single business or operation that does not rely on technology to conduct its business. 

Rather than focusing on ISO/IEC 27001 as an end goal, it is better to focus on the journey towards stronger cybersecurity and data protection, using ISO/IEC 27001 as the roadmap.

As this stampede to move online continues, the number of data breaches and cybersecurity incidents will continue to rise. And with this online world, one key question is becoming the most important of all: “who can we trust?” 

ISO/IEC 27001:2013 demonstrates that an organisation is trustworthy and can provide confidence to the board, investors, and the teams, underlining that the operation cares about protecting investment in its business. 

What does ISO/IEC 27001:2013 cover? 

There are two parts to this standard. The first is the management system itself and this covers seven separate areas: 

• context of the organisation 
• leadership 
• planning 
• support 
• operation 
• performance evaluation 
• improvement.  

The management system provides a framework for understanding your organisation, the leadership in place, risks to you and your customers, and, importantly, evaluating performance. 

The second part of the standard is contained within an annex of controls, often referred to as Annex A. These controls outline specific requirements that must be considered carefully and which will require the appropriate controls to be applied against them. These Annex A controls are: 

• information security policies 
• organisation of information security 
• human resource security 
• asset management 
• access control 
• cryptography 
• physical and environmental security 
• operations security 
• communications security 
• system acquisitions 
• supplier relationships 
• information security incident management 
• information security aspects of business continuity 
• compliance. 

If it is not clear how to implement the controls set out in ISO/IEC 27001:2013, ISO/IEC 27002:2022 provides guidance on what can be put in place. The fundamental difference between the two is simply this:  

• ISO/IEC 27001:2013 states what you shallput in place (mandatory) 
• ISO/IEC 27002:2022 states what you should put in place (discretionary).

A new standard 

A new version of ISO/IEC 27002:2022 was unveiled recently, and it was long overdue. The key changes to be aware of are that, while ISO/IEC 27001:2013 is unlikely to change too much, the ISO 27001 Annex A controls are changing quite dramatically as a result of the updates to ISO 27002:2022. 

The key changes to this are:  

• the 114 controls have been reduced to 93  
• 58 controls have been updated 
• 24 controls have been merged 
• 11 new controls are in place. 

The main implication of these changes is that there is work to be done. Organisations will need to look closely at their current Annex A controls and map them to the new controls.  

Organisations will begin to be asked about their approach to the new standard and how, or if, they plan to adopt the new controls. If you are not aware of the changes, now is the time to learn, because the questions will come.  

For quality professionals, there may not be a great deal of change, as the main focus of change is on the Annex A controls. However, we may start to see additional risks being highlighted, because of the new controls being introduced. 

For example, the 11 new controls include: 

• 5.7 - threat intelligence 
• 5.30 - ICT readiness for business continuity 
• 5.23 - information security for use of cloud services 
• 7.4 - physical security monitoring 
• 8.9 - configuration management 
• 8.10 - information deletion 
• 8.11 - data masking 
• 8.12 - data leakage prevention 
• 8.16 - monitoring activities 
• 8.23 - web filtering 
• 8.28 - secure coding 

Risks associated with the quality of CCTV, which would fall under physical security monitoring, could be an area of concern for quality professionals.  Additionally, how systems are monitored is also likely to highlight additional quality risks, particularly those associated with the integrity and security of the monitoring methods. 

Preparing for change  

Firstly, don’t panic! There will be a transition period of around 18 to 24 months following the changes to the standards. But organisations looking at ISO/IEC 27001:2013 would do well to go to the new set of controls in ISO/IEC 27002:2022 now, to avoid having to move over further down the line. An organisation certified to the standard should consider performing a gap analysis against the current and future Annex A controls, as well as running a risk workshop to identify any risks associated with the newly introduced controls. 

Rather than focusing on ISO/IEC 27001:2013 as an end goal, it is better to focus on the journey towards stronger cybersecurity and data protection, using ISO/IEC 27001:2013 as the roadmap.