New Standards in Information Security: ISO/IEC 27001 (2022)
ISO/IEC 27001 at a Glance
ISO/IEC 27001 is the key guideline for information security, setting standards for the protection of sensitive data. This globally recognized standard helps organizations systematically secure information and manage risks. With clear requirements, ISO/IEC 27001 aims to safeguard sensitive information. Certification demonstrates: „Security is our top priority!“
What’s New in the Latest Version?
ISO/IEC 27001 has been updated from its 2013 version to the 2022 edition to meet the growing demands of information security. The change is evident in the new title: „Information security, cybersecurity, and privacy protection – Information security management systems – Requirements. “ The revision addresses modern threats and helps businesses improve their security measures. The updated standard provides organizations with the opportunity to optimize their information security strategy and strengthen their position in the market.
Why Was an Update Necessary?
Since 2013, the digital landscape has drastically changed. Cyber threats have become more complex and numerous, while the technological means to counter such attacks have improved. Therefore, an update to ISO/IEC 27001 was necessary to address these new challenges and better protect organizations.
What’s New in the 2022 Version?
The requirements in ISO/IEC 27001:2022 have been made more precise. While the 2013 version allowed for more flexibility, the new version demands more specific measures: companies must now implement both technical and organizational safeguards.
- Additional Measures: Organizations must intensify their efforts to effectively counter cyber threats.
- Combined Measures: Technical and organizational measures must be implemented in parallel.
- Increased specificity: Less flexibility for interpreting the standards.
New Structure of the Annex
The number of information security controls has been reduced from 114 to 93 and divided into four main categories: organizational, people, physical, and technical measures. This improves clarity and focus.
The 11 New Security Measures at a Glance
Although some existing measures have been consolidated, there are 11 new measures:
- Threat Intelligence: Gathering and analyzing threat data to develop appropriate protection strategies.
- Cloud Services: Secure handling of onboarding, use, management, and termination with cloud providers.
- Business Continuity (ICT Readiness): Recovery measures with a stronger focus on technical solutions.
- Physical Security Monitoring: Measures like burglar alarms and surveillance systems to prevent unauthorized access.
- Data Masking: Anonymizing and pseudonymizing sensitive data to enhance security.
- Data Leakage Prevention: Systems to monitor and detect data loss.
- Activity Monitoring: Proactive monitoring and analysis of unusual activities.
- Web Filtering: Blocking dangerous websites that contain malware or extract data unlawfully.
- Secure Coding: Developing secure code to avoid vulnerabilities.
- Configuration Management: Ensuring correct and secure configurations of IT systems.
- Information Deletion: Includes both the physical destruction of storage media and logical deletion, such as in cloud environments.
Technical and Organizational Measures
Previously, there was often a choice between technical protection measures or employee training. Now, ISO/IEC 27001:2022 predominantly requires both. Companies must secure their systems and regularly train their employees to maintain a high level of security.
Examples:
Topic | Content |
Technical Measures |
|
Organizational Measures |
|
Expanded Thematic Coverage
The updated ISO/IEC 27001:2022 now covers aspects that were previously underemphasized, such as business continuity management and data loss prevention. The goal is for companies to continue operations even during cyberattacks or other disruptions. The standard also addresses potential environmental impacts and corresponding countermeasures, considering the effects of climate change.
Examples:
Topic | Content |
Business Continuity Management |
|
Data Loss Prevention |
|
Webfiltering |
|
Audit Plan: Why the Old Standard Version is Still in Use
Despite the updated requirements and measures, it may still be useful in some cases to reference the old standard. The previous version had a clear chapter sequence that offers a suitable foundation for audit plans. Thus, companies can rely on the established structure while incorporating the new content and requirements of the updated standard.
Long-term Benefits of the New Standard Version
Implementing the new ISO/IEC 27001:2022 brings sustainable benefits to organizations. In addition to improved protection against modern threats, the new standard significantly enhances customer trust, as the elevated security standards and the company’s commitment to data protection become evident.
Transitioning to the New Standard: Common Challenges
Transitioning to the new ISO/IEC 27001:2022 can present extensive challenges for companies:
- Implementing New Requirements: The new guidelines require comprehensive adjustments to existing systems and processes, often leading to uncertainty in correct implementation without prior experience.
- Reduction and Re-categorization: The reduction from 114 to 93 controls and their re-categorization into four main categories requires precise adjustments to ensure no content is lost and that new measures are also met.
- Awareness: The topic of awareness is becoming increasingly important. Successfully conveying content and ensuring that policies are genuinely followed proves to be an unexpected challenge for many companies.
To ease the transition to the new ISO/IEC 27001:2022, EFS Consulting offers expertise and extensive experience in:
- Setting up an ISMS (Information Security Management System).
- Assisting with analyzing the current state and implementing required content throughout the preparation process for an upcoming audit.
- Supporting the preparation of necessary measures in the case of identified non-compliances during an audit.
Conclusion: A Step into the Future
ISO/IEC 27001:2022 offers businesses better protection against modern cyber threats. However, it also brings challenges during implementation. With more precise guidelines and new focuses such as business continuity and physical security, the revised standard ensures that organizations raise their security standards and prepare for future challenges. Through careful preparation, coordinated transition, and regular ISMS reviews, these challenges can be effectively managed.