As the cybersecurity threat landscape and its many risk vectors expand daily, businesses need foundational principles and guidance to build and maintain a defensible security posture.
In October 2005, the International Organization for Standardization (ISO) released the first version of ISO 27001, a framework that outlined a cybersecurity foundation for businesses. Companies that implemented the standard and attested to it could obtain certification of the practice while also bolstering their digital security posture.
ISO 27001 was updated in 2013 and, after much anticipation, the joint ISO/IEC body has now published its first update to the framework in nine years.
“In my opinion, these updates are long overdue,” said Kevin Liu, Director of Information Security at OneTrust. “The ISO 27001:2013 was a good starting point, but it is dated and does not address key risks we face today with operating in the cloud. The new sections: information security for cloud services, ICT readiness for business continuity, configuration management, information deletion, etc. are good requirements to help OneTrust enhance our security posture. I think most mature organizations, including OneTrust, are performing these new requirements already. We will need to assess and update our control inventory to align with ISO 27001:2022. In addition, we may need to update procedure and process documents to support ISO 27001:2022.”
Building or expanding your business’s Information Security Management System (ISMS) is a critical component of cybersecurity success. Learn more in this webinar.
What are the ISO 27001 updates?
The number of Annex A controls has decreased from 114 to 93, and they are now grouped into four sections instead of the previous 14. That decrease isn’t the result of removals, but of controls being merged. There are minor changes to clauses four to 10 as well.
A high-level look at the changes includes:
Clauses four to 10 — minor changes, including:
Clauses divided into sub-clauses
“The ISO update is a good opportunity for CISOs to readdress information security and risk management controls across their enterprise,” said Justin Henkel, VP of Security, OneTrust. “ISO’s updated risks and associated controls bring the framework into better alignment with today’s operational threat environment and mitigation strategies. Organizations looking to up-level their information security management system (ISMS) should look at ISO to improve their security posture.”
What are the next steps for your business?
If your organization follows the ISO 27001 standard, it will also need to update its processes to remain certified. There will be a two-year transition period for certified organizations to revise their management system to conform to the new version of the standard. Businesses currently working toward certification should continue to do so and implement an ISMS.
Beyond having a checklist for your internal analysis and remediation, consider the simple steps needed for technology and automation to enhance your business’s ability to put best practices into action:
Learn more about constructing your ISMS and how OneTrust can help with a demo. Request one here.