INDEED Project
Information security Management

ISO/IEC 27002:2022 — Information security, cybersecurity, and privacy protection

2024-09-11

I. Introduction

The use of information and information systems has become an integral part of most organizations as they offer various benefits. However, the increased reliance on information technology comes with the responsibility of ensuring effective governance and management of these resources.

Organizations need to implement effective security practices that facilitate business growth and enable the achievement of the desired results. These practices can help optimize costs by preventing data breaches and other information security incidents. They also help organizations fulfill regulatory obligations, which is necessary to avoid costly penalties and reputational damage. Good security practices also help organizations protect customer data, which in turn enables them to build trust and loyalty with their clients and increase their satisfaction. The management system model defined in ISO/IEC 27001 can be used to implement effective processes and controls. Conforming to the requirements of ISO/IEC 27001:2022 demonstrates an organization's commitment to preserving the confidentiality, integrity, and availability of its information.

According to an IBM report covering data from 17 countries and regions and 17 industries, the average cost of a data breach in 2022 reached an unprecedented $4.35 million¹. Ransomware remains the most common type of attack, although ransomware attacks decreased in the first quarter of 2022 compared with the previous year.² A ransomware attack can cause severe disruptions to the organization's operations and seriously damage its reputation. Thus, safeguarding information is of utmost importance for organizations.

ISO/IEC 27001 is an international standard that provides the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). An ISMS is a set of policies, procedures, and controls that are established to systematically manage sensitive information. The main objective of an ISMS is to ensure information security by establishing adequate measures to address information security risks.

An ISMS based on the requirements of ISO/IEC 27001 demonstrates that the organization has established a comprehensive and systematic method for managing information security which supports its business objectives. Compliance with ISO/IEC 27001 can also help organizations meet the requirements of various other standards and regulations related to information security, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Cloud Security Alliance (CSA) Cloud Controls Matrix, the HIPAA Security Rule, and the NIST Cybersecurity Framework. In addition, compliance with ISO/IEC 27001 can help organizations that fall within the scope of the new Directive (EU) 2022/2555 (NIS 2), which requires them to implement measures to protect their network and information systems and the data they process.

To keep pace with technological advancements and remain relevant to current information security risks, ISO/IEC 27001 was revised, and the latest edition of the standard was published in October 2022. ISO/IEC 27001:2022 is aligned with the updated edition of ISO/IEC 27002 published earlier in 2022. The most significant changes in ISO/IEC 27001:2022 are in the information security controls of Annex A, whereas the changes in clauses 4 to 10 are less significant.

II. An Overview of ISO/IEC 27001 and Its Importance in Information Security Management

ISO/IEC 27001 is a widely recognized international information security standard that can be used by any organization, regardless of its size or the complexity of its processes. Its development began in the late 1990s with the British standard BS 7799, as the need for better processes, practices, and controls to manage information security became apparent. BS 7799-1, a code of practice for information security management, was adopted as ISO/IEC 17799 in 2000 and later renumbered ISO/IEC 27002. BS 7799-2, which specified the requirements for an information security management system, became ISO/IEC 27001, first published in October 2005 and revised in 2013. The latest and current version of ISO/IEC 27001 was published in 2022.

ISO/IEC 27001 provides a robust framework through its requirements outlined in clauses 4 to 10 and a comprehensive list of information security controls that enable effective information security management. The standard promotes a risk-based approach which requires organizations to identify, analyze, and evaluate information security risks and implement adequate controls to treat them. After the initial implementation is completed, the standard requires organizations to monitor and review the ISMS regularly, to ensure its ongoing effectiveness in protecting information assets.

ISO/IEC 27001 follows the harmonized structure that the International Organization for Standardization (ISO) applies to its management system standards, so it is aligned with standards such as ISO 9001, ISO 14001, and ISO 37001 and can be integrated with other management systems more easily. The requirements specified in clauses 4 to 10 of the standard, expressed with the verb "shall", must be met by any organization that aims to be certified against ISO/IEC 27001. The information security controls of Annex A, on the other hand, are not mandatory as such: each organization pursuing certification must determine, through its risk treatment process, which controls are necessary, and record in the Statement of Applicability (SoA) the inclusion or exclusion of each control, the justification for that decision, and the control's implementation status.

A. Main Clauses of ISO/IEC 27001

Clause 4 Context of the organization provides the requirements regarding the organization's context, the needs and expectations of interested parties, and the scope of the ISMS. These requirements are particularly important because they determine what the ISMS must protect, and they require organizations to align their information security objectives with the interests of relevant interested parties.

Clause 5 Leadership specifies the requirements regarding top management's involvement in and commitment to the implementation of the ISMS, establishing the information security policy, and defining the roles and responsibilities related to information security. Top management must understand the importance of the ISMS implementation, as the level of support from senior-level managers has a direct impact on the outcome of the project.

Clause 6 Planning outlines the actions needed to address risks and opportunities, including the requirements for planning the risk assessment and risk treatment processes. Among others, this clause requires organizations to produce a Statement of Applicability, establish and document information security objectives at relevant functions, and plan changes properly.

Clause 7 Support specifies the requirements for the resources, competence, awareness, communication, and documented information necessary for the effective establishment, implementation, maintenance, and continual improvement of the ISMS.

Clause 8 Operation outlines requirements regarding operational planning and control, risk assessment, and risk treatment. The requirements of this clause build on the requirements of clause 6. In a nutshell, what was planned when addressing the requirements of clause 6 must be put into action to address the requirements of clause 8.

Clause 9 Performance evaluation specifies requirements regarding the necessary processes to determine the effectiveness of the ISMS. Such processes include monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10 Improvement provides requirements regarding the continual improvement of the ISMS, the nonconformities, and the corrective actions that should be taken to treat the identified nonconformities.

Note: Information regarding the controls of Annex A is provided below (section V. Overview of Annex A of ISO/IEC 27001).

III. ISO/IEC 27001 and the Reason for Its Revision

The past decade has witnessed a remarkable transformation in technology which significantly affected organizations and their information security management. Some of the technological changes that caused this transformation include cloud computing, the Internet of Things (IoT), Artificial Intelligence (AI), and blockchain. While these technologies provide better solutions for storing and processing data, they have also introduced new security concerns. As technology evolved, so did cyber threats. As such, organizations need to update their existing security practices to reflect the technology developments and current security threats.

ISO standards are reviewed at least every five years to confirm that they remain adequate and relevant. ISO/IEC 27001 was revised mainly to adapt to the ever-evolving information security challenges, which is why the most important changes were made to the information security controls listed in Annex A. The changes in clauses 4 to 10 are minor and were made mainly to align the standard with the harmonized structure for management system standards established by ISO and with the 2022 edition of ISO/IEC 27002.

IV. What Has Changed in ISO/IEC 27001:2022?

The title of the standard was changed to Information security, cybersecurity and privacy protection – Information security management systems – Requirements, aligning it with the latest edition of ISO/IEC 27002. The title of the revised standard now reflects its comprehensive scope, which includes both information security and cybersecurity. It is worth noting that while information security focuses on protecting information in all formats from unauthorized access, use, disclosure, or modification, cybersecurity focuses on protecting digital assets from threats such as malware, hacking, and other cyberattacks.