The most important security standard received an update

Cyber-attacks, disrupted supply chains, cloud usage: in an increasingly volatile environment, the demands placed on IT security are growing rapidly. The organizations that define security standards are often relatively slow to adopt such changes, as the interests of many parties need to be aligned, and companies also need time to adjust to a new standard. One of the leading cybersecurity standards, ISO 27001, has now been updated to reflect the dynamics of the cybersecurity industry.

The international standards ISO/IEC 27001 and ISO/IEC 27002 form the basis of information security management in companies. The new structure and the new controls introduced in ISO/IEC 27002, published in early 2022, also necessitated changes to Annex A of ISO/IEC 27001, which was published in its revised form later in 2022. As a result, the standard received a long-overdue update in terms of security controls, data protection, and concrete measures for cloud security. Depending on their current certification cycle, companies certified to ISO 27001:2013 have around three years from the publication of the 2022 edition to transition to the new standard. Nevertheless, companies are advised to familiarize themselves with the new requirements as soon as possible, as these are of major importance for information security.

The key changes to ISO 27001 are in the Annex A controls, which are now grouped into four themes (organizational, people, physical, and technological) instead of the previous 14 domains:

  • The number of controls is reduced from 114 to 93.
  • 58 controls have been updated.
  • 57 controls have been merged into 24.
  • 11 new controls have been introduced.

The cloud and its consequences

The number of cloud applications integrated into business processes, systems, and workflows is rising, making attacks on cloud-hosted processes more attractive and lucrative for attackers. Cloud solutions and services that were used selectively in the past are now embedded directly in everyday business processes, rendering them critical for business continuity.

Hence, as one of the new controls, ISO 27001 introduces “Information security for use of cloud services” (Annex A control 5.23) to take the trend toward cloud services into account. The control essentially requires a defined process for the acquisition, use, management, and exit from cloud services, in line with the company's own information security requirements.

Data Protection is now officially important

Regulations pertaining to data privacy and protection are changing worldwide, potentially subjecting large cloud providers to rules that may not be in line with their customers’ wishes. Depending on the country in which the cloud provider is located, different local laws apply, some of which grant authorities access to personal data. A topical example is the question of whether the use of Microsoft Teams and the Office 365 suite at German schools is lawful and compliant with the General Data Protection Regulation (GDPR). In view of this, commercial users of cloud services should consider the associated risks and liability issues in advance.

It is not surprising, therefore, that another focus of the updated standard is data protection. Two new controls are worth mentioning: data leakage prevention (control 8.12) and data masking (control 8.11). While the former is a measure that any company taking security seriously had probably already implemented, the latter comes as a surprise. Masking data (as opposed to encrypting it) is not explicitly required by regulations such as the GDPR, which names only pseudonymization and encryption as example safeguards, but it is now a control in ISO 27001, whose guidance also covers pseudonymization and anonymization. This might necessitate some unplanned effort for companies that intend to stay certified.
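To make concrete what the new data masking control asks for in practice, the following Python snippet is an added example (not code from the article or from the standard) contrasting masking, which irreversibly strips information while keeping the field format usable, with keyed pseudonymization, which replaces a value by a stable token that only the HMAC key holder can reproduce. The sample record and the key are constructed for illustration.

```python
"""Data masking vs. keyed pseudonymization (added example, not from the article).

Masking removes information irreversibly but preserves a recognisable format,
so masked data stays usable for testing and analytics. Pseudonymization maps
a value to a stable token so records can still be joined across datasets;
the mapping can only be reproduced by whoever holds the HMAC key. Both differ
from encryption, which is reversible by design.
"""
import hashlib
import hmac
import re


def mask_card_number(pan: str) -> str:
    """Keep the last four digits of a payment card number and mask the rest.
    Non-digit separators (spaces, dashes) are kept so the format survives."""
    digits = [c for c in pan if c.isdigit()]
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    keep = len(digits) - 4          # number of leading digits to hide
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < keep else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_birth_date(iso_date: str) -> str:
    """Generalise a date of birth (YYYY-MM-DD) to the year only."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", iso_date):
        raise ValueError("expected YYYY-MM-DD")
    return iso_date[:4]


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed token (HMAC-SHA256, truncated to 16 hex chars) that lets
    records be joined without exposing the original value. The key must be
    kept by a separate, access-controlled function, otherwise the token is
    only as protective as an unkeyed hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_record(record: dict, key: bytes) -> dict:
    """Produce the masked view of one customer record."""
    return {
        "customer_id": pseudonymize(record["email"], key),
        "email": mask_email(record["email"]),
        "card": mask_card_number(record["card"]),
        "born": mask_birth_date(record["born"]),
    }


# Constructed sample record and key for the demonstration (not real data).
SAMPLE = {
    "email": "alice.example@example.org",
    "card": "4111 1111 1111 1111",
    "born": "1984-07-21",
}
DEMO_KEY = b"demo-key-store-this-in-a-vault"

if __name__ == "__main__":
    print(mask_record(SAMPLE, DEMO_KEY))
```

The masked record can be handed to a test or analytics environment, whereas the original remains only in the production system; the `customer_id` token lets masked exports be correlated without disclosing the e-mail address, as long as the key never leaves the production side.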


What should be protected and how?

An information security management system (ISMS) must cover more than the technology and digital infrastructure in use. To achieve the ultimate goal of ensuring information security throughout the company, a good ISMS starts at the process level. As a first step, even before ISMS implementation begins, experts must analyze which information needs to be protected and how. The factors considered in this assessment include the type of information, the applicable compliance regulations, and the potential damage involved. The analysis covers not only the confidentiality of the data but also its integrity and availability. The results and the actions derived from them must likewise be reviewed, and the whole process is repeated to ensure continual improvement.

ISMS quality is not only measurable; it can also be audited and certified against ISO/IEC 27001 by an impartial third party. Third-party certification can significantly reduce liability risk, as the ability to prove conformity with an established standard provides a solid foundation in a legal dispute. In addition, the most important bond a company can build with its business partners is trust, and this applies equally to information security.

With the updated standard, the International Organization for Standardization acknowledges the trends that have shaped cybersecurity in the past few years and, quite literally, sets the standard for years to come. For companies that want to get (or stay) certified to ISO 27001, this potentially translates into considerable effort to incorporate the new controls into their ISMS. On the other hand, doing so will enable them to keep the trust of their business partners.


Patrick Boch has been working in the IT industry since 1999. He has been dealing with the topic of cybersecurity for several years now, with a focus on SAP and ERP security.

In recent years, Patrick Boch has published various books and articles as an expert, especially on the subject of SAP security. With his extensive knowledge and experience in the areas of SAP compliance and security, Patrick Boch has served as product manager for several companies in the IT security sector since 2013. Patrick is Co-Founder and Editor of Cyber Protection Magazine.
