Changes to ISO 27001

ISO 27001 is the gold standard for information security management systems. It's a framework that helps organisations identify, assess, and manage risks to their data. The standard was first published in 2005 and has been updated twice since then, most recently in 2022.

But why would you need it?

Many regulations, such as the General Data Protection Regulation, require companies to implement certain information security controls. ISO 27001 certification helps companies demonstrate compliance, which in turn can help attract new and bigger customers and partners. By implementing the controls, companies can also move into new products & verticals, because certification firmly demonstrates a real commitment to information security and opens doors to operations that require a higher level of security clearance.

So what are the changes?

The 2022 update includes a focus on risk-based thinking, a more flexible approach to controls, a stronger focus on people, and a more streamlined approach to certification. These changes are designed to make the standard more relevant and effective in the face of the ever-evolving threat landscape.

The new standard emphasises the importance of organisations understanding their security risks and making the mitigation of those risks part of their culture. This is a significant change from the previous version of the standard, which focused more on implementing controls without considering the risks they were designed to mitigate. It gives organisations more flexibility in how they implement controls, because there is no one-size-fits-all approach to information security.

Organisations need to be able to tailor their controls to their specific needs & recognise that people are a key part of any information security management system. The reality is that people can be, and often are, the weakest link in an organisation's security defences.

The new standard also includes requirements for organisations to train their employees on information security and to create a culture of security within the organisation from top to bottom. The idea is that security is everyone's concern, not just the concern of particular job titles. The set of Annex A controls has also changed, due to several factors: the consolidation of some controls, the removal of controls that were considered redundant, and the addition of new controls to reflect the latest security threats.

Wait, there are changes to Annex A controls?

Yeah. But don't worry, it's a lot less daunting than it sounds! The controls have been grouped into four overarching themes: organisational, people, physical, and technological, as opposed to 14 previously. This makes it easier for organisations to understand which controls are relevant to their specific needs. Each control has also been assigned an attribution taxonomy, which provides information about the purpose of the control, the risks it addresses, and the resources required to implement it. Self-explanatory? Well, it depends on who you ask. It has been designed to be easier, but the bar is still set high, as is the nature of cybersecurity frameworks. Companies looking to obtain ISO 27001 will need to part ways with a lot of time, money & resources to implement these changes adequately and to support them on an ongoing basis.

How do I go about getting it?

Get in touch.