
The ISO standards provide a set of guidelines and requirements that can be trusted across the business world. Putting together these standards is a huge body of work that involves a consensus-based approach that draws together the work of dozens of interested parties from a range of backgrounds.


The standards are regularly reviewed by these parties, and where changes are needed to reflect changes in the real world, they are made so that the standards remain relevant to businesses and their customers.

The ISO 27001 and ISO 27002 standards have seen some recent updates, and this article will go through the most relevant ones and explain how they benefit those businesses that adopt them.


What Has Changed? 

The ISO 27001 and ISO 27002 standards last underwent a major update in 2022. This update replaced large parts of the previous standard, which was released in 2013 and periodically refined with more minor updates. According to ISO, the updated document is ‘to be used as a reference for determining and implementing controls for information security risk treatment’ and is designed to be flexible enough to adapt to industry and business-specific uses.


The document also includes a number of important updates. These changes include the addition of new controls and clarifications to existing controls to reflect changing technologies and security threats. Here is a summary of the major changes:

  1. The previous standard was grouped into 14 subdomains. The 2022 update contains just four major themes instead. These are: organisational controls, people controls, physical controls and technological controls.
  2. The number of security controls has been reduced from 114 to 93. This is the result of merging similar controls from the previous document. From a practical point of view, for businesses seeking certification, these refinements make the process of complying with the framework more streamlined.
  3. Examples of specific cyber security controls introduced include standalone controls for threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, and information deletion. We’ve highlighted these examples because we believe they are the most relevant to the readers of this article and the types of business they work in.
  4. The last major point we were most interested in when the update came out was the introduction of attributes that had not previously been included. These cover core cyber security concepts that will be relevant to almost all organisations as more of our business and communication is conducted online.


Why Should Businesses Adopt These Changes?

Businesses that adopt these changes are able to demonstrate through practical actions how they are keeping pace with the evolving business environment. In 2000, few businesses had websites. In 2010, social media was dominated by ‘personal’ use cases, with businesses largely on the sideline. Each year brings about small changes in the best practices and norms of any business. But over longer time periods, these changes accumulate. It can be hard to determine which changes are long-lasting and which are simply fads.


But long-established and highly respected standards like those published by the ISO give businesses and managers a stable reference point amid that change.


How do ISO 27002 and ISO 27001 Work Together?

ISO 27002 and ISO 27001 are related standards, but they serve different purposes.


  • ISO 27001 is a standard for information security management systems (ISMS). It provides a framework for businesses to manage and protect their information assets by establishing and implementing policies, procedures, and controls based on risk management. ISO 27001 is designed to help organisations maintain the confidentiality, integrity, and availability of their information.


  • ISO 27002 is a code of practice for information security management. It provides guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation. ISO 27002 offers a comprehensive set of controls and best practices for information security, which can be used to support the implementation of an ISMS in accordance with ISO 27001.


In practice, the two standards are complementary and often used together. If used in conjunction, they can help an organisation to develop a more robust information security program.


How Can An ISO 27001 or ISO 27002 Implementation Run More Smoothly?

While there is no playbook that can apply in every scenario, the following principles can be adapted to the specific needs of your business in any ISO implementation.

  1. Assign roles and responsibilities: Clearly define the roles and responsibilities of individuals involved in the implementation process. This includes, at a minimum, a project manager to co-ordinate the implementation.
  2. Conduct a risk assessment: A risk assessment is essential to determine the potential threats and vulnerabilities the business may face when changing pre-existing processes to put the new standard in place.
  3. Develop policies and procedures: Develop specific policies, procedures and a robust information security management system (ISMS).
  4. Rollout: Conduct regular employee training and awareness programs to ensure that employees are aware of any changes to existing ways of doing things, and address any concerns they raise.
  5. Monitor, review and improve: Regular monitoring and review of the implementation process is essential to ensure that the standard is being effectively implemented and that any issues are identified and addressed in a timely manner.


Key Takeaway

The ISO standards are internationally recognised and rigorous. As a result, they can confer additional trust and relationship benefits to your business. If you’d like to talk about how you can work towards implementing ISO in your business, CyberUnlocked can help. We are certified ISO Lead Auditors with extensive experience in ISO 27001 and ISO 27002 readiness and implementation of ISMS in preparation for ISO certifications.
