
The Importance of ISO/IEC 27001 and Its Evolution

Quality Insights, January 20, 2023

Escalating threats, innovative technology and greater connectivity mean that organizations, individuals and nations must keep pace with the evolution of cyberattacks and implement the latest protection measures.

The evolution of cyber threats

With Industry 4.0 and the Internet of Things (IoT), cyber threats have become more sophisticated and are now an almost daily occurrence. An attack does not just affect the targeted enterprise; it also reaches its business partners, suppliers and customers.

Organizations, individuals and nations must keep pace with the evolution of cyber threats and implement the latest protection measures to avoid data loss, lawsuits and reputational damage, among other factors.

Defining threats

Information security

Information security, also known as InfoSec, refers to the processes and tools used to protect sensitive business information from unauthorized access, modification, disruption, destruction and disclosure.

Cybersecurity

Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing or destroying sensitive information, extorting users’ money or interrupting normal business processes.

Privacy protection

Privacy protection means keeping personal information out of the hands of anyone not authorized to handle it, attackers included. What counts as private varies from person to person and from jurisdiction to jurisdiction.

The importance of ISO/IEC 27001 certification

Adopted by tens of thousands of organizations, ISO/IEC 27001 certification demonstrates an organization’s commitment to information security and provides assurance to clients and other partners that it is serious about protecting information under its control.

The standard is technology agnostic, so it does not matter what technology environment you have. It is written in such a way that any organization, from small businesses to large multi-billion dollar enterprises, can use it.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It also includes requirements for assessing and treating information security risks, tailored to the needs of the organization.

Because it is a management system standard built on the same harmonized structure, it aligns with other globally recognized standards such as ISO/IEC 27701 (privacy information management), ISO/IEC 20000-1 (IT service management) and ISO 22301 (business continuity).

This alignment allows you to implement the requirements of several of these standards within your organization with less effort than running separate programs, while benefiting from the synergy between them.

What are the key benefits?

ISO/IEC 27001 can lead to:

  • Enhanced credibility
  • Reduced risk of fraud, information loss and disclosure
  • Demonstration of the integrity of your systems
  • Business culture transformation and greater awareness of the importance of keeping information secure
  • New business opportunities with security-conscious customers
  • A stronger notion of confidentiality throughout the workplace
  • Better preparedness for the unavoidable – the next security event or incident

Evolution to meet the threats

The previous edition of ISO/IEC 27001 dates from 2013, and since then the cyber world and the threats to it have evolved dramatically, becoming increasingly complex with new technology, cloud operations and online business. The standard has had to follow suit, and it is written so that it can be updated without changing its overall structure.

February 15, 2022 was a crucial day: ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls – was published. Because Annex A of ISO/IEC 27001 is derived from ISO/IEC 27002, Annex A then needed updating to align with the ISO/IEC 27002:2022 controls.

The main changes in ISO/IEC 27001:2022

The title

The name has changed to reflect the standard’s true scope. It is ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. This also aligns with ISO/IEC 27002:2022’s new title.

Clause numbering

New subclauses have been introduced to further harmonize the document’s structure with other management system standards, such as ISO 9001 and ISO 22301.

Two subclauses – 10.1 and 10.2 – have also been interchanged. 10.1 is Continual Improvement while 10.2 is Nonconformity and Corrective Action. There are no changes in their requirements.

New text

Although new text has been added and some existing text rearranged, these changes mainly clarify the requirements rather than adding substantially new ones to the standard.

Annex A

Annex A’s title is now Information Security Controls Reference, and the controls have been revised to align with ISO/IEC 27002:2022: the 114 controls in 14 domains of the 2013 edition become 93 controls grouped into four themes (organizational, people, physical and technological). The control objectives of the 2013 edition have been dropped, so Annex A now lists only the control titles and control statements taken from ISO/IEC 27002:2022.

Other changes

Several other clauses have received smaller updates in wording.

Conclusion

ISO/IEC 27001 remains the go-to standard as cyber threats evolve. Intensifying threats, technology advancements and greater connectivity, such as 5G, are among the many reasons your business could become a target for cybercriminals.

Changes in the threat landscape call for changes in the standard. A key strength of ISO/IEC 27001 is its ability to keep pace with an ever-changing cyber world.

Although the 2022 updates make the documentation and guidance heftier and add responsibilities, each control now comes with a clear and detailed explanation.

As expected, the most significant change is Annex A’s revisions to align with ISO/IEC 27002:2022 security controls.

Changes to Clauses 4–10 are mostly editorial, made to further harmonize the structure with other management system standards.

If your organization is already certified to ISO/IEC 27001:2013, the transition is mainly a documentation exercise rather than a technology one. You will need to revise internal policies to match the new subclauses and modified requirements, review your risk assessment results and risk treatment plan(s) against the new control set, and update your Statement of Applicability (SoA) to reference the 93 Annex A controls. A gap analysis against the new controls will show whether any of them call for additional technical measures in your environment.

The transition period is three years from the publication of ISO/IEC 27001:2022 (it ends on 31 October 2025), so you should have ample time to comply. Your existing ISO/IEC 27001:2013 certificate remains valid until this period ends.

How we can help

We can support you whether you want a smooth transition or first certification to ISO/IEC 27001:2022. We have created a suite of services and materials, including transition training and guidance documents on ISO/IEC 27001 and ISO/IEC 27002 updates.

We can help you adapt your documentation within the transition period. The transition does not require a separate audit to be scheduled, because it can be assessed during your regular surveillance or recertification audits. Note, however, that additional audit time to assess the transition is required under the International Accreditation Forum’s (IAF) MD 26:2022 document.

However, when you renew your certification during the transition period, you could work to the new controls to avoid leaving it until the eleventh hour.

Whether a current client or new to ISO/IEC 27001, we can support you through the changes and certification process. 

For further information, please contact:

Jason Hulbert
Associate Marketing Manager
Knowledge
t: +44 (0)7912 426878

About SGS

We are SGS – the world’s leading testing, inspection and certification company. We are recognized as the global benchmark for quality and integrity. Our 96,000 employees operate a network of 2,700 offices and laboratories, working together to enable a better, safer and more interconnected world.

SGS Headquarters: 1 Place des Alpes, P.O. Box 2152, 1211 Geneva, Switzerland