On the morning of August 4, 2022, Advanced, a supplier to the UK National Health Service (NHS), was hit by a major cyber-attack. Key services, including NHS 111 (the NHS's 24/7 health helpline) and urgent treatment centers, were taken offline, causing widespread disruption. The attack was a brutal reminder of how costly disruption to a critical supplier can be, and of why organizations need a standardized, systematically managed set of security controls. ISO 27001 is the most widely recognized framework for exactly that.
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It was first published in 2005 to help companies implement and maintain a structured information security framework for managing risks such as cyber-attacks, data breaches and theft. On October 25, 2022, a new edition, ISO 27001:2022, was published with several important changes.
The standard consists of a set of clauses (clauses 4 to 10) that define the management system itself, and Annex A, which lists the security controls. The clauses cover matters such as the scope of the ISMS, leadership commitment, risk assessment and treatment, and information security policies, while the Annex A controls cover areas such as management of technical vulnerabilities (patching), protection against malware, and access control. It's worth noting that Annex A controls are not all mandatory: an organization selects the controls that address the risks identified in its risk assessment. The caveat practitioners should remember is that every control that is left out must be justified in the Statement of Applicability, so "choosing the ones that suit you best" still has to be defensible to an auditor.
Why is ISO 27001 being updated?
It's been nine years since the standard was last updated, and the technology world has changed dramatically in that time. New technologies have come to dominate the industry, and that has left its mark on the cybersecurity landscape.
With these changes in mind, the standard has been reviewed and revised to reflect the current state of cyber and information security. ISO 27002 (the guidance on how to apply the Annex A controls) was updated first, in early 2022. The number of controls was reduced from 114 to 93: several previously separate controls were merged, 11 new ones were added, and the controls were regrouped from 14 domains into four themes (organizational, people, physical and technological).
Many of the new controls are aimed at bringing the standard in line with modern technology. For example, there is now a dedicated control for the security of cloud services. When the 2013 edition was written, the cloud was still emerging; today, cloud technology is a dominant force in the industry, and the new control helps keep the standard relevant to how organizations actually operate.
In October 2022, ISO 27001 itself was updated so that its Annex A aligns with the new version of ISO 27002. Companies can now implement the updated 2022 controls and seek certification against the new edition, instead of the now outdated 2013 control set.
How can ISO 27001 certification benefit your business?
Implementing ISO 27001 brings a host of information security benefits, and companies start to see them from the beginning of the project.
Companies that have invested the time to achieve ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Any company focused on its customers' needs should want to address the unease its users may feel about how their data is protected.
In addition, ISO 27001 certification is increasingly a requirement in the stricter due diligence and supplier-assurance processes that many companies now carry out. Organizations therefore benefit from taking the initiative early rather than losing business for lack of a certificate.
In cyber defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly to an organization, both in reputation and in money. ISO 27001 therefore works much like an insurance policy: taking the right preventive steps now saves organizations money in the long run.
There is also the issue of education. Often the weakest point of an organization, and therefore the most targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. Users who understand the nature of the threats they face, such as phishing, are less likely to hand over their credentials. ISO 27001 requires awareness of the ISMS across the organization and includes a control on information security awareness, education and training, giving companies a clear framework for educating users about the risks they face.
Ultimately, whatever drives a company to choose ISO 27001, the key to getting the most out of it is embedding the processes and procedures into their day-to-day operations.
Overcome the challenge of ISO 27001 certification
Many companies have already implemented many of the ISO 27001 controls, including access control, backup procedures and training. At first glance, it may seem that they have therefore already achieved a higher level of cybersecurity across the organization. What they usually still lack, however, is a comprehensive management system that actually manages the organization's information security: one that is aligned with business objectives, linked to a continuous improvement cycle, and part of normal operations rather than a one-off project.
While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming the obstacles to certification is far from easy. Here are some steps you can take to address two of the biggest issues facing organizations seeking ISO 27001 certification:
- Resources (time, money and people): Companies will ask themselves how they can find the extra budget and justify spending their employees' limited time on a project that could take six to nine months. The key here is to place your trust in the subject-matter experts within your company. They are the people who will operate the standard day after day, and they should be put in the driver's seat.
- Lack of internal knowledge: How can a company with no prior experience of implementing the standard get it right? In that case, we recommend calling in third-party expertise. External specialists have done all this before: they have already made the mistakes and learned from them, which means they can come into your organization and focus on implementing what works. In the long run, getting it right from the start is the more cost-effective strategy, because certification will be achieved in a shorter amount of time.
Next steps towards a successful future
While it may seem daunting to accomplish all of this, with the right plan companies can quickly take advantage of all that ISO 27001 certification has to offer.
It is also important to recognize that October 2022 was not a deadline for achieving certification against the new version of the standard. Certification bodies need a few months to be accredited to audit against ISO 27001:2022, and the International Accreditation Forum has set a three-year transition period from the publication date, so existing ISO 27001:2013 certificates remain valid until October 31, 2025. Organizations should plan their transition audit well before that date rather than leaving it to the final months.
Ultimately, it is vital to remember that, while implementation comes with challenges, ISO 27001 compliance is invaluable to businesses looking to build their reputation as trusted and secure partners in today's hyper-connected world.
Nicky Whiting is director of consulting at Defense.com.