In its Global Security Outlook 2023, the World Economic Forum reported that 91% of business leaders said they believe a far-reaching and catastrophic cyber event is “at least somewhat likely in the next two years.”
They’re wise to be aware.
Six out of 10 businesses that suffer a cyberattack go out of business within six months, according to Forbes.
To help organizations protect their critical data assets from digital threats and vulnerabilities, ISO (the International Organization for Standardization) created ISO 27001, the leading standard that sets out the requirements for an information security management system (ISMS).
Since its start in 1995, ISO/IEC 27001 has become the common language for IT security management across all industry sectors and is used by organizations such as Microsoft, Apple, Google, Intel, and IBM. It is a powerful tool for building cyber resilience into technical systems, operations, and teams.
For nine years, ISO 27001:2013 stayed unchanged, until last October, when ISO published the new ISO/IEC 27001:2022 with a few changes.
“The key improvements in the revision are in the structure, giving companies greater freedom to design their own view, present, or arrange the controls for various audiences or viewpoints,” said ISO’s Communication Coordinator, Sandrine Tranchard.
The transition to ISO 27001:2022 needs to be completed by October 31, 2025, and certification bodies must start certifying companies against it by October 31, 2023.
All ISO 27001:2013 certificates issued after October 31, 2022 will expire on October 31, 2025.
The top 3 updates from ISO 27001:2013 to ISO 27001:2022 are:
- Control changes: 35 controls remain unchanged, 57 have been merged, 23 others have been renamed, and 11 new controls have been introduced. (Overall, this reduces the total number of controls from 114 to 93.)
- A streamlined and reorganized Annex A; this is a moderate change.
- Controls are now grouped into four broad categories (organizational, people, physical, and technological) instead of the previous 14 domains.
“With these changes, not too many technical changes should be required,” said 360 Advanced’s Director of Compliance Strategy, Eric Ratcliffe. “The good thing is that after nine years, some security and compliance professionals were expecting significant changes, but I believe that if you are already certified against the 2013 revision this change is only moderate.”
Ratcliffe recommends conducting a gap analysis of your ISMS against the new control set to help prepare for this change.
No More Barrier
“Today, the barrier between IT and OT (operational technology) has disappeared, and the new edition of ISO/IEC 27001 considers this challenge,” Tranchard said.
ISO is an independent, nongovernmental organization with 167 national standards bodies as members.
An ISMS takes a holistic approach that spans people, policy, and technology. The standard is a tool for risk management, cyber resilience, and operational excellence, and it is considered essential for products and services with IT components.
ISO 27001 certification is applicable to businesses of all sizes and is designed to help organizations identify and manage information security risks.
“When done right, cybersecurity is much more than a tick-box exercise,” Tranchard said. “It is a roadmap toward excellence in information security.”
How 360 Advanced Helps
With our ISO audits, the team at 360 Advanced helps you customize the security approach best suited to your business and gets you on the path to ISO certification. Our team of experts reviews your cybersecurity and compliance plans, streamlines your process, and identifies your optimal solutions, all with an eye on your budget. Contact us today.