Published in 2005, the international ISO 27001 standard provides the reference framework for establishing an information security management system (ISMS). This standard addresses security through the lens of managing the risks to your data, based on a simple concept encapsulated in one phrase: “prevention is better than cure.” Let’s take a closer look.

ISO 27001, THE INTERNATIONAL STANDARD FOR CYBER RISK MANAGEMENT

What is the ISO 27001 standard?

The ISO 27001 standard was published in 2005 and revised in 2013, and then in 2022. It was developed jointly by the two specialised global standardisation bodies, ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). This is why it is also known by the acronym ISO/IEC 27001:2022.

This international reference standard provides a framework for the organisation to help implement, maintain, and continuously improve the company’s ISMS. Its objective? To establish the necessary protective measures to maintain the confidentiality, availability, and integrity of your organisation’s information.

ISO 27001 is sufficiently generic to be adaptable to any type of organisation, regardless of its size, nature, or sector of activity.

What are its areas of application?

This standard addresses security through risk management. The 252 requirements of this standard (yes, that many!) pertain to the following areas:

  • the protection of personal data;
  • information security governance and data governance strategy;
  • the security of physical resources (infrastructure, networks, and IT systems);
  • human resources (organisation and responsibility of staff, security policy, awareness training, etc.);
  • physical security (access to buildings or IT infrastructure);
  • the development and maintenance of systems and software;
  • business continuity (BCP, DRP, etc.).

A company that correctly implements all the requirements of the ISO 27001 standard can obtain certification from a qualified auditor.

Why was it established?

Generally, before this standard, organisations implemented security measures in response to incidents, but they did not have an evaluation tool to define requirements for maintaining the operational and security aspects of their information systems.

Because it defines security requirements to address threats such as intrusion, loss, theft, or alteration of your data, the standard is considered, along with ISO 27035 (Information Security Incident Management), a benchmark in information security management.

Advantages and Challenges of ISO 27001

5 advantages of the ISO 27001 standard
  • 1. Improvement of information security

    Implementing ISO 27001 helps organisations to better identify cyber risks and implement controls to mitigate them. It therefore protects sensitive data against breaches, cyberattacks, and other threats.

  • 2. Increased trust from clients and partners

    ISO 27001 certification demonstrates a commitment to information security, which can be a differentiating factor in the market (particularly in sensitive sectors such as finance).

  • 3. Compliance with other regulations

    Obtaining ISO 27001 certification can also mean compliance with other data protection and privacy regulations and laws (for example, the GDPR).

  • 4. Continuous improvement

    The standard encourages innovation and progress through regular audits and reviews of information security management processes. This ensures that organisations stay up-to-date with new threats and technologies!

  • 5. Reduction of costs related to security incidents

    By identifying and mitigating risks, companies can avoid the costs associated with security incidents (fines, data loss, service interruptions, etc.).

Sometimes complex implementation

While obtaining (and maintaining) ISO 27001 certification offers numerous benefits, its implementation can be a real challenge for organisations.

  • Achieving compliance can be costly in terms of time, money, and human resources (training, documentation, audits, etc.).
  • The text and its requirements can be difficult to understand, especially for small businesses that do not have a dedicated cybersecurity department.
  • Implementing an ISMS according to ISO 27001 requires significant changes in internal processes and organisational culture.
  • Maintaining compliance requires ongoing commitment and regular monitoring, as well as detailed (and extensive!) documentation, which represents a significant administrative burden.

How to Facilitate Compliance with ISO 27001

To implement ISO 27001 in your organisation, you first need to secure the support of your employees and management:

  • secure the commitment of your executive committee (COMEX), which must actively support the project and allocate the necessary resources;
  • train and raise awareness among staff about the importance of the standard;
  • involve all stakeholders, including suppliers and partners.

Another important point: carry out a precise assessment of the risks associated with your organisation (threats, vulnerabilities and impacts) to define the controls to be put in place. Once this stage has been completed, carry out regular internal audits as part of a continuous improvement process.

Also remember to document security policies and audit reports clearly and exhaustively.

Finally, you can rely on specialist tools (such as Tenacy!) that make compliance management easier.

ISO 27001:2022 VERSION: A SIGNIFICANT UPDATE

The necessary adaptation of the ISO 27001 standard

A decade has passed since the last update of the standard in 2013. During this time, threats have evolved significantly. On one hand, our lifestyles and relationship with digital technology have been transformed, presenting an increasingly broad attack surface:

  • rapid acceleration of digital transformation;
  • adoption of remote work and hybrid working models at a rapid pace;
  • dominance of cloud computing with a need for connectivity everywhere and all the time…

At the same time, cyberattacks have been increasing, with attackers becoming more professional and techniques of compromise becoming more accessible. It has never been easier to launch an attack: cybercriminal networks have become structured and now offer malware and initial access on demand.

These developments made securing organisations increasingly complex. It was essential for the ISO standard to adapt to this new reality. It all starts with the change in the standard’s name. The title of the standard shifts from “Information Technology” to “Information Security, Cybersecurity, and Privacy Protection.”

What changes can be expected with ISO 27001:2022?

The 2022 version of ISO 27001 aims to (re)define the standards and requirements for establishing your organisation’s information security management system. Widely used across all types of organisations, this version update naturally raises questions about the changes it entails.

Annex A and Its Updates on Controls

The changes in this new version of the standard primarily concern Annex A, which is derived from the latest version of the ISO 27002:2022 standard published in February 2022. This annex is no longer regarded as a detailed and exhaustive list.

In the ISO 27001:2013 version, the controls were divided into 14 different domains. They are now consolidated into 4 categories.

  1. Controls related to people: remote work, confidentiality, non-disclosure of information, filtering…
  2. Organisational controls: organisational information policies, use of cloud services, use of assets…
  3. Physical controls: security surveillance, storage media, maintenance, facility security…
  4. Technological controls: authentication, encryption, data leakage prevention…

Another notable change is the addition of 11 new controls covering the following aspects:

  • threat intelligence (A.5.7),
  • cloud-hosted information security (A.5.23),
  • ICT preparedness for business continuity (A.5.30),
  • physical security monitoring (A.7.4),
  • monitoring / surveillance activities (A.8.16),
  • web filtering (A.8.23),
  • secure code design (A.8.28),
  • configuration management (A.8.9),
  • information deletion (A.8.10),
  • data masking (A.8.11),
  • data leakage prevention (A.8.12).

As for the controls themselves, despite these 11 additions, their total number has decreased from 114 to 93 due to consolidations and mergers.

What are its concrete impacts on the organisation?

The evolution of the standard emphasises procedures, criteria, and controls, which are reiterated as integral parts of the ISMS. Objectives must now be documented and monitored, and changes to the ISMS must be planned.

In practice, for the ISMS to comply with the new ISO standard, organisations will need to undergo a transitional phase over the next two to three years.

The main change lies in the Statement of Applicability (SoA), as well as in the evidence showing the mapping between the two versions of the ISO 27001 standard. Several tasks need to be planned:

  • updating the framework and translating it into certification requirements;
  • reviewing the risk treatment plan;
  • reviewing the ISMS communication plan;
  • updating procedures and checklists used for internal or external audits.

Whether you are a certified company or not, you will need to assess the necessary adaptations to your third-party security tools. Fortunately, at Tenacy, we are ahead of the game, and the requirements framework is already updated on the platform (requiring no action from you). You can be assured that the records you use to demonstrate compliance meet the new security requirements!