The global digital landscape is changing. New business practices, such as remote working and “bring your own device” (BYOD), have become widespread, and core business processes are increasingly cloud-based and digitally reliant. In response, the ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Controls for Information Security standards are being updated to reflect this evolution.
These updates provide more robust controls, enabling your organization to address increasingly sophisticated security risks, ensure business continuity, and gain a competitive advantage. Understanding these changes and their impact on your organization as early as possible will help ensure that your information remains protected and that you continue to maximize your competitive edge.
There are 11 new controls, added to reflect current trends in IT and security:
ISO 27002:2022 has 93 controls in the following 4 sections:
If you already have your Information Security Management System implemented according to ISO 27001:2013, you will need to follow these steps:
Since this revision of the standard introduces 11 new controls, aligning your risk treatment and documentation with them will be the biggest job ahead of you, although it will probably not require major changes in the technology and process areas.
The business benefits of ISO 27001 compliance
ISO 27001 compliance is optional, but it can greatly improve your business in several ways:
While most news stories about cybercrime focus on large organisations, businesses of all sizes and industries are at risk, and the consequences can be devastating. The ISO 27001 compliance process forces business owners to look in detail at the way they manage and protect information assets, highlighting weaknesses before breaches occur. The standard also uses a continuous improvement lifecycle model, which helps organisations constantly adapt their security to the threats they are facing.
In achieving ISO 27001 certification, you demonstrate to all stakeholders that you take information security seriously. This can enhance relationships with existing customers, employees, and investors, open new business opportunities, improve your ability to tender, and help your business distinguish itself from competitors.
It only takes a single data breach or mishap to damage a company’s reputation. Compliance with ISO 27001 will help you reduce the risk of data breaches that could have a reputational impact, and help you maintain a positive position within the market.
By voluntarily implementing ISO 27001, you will be better positioned to meet regulatory requirements such as those of the EU/UK GDPR (General Data Protection Regulation), the FCA (Financial Conduct Authority) and the NIS Regulations (Network and Information Systems Regulations), as many of the criteria overlap. It can also save time for businesses that are required to complete supplier due diligence questionnaires, considerably reducing administrative overhead.
By becoming compliant with ISO 27001, you will build an ISMS that can be scaled to support the growth of your business. You will have a framework in place that helps account for changing risks and responsibilities, so that you never lose sight of best practice in information security management.