ISO/IEC 27001:2022 standard takes more account of cyber risks
Escalating cyber risks, innovative technologies and greater connectivity mean that ISO/IEC 27001 has had to evolve. That's why a new and improved version of the standard was recently published.
In order to address global cybersecurity challenges and strengthen digital trust, a new and improved version of ISO/IEC 27001 has been published as ISO/IEC 27001:2022. The world's best-known standard for information security management helps organizations protect their information - a critical factor in today's increasingly digital world.
The importance of ISO/IEC 27001 certification
Cybercrime is becoming increasingly serious and sophisticated as attackers develop more advanced techniques. The World Economic Forum's Global Cybersecurity Outlook report indicates that cyberattacks increased by 125 % globally in 2021, with indications of further increases through 2022. In this rapidly changing landscape, leaders must take a strategic approach to cyber risk.
ISO/IEC 27001 certification, which has been adopted by tens of thousands of organizations, demonstrates an organization's commitment to information security and provides assurance to customers and other partners that it is serious about protecting the information under its control. The standard is technology-agnostic, so it doesn't matter what technology environment an organization has. It is formulated so that it can be applied by any organization, from small businesses to large multi-billion-dollar enterprises.
Further development to cope with the threats
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It also includes requirements for assessing and treating information security risks tailored to an organization's needs. Properly applied, the standard can lead to the following results:
- Increased credibility
- Reduced risk of fraud, information leakage and disclosure
- Demonstration of the integrity of the organization's own systems
- A change in corporate culture and greater awareness of the importance of information security
- New business opportunities with security-conscious customers
- Greater awareness of confidentiality in the workplace
- Better preparation for the inevitable - the next security event or incident
Willy Fabritius, Global Head, Strategy & Business Development at SGS, a global testing, inspection and certification company, comments, "ISO/IEC 27001 was last updated in 2013, and the cyber world and its threats have evolved dramatically. The standard has had to adapt to that." One important change is in the title of the standard itself. It is now ISO/IEC 27001:2022 - Information security, cybersecurity and privacy - Information security management systems - Requirements. Other changes include section numbering, new and rearranged text, and updates to Annex A.
Implementation of ISO/IEC 27001:2022: What does it mean now?
If an organization is already ISO/IEC 27001 compliant, no technical changes are required, only updates to documentation. It may need to revise its internal policies to reflect the new sub-clauses and changed requirements. The results of its risk assessment and its risk treatment plan should also be reviewed, and the Statement of Applicability (SoA) updated.
The transition period is three years from the date of official publication of ISO/IEC 27001:2022, so there is sufficient time to meet the requirements. An ISO/IEC 27001 certificate already acquired will remain valid until the end of this period. Willy Fabritius recommends, "If you're renewing your certification during the transition period, you can stick to the new controls to avoid putting it off until the last minute."