Each day we see organizations push the boundaries of technology. With no sign of this slowing down, standards and policies must shape these evolving industries to ensure organizations remain secure as they move into the future. An organization can gain confidence as it scales by aligning with the ISO 27001 framework, which allows it to prevent or reduce real-world information security incidents by implementing a risk-based approach to its security program.
The International Organization for Standardization (ISO) created the Information Security Management standard in 2005 to ensure organizations can effectively handle data security and to guide them in establishing and maintaining an effective ISMS. ISO 27001 has become increasingly popular in recent years due to the rise of data breaches and the severe impact those incidents have on an organization.
The focus of this framework is to protect the availability, integrity, and confidentiality of sensitive information that may exist within an organization. As the international standard that provides requirements for an information security management system (ISMS), ISO 27001 is seen as a vital piece of any security program.
Not every organization would answer this question the same way. As mentioned earlier, the purpose of ISO 27001 is to prevent or reduce real-world information security incidents. While this framework certainly mitigates risk across an entire organization, still in 2022, it is common to find ulterior motives pushing an organization to align with it.
Customer or Prospect Pressure: The way organizations evaluate the cost of doing business today is much different than in years past. Today it is critical to consider the inherent risk associated with a business partner. One way to “prove you’re less risky” is by showing current customers or prospects that you have aligned with the ISO 27001 framework. It becomes a way to communicate that your organization understands the importance of protecting sensitive information and that you have a robust process to ensure you continue to do so throughout the engagement.
New Markets: As an organization scales, it is expected to begin identifying new markets its product or service can penetrate. Depending on the geographic location, the organization may be required to align with a framework such as ISO 27001 to ensure it has the proper systems in place to remain secure.
Competitive Advantage: Many factors come into play when evaluating a new partner. In 2022, a great way to distinguish your organization is to align with ISO 27001, which will show your prospects that you have excellent security assurances.
Value of Security: ISO 27001 was designed in response to the increase in breaches organizations were experiencing. While we completely understand the motivations of the three factors above, the real reason to align with this framework should be to reduce risk and exposure.
Since its original release in 2005, ISO 27001 has been updated only once, in 2013. Because technology is growing so fast, risks and threats also evolve rapidly; therefore, it was time for the International Organization for Standardization to update the framework once more to address cybersecurity risks and better align with current high-risk areas such as third-party risk management and cloud security.
The new framework still follows the continuous improvement principle, which is best shown by the fact that clauses 4 through 10 were relatively untouched. These clauses cover the common requirements such as scope, interested parties, context, information security policy, risk management, resources, training and awareness, communication, document control, monitoring and measurement, internal audit, management review, and corrective actions. Each of these ensures the effective operation of the Plan, Do, Check, Act (PDCA) cycle.
Only the security controls listed in Annex A have changed: the number of controls decreased from 114 to 93, and they were placed into four sections instead of the previous 14. While none of the controls were deleted, many were merged, and 11 new controls were added, which are:
These specific controls were added to the framework to reflect the threats and vulnerabilities organizations face today. To better understand the applicability of these controls, the framework structure groups them into the following sections:
Each control has attributes that help justify and better understand the use of the control in your environment. This provides a standardized way to sort and filter controls across different views to address the needs of different groups.
The attribute options for each control are as follows:
The transition period for these changes has not been published yet, but it will probably be two years starting from the date of the official update. Since the changes in the new framework are relatively moderate, only documentation-level changes, rather than technology-level changes, should be needed. Documents such as the Statement of Applicability (SOA), your risk assessments, and your policies should be updated to reflect the control changes where needed in your control environment.
While there are a few ways to do this, the best way to handle this type of migration is to have a mapping sequence that manages the entire transition process. This type of functionality is part of Compyl and allows an organization to grow confidently while adapting quickly to industry requirements, expansion, and other needs. Compyl acts as an extension of your organization’s information security team as a continuous improvement solution, providing expertise and guidance when needed.
For more information on ISO 27001, the recent update to the framework, or other information security questions, reach out to one of our experts today.