Updates to the ISO 27001 certification standard: What you need to know

If you're not yet familiar with the ISO 27001 standard, it's an internationally recognised certification standard specifically focused on information security. Using the policies and procedures outlined in the standard enables an organisation to implement an information security management system (ISMS) to better protect their information in a systematic way. 

Certification using the ISO 27001 standard consists of several steps that include: 

1. Assessing where your organisation sits as compared to the ISO 27001 standard (also known as a gap assessment).
2. Remediating any gaps found in the initial assessment to meet the required standards.
3. ISO 27001 audit preparation
4. Stage 1 Audit
5. Stage 2 Audit

This year, the standard was updated to reflect the increasing importance and changing nature of how information security affects organisations. The last update to the ISO 27001 standard prior to this was in 2013. Some of the new changes to the standard include:

• 93 controls over four domains (from 114 controls over 14 domains)
• Changes in existing controls, with some from the previous standard disappearing altogether. 
  • New controls include areas like threat intelligence, cloud service security, business continuity, configuration management, monitoring activities, and secure coding. 
• Each control now has five attributes assigned to them along with attribute values. These include: 
  
  • Control Type – Preventive, Detective, Corrective
  • Security Properties – Confidentiality, Integrity, Availability
  • Cybersecurity Concepts – Identify, Protect, Detect, Respond, Recover
  • Operational Capabilities.
  • Security Domains – Governance and Ecosystem, Protection, Defense, Resilience

Organisations who have previously completed an ISO 27001 certification are expected to have 18-months to two years to update and implement the new standard, which means it's important to begin planning as soon as possible. 

ISO 27001 certification can be beneficial to organisations looking to improve their information security policies and procedures in a way that adheres to an international standard. Working towards and attaining ISO 27001 certification can demonstrate your level of information security to your clients, partners, vendors, and suppliers. As attacks to cyber supply chains increase and organisations continue to increase their focus on reducing third party risk, certification can make the difference when competing for a contract or client in addition to improving your organisation's cybersecurity. 

Interested in discussing how your organisation can implement ISO 27001 standards and achieve certification? Contact us to speak to our GRC team about how we can help you reduce your information security risks.