What are the changes and benefits of the latest ISO/IEC 27001 standard?

The publication of the latest version of ISO/IEC 27001 and connected ISO/IEC 27002 comes as a timely reminder that all companies are increasingly exposed to information security risks. So, what then are the main changes and benefits that the new version brings to the table?

With so much of modern business and commerce being carried out digitally, information, data and cyber security must always be high on the list of management concerns. The issue of cyber threats and attacks may have been pushed off the headlines in recent months by energy costs and security concerns, but the cyber threat has certainly not diminished and may even have grown.

So, the publication of the latest version of ISO/IEC 27001 on October 25 reminds us that all companies are increasingly exposed to information security risks. ISO/IEC 27001 is the internationally recognized information security management system (ISMS) standard which helps companies proactively manage and protect their information assets and to manage and mitigate security events. It also helps address regulatory compliance and meet customer requirements.

Significant loss and reputational damage can result from security breaches and cyber-attacks. To avoid this, organizations must manage current threats and, where required, reduce the risks. This will help build stakeholder trust and ensure the risk of financial loss and disruption is minimized. Putting in place a robust, structured framework to identify, manage and mitigate risk will drive continual improvement and strengthen business continuity.

ISO/IEC 27001 is designed to be compatible and harmonized with other recognized ISO management system standards. The last major overhaul of the standard was in 2013. Therefore, it was deemed necessary to bring the standard, including the information security controls as defined in ISO/IEC 27002, up to date with the cyber-attack and data security-breach scenarios that have developed in the interim.

Organizations certified to the current 2013 version of ISO 27001 will have three years to transition to the new version. This means their current ISMS must meet the new requirements before November 2025. For organizations not yet certified, the best course would be to aim for certification against the new standard immediately.

The main changes that the latest version of ISO/IEC 27001 brings to the table…

The structure of the new version is identical to that of the earlier version but reflects the concepts of cybersecurity and data security. A brief glance reveals that the changes are almost exclusively contained in the revised set of controls from ISO/IEC 27002. These are referred to in Annex A of ISO/IEC 27001. Annex A sets out information security controls for an information security management system based on ISO/IEC 27001. The total number of controls has been revised from 114 to 93. There are 11 new security controls, 58 have been updated and 24 have been merged to simplify the set and to better reflect the new scenarios companies face. The controls have been re-organized into four control "themes": Organizational, People, Physical and Technological. For users and implementers, ISO/IEC 27002 also provides useful updates in the guidance section for the controls, including more examples.

The 11 new controls are:

In addition to the controls, there are some minor changes to align with the latest updates of ISO’s High Level Structure (HLS). The main areas of the management system that are impacted are leadership, corporate security, IT functions and other support functions. For service providers, delivery is impacted as well. The new version enables more effective risk management due to the updated security controls.

…and the benefits

The main benefits of the new version can be summarized as:

  • Enables more effective risk management, since the security controls in Annex A have been improved to reflect the current scenarios companies have to tackle.
  • Helps companies reassess their risks and threats and implement security controls befitting a context of constantly increasing interconnectivity, cloud and automation technology, malware and ransomware and other vulnerabilities.
  • Extends to include cyber security and privacy, connecting the information security management system better to these critical issues companies have to deal with.
  • Provides a better structure and presentation of the controls in Annex A, with clearer and simpler language.
The benefits of an ISO/IEC 27001 management system and certification have not changed; however, the new version makes companies better able to understand, manage and mitigate new risks and threats in their business context. Regardless of whether an organization is transitioning or working towards certification to the new standard, DNV can provide all the services and support necessary to ensure a successful conclusion.