The International Organisation for Standardisation (ISO) is releasing an update to its cybersecurity compliance guidelines this September called ISO 27001:2022. Originally introduced in 2005 to provide companies with an international standard for cybersecurity, the latest update makes subtle changes to the framework designed to ease its implementation and combat the contemporary threat landscape.
The update is expected to be released at the end of September. Questions remain, however, about how businesses should best comply with the new standard – and whether it’s worthwhile doing so at all.
How will September’s ISO 27001 differ from the current ISO?
The main body of the framework, clauses four through ten, will not change. These include most of the management controls, such as internal audits, information security policies and risk management.
The biggest change will be in the security controls listed in Annex A of the new document. There are 11 new controls that cater to risks that the current ISO does not. Even so, these controls are not mandatory. The ISO 27001 framework will allow a company to exclude a control if it has identified no related risks or there are no legal or regulatory requirements to implement that particular control.
The new controls run through from threat intelligence to security in the cloud and even provide advice on secure coding. The full list of new controls in Annex A can be found here.
“The update is a very minor tracking change in a few minor clauses,” explains Alan Calder, founder and executive chairman of IT Governance. “To all intents and purposes, it’s the same standard that people are currently working to.”
The number of controls has decreased from 114 to 93. However, the 11 new controls added in Annex A bring the total back up to 114. None of the controls were deleted, but several were merged and updated.
Finally, the controls have been placed in four distinct sections rather than 14. This is to add clarity to the implementation process, explains Calder. “You’ve got different people inside your organisation typically responsible for implementing different sets of controls,” he says. “The practical benefit of breaking controls down into four specific groups is that it makes it very easy for the implementation team to determine which group inside the organisation is responsible for which set of controls.”
How does complying with ISO 27001 benefit businesses?
ISO 27001 security will help a company adopt good security practices across the board. The IT Governance guidelines detailing ISO 27001 certification explains that initialising ISO in a business will give it a proven marketing edge. Many public bodies will demand ISO accreditation as a matter of course in a bid to protect the security of its supply chain, explains Calder.
“The DWP, for instance, requires organisations it is contracting to have ISO specification,” he says. “You, therefore, have a situation where the fact that you failed to get it means the DWP will not consider your contract.”
This does not mean ISO is a legal requirement, he stresses. “That is a commercial contractual requirement, however,” says Calder. “There are no legal requirements to be certified.”
Although, there are numerous financial penalties a company can incur through implementing other, inappropriate cybersecurity controls. “As the accepted global benchmark for the effective management of information assets, implementing ISO 27001 requirements enables organisations to avoid the potentially devastating financial losses caused by data breaches,” the guidelines read. The global average cost of a data breach rose to $4.24m in 2021, up from $3.86m in 2020, according to the latest Cost of a Data Breach report from IBM and Ponemon Institute.
Calder also stresses how ISO 27001 can help achieve GDPR compliance. “It helps,” he says, because the regulation “specifically requires organisations to adopt appropriate technical and organisational measures to protect data. The best way they can demonstrate they’ve done this is through an ISO 27001 standard.”
How should businesses prepare for the ISO 27001 update?
If a business already complies with the current ISO9001:2015 regulations, it will have very little work to do to ensure it is up to date. Come September, its main priority will be to reassess its risk environment with reference to the new guidelines set out in Annex A before applying for a new audit.
“You’ve got to select the controls appropriate for your risk environment,” says Calder, “and put them in place once you have selected them. They could come from any framework in the world, but you have to tie them in to Annex A so that anyone looking at your management system can see how they tie together.”
This will entail more changes in documentation than technology. However, the 27001 Academy, a body that provides courses on successfully achieving ISO compliance, suggests that companies should hold off on adding in new documents or deleting old ones, given the subtlety of the new changes.
“In our opinion, the best way to comply by these changes is to update your risk treatment process with new controls,” an explainer on the site reads. Companies should then update their Statement of Applicability before adapting “certain sections in your existing policies and procedures.”
If a company is not yet ISO compliant and needs to start from scratch, the best advice is to start complying with the current ISO rather than waiting for the next version of ISO 27001 to be released, continues Calder: “There’s a very easy transition from the current version to the new version. Why would you want to spend any time not being secure?”
What are the consequences of not getting the certification?
Experts believe there are numerous benefits in achieving ISO 27001 compliance. The certification provides proof to organisations of a reasonable level of cyber resilience. Complying with the ISO controls will protect the company against easy-to-avoid attacks. However, achieving ISO 27001 compliance alone may not protect businesses against targeted cybercrime.
One of the main reasons for this, argues Palo Alto’s head of research Tim Erridge, is that the standard was originally conceived at a time when most companies could get away with protecting themselves from cybercriminals by building robust firewalls. Attacks since then have grown much more sophisticated, with thousands of ISO 27001-compliant companies being compromised in the meantime. As such, says Erridge, “it’s proven to not be an effective way to mitigate the potential for an attack or breach.”
However, Erridge believes that the forthcoming update of ISO 27001 is ultimately a positive development. “I think in its previous guise it had the potential to be disregarded,” he says. “I think it’s an important step forward for them.”