The International Organisation for Standardisation (ISO) released a newer version of ISO 27001 in October 2022. Ankur Aeran looks at the updated standard, and what you should do to optimise your framework and improve your information security management systems.

Sophisticated cyber security attacks are on the rise, driven by geopolitical conflict and emerging tech. High-profile attacks on organisations, including retailers, have raised concerns from businesses across the UK, and it’s important to have the tools in place to mitigate against data breaches and ransomware attacks.

The latest revision of ISO/IEC 27001, updated last year, provides an updated information security framework to help firms enhance their internal cyber data protection tools, identify information storage areas and define solutions to mitigate potential risks.

The total number of controls has decreased from 114 to 93, with 11 new controls added. The update aims to meet the demands of modern IT and the changing landscape of information, physical and cyber security, as compared with the previous version released eight years ago.

11 new security controls

The ISO has outlined the main areas of vulnerability that you're likely to face in your security framework. These 11 components help identify the core elements of your cyber processes and highlight key areas of focus.

1 Threat intelligence

The foundation of keeping up to date with ISO 27001 requires having a distinct knowledge of the cyber landscape. Specifically, you need an acute awareness of cyber attackers and their methods of infiltration to avoid unsuspecting hacking events – and to identify this in the context of the your IT landscape and internal operations to meet the requirements of the firm.

2 Information security for the use of cloud services

Cloud initiatives are becoming common as a way of information sharing, and are frequently used by businesses to host and transfer data in a shared space. Although this method of data sharing is efficient and convenient, it also introduces another avenue for attack if left unprotected.

3 ICT readiness for business continuity

To improve capabilities business continuity needs to at the forefront of operations when establishing IT systems. The requirements for the IT framework within the business should be built upon from the overall processes of the firm, and provide the ability to recover operational capabilities and undertake frequent risk assessments.

4 Physical security monitoring

Although cyber threats are commonly hosted in the digital space, the ISO 27001 standard adds emphasis to the physical threats, for example, of attackers stealing unprotected IT equipment and information in person. Mitigating this requires the use of alarms and internal monitoring systems to prevent unauthorised entry to internal systems.

5 Configuration management

IT systems should be configured to ensure internal systems perform as expected. This is achieved by hardening and securing the configuration of IT systems, and establishing consistency of the cyber systems based on their performance, functionality and physical attributes. You should also carry out regular checks to ensure that it is up to standard.

6 Information deletion

The revised standard affirms the need to delete data when it's no longer needed. There needs to be compliance with data protection regulations, and you need to ensure that the information being removed is approved first and logged for future reference. Doing this efficiently means implementing data protection deletion concepts and configuring internal systems to delete data in accordance with your internal policy on data retention.

7 Data masking

Protecting internal data is essential to manage and run IT systems effectively. The recommended approach is to use data masking techniques, such as anonymisation and pseudonymisation, both of which bolster data protection by modifying sensitive information so that it's unreadable to unauthorised users.

8 Data leakage prevention

Taking steps to prevent data leakage is crucial to block the use of data by unauthorised parties. You should be looking to detect potential data breaches and monitor who can authorise internal systems to ensure that confidential information is stored within the firm and minimise the risk of it being leaked.

9 Monitoring activities

Capable cyber activity monitoring tools need to be in place to enhance your risk practices. Monitoring network security and application behaviour is crucial to detect network anomalies, and also allows the business to evaluate mitigation by tracking its effectiveness.

10 Web filtering

Web filtering is an important tool to safeguard your internal activity. With online processes for employees now prevalent within a firm, incorporating web filters helps prevent users from viewing specific URLs containing malicious code.

11 Secure coding

Having reliable coding methods is integral to ensure that operations run smoothly. Secure coding requires using specific tools, commenting capabilities, tracked changes and using secure programming methods to mitigate the risk of a cyber-attack and enhance day-to-day business operations. Putting strong cyber processes in place helps ensure that the firm runs smoothly and minimises errors from the top down.

Implementing ISO 27001:2022

The ISO has set a transition date of 31 October 2025 for firms already certified against ISO 27001:2013 to give them enough time to update their systems. If you're implementing ISO 27001:2022 from scratch, however, it'll take longer to implement the processes and align them with your existing frameworks.

The revised standard represents changes in the industry and ensures firms are up to date on cyber security practices. It also provides a useful opportunity to check that your firm has a clear understanding of its internal systems and the steps needed to mitigate the changing risks.

Implemented correctly, ISO 27001:2022 certification has the potential to highly reduce cyber risks. Additionally, it can help you meet best practice, align with regulatory compliance, and give third parties and their customers greater assurance. 

For more insight and guidance on meeting the new requirements, get in contact with Ankur Aeran.