May 03 2023

What Is ISO 27001 And How To Go About It The Right Way

Category: ISO 27k | DISC @ 11:10 pm

What is ISO 27001?

ISO 27001 is a globally recognized standard on information and cyber security. By being compliant with this standard, you are operating in accordance with globally identified best practices. By being ISO 27001 certified, you are not only operating in accordance with it, but you also hold a clear stamp of evidence for your customers and other stakeholders that you are working in line with security best practices.

Common Trap When Pursuing ISO 27001

Companies that want to pursue ISO 27001 often drop the idea soon after they start looking into the standard. This is because they fall into the trap of starting with the controls as specified in ISO 27002. When you focus only on the controls and their implementation guidance, it can feel overwhelming and frustrating: much of the implementation guidance will not make sense for your company, and you can be left with the impression that you must follow all of it in order to become compliant or to go for certification.

This is false!

Falling into this trap, you miss the core purpose of the standard. It is not about implementing all the controls and all the guidance you get from the standard – it is about building a functional management system that is aligned with your company context. It is about understanding the issues and risks you as a company are facing, and taking the appropriate measures to protect your assets and information.

How To Go About It The Right Way!

You should always start by focusing on the clauses of ISO 27001 itself, which provide clear guidance on how to build a functional management system. When this is done correctly, the controls fall into place in the correct order and at the right time, in accordance with your company context and the risks that you as a company need to manage.

When people say that small companies should not pursue ISO 27001 because it is too complex and has too many requirements, the above is the reason why it does not have to be.

All companies should prioritize having a functional management system for how they secure the company and its assets. Protecting what your company values is a crucial element of staying in business!

Make sure you understand your company and your needs, and please avoid looking at other companies and the measures they have taken to protect themselves and thinking that you have to do the same. Make your management system your own; build it so that it is designed to protect your assets. This way you will have greater success, and security will not be something forced on your company but a tool that helps you work more efficiently and securely.

Summary

To sum it up, ISO 27001 is a great standard to pursue both for small and large organizations.

Make sure you understand the purpose of the standard and, as a result, implement a management system that is a perfect fit for your organization for long-term success. ISO 27001 done right will result in a more secure and effective company, which in turn supports the main goal of business continuity.

ISO 27001 Risk Assessment and Gap Assessment


What is BS ISO/IEC 27001:2022 – Expert Commentary about?
BS ISO/IEC 27001:2022 is the third edition of this standard. It technically revises, cancels, and replaces the second edition, ISO/IEC 27001:2013 (also published as BS EN ISO/IEC 27001:2017). BS ISO/IEC 27001:2022 presents the requirements for an information security management system (ISMS). An ISMS helps an organization preserve the confidentiality, integrity, and availability of information in the face of an ever-changing threat landscape, whatever the source of risk. It therefore deals with threats that can be technological, human, physical or environmental in nature.

The standard requires an organization to adopt a risk management framework to determine the necessary information security controls best suited to their business needs and risk appetite. To help organizations ensure that they have not inadvertently omitted any necessary control, the framework uses a reference set of controls (BS ISO/IEC 27001, Annex A), which also facilitates reliable comparisons to be drawn between organizations. The level of change incorporated into the revised version of the standard is medium.

The main changes compared to the previous edition are:

  • a fully revised reference information security control set (Annex A), which now aligns with ISO/IEC 27002:2022, and
  • alignment with the revised harmonized structure (HS) for management system standards.

Download ISO27000 family of information security standards today!


Tags: ISO 27001:2022, ISO 27002 2022


Nov 14 2022

ISO 27001:2022 Has Been Released – What Does It Mean for Your Organization?

Category: Information Security, ISO 27k | DISC @ 12:39 am

A new version of ISO 27001 was published this week, introducing several significant changes in the way organisations are expected to manage information security.

The Standard was last revised almost a decade ago (although a new iteration of the supplementary standard ISO 27002 was published in February 2022), meaning that the release of ISO 27001:2022 has been much needed and highly anticipated.

What’s changing?

The good news for organisations is that ISO 27001:2022 doesn’t drastically overhaul their compliance requirements. There are new requirements on planned changes and how your organisation should deal with them, as well as a greater focus on how you must address the needs and expectations of interested parties.

Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives.

It also aligns its terminology with that used across other ISO management system standards.

Another notable aspect of its terminology is that ISO 27002:2022 no longer refers to itself as a “code of practice”. This better reflects its purpose as a reference set of information security controls.

However, the most significant changes with the 2022 version of ISO 27002 are in its structure. It is no longer divided into 14 control categories, and is instead split into four ‘themes’: organisational, people, physical and technological.

Meanwhile, although the 2022 version of ISO 27002 is significantly longer than its predecessor, the total number of controls has decreased from 114 to 93.

This is because many of its controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new controls have been added. These are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The new and amended controls are also categorised according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.

This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.

How will this affect organisations implementing ISO 27001?

The introduction of ISO 27001:2022 won’t have an immediate effect on organisations that are currently certified to ISO 27001:2013 or are in the process of achieving certification.

For the time being, organisations should continue to follow the 2013 version of the Standard. This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, while the 2022 version of the Standard should be used only as a reference.

Indeed, the reason that the updated version is being published now is to give organisations time to familiarise themselves with the new controls before embarking on an implementation project.

The controls listed in ISO 27002:2022 can be considered an alternative control set that you will have to compare with the existing Annex A – just as you would with any other alternative control set.

ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.

What next?

There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.

However, it’s never wise to put off the planning process until the last minute. Implementation will take several months, and it’s worth knowing what’s expected of you as soon as possible.

You can begin by reading the Standard for yourself. You can purchase a digital copy of ISO 27001:2022 from our website, and we recommend comparing the updated version to the 2013 edition and your current compliance practices to determine what adjustments you’ll have to make.

If you’re unsure how to proceed, our team of experts are here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.

Speak to one of our experts for more information on how we can support you.

Tags: ISO 27001:2022


Oct 18 2022

Detailed explanation of 11 new security controls in ISO 27001:2022

Category: Information Security, ISO 27k | DISC @ 9:00 am

If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.

In this article, I’ll focus on 11 new controls that are set to be introduced in ISO 27001. For general information about the changes, see this article: Most important facts about changes in ISO 27001/ISO 27002.

What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls are categorized as new in ISO 27002:2022, I have listed all 11 in this article.

As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.

Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.

So, let’s review the 11 controls in more detail.


https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/?

Tags: ISO 270012022, ISO 27001:2022, ISO27k


Jun 20 2022

Get ISO 27001:2022 and 2013 toolkits for the price of one

Category: ISO 27k | DISC @ 11:22 am

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 45 document templates – unlimited access to all documents required for ISO 27001 certification, plus commonly used non-mandatory documents
  • Access to video tutorials
  • Email support
  • Expert review of a document
  • One hour of live one-on-one online consultations with an ISO 27001 expert
  • Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents

ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls


Tags: iso 27001, ISO 27001:2022, ISO/IEC 27002:2022, ISO27001:2013