As we’ve seen while helping businesses gain certification over the last few years, the 2013 version of ISO 27001 is increasingly out of touch with the technology in common use today. It was written when companies were buying their own servers and 3.5” disks, needed extensive backup facilities and were only just becoming aware of the dangers posed by viruses, Trojans and ransomware. As most businesses move to cloud-based solutions, many parts of this version of the standard are becoming redundant.
So why hasn’t it been updated?
Well, international standards are supposed to be reviewed every five years to keep them relevant, so ISO 27001:2013 was due for revision by 2018. That hasn’t happened; the pace of technological change, a worldwide pandemic and its crippling impact probably have something to do with it.
But ISO 27002, titled “Information security, cybersecurity and privacy protection. Information security controls”, has been updated. This isn’t a standard you can be certified against; it is the guidance document that sits alongside ISO 27001, and its content is meant to help businesses select and implement the security controls they need in their own environment.