Column | John Vandenbemden
Do You Need to Implement ISO27001?
The question is how vulnerable are you to a cyberattack?

Do you need to implement ISO 27001, Information security, cybersecurity and privacy protection – Information security management systems – Requirements?
The question is how vulnerable are you to a cyberattack? Many organizations have ignored how secure their information technology systems are. I know two organizations that have been attacked, one of those attacks occurring during a renewal audit. This attack resulted in production being halted for two days; on the third day operations resumed using manual documentation until the system was up and running. There was no contact with the attacker, only the damage it left behind. The second was a ransom attack that the client did pay. Why did they pay? The attack went all the way back to their home computer, which also contained personnel data. Unfortunately, even though they paid the ransom, they only received a portion of the files that were stolen. Needless to say, both organizations reacted by installing and implementing programs for general security such as firewalls and antivirus as well as cybersecurity. In fact, cloud security is now included in ISO 27001:2022, which was not covered in the previous 2013 version.
ISO 27001:2022 is considered the world’s leading information security standard and is supported by ISO 27002:2022. ISO 27001:2022 was published on October 25th, 2022. ISO 27001 and ISO 27002 cover the same set of controls, the difference being that ISO 27002 provides detailed guidance on how the 93 controls could be implemented. The 2022 revision transformed the 114 security controls in the 2013 standard into 93 controls to provide a better structure. There were 58 controls that remained in place, 24 that were merged and 11 new controls. The fourteen sections in the 2013 version were changed to four sections and two annexes.
- Organizational Controls: Has 37 controls which address various organizational issues.
- People Controls: There are 8 controls to focus on human resources security.
- Physical Controls: These 14 controls address the physical environment.
- Technological Controls: 34 controls are related to technological solutions.
- Annex A: Provides a matrix of all the new controls and their attributes for guidance in their usage.
- Annex B: Provides a correspondence with ISO/IEC 27002:2013.
ISO 27001:2022, supported by ISO 27002:2022, provides a transparent structure of controls that can be applied throughout an organization. There are additional controls and a stronger focus on the technical aspects of cybersecurity and the human elements of protecting privacy. There are additional standards that support ISO 27001: ISO 20000-1, Information technology – Service management – Part 1: Service management system requirements, and ISO 27006, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems. Both of these standards provide me with additional guidance in auditing and implementing information security management.