
Organisations should always want to know how secure they are and what their current cyber posture looks like. If an organisation does not perform regular cyber reviews and assessments, it cannot find its own vulnerabilities and weak areas, and it is a safe bet that a cyber criminal will find them first.

In terms of cybersecurity standards, ISO 27001 is the gold standard. Organisations use it to protect the information assets they hold, such as financial information, intellectual property, employee data, or information entrusted to them by others. ISO 27001 is the best-known standard setting out the requirements for an information security management system (ISMS).

ISO 27001:2013 is the current version of the Information Security Management standard. The 2017 revision by the responsible committee of information security specialists was limited to minor editorial corrections: a few changed words and a few added full stops.

On 15 February 2022, ISO 27002 (the companion guidance for the Annex A controls) was updated, and a revised version of ISO 27001 is expected by October 2022.

What’s new?

The previous standard has 114 controls grouped into 14 categories. The new version has 93 controls distributed over four themes, so ISO has merged several of the old control categories into single themes. ISO 27001:2022 certification covers the following four themes:

1) Organisational Controls – 37 Controls

2) People Controls – 8 Controls

3) Physical Controls – 14 Controls

4) Technological Controls – 34 Controls

The following 11 controls are new in the 2022 edition:

1) Threat intelligence

2) Information security for use of cloud services

3) ICT readiness for business continuity

4) Physical security monitoring

5) Configuration management

6) Information deletion

7) Data masking

8) Data leakage prevention

9) Monitoring activities

10) Web filtering

11) Secure coding

In the 2022 edition (the attribute scheme is defined in ISO 27002:2022), each of the 93 controls carries the following five attributes, each with a fixed set of values, so the control set can be filtered and grouped from more than one viewpoint:

1) Control type (preventive, detective, corrective)

2) Information security properties (confidentiality, integrity, availability)

3) Cybersecurity concepts (identify, protect, detect, respond, recover)

4) Operational capabilities (governance, asset management, etc.)

5) Security domains (governance and ecosystem, protection, defence, resilience)

Sixteen 2013 controls no longer appear as stand-alone controls. Because of duplication or better alignment, their content has been merged into other controls rather than dropped, so the underlying requirements largely survive under a new number. The 16 are:

1) Review of the policies for information security

2) Mobile device policy

3) Ownership of assets

4) Handling of assets

5) Password management system

6) Delivery and loading areas

7) Removal of assets

8) Unattended user equipment

9) Protection of log information

10) Restrictions on software installation

11) Electronic messaging

12) Securing application services on public networks

13) Protecting application services transactions

14) System acceptance testing

15) Reporting information security weaknesses

16) Technical compliance review

There is no need to panic if you are already certified

Certified organisations are normally given a transition period of two years or more to revise their management system to the new version of a standard, so there will be time to make the necessary changes.

That does not mean no action is needed. Start reading the new standard now and plan the transition over the next few years.

My organisation is prepared to conform to ISO 27001:2013. Should I wait?

No. Even if you have planned and prepared an ISMS that conforms to ISO 27001:2013 and uses the existing Annex A control set, whether for direct implementation or as a reference against other controls, go ahead. A 2013-based ISMS is not wasted work: ISO 27002:2022 includes a correspondence table (Annex B) mapping each 2013 control to its 2022 counterpart, so the Statement of Applicability and risk treatment plan can be re-mapped rather than rebuilt.

Waiting until the new iteration of ISO 27001 is published will likely leave you at greater risk in the meantime.

How Rabbon can help

We deliver a report detailing your gaps against the NIST Cybersecurity Framework (CSF), with controls and recommendations to improve your security posture. The report covers every NIST CSF category and subcategory and gives your organisation a maturity score for each.

The report also includes a chart of your organisation's current and target security posture.

A security review is an essential milestone in your secure digital transformation journey, especially for SMBs. We have noticed that SMBs and startups build their infrastructure to support particular business goals, and in the initial phases security is not a focus. Once an organisation reaches a certain size, however, security becomes essential to its survival. A security review helps such organisations identify the gaps in their current infrastructure and continue their journey securely.

What’s next?

Our experienced GRC consultants can help your organisation in the following ISO 27001 certification scenarios:

  1. You are already certified to ISO 27001:2013. We can perform a gap assessment between your current ISMS and ISO 27001:2022, extend your ISMS to the new edition, prepare you for your next audit and help you certify to ISO 27001:2022.
  2. You are halfway through ISO 27001:2013 readiness and now want to target ISO 27001:2022. We can help you upgrade your current ISMS to ISO 27001:2022.
  3. You are still planning for ISO 27001 certification. We can help you plan a certification roadmap aligned with ISO 27001:2022.

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney, Melbourne, Brisbane, and Canberra. Our team of cyber security experts and ISMS consultants gives businesses access to effective and affordable cybersecurity services that help them become cyber resilient. Cybersecurity matters to every business, no matter how big or small.

You can contact our Cyber Security Consultants for an obligation-free consultation.

Book your obligation free consultation – Contact us
