What Is ISO 27001? Everything You Need To Know About ISO 27001:2022
ISO 27001, also known as ISO/IEC 27001, is a widely recognized international standard that defines best practices for implementing and managing information security for an Information Security Management System, or ISMS.
The risk-based standard was published in 2005 by a joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It has been revised since then, including in 2013 and most recently in 2022. That version, released in October 2022, is known as ISO 27001:2022.
Who is ISO 27001 for?
While the standard is not mandatory, it is viewed as a best practice for any organization that wishes to protect its critical data and comply with rapidly changing data protection laws and regulations.
The standard is widely accepted; it’s used globally and certification is accepted in 168 countries worldwide. The companies that stand to benefit the most from ISO 27001, however, are those that primarily deal with sensitive data, such as healthcare firms, financial services companies, and government contractors.
What is the goal of ISO 27001?
Since it was first developed, the goal of the standard has been to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system.
The main goal of the ISO 27000 family of standards – there’s a handful, ISO 27002, ISO 27003, and so on – is to help organizations keep their information assets secure, whether those are intellectual property, contracts, financial data, or customer or employee data. ISO 27001 in particular lays out how an ISMS should function to ensure that what’s referred to as the CIA triad (Confidentiality, Integrity, Availability) is satisfied.
The CIA triad is a fundamental concept in cybersecurity. Under it, an effective system ensures that access to data is restricted to authorized users (Confidentiality), that data is complete, accurate, and valid over its lifespan (Integrity), and that users can access the data they need when they need it (Availability).
How is ISO 27001 broken up?
The standard primarily consists of two sections: the clauses – further broken down into requirements – that describe the processes organizations should use to build out their ISMS, and a series of controls that are outlined in what’s known as Annex A.
As part of the standard, there are 10 clauses that break down requirements around information security policies, organizational roles, and leadership and commitment, including:
- Terms and definitions
- Process approach impact
- Plan-Do-Check-Act cycle
- Context of the organization
- Performance evaluation
When comparing and contrasting previous versions, it’s worth keeping in mind that several clauses were reworded or reordered in the latest version of ISO 27001.
Adhering to the controls in ISO 27001’s Annex A can help organizations prevent unauthorized physical access to, damage to, and interference with the organization’s information and information processing facilities.
There are 93 controls divided across four sections in Annex A:
- People (8 controls)
- Organizational (37 controls)
- Technological (34 controls)
- Physical (14 controls)
The most recent version of ISO 27001 incorporates 11 new controls:
- Threat intelligence (A.5.7)
- Information security for use of cloud services (A.5.23)
- ICT readiness for business continuity (A.5.30)
- Physical security monitoring (A.7.4)
- Configuration management (A.8.9)
- Information deletion (A.8.10)
- Data masking (A.8.11)
- Data leakage prevention (A.8.12)
- Monitoring activities (A.8.16)
- Web filtering (A.8.23)
- Secure coding (A.8.28)
What are the benefits of ISO 27001 Compliance?
Certification to ISO 27001’s management system standards can help organizations:
- Ensure they stay in compliance with ongoing business, legal, contractual, and regulatory requirements.
- Maintain their brand’s reputation and, in some scenarios, give them a competitive advantage over organizations that are not ISO 27001 certified.
- Secure information by ensuring their systems are bound by the CIA triad.
- Improve their risk management posture and help gauge their cyber readiness.
Simply put, an organization that’s achieved ISO 27001 compliance is likely to be more secure than one that hasn’t. Because it shares some common threads with the General Data Protection Regulation, the Center for Internet Security’s Critical Security Controls, and the National Institute of Standards and Technology Cybersecurity Framework, being in compliance with ISO 27001 can give an organization a head start on meeting the requirements of other frameworks, too.
How does ISO 27001 certification work?
While the ISO 27000 family of standards lays out a handful of information security best practices, ISO 27001 is the only standard in the family against which it is possible to be certified.
To become certified, organizations need to be fully prepared, have the correct processes in place, and be ready to pass annual external audits throughout the certification cycle.
The three-year transition period for ISO 27001:2022 began on October 31, 2022 and ends on October 31, 2025. Certifications based on ISO 27001:2013 will expire or be withdrawn at the end of the transition period.
Certification bodies, which ask organizations to demonstrate how their information security management systems are secure, are required to be ready to certify against ISO 27001:2022 by April 30, 2023, though most will be ready to certify before then.
If your organization is already certified to ISO 27001:2013, you’ll be granted three years to transition to ISO/IEC 27001:2022.
How can Fortra’s Data Classification Suite help?
Fortra's Data Classification Suite can help your organization better identify, classify, and secure your sensitive data while complying with government and industry regulations like ISO 27001.
This is especially important when it comes to following two of the standard’s organizational controls, 5.12 Classification of information and 5.13 Labelling of information.
Using Data Classification To Support ISO 27001 Compliance
Learn more about why data classification is an essential part of an information security system and how Fortra’s Data Classification Suite can help your organization in ISO 27001 certification.