A new version of ISO 27001

The ISO/IEC 27001 standard for information security and cybersecurity received an update. The large increase in cyberattacks makes this information security management system (ISMS) invaluable for organizations that want to get and keep their information security in order. Because secure information is vital in today's increasingly digital world.

What is ISO/IEC 27001?

ISO/IEC 27001 contains the requirements to establish, implement, maintain and improve an information security management system in your organisation .

To that end, ISO/IEC 27001 uses the security controls from the ISO/IEC 27002 Code of Practice in Appendix A.

What has changed in this new version?

Annex A contained 114 controls in 14 domains. The restructured 2022 version has 93 controls divided into 4 main domains. Some controls have been merged, while others are new and may require modification of your existing system.

The updated standard is now in line with the Harmonized Structure (HS) for management system standards.

‍

The new ISO/IEC 27001:2023 contains a few more minor changes:

The sections on ‘stakeholders’, ‘scope’, ‘risk treatment’ and ‘operational planning’ have been refined.

A section on ‘change management’ was added.

The ‘audit programme’ and ‘input/output’ sections have been split.

Transition period for certified companies

Organisations with ISO/IEC 27001 certification will have the opportunity to incorporate the changes and adapt their ISMS accordingly. There is a three-year transition period for organisations to do this. This means that the changes will have no impact on current certification.

Essential for IT

ISO/IEC 27001 has become the common international language for IT security across all industry sectors. The standard is used for risk management, cyber resilience and operational excellence.

Properly applied, this cybersecurity standard is a roadmap to information security excellence. It’s therefore the foundation for building and managing a secure future.

‍