New edition of ISO 27001 is coming
What changes and what to consider
The ISO/IEC 27001 standard is not only getting a refresh and restructuring; there are also some substantive changes to be aware of. Those who are already certified still have time to adjust, because the release of the new standard is not planned until the end of the year, after which a transition period of three years is expected to apply. Anyone planning an initial certification or the introduction of an ISMS (information security management system), however, should do so on the basis of the updated implementation guide, ISO 27002, which has already been published since February 2022 and offers a good basis for implementation.
New title and restructuring of ISO/IEC 27002
The title of ISO 27002 is already new: from now on it is Information Security, Cybersecurity and Data Protection – Information Security Measures. This is the standard’s response to the new challenges companies face in the area of data security. While the old version had fourteen subject areas and 35 control objectives, these are now divided into four main areas: Organisational Measures, Measures in Connection with People, Physical Measures and Technical Measures. This is intended to improve readability. In addition, the number of controls has changed from 114 to 93, because some controls have been merged. The new version of ISO 27002 does not, however, contain fewer required measures: eleven new controls have been added.
Innovations and necessary steps for ISMS certification
New controls include web filtering, data masking, physical security monitoring and information deletion. But what does this mean for the re-certification or initial certification of an ISMS? Some of the new controls in particular, such as physical security monitoring, which requires that it is clear at all times who was on the company’s premises and when, could pose new challenges for smaller companies. How large the changeover effort will be certainly depends as much on the size of the company as on its structures, and can only be determined after a close look at the existing measures. What is certain, however, is that companies should already start analysing the gap between their existing ISMS and the one required by the new standard. Those planning an initial certification according to ISO 27001 should work on the basis of the new requirements from the outset, so as to avoid having to adapt newly implemented processes and documentation later.
ISMS – information security guideline of our organisation
Certified in accordance with ISO 27001:2013
We, think tank Business Solutions AG, Messerschmittstraße 7, 80992 Munich (hereinafter: think tank) have implemented an Information Security Management System (ISMS) according to ISO 27001:2013. The ISMS is intended to form the basis for systematically identifying and managing existing risks. The ISMS also has the function of ensuring the continuous improvement of the protection goals for information security – confidentiality, integrity, availability. The think tank’s ISMS applies to all organisational units. It therefore includes all procedures, processes and activities of the company. If third parties are commissioned with the provision of services, contractual agreements must ensure that the information security guideline is taken into account in the service relationships.
Scope of the ISMS according to ISO 27001:2013
The Board of Directors is responsible for the information security of think tank. As part of this responsibility, the Executive Board issues this information security guideline. According to this guideline, each area of think tank is responsible for the security and appropriate protection of information. These measures are not only required by law, but are also part of our obligations towards our customers. Every employee must therefore adhere to this guideline and the standards derived from it.
These guidelines are binding for all employees of think tank. All employees are requested by the Executive Board to actively implement information security on the basis of this guideline and in accordance with ISO 27001, data protection in accordance with the BDSG and EU-DSGVO and material security to the best of their ability in their respective areas of activity.
In addition to the Executive Board as the overall responsible party, all those involved in the business processes are also responsible for information security. The Executive Board actively supports the measures and strategies of information security and promotes the implementation of security measures in the company. Each person responsible has to pay particular attention to the following in his or her area:
- Assessing and determining the business relevance of the information and data for which he or she is responsible,
- determining and approving the scope of security and controls to adequately ensure the availability, confidentiality and integrity of the information and data for which he or she is responsible,
- ensuring that responsibilities are explicitly defined and security and control measures are implemented to manage and protect the information and data for which he or she is responsible,
- ensuring that the systems used to process the information and data for which he or she is responsible are regularly audited for compliance with the Information Security Policy.
All employees are required to comply with the guideline and any derived guidelines when creating, using and managing information and data. Employees are responsible for all actions they take when using information and related systems. Employees must understand that information security is central to the company’s philosophy and develop appropriate security awareness. Employees who suspect or become aware of a breach of information security and related information security standards, or who suspect that information is not appropriately protected, must report it immediately to their supervisor and/or the Information Security Officer. Non-compliance or deliberate violation of company requirements may result in disciplinary action, dismissal and criminal and/or civil proceedings, depending on their extent.
Due to the importance of information security, every employee is expected to maintain a high level of security awareness. Their compliance will be monitored. Security awareness is characterised by the following behaviour:
- recognising that information security is a critical and essential element of the company’s philosophy and success,
- constant security awareness in all daily activities,
- personal accountability for proactive as well as effective reactive measures in relation to all risks, vulnerabilities and incidents affecting employees, information, assets and the continuation of business in the event of an emergency,
- informing the Information Security Officer immediately of any irregularities.
As the importance of information security is central to the execution of business processes, the following key, strategic information security objectives emerge:
- protection of the confidential data of customers, the company and its employees,
- availability of all services and thus of the data involved,
- integrity of all services and thus of the data involved,
- preservation of the value invested in technology, information, work processes and knowledge,
- compliance with the requirements resulting from legal, contractual and regulatory obligations,
- ensuring the continuity of work processes within the company,
- establishing and maintaining a good reputation of the company with regard to information security in the public awareness,
- reducing the costs incurred in the event of a loss.
- Minimum (need-to-know) principle: access to security-critical systems, applications and information must be restricted to the minimum number of people. In principle, whatever is not explicitly permitted is prohibited (prohibition with reservation of permission).
- Introduction and ongoing maintenance of the ISMS based on the idea of continuous improvement in the sense of the PDCA model (Plan-Do-Check-Act).
- Provision of sufficient resources to achieve the set goals.
Risk management is the basis of the ISMS according to ISO 27001. The risk analysis within the framework of the ISMS serves to systematically identify potential risks, evaluate them and, where necessary, initiate countermeasures. The risks to information technology and security are recorded and evaluated according to a defined scheme. The application of appropriate, economical measures, the transfer of business risks, and the reduction or conscious acceptance of risks below a defined, acceptable level are documented in the risk analysis and countersigned by the Executive Board.
Continuous improvement process
The ISMS based on the PDCA model is implemented to maintain and continuously improve information security. Improvement measures from various sources flow into the PDCA cycle, and their implementation is continuously documented.