Neuauflage ISO 27001 kommt
What changes and what to consider
The ISO/IEC 27001 standard is not only getting a refresh and restructuring, there are also some changes to be aware of. However, all those who are already certified still have time to adjust to the changes, because the release of the new standard is not planned until the end of the year. After that, a transition period of three years is expected to apply. However, anyone planning an initial certification or introduction of an ISMS (information security management system) should do so on the basis of the updated guide, ISO 27002. This is because it has already been published since February 2022 and offers a good basis for implementation.
New title and restructuring of ISO/IEC 27002
The title of ISO 27002 is already new: From now on, it is Information Security, Cybersecurity and Data Protection – Information Security Measure. This is the standard’s reaction to the new challenges that companies are facing in the context of data security. While the old version still had fourteen subject areas and 35 measure objectives, these are now divided into the four main areas of Organisational Measures, Measures in Connection with People, Physical Measures and Technical Measures. This is to ensure better readability. In addition, the number of controls has changed from 114 to 93. This change is due to the fact that some controls have been combined. However, the new version of ISO 27002 does not contain fewer required measures, but eleven controls have been added.
Innovations and necessary steps for ISMS certification
New controls include web filtering, data masking, physical security monitoring and information deletion. But what does this mean for the re-certification or new certification of an ISMS? Especially some of the new controls, such as physical security monitoring, where it must be ensured that it is clear at all times who was in the company’s premises and when, could pose new challenges for smaller companies. How big the effort for the changeover is certainly depends as much on the size of the company as on its structures. This can only be determined after a close look at existing measures. What is certain, however, is that companies should already start analysing the gap between the existing ISMS and the one required by the new standard. Those planning an initial certification according to ISO 27001 should immediately work on the basis of the new regulations in order to avoid having to adapt existing, newly implemented processes and documentation.