06 Mar 2023

Information security benchmark ISO 27001 – what has changed?

What is ISO 27001?

ISO 27001 is an internationally recognised benchmark for information security. It provides a comprehensive framework for managing information security across your whole organisation (or group of organisations) as opposed to exclusively focusing on IT security. With cyber insurance premiums soaring, certifying to ISO 27001 demonstrates to insurers you have appropriate safeguards in place to reduce the risk of a data breach.

Why has it been updated?

A lot has changed in the world of information security over the last decade and the 2013 iteration was in danger of falling behind the times. The latest revision (ISO/IEC 27001:2022) pulls the standard into the modern era with increased focus on the security challenges of today. To reflect this, the standard has been updated to now include cyber security. This shows a shift in focus to align to the pressures of today’s technologically advanced world. It’s ensuring the standard continues to remain relevant, but also an attempt to future proof it.

What has changed in the standard?

The 2013 version had a total of 114 controls; the 2022 version reduces this to 93. Fewer controls does not mean fewer requirements. On the contrary, 57 existing controls have been merged and 11 brand new controls have been introduced.

The wording and structure of the controls have been revised to make the standard more accessible to management and the ‘non-technical’ person. This has been achieved by simplifying the technical language and grouping the controls into four easier-to-understand sections: organisational, people, physical and technological. Previously, the standard had 14 sub-domains which were designed with IT professionals in mind.

The standard has now been updated to include cloud computing. You are now required to implement a robust due diligence process for the acquisition, use, management of, and exit from cloud services. Vendor due diligence is increasingly important given the rise in supply chain security attacks over the last 12-18 months. Implementing this process can be a big step if your organisation is trying to achieve ISO 27001 certification for the first time, or if you don’t currently have a formal process in place.

Seven of the new controls relate to additional technical requirements. One example is a new requirement to adhere to secure coding principles within your software development process; another is to implement a proactive approach to monitoring your network and devices for security threats. These controls can be challenging, particularly if you don’t have the required IT knowledge in-house to implement them.

Have any of the clauses changed?

There are minor editorial changes to clauses 4-10 of the standard. The changes include the requirement to formally track the progress of your organisation’s security objectives and to ensure any changes to your information security management system (ISMS) are clearly planned.

You will now start to define the security needs of your interested parties, making sure their requirements are met within your ISMS. An interested party can be any individual, organisation or stakeholder who is affected by your ability to prevent a data breach. This is of particular importance if you are storing or processing data on behalf of others, and it is inextricably linked to GDPR. Understanding whether you are a data controller or a data processor will help with this process.

Have ISO 27002 and 27017 been updated?

ISO 27002:2022, which provides detail on the implementation of the controls in ISO 27001, has been updated to reflect the changes to the 27001:2022 standard.

ISO 27017:2015 is an extension to 27001 which provides additional security controls and guidance for cloud computing. It is a security standard, primarily designed for cloud service providers and covers topics such as asset ownership, data storage and recovery plans if the provider is dissolved. ISO 27017 certification cannot be achieved independently; you must first implement an effective ISMS and certify to 27001. ISO 27017 is currently under review.

How we can help

Our qualified lead auditors can provide you with varying levels of support to help you prepare for an upcoming certification, or surveillance audit. The standard doesn’t provide a lot of information on how to implement a control effectively. This can make it difficult for organisations to identify areas of non-compliance. We can conduct a detailed gap analysis, which will map your current security controls to the requirements of the standard, providing a set of recommendations on how to achieve compliance.

We can conduct any of your internal audits. This will provide you with a detailed set of recommendations to drive the continuous improvement of your ISMS. If you aspire to achieve ISO 27001 certification but are not yet ready to implement a comprehensive ISMS, obtaining the IASME Cyber Assurance (CA) certification can serve as an excellent stepping stone. As a CA certification body we can support you throughout this process, no matter the size of your organisation or the number of incremental steps you take towards these certifications.
