Important changes in the new ISO 27001 version
ISO 27001, one of the world’s most important standards for information security management, has been significantly updated in its latest version.
These changes are aimed at helping companies to better protect themselves against the ever-growing threats in the area of cyber security.
Particularly affected are the security measures in Annex A, which are described in detail in ISO 27002.
In the new version, 11 new measures have been introduced and existing measures have been combined.
As a result, the total number of security measures has been reduced from 114 to 93.
These measures are now divided into four categories: organizational, personal, physical and technical.
Overview of the new measures
The eleven new measures in the revised ISO 27001 are aimed at aligning information security with current threats and technical developments.
Here are the newly introduced measures in detail:
1. Threat intelligence (threat information)
Companies are increasingly required to recognize threats at an early stage and act accordingly.
With the new threat intelligence measure, companies should analyze and understand threats in a targeted manner.
This enables them to take proactive measures before an incident occurs.
The collection, analysis and use of threat data will become a central component of the security strategy.
2. Cloud security
The use of cloud services is constantly increasing.
The new ISO 27001 version places specific requirements on security in the cloud.
Companies must ensure that their data is adequately protected in cloud environments and define corresponding security requirements for cloud service providers.
3. ICT readiness
Information and communication technology (ICT) is a central component of many business processes today.
Integrating ICT readiness into business continuity management ensures that companies can maintain their business operations even in the event of an incident.
This measure requires companies to design their ICT systems in such a way that they can be restored quickly in the event of an emergency.
4. Physical monitoring
The physical security of buildings and IT infrastructures remains an important aspect of information security.
The new physical monitoring measure further strengthens the monitoring of unauthorized access.
Companies must continuously improve their monitoring systems in order to detect intruders at an early stage and respond appropriately.
5. Configuration management
This new measure requires precise documentation and regular checks of IT configurations.
The aim is to ensure that all systems are configured correctly and that no vulnerabilities arise due to insecure settings.
Systematic and comprehensible configuration documentation minimizes the risk of errors and attacks.
6. Deletion of information
Data that is no longer required must be securely deleted.
This measure aims to ensure that sensitive data that is no longer relevant is irretrievably deleted in order to minimize the risks of data breaches.
7. Data masking
Sensitive data should not be accessible to everyone.
The new data masking measure ensures that sensitive information remains hidden when systems are being operated, analyzed or tested.
This protects personal data in particular and prevents unauthorized access to confidential information.
8. Data leakage prevention (prevention of data leaks)
Protection against the unwanted outflow of data is crucial.
Data leakage prevention includes measures that prevent sensitive data from leaving the company in an uncontrolled manner.
This includes protection against unintentional or malicious actions by employees and the monitoring of external interfaces.
9. Monitoring activities
Companies must increasingly pay attention to anomalous behavior in their systems.
This measure requires companies to implement monitoring mechanisms that identify unusual or suspicious activities.
This allows potential security incidents to be detected at an early stage and countermeasures to be taken.
10. Web filtering
Controlling access to websites is another important security aspect.
The new web filtering measure is designed to ensure that access to harmful or unwanted content is restricted.
This reduces the risk of employees accessing unsafe websites that contain malware or other threats.
11. Secure software development
The requirements for secure software development have been expanded.
Companies must ensure that all phases of the software development process are designed with security in mind.
This includes the application of secure development practices and the regular review of software security.
Effects on companies
The new and revised measures in ISO 27001 present companies with the challenge of reviewing their existing security practices and adapting them where necessary.
Each measure must be individually assessed for its added value for information security.
Factors such as the size of the company, the industry and the specific threats to which the company is exposed play an important role here.
The reduction in the total number of measures from 114 to 93 is intended to help companies make their security measures more efficient.
By grouping similar measures together, the implementation effort is reduced while at the same time the effectiveness of the measures is increased.
The new structure of the categories (organizational, personal, physical and technical) also makes it easier to assign and manage the measures.
Implementation of the new requirements
The implementation of the new security measures can be complex, as it depends heavily on the individual company structure.
Companies must first carry out a risk analysis to determine which measures are relevant for them.
The appropriate processes and technologies must then be implemented in order to meet the requirements of ISO 27001.
Some of the new measures, such as cloud security or monitoring activities, may require the purchase of new technologies or the training of employees.
Others, such as configuration management or deletion of information, primarily require organizational adjustments and closer collaboration between the IT and security teams.
Conclusion
The new version of ISO 27001 brings with it significant changes, particularly with regard to the security measures in Annex A.
Companies must adapt to these changes and adjust their information security measures accordingly.
This requires not only technical know-how, but also organizational and strategic measures to efficiently implement the new requirements.
Syngenity® GmbH offers comprehensive consulting and services for companies that need support in implementing the new measures.
Contact us today via our website: www.syngenity.de to receive a non-binding offer.