How did the ISO/IEC 27001 Standard come about?

After this standard appeared in 1990 as a safety standard, the International Standards Organization published it as ISO 17799 in the early 2000s. And, five years later, it changed its name to ISO 27001.

This is how this regulation has gone through three revisions to reach the current one, which was published in February 2022 and whose transition period for companies is expected to end in October 2025.

Each organization that has this standard or wants to implement it, should be aware of the changes that the new version implied:

1. a) Renaming the standard from “Code of Practice for Information Security Controls” to “Code of Practice for Information Security, Cybersecurity and Privacy Controls”.
2. b) New nomenclature and structure by changing from 14 domains to only 4 major domains (organizational, physical, technological and people).
3. c) Reduction from 114 to 93 controls (11 new):

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT Readiness for Business Continuity
4. Physical Security Monitoring
5. Configuration management
6. Deleting Information
7. Data masking
8. Data Leak Prevention
9. Activity monitoring
10. Web Filtering
11. Secure Coding

1. d) The changes in the clauses are as follows:

• Clause 4. When identifying the internal context and environment of the organization, cyberspace should be considered. When identifying stakeholders, include groups that will be contributing to the control of privacy and cybersecurity.
• Clause 5. Include cybersecurity and privacy protection in the Information Security Policy.
• Clause 6. In risk management, consider personal and cyberspace assets. In addition to planning the changes that will be implemented.
• Clause 7. Consider resources to cover privacy and cybersecurity.
• Clause 8. No modification.
• Clause 9. Monitor new controls.
• Clause 10. Upgrading must consider technological changes in cyberspace.

The main reason for updating is to adapt to the new work reality of many companies around the world. And in this dynamic, remote work and the control of new cyberattacks occupy an important place.

Take into account the 4 actions for the 2022 version of the ISO/IEC 27001 Standard

In view of the changes, the main actions expected from companies are the following:

1. Update the risk treatment process considering the new controls.
2. Update the statement of applicability.
3. Modify existing policies and procedures.
4. Include safety metrics and indicators.

Do you have questions or would you like to learn more?

At Itera we can provide you with consulting services and solutions on cybersecurity, cloud and ISO/IEC 27001 standard matters.

Contact a specialist:

seguridad@iteraprocess.com

This document provides a set of generic information security controls references, including an implementation guide.

It is designed to be used by organizations:

27001. a) Within the context of an information security management system (ISMS) based on ISO/IEC 27001.
27002. b) To implement information security controls based on internationally recognized best practices.
27003. c) To develop its specific information security management guidelines.

Overview

• Status : Published
• Publication date : 2022-02
• Edition : 3
• Number of pages : 152
• Technical Committee: ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection.
• ICS:35.030 Computer security.

Main changes

The development of the new standard contemplates the reduction of controls, going from the 114 existing in the 2013 version to 93 controls in the new ISO/IEC 27002:2022 version. Some controls from the 2013 version have been grouped together and 11 new controls are defined.

New Controls

In total, 11 new controls are defined, which correspond to:

• Threat Intelligence.
• Information security for the use of cloud services.
• ICT readiness for business continuity.
• Physical security monitoring.
• Configuration management.
• Deletion of Information.
• Data masking.
• Data leak prevention.
• Activity monitoring.
• Web Filtering.
• Secure Coding.

Do you have questions or would you like to learn more?

At Itera we can provide you with services, solutions and consulting for ISO/IEC 27001:2013 and 27002 standards, among others.

Contact a specialist:

seguridad@iteraprocess.com

delfino.vazquez@iteraproces.com

Fountain:

https://www.iso.org/standard/75652.html

Without the necessary technology and sufficient technical skills, it is impossible to successfully complete a project. Much less so when you lack the right cloud services to make the most of its benefits.

Because designing new applications or modernizing them involves adding technology and experience focused on quality and innovation. Value is authentic when the development of a software project advances in a timely manner until it becomes a functional reality.

Using technologies such as Python, Java, .Net, and R, as well as cloud platforms from AWS, Google and Azure, we create the right solution with the right tools and the necessary knowledge that also covers topics such as Big Data, DevOps and Mobile developments. Constantly executing continuous improvement and service level measurements.

THE DIFFERENCE IS IN THE DETAILS

If we dare to place a sacred component within a technological project, it is shaped by the business objectives of the organizations, since they define the requirements of the solution. Based on this and best practices, we establish the strategy, its design platform and corresponding estimates.

A process where application maintenance is a core part of our service as a software factory, also providing value with our experience through a strategy based on Quick Wins and focused on the company’s vision.

NATURAL FIT

The needs of the organization define the deployment of digital services. Whether with agile, traditional or hybrid frameworks and operating models, continuous value delivery is experienced hand in hand with operational continuity assured in the face of any contingency. All this with experience in IT governance and making use of best practices such as ISO, ITIL, COBIT, TOGAF, Scrum, CMM and DevOps.

The same is true if the infrastructure and its components are located on-premise or in the cloud, the services work optimally. And, when required, we provide database or bulk migration services, infrastructure and applications to move them to the cloud – whether hybrid or multi-cloud – in order to acquire analytics, artificial intelligence or chatbot functionalities.

THE HUMAN; TECHNOLOGICAL KEY

Each part of the process is executed in a scenario integrated by the experience and knowledge of our architects and business analysts, as well as specialists in security, Data Science and Machine Learning. It also makes use of Business Data Driven so that, together with the organization, decisions can be made based on reliable and timely information services to analyze, visualize and predict business results.

PURPOSEFUL ADAPTABILITY

Once the software is launched, its operation sets the tone for continuous improvement. Stage in which maintenance and development problems are resolved. This allows us to detect opportunities that generate proposals that add to the business.

By assigning the right talent with extensive experience in PMO, IT governance, supplier management and quality assurance, we carry out the validation process, which is present in the periodic deliverables that make up the project. In this way we achieve adequate planning, validating each aspect for the fulfillment of processes.

This way we get to the point where a tangible deliverable can be taken by the testing team for execution. The result is a quality and functional deliverable. A result that goes beyond good intentions. A result that arises from experience in various commercial, industrial and governmental organizations.

With specialized knowledge and adaptable work schemes, at Itera we make the software happen successfully in your organization, in an integrated way and without operational interruptions. This is how our solution machinery is activated in each project. Because in reality, we don’t know how to do it any other way.