TÜV release white paper on new cybersecurity standard

Certification group TÜV SÜD has published a white paper to help companies comply with recent updates to the ISO/IEC standard for cybersecurity.

ISO/IEC 27001 was revised last October, with the new version containing long-awaited amendments relating to IT security measures, data protection and concrete cloud security measures.

According to TÜV SÜD, the amended standard contains changes to the controls defined in Annex A of the standard, which have been reduced in number from 114 to 93 and reclassified into four groups: organizational controls (37 controls), people controls (8 controls), physical controls (14 controls), and technological controls (34 controls).

A further 11 controls have been added, addressing issues including data masking (a method of rendering data unusable for hackers), monitoring activities (to detect unusual IT activities) and information security for use of cloud services.

There will be a 36-month transition period ending in late 2025 after which all existing certificates must be transitioned to the new standard. But TÜV SÜD said companies need to begin addressing the changes in the new standard as soon as possible, given their crucial importance for information security.

“An information security management system (ISMS) can help companies of any size to protect themselves effectively against cyberattacks and other forms of malicious data manipulation. ISO/IEC 27001 certification enables companies to strengthen their protection against cyberattacks and prevent loss of sensitive information”, says Alexander Häußler, global product performance manager IT and lead auditor at TÜV SÜD.

The white paper published by TÜV SÜD provides an up-to-date overview of ISO/IEC 27001, its development and the steps involved in gaining certification, and can be downloaded free of charge.