ISO Updates Information Security Management Standard

For organizations certified to ISO 27001:2005, they will need to upgrade their information security management system to comply with the requirements of the new edition

“We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005,” wrote Edward Humphreys, convener of the working group responsible for the development and maintenance of ISO/IEC 27001, in a post on the ISO website. “The idea is to provide a more flexible, streamlined approach, which should lead to a more effective risk management.”

As far as the specific major benefits of the new edition, the ISO is eyeing the modern threat landscape and has made a number of improvements to the security controls listed in Annex A to better address identity theft, risks related to mobile devices and other online vulnerabilities.

The new ISO/IEC 27001 has also been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easier option. Aligning ISO/IEC 27001 to the new structure should help organizations if they want to implement more than one management system at a time. For example, an organization might want to integrate their information security system (ISO/IEC 27001) with other management systems such as the business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).

The similarity in structure between the standards will save organizations money and time, so businesses can adopt integrated policies and procedures.

As far as timing, the revision of the 2005 edition is now at the Final Draft International Standard (FDIS) stage. This will be completed in early September, after which any typographical edits will be made ready for an expected launch in October. At this point the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.

For organizations certified to ISO 27001:2005, they will need to upgrade their information security management system to comply with the requirements of the new edition.

“The transition period for upgrading has not yet been decided but it is likely to be two years from when the new edition is published,” Humphreys noted. “Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps as it means the effort required can be part of a staged work program and integrated into continual improvement activities and planned surveillance audits.”

ISO Updates Information Security Management Standard

You may also like

ISO adds risk management to new information security standard

ISO information security management certifications jumped 40% last year

ISO issues interorganizational communication security standards

ISO issues two new records management standards

ISO releases cyberspace-focused security standard

What’s hot on Infosecurity Magazine?

Linux Cerber Ransomware Variant Exploits Atlassian Servers

US Government and OpenSSF Partner on New SBOM Management Tool

Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

UK Police Lead Disruption of £1m Phishing-as-a-Service Site LabHost

EU Elections: Pro-Russian Propaganda Exploits Meta's Failure to Moderate Political Ads

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Banning Ransomware Payments Will Do More Harm Than Good

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Russian Sandworm Group Using Novel Backdoor to Target Ukraine and Allies

Russia and Ukraine Top Inaugural World Cybercrime Index

FBI Warns of Massive Toll Services Smishing Scam

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Cracking the Culture Code: Building a Cybersecurity-Aware Workforce

Beyond Passwords: Securing the Digital Age with MFA, 2FA, and Passwordless Authentication

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Untangling the Web: Navigating Third-Party Risk in a Hyperconnected World

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024