Tackling the new reality of information and cyber security

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

February 14, 2023 - The new ISO/IEC 27001 standard is now in operation. The importance of updating and revising your Infosec posture cannot be over-emphasized. The reason is simple: the old standard was created to address the information and cyber security challenges that existed a decade ago. However, things have changed dramatically since then, and a lot faster than anyone anticipated.

Whilst you have three years to complete the transition, there is a pressing need to update your ISMS to reflect your current business practice and the associated risks. The time to start is now. Let’s explore how implementing the new, upgraded standard can help you respond to three intertwining challenges that headline today’s digital landscape.

The acceleration of digitalization

As a result of the COVID-19 pandemic, businesses worldwide were forced to adapt or perish. More digital transformation happened in those two years than in the decade before. Switching to cloud services enabled easier remote working, more effective business continuity and faster disaster recovery. However, new services bring their own risks to security, with large amounts of often very sensitive data being stored by multiple third parties, potentially held, and accessed all around the world.

As a result of these risks and challenges, ISO/IEC 27001 has made several changes to ensure organizations can accommodate the new information and cyber security requirements into their existing management standards. That includes new requirements for defining, communicating, and implementing processes to ensure the safety of data.

The removal of the physical perimeter

The old days of a self-contained network of hardware are long gone. Even before 2020, every part of our life was becoming intertwined, but the pandemic accelerated that further. More employees are now working from their own devices at home, at the airport, and anywhere else you might imagine, raising the risk of them using potentially insecure devices and connecting through unsecured personal routers, public Wi-Fi, or worse.

This entirely new way of working is now accounted for in the new standard, providing updated context for the security controls covering information, cyber, physical, environmental, asset management and human resources considerations.

The industrialization of cybercrime

The rise of cloud services also gave rise to the concept of Software-as-a-Service. Unfortunately, innovation doesn’t just favor the good guys, and it was only going to be a matter of time before cyber criminals caught onto the benefits of offering Ransomware-as-a-Service (RaaS). The dark web is awash with ready-made malware, removing the requirement for malicious actors to have any technical knowledge in order to target businesses.

The regrettable truth is that cybercrime has gone through the same rapid transformation we are seeing in our organizations and it’s a pattern that will continue with the ongoing rapid evolution of threats and attacks.

This is a key driver behind the inclusion of cyber security threat response frameworks within the new guidelines for the updated standard, such as identify, detect, protect, respond, and recover. By moving beyond traditional information security frameworks, it ensures your organization has the processes in place to manage ever-evolving cyber threats.

Your urgency when it comes to addressing these challenges will vary depending on the risks associated with your data, the likelihood of attack, and the potential impact should one occur. However, thanks to the ubiquity of RaaS and its ease of application, it is fair to say companies of any size and industry should consider themselves vulnerable.

How the new standard has changed

In February 2022, the new ISO/IEC 27002:2022 standard was published to reflect the reality of how we now live and work. Those changes are reflected in the newly published ISO/IEC 27001.

The revised ISO/IEC 27001 standard includes the new ISO Harmonized Structure, which brings consistency, clarity, and simplicity, as well as new security categories and controls, with their associated new guidance and attributes, so take a moment to explore the key changes via our one-page summary.

Why the new standard matters

In short, the new standard ensures you have an information management system that is compliant with global best practice. It enables you to align your information security posture with the way you operate within the current threat landscape.

It helps you to more effectively manage the data associated with your information and cyber security, and it has been rationalized to make it easier for more people to access and implement the right controls.

Overcoming the challenges of implementation

Implementing the new standard requires you to revisit your statement of applicability and your risk assessment. But implementation will be more about people than anything else. From BYOD to remote working, responsibility for information and cyber security now sits with every stakeholder within your organization, so the key to success lies in getting their buy-in.

It’s about challenging people’s expectation that they can simply rely on technology to deliver the right level of security. Instead, it becomes a discussion about responsibility.

These conversations shouldn't just be internal. Maintaining the security of global supply chains is often very complex, with multiple third-party providers of cloud service platforms, technologies, and information management systems to contend with. Implementation will require you to work closely with the supply chain and procurement managers across your network.

Effective coordination doesn’t just mean helping them understand how and what they need to do, but also why. You need to be able to explain how the new standard directly impacts each party, which is why engaging with the transition process as early as possible is so important. It provides you with an opportunity to properly educate yourself on the threats, weaknesses and opportunities facing each stakeholder, so you can help them to embrace the necessary changes.

Continuous improvement is the ultimate goal

We are seeing an increasingly complex regulatory landscape. As new regulations come in around the world on a regular basis, this in turn increases the complexity of compliance. However, this is only one part of a wider issue, which is risk management.

It’s impossible to build a wall big enough to keep your organization safe. There is no single technological or process-related solution. The only way to maintain the optimum level of information and cyber security is by ensuring everyone, from the CEO to temporary workers, has ownership of it.

From awareness, to training, to compliance and beyond, the effectiveness of your management system requires continual assessment and improvement. The only certainty is that everything is going to change, and fast. Taking a holistic, iterative view of your organization and everything it interacts with will be the only way to stay ahead.

To read further news on Digital Trust and Environmental, Health, and Safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.