Made Tech Blog

ISO 27001: what does the updated information security standard mean for you?

At Made Tech, we help public sector organisations to deliver innovative digital transformation projects that make a positive impact on society. One of the most important things that demonstrates our ability to deliver results securely, while respecting the importance and privacy of data, is our ongoing ISO 27001 certification.

ISO 27001 is the international standard for information security. It provides a comprehensive framework and guidance on how an organisation should implement and operate its Information Security Management System (ISMS). 

Made Tech’s ISMS clearly defines our approach to information security and data privacy. It allows us to monitor and continuously improve the processes and security controls that support them.

Our ISMS is focused on proactive risk management. This means working out what could go wrong and making sure that our security controls are always operating as they should, so that we can manage a wide range of threats and vulnerabilities. It's regularly audited by external assessment organisations. As risks become bigger and more complex by the day, it should be no surprise that our risk activities are constantly under review.

Organisations should always have a framework that's relevant and aligned to the modern technical world. With risks constantly changing, it's important that the ISO 27001 standard also continues to evolve. The existing version (dating from 2013) has been the reference point for over nine years. Last October, ISO/IEC 27001:2022 was released.

Assessment bodies have started a transition period for existing ISO 27001 certified organisations like us to move to the new standard. At Made Tech, we’ve started our own updates to align with the new version of the standard. 

The 2022 version will support us in making sure that our approach to risk management remains current and relevant. It will help Made Tech to focus on today's "security posture", meaning how an organisation views and reacts to what it sees as security risks. For example, there are new sections covering the security of cloud services, ICT readiness for business continuity, improved guidance on configuration management, and secure data deletion.

Let’s go through some of the changes, and understand why they’re a positive thing for Made Tech and other organisations in more detail. 

So what’s changed?

The new version of the standard is still focused on risk management: identifying the things that could compromise data, systems or other assets, and implementing appropriate security controls to prevent or control them. In this version, the framework of security controls is what’s changed the most. These changes include:

  • 93 security controls, replacing the previous set of 114
  • 11 new controls not seen before
  • several controls merged together rather than removed
  • the existing 14 "domains" of controls reset into 4 for easier identification
  • 4 clearly defined domains for security controls – Organisational (37), Technological (34), Physical (14) and People (8)

A closer look at the new controls

Any organisation that wants to maximise its security posture will be especially interested in understanding (and implementing) the 11 new controls mentioned earlier. These are:

Threat intelligence – Activities to proactively identify and understand information about the current threat landscape. 

Information security for use of cloud services – Understanding technical resilience, supplier responsibilities, data protection considerations and much more.

ICT readiness for business continuity – With the recent global pandemic, were our ICT plans appropriate and scalable? Did they support our continued normal operations?

Configuration management – Specifically, managing security configuration information so that it gives effective protection for our data and data processing systems.

Deleting old information – Making sure data is securely deleted when it’s no longer needed. This is so easily overlooked by many organisations.

Physical security monitoring – Helping to make sure that physical security controls are regularly monitored to detect unauthorised access.

Data masking – A new control that introduces an organisation-specific need to mask elements of data. Certain types of data, for example personal data, may need extra protection such as data masking to be kept confidential.

Data leakage prevention – Using appropriate technical controls to help prevent the unauthorised or accidental exposure or sharing of sensitive or confidential content.

Monitoring activities – Applications, systems and networks should be monitored for unexpected activities, which may identify security incidents.

Web filtering – A new control to help reduce the risk of exposure to malicious content which may be downloaded or activated by accessing internet resources.

Secure coding – Makes sure that secure coding principles are followed within software or application development.

Improving our protection against today’s threat environment

I'm one of the team members responsible for making sure we effectively deploy information security risk management controls at Made Tech. I believe ISO 27001:2022 will support us in improving our alignment with today's threat environment and help us to identify and implement the most effective mitigation controls. This revised version especially aligns with and supports:

  • our greater reliance on cloud services and SaaS applications, requiring more supplier due diligence, secure configuration and ongoing monitoring
  • a growing number of remote-working teammates, where effective technical controls are as important as physical security controls
  • more resilience for business continuity, looking at what worked well and what could be improved from COVID-19 lockdowns
  • our management of legacy data repositories, making sure the team clearly understands retention periods and secure data disposal techniques

A positive thing!

ISO 27001:2022 is a positive thing for us. We can clearly see the benefits it brings to our established risk management activities. For organisations that have (or are actively progressing towards) ISO 27001 certification, I hope this blog post has provided a useful insight into what's coming!

If you’d like more Made Tech content delivered straight to your inbox, sign up for our monthly Insights newsletter.

About the Author

John A. Godwin

Director of Compliance and Risk at Made Tech