Photo of Harvina Bains

Harvina Bains

Security Blogger

19th July 2023

What is ISO 27001?

ISO 27001 is an international standard to help businesses manage information security. It’s a framework of best practice guidelines for establishing, implementing and maintaining an information security management system (ISMS). This includes policies, procedures and other controls that work across all touchpoints of an organizations’ data, such as people, processes and technology.

There are three principles of ISO 27001:

  • Confidentiality: Only authorised people can access information that is held by an organization.
  • Integrity: Information has to be accurate, complete, and unaltered throughout its lifecycle.
  • Availability: Authorised users have timely and uninterrupted access to information when they need it.

These principles set out a systematic approach to help businesses manage sensitive information such as financial data, intellectual property, employee details, and customer information.

The key objectives of ISO 27001 are to identify and assess information security risks, implement a set of controls to mitigate those risks, establish a management framework for information security, and continually monitor and improve the effectiveness of the information security management system.

Why is ISO 27001 important?

ISO 27001 is a vital standard for organizations seeking to safeguard their information assets and maintain a robust security posture. The standard promotes a holistic approach to identifying, assessing, and managing information security risks.

ISO 27001 encourages organizations to proactively identify and address weaknesses that will safeguard against security breaches, data breaches, and cyber threats. The standard also focuses on continuous improvement and risk mitigation which has a positive impact on operational efficiency and resilience.

When organizations demonstrate compliance with the ISO 27001 standard, they can instil confidence in their stakeholders and prove their commitment to information security. This all helps in building a competitive advantage and a positive business reputation.

ISO 27001:2022 – important changes

ISO 27001 was first launched in 2005 and underwent a major update in 2013. Since then, new technologies have changed the business landscape and resulted in new security challenges. The latest revision to ISO 27001, called ISO 27001:2022, was released in October 2022 and more accurately reflects the state of cyber security today, with a view to improving and managing an organization's resilience to modern cyber threats and vulnerabilities.

The standard is currently going through a transition period, which refers to the phase where organizations are moving from the previous version of ISO 27001:2013 to the latest revision ISO 27001:2022. Organizations have been given three years to make these changes and they will need to be implemented by 2025.

Here’s what you need to know:

  • The number of controls has been reduced from 114 to 93
  • The 93 controls have been restructured into 4 sections
  • 11 new controls have been added to Annex A
  • Clauses 4 to 10 have undergone several minor updates

Clauses 4 to 10 are mandatory requirements that must be satisfied by your ISMS before it can be ISO/IEC 27001:2022 certified. These clauses are as follows:

ISO 27001 Clauses 4-10

Clause Requirement
4: Context of the organization Identify the internal and external issues that may impact the ISMS, as well as interested parties and their requirements
5: Leadership Emphasise the commitment and involvement of top management in establishing and maintaining the ISMS
6: Planning Address risk assessment, risk treatment, and the development of an information security policy
7: Support Define and document resource management, competency, awareness, communication and other supportive processes
8: Operation Focus on the implementation and operation of the ISMS, including risk assessment and treatment, security controls and incident management
9: Performance evaluation Describes the monitoring, measurement, analysis, and evaluation of the ISMS through internal audits and management review
10: Improvement Provides guidance on nonconformities, corrective actions, and continual improvement of the ISMS

Restructuring of controls

You also need to be familiar with Annex A, which now defines a set of 93 controls that your organization can implement to meet those requirements.

Annex A has undergone the biggest change during the update to the newest version of ISO 27001. The controls have been restructured and consolidated to reflect the current cyber security challenges and modern risks businesses face today.

The 93 controls now sit in 4 sections instead of the previous 14. The new categories are:

  • People (8 controls)
  • Organisational (37 controls)
  • Technological (34 controls)
  • Physical (14 controls)

The main reason for reducing the controls and categorising them into four groups is to make it easier to understand and implement an effective ISMS. Separating the controls can make it easier for implementation teams to determine who in the organization is responsible for each category.

The 11 new controls that sit within Annex A are:

  • Threat intelligence
  • Information security for the use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

Who needs ISO 27001?

The requirement for ISO 27001 certification is determined by a number of factors, including:

  • Industry and sector: Industries such as finance, healthcare, and government, have strict regulatory requirements for data protection and security. The ISO 27001 certification may be necessary to demonstrate compliance with these regulations.
  • Risk profile: Organizations that handle sensitive information, such as personally identifiable information (PII), financial data, or intellectual property, may choose to implement ISO 27001 as a proactive measure to manage and mitigate information security risks.
  • Customer requirements: In some cases, businesses may be required by their clients or partners to have the ISO 27001 certification as a condition for collaboration or to ensure the secure handling of shared information.
  • Business objectives: Organizations that have prioritised information security as a strategic objective may opt for the ISO 27001 certification to establish a robust security management system and gain a competitive edge in the market.

If you are considering the ISO 27001 certification, it is critical that you assess your organization's specific needs, risks, and regulatory requirements to understand the benefits. It would be beneficial to consult with information security professionals to make an informed decision about whether ISO 27001 is the appropriate framework for your business.

It's also worth noting that, while ISO 27001 provides a comprehensive framework, you can implement controls based on your specific needs and risk tolerance. The standard emphasises a risk-based approach, allowing your company to tailor your information security management system to your specific needs.

What value does ISO 27001 bring?

Adopting and implementing ISO 27001 can bring several benefits to your organization.

Here are some of the key benefits:

  • Increased customer trust and confidence: ISO 27001 allows you to demonstrate to customers that your organization is taking security seriously. It showcases your robust security measures and your commitment to safeguarding sensitive data.
  • Gain new business: Due to the nature of the threat landscape, more companies are requiring ISO 27001 certification as a minimum for their suppliers and partners as part of their due diligence checks. This means you could risk losing out on certain contracts if you do not have the certification.
  • Improved incident response and recovery: ISO 27001 requires organizations to establish incident management processes and procedures. This enables you to respond effectively to security incidents, minimise their impact, and facilitate the recovery process. By having a well-defined incident response plan, your organization can reduce downtime and mitigate the financial and reputational damage caused by security breaches.
  • Improved efficiency through enhanced systems and processes: The standard helps establish a framework which leads to a more structured approach to managing information. It defines clear roles and responsibilities which reduces ambiguity and it promotes effective communication about information security risks and controls throughout the business.
  • Reduce cyber insurance costs: ISO 27001 demonstrates to insurers that you have implemented effective cyber security measures, which can contribute to favourable premiums. It’s important to note that each insurance provider has its own risk assessment criteria so it would be advisable to consult with your insurer to understand how ISO 27001 may influence your premium. Read more about cyber insurance.
  • Adopt more targeted, risk-based spending on cyber security: The nature of ISO 27001 allows your organization to understand specific risks in depth, which helps to understand resource allocation and priority. By identifying critical assets, vulnerabilities, and threats it allows you to make more informed decisions about your cyber security spending.
  • Support compliance: ISO 27001 provides a solid foundation for your organization to meet the requirements defined by regulations such as GDPR and PCI DSS.

How can™ help? helps you address multiple ISO 27001 requirements from a single platform, helping you effectively maintain your ISMS.

Here are just some of the features we offer to help you achieve your controls:

Control features
Threat intelligence
Information security awareness and training
User endpoint devices
Protection against malware
Management of technical vulnerabilities
Monitoring activities

For more information about how™ can help you stay compliant contact us.

In Summary

ISO 27001 is an essential standard for organizations looking to protect their information assets and establish a robust security management system. With the updated ISO 27001:2022 version, your organization can effectively manage the evolving cyber threats and vulnerabilities of today’s business landscape.

By adopting the framework, your organization can enhance its security posture and build a reputation as a trusted and secure partner. ISO 27001 is a valuable investment that will help your business thrive in the face of evolving cyber threats and maintain a competitive edge in the market.

Start securing your business today

Get in touch today to start your free trial of™ and discover how we can help you take the stress out of your cyber security.