Due to the pervasiveness of hackers, implementing a strong information security system that adheres to the requirements in ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements is integral for the privacy protection of an organization’s data. Here are some facts about information security you should know:
- Every 39 seconds, one hacker attack occurs worldwide
- 64% of companies worldwide have experienced one form of a cyber-attack in the past year
- 30,000 websites are hacked daily
- Email is responsible for 94% of all malware
- The average data breach costs in 2022 is $4.35 million
- The global annual cost of cybercrime is estimated at $6 trillion per year
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 provides the requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS) within an organization. ISMS refers to the practice of being protected against the unauthorized use of information, especially electronic data. This standard also includes requirements for assessing and treating information security risks for an organization. The requirements set out in ISO/IEC 27001:2022 are intended to be applicable to all organizations.
What Are the Changes to ISO/IEC 27001:2022?
ISO/IEC 27001:2022 revises the second edition of the same international standard that was published in 2013. Its text was changed to align with the harmonized structure for management system standards and ISO/IEC 27002:2022.
What Is ISO/IEC 27002:2022?
ISO/IEC 27002:2022 Information Security, Cybersecurity And Privacy Protection – Information Security Controls serves as a guidance document and reference point for organizations determining and implementing controls for security risk treatment in ISMS based on ISO/IEC 27001. The controls include policies, rules, processes, procedures, organizational structures, and software and hardware functions. To learn more about this standard and the significant changes made to its framework, check out this blog post: Changes in the New ISO/IEC 27001 and ISO/IEC 27002.
How Does Working from Home Impact Cyber Crime?
The COVID-19 pandemic forced businesses to accommodate for remote work. This expanded the surface for cybersecurity threats to target employees working from home. Work-from-home employees are at greater risk of cybersecurity threats because home connections are less secure than those in offices. The following data shows that cyber criminals have capitalized on employees working remotely:
- 47% of people who work from home have been a victim to scams
- Since the beginning of the pandemic, 25% of all employees have noticed an increase in fraudulent emails, spam, and phishing attempts in their corporate email.
- Phishing emails have spiked by over 600% since the end of February 2020
- Remote work has increased the average cost of data breach by $137,000
- The average data breach cost increased by over $1 million whenever remote work was a causal factor of an experienced breach.
What Are the Requirements in ISO/IEC 27001:2022 for Interested Parties?
Regarding their information security management system (ISMS), all interested organizations shall determine the following:
- Context: External and internal issues that are relevant to its purpose and that affect its ability to achieve an ISMS.
- Needs: Requirements of interested parties that will be addressed through the ISMS.
- Scope: Boundaries and applicability.
- Risk Assessment: Information risks are identified, analyzed, evaluated, and produce consistent and valid results.
- Risk Treatment: Implementation of controls that are necessary to perform the information security risk treatment plan.
- Objectives: Information security objectives that are measureable, communicated, monitored, updated, documented, and are consistent with relevant policies.
- Competence: Necessary competence of person(s) doing work under its control that affects its information security performance.
- Awareness: Persons doing work under the organization’s control shall be aware of the information security policy and their contribution to the effectiveness of the ISMS.
- Communication: Internal and external communications.
- Internal Audit: internal audits at planned intervals to provide information on whether the ISMS conforms to the organization’s own requirements and to those in ISO/IEC 27001:2022.
- Management Review: top management shall review the organization’s ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
- Improvement: continual improvement of the suitability, adequacy. and effectiveness and determining nonconformity and corrective action.
ISO/IEC 27001:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems – Requirements is available on the ANSI Webstore. You can also get it at a discount as part of the following standards packages:
ISO/IEC 27001 and 27002 IT Security Techniques Package
ISO/IEC 27000 Information Technology Security Techniques Collection
Accreditation for ISO/IEC 27001 ISMS CBs
In order to demonstrate adherence to ISO/IEC 27001, organizations can achieve certification to the requirements of the international standard. Management systems certification bodies (CBs), like those that certify organizations to ISO/IEC 27001, maintain an elevated level of trust through accreditation by the ANSI National Accreditation Board (ANAB).
Learn about Accreditation for ISO/IEC 27001 Information Security Management Systems Certification Bodies here or search for an ANAB accredited ISO/IEC 27001 Certification Body here.