ISO 27001:2022 vs 2013
Information security is a major issue for businesses of all sizes, and SMEs are no exception. The internationally recognised ISO 27001 standard has recently been updated to better meet today's challenges.
In this article, we'll explore the key differences between the 2013 and 2022 versions of ISO 27001 and explain how these changes can help SMEs turn their security incidents into compliance lessons, strengthen their security and improve their incident management, even without certification.
Why ISO 27001 is crucial for SMEs
SMEs are often perceived as easy targets for cyber attacks because of their limited security resources.
Adopting ISO 27001 enables SMEs to implement a robust Information Security Management System (ISMS) and follow proven practices to protect their sensitive information. Even without certification, following the principles of this standard provides a valuable framework for improving security and incident management.
Main changes in the 2022 version
The 2022 version of ISO 27001 introduces several important changes compared to the 2013 version:
Reduction in the number of security controls
- New structure of controls: the 93 security controls are now grouped into 4 categories instead of 14: organisational, people-related, physical and technological;
- New controls introduced: 11 new controls have been added, such as threat intelligence (A.5.7), use of cloud services (A.5.23) and configuration management (A.8.9).
Requirements for interested parties
- The requirements of interested parties must be addressed by the ISMS (§ 4.2).
Change planning and management
- Introduction of a new clause on planning of changes (§ 6.3);
- Addition of the requirement to establish criteria for processes (§ 8.1).
Communication and monitoring
- Shift of focus to how to communicate rather than who should communicate (§ 7.4);
- The methods used for monitoring, measurement, analysis and evaluation must produce comparable and reproducible results (§ 9.1).
External process management
- Addition of control over externally provided processes, products and services (§ 8.1).
Transforming security incidents into compliance lessons
Effective incident management is essential to minimise the impact of security incidents and maintain compliance. Here's how ISO 27001:2022 helps SMEs achieve this goal:

Identifying and recording incidents
- Set up a system to identify, record and classify security incidents;
- Use a platform like the one offered by our company to centralise incident management.
Response and resolution
- Establish procedures for responding quickly and effectively to incidents;
- The controls in Annex A (A.5.24 to A.5.27) of ISO 27001:2022 provide guidelines for incident management.
Evidence gathering and analysis
- Integrate evidence gathering and post-incident analysis processes to understand root causes and prevent recurrence;
- Use monitoring and logging tools to document incidents (A.8.16).
Communication and reporting
- Ensure clear and regular communication about incidents to the relevant stakeholders;
- Use dashboards and reports to monitor and analyse incident trends.
Continuous improvement
- Regularly review incident management procedures and implement improvements based on lessons learned;
- Use the results of incident analysis to improve security controls and reduce residual risk.
In conclusion
The 2022 update of ISO 27001 brings significant changes that can greatly benefit SMEs by strengthening their security, simplifying incident management and improving compliance. By adopting these new requirements, even without formal certification, SMEs can not only protect their sensitive information but also gain in operational efficiency.

Ready to simplify your ISO certification?
For more information on how our comprehensive governance platform can help your organisation comply with ISO 27001:2022 and manage incidents effectively, please contact us.