Workshop on ISO/IEC 27001: Cybersecurity and Information Security
Mexico is one of the countries with the most cyber-attacks in Latin America: in the first quarter of this year alone, around 80 billion cyber threat attempts were registered. For this reason, cybersecurity is of great interest in Mexico, and a federal cybersecurity law has been under discussion for some time.
Companies can be severely affected by a lack of cybersecurity, especially along value chains, where one weak link can jeopardise the entire chain. International standards are highly relevant tools for strengthening cybersecurity.
On 7 September, around 170 people attended the GPQI workshop ISO/IEC 27001 Information Security. It focused on the ISO/IEC 27001 standard and provided insight into various aspects of the 27001 series. The workshop was conducted by Pablo Corona, Global Sales Director at the conformity assessment and standardisation body Normalización y Certificación (NYCE), and Vice-Convenor of the International Organization for Standardization (ISO) working group that develops the 27001 series.
ISO/IEC 27001:2022: The basis of information security
Back in 1989, what is now ISO/IEC 27001 began as a practical guide to security controls (today ISO/IEC 27002). It was not until 1995 that the content of the standard was further developed. Since then, the standard has provided added value to every company that implements it, regardless of sector.
ISO/IEC 27001 can be seen as a crucial pillar in the sense that the standard is a generic one. Underneath the surface, however, the technical details required by specific sectors such as energy, health, data protection and the Internet of Things are available through other parts of the series. For example, ISO/IEC 27011, which covers security management for telecommunications organisations, is based on ISO/IEC 27002.
Main changes in ISO/IEC 27001:2022
The workshop also served to inform Mexican stakeholders about the main changes in the new version of ISO/IEC 27001. The new edition was published in October 2022, replacing the previous edition from 2013.
A first change is the new title, “Information security, cybersecurity and privacy protection.” There is also a new requirement, “6.3 Planning of changes”: when an organisation determines that changes to the information security management system are needed, those changes must be carried out in a planned manner. All certified organisations are granted a transition period of two years.
Closely related to the new ISO/IEC 27002:2022, the following changes are the most relevant for implementing the standard:
- The controls listed in Annex A are replaced by the controls of ISO/IEC 27002. To make the standard easier to read and to avoid repetition, the information security controls in the new version were restructured and clustered into four groups, which replace the domains and subdomains of the 2013 version:
  - organisational controls
  - people controls
  - physical controls
  - technological controls
- The new version of ISO/IEC 27002 introduces the concept of “attributes”, which allow users to classify and rearrange controls according to their needs. Attributes are categorised as follows:
  - Control types
  - Information security properties
  - Cybersecurity concepts
  - Security domains
  - Operational capabilities
The human factor in cybersecurity
Cyber-attacks affect systems, and they affect people. In this regard, information security is about more than bits and bytes, which are only the technical component. Nowadays, technologies connect with humans on several levels, for example an on-board computer with a driver or a cardiac pacemaker with a patient. Cyber and information security are therefore, first and foremost, about protecting people.
At the same time, the human factor plays an important role in cyber and information security: human behaviour can contribute to security or cause security breaches in businesses. For that reason, the event also presented important insights on how to recognise potentially harmful emails and text messages.
Given the risks involved in today's digital interconnection, would it be wiser to shut down systems? Pablo Corona believes the answer is no: the benefits of digital networking are much greater. Instead, companies need better risk management, more monitoring, more traceability, fewer security breaches and better user control, among other measures. In other words, a comprehensive strategy is needed. Under a "Zero Trust" security policy, companies must assume that any system can be compromised, so there is a constant need to keep systems under control. Standards such as ISO/IEC 27001 are of fundamental importance: they ensure the protection of companies’ data in global value chains, and with it the protection of people.