Intelliant successfully navigates Apheris to ISO27001 certificate

“The ISO certification is a great success for us in recognizing the technical and organizational measures we’ve taken to complete our approach to security, together with the design principles in our platform. The certificate proves that we have established an effective ISMS that supports our security objectives. The implemented security measures protect our platform and ensure security of data for our customers. With Intelliant, we felt in good hands at all times,” said Dr. Michael Höh, CTO at Apheris.

Intelliant GmbH led Apheris through the “How to achieve ISO 27001 certification” process, from initial plan to implementation and then audits. Their advisors supported the Apheris team with their professional and personal experience. Necessary activities were carried out in a pragmatic, hands-on way in cooperation with employees. This ensured that all documentation (for example, security policies), as well as processes and security measures, were tailored to Apheris’ needs.

Update to the Information Security Management ISO standard published

The new and revised version of the ISO/IEC 27001:2022 was published at the end of October. So far, it is only available in English. The German translation is expected by the end of 2023.

Influence on certifications

Current certifications are valid until October 2025. If the organization’s recertification is due sooner, the new standard must be considered as early as May 2024. Companies can certify against the new revision of the ISO 27001 standard since October 25, 2022.

Content update

The main clauses stayed nearly the same, but the controls in Annex A have been updated significantly – some changes may have a major impact on affected organizations.

The structure of the standard is now identical to the structure used for other ISO management system standards, such as ISO 9001 (Quality Management) and ISO 22301 (Business Continuity Management). Some chapters have undergone editorial changes (texts were combined and clauses restructured; e.g., 9.2 Internal Audit now has two subchapters, “9.2.1 General” and “9.2.2 Internal audit programme”). Some clauses have been extended with new requirements: e.g., “9.3.2 c) changes in needs and expectations of interested parties that are relevant to the information security management system”, or “4.2 Understanding the needs and expectations of interested parties”, which adds the requirement to document which of the interested parties’ requirements will be addressed through the information security management system. Chapter “6.3 Planning of changes” requires that changes to the ISMS are carried out in a planned manner.

Annex A is now titled “Information security controls reference”. The structure has changed completely:

    • Organizational controls (37 controls)
    • People controls (8 controls)
    • Physical controls (14 controls)
    • Technological controls (34 controls)

New controls

The number of controls has decreased from 114 to 93. Some controls have been merged, and eleven new controls have been added:

    • 5.7 Threat intelligence
    • 5.23 Information security for use of cloud services
    • 5.30 ICT readiness for business continuity
    • 7.4 Physical security monitoring
    • 8.9 Configuration management
    • 8.10 Information deletion
    • 8.11 Data masking
    • 8.12 Data leakage prevention
    • 8.16 Monitoring activities
    • 8.22 Web filtering
    • 8.28 Secure coding

In particular, the requirements of 5.30 ICT readiness for business continuity have been significantly expanded, while the requirements of some other controls have been slightly enhanced.

Operating the management system

Additional information on how to implement the new controls can be found in the ISO 27002:2022 standard, which was released earlier this year. If you operate an ISO 27001 compliant ISMS, you should start the gap analysis against your current ISMS in good time, so that there is enough time to implement the changes required by ISO 27001:2022.

For further information, questions or assistance regarding the ISO standard or Cyber Security in general please don’t hesitate to contact us.

Intelliant at COMMUNITY DAYS ‘Governance, Risk, Compliance in der IT’

At this year’s COMMUNITY DAYS, from June 9 to 10 in Leipzig, our colleague Robert Kallwies will give a presentation on Day 1 on the topic of “Cyber Resilience: Ensuring Business Continuity in Current Threat Scenarios”. The content will be about the methodology for implementing a cyber resilience approach and the challenges of implementation.

The event is hosted by SOFTWARE FOREN LEIPZIG, more information can be found here.

Conversation with our customer RealPort on data protection and security approaches in fintechs.

As part of an interview series by RealPort, Pascal sat down with Sandra to discuss his own career, the mission and development of Intelliant, as well as the collaboration with RealPort from the start and where it is heading. They also dove deeper into GDPR and approaches to compliance-related topics in general, especially how start-ups and fintechs can tackle their data protection and security organizations in order to build appropriate and pragmatic management systems.