Updated cybersecurity norms ISO 27001 and ISO 27002
Independent consultant, open-source enthusiast (openSUSE, Drupal, etc.). Also a big classical music lover (artistic manager of the Huygensfestival in Voorburg, supporter of several international chamber music festivals in/around The Hague, The Netherlands). One of my company's basic philosophies is, if open-source provides you with a stable revenue (thank you, 10x), you should do something in return. So my company donates 10% of its annual profit to one of the projects we've been using that year. This contribution can also be by providing help, i.e. in 2015 I was project lead and organizer for the openSUSE conference in The Hague!
No video of the event yet, sorry!
Both the ISO 27001 and ISO 27002 standards were updated in 2022. What does this mean for open source communities and companies leveraging open source? What are the most significant changes to the standards?

The new ISO 27001 standard requires companies to identify and meet the needs of interested parties, such as customers and suppliers. That way, organizations can ensure that their information security management system (ISMS) is designed to meet their stakeholders' needs. It also requires that organizations include processes for managing information security objectives in their ISMS, so that those objectives can be monitored and evaluated over time. It is essential for organizations to be able to demonstrate that their data-protection and security risk mitigation measures will be maintained and continuously improved.

The new ISO 27001 standard also makes it clear that changes to an organization's ISMS must be planned, with a specific process for communicating those changes to interested parties. This process should establish how communication should occur (rather than just who should communicate). Organizations now have to control processes, products, or services that are outside of the ISMS (as well as those that are inside of it), which means that they have to take a more holistic approach to managing both internal and outsourced operations.

ISO 27002 has been updated as well. Firstly, the phrase 'code of practice' has been dropped from the title of the updated ISO 27002 standard. This change better reflects the standard's intended purpose as a reference set of information security controls. The 27002 standard itself is considerably longer than the previous version, and the controls have been reordered and updated. The new controls are identifiable by attribute, which makes it easier to focus on relevant categorical selections. This could reduce the compliance burden or help better integrate information security processes, making the ISMS easier to implement and manage.
What is a reasonable for IT vendors and open source communities to update their cybersecurity approach to reflect the new requirements from the new norms?
- 2023 May 26 - 16:30
- 30 min
- openSUSE Conference 2023
- Open Source