Information security, cybersecurity, and protection of privacy data - ISO/IEC 27001 : 2022

Information is a vital asset for any organization. It represents a vital resource for carrying out activities. As such, information requires appropriate protection and management.

The aim of information security is to protect information against the many threats that can lead to the deterioration or interruption of an organization's business continuity. Measures must be defined, implemented, monitored, reviewed and improved in order to achieve a number of dedicated security objectives.

Specific processes must be defined and deployed to achieve this. However, these must be organized harmoniously with other processes as part of the organization's overall management system.

In order to specify the security requirements for information, an international standard has been drawn up. Naturally, it is applicable to the various systems that process information.

The content of this article has been updated following the latest version of the international standard NF EN ISO/IEC 27001 published in January 2023. This third edition replaces the 2013 version, and incorporates the two technical corrigenda ISO/IEC 27001 : 2013/Cor 1 : 2014 and ISO/IEC 27001 : 2013/Cor 2 : 2015. The text of Annex A has been aligned with the security measures of the latest version of ISO/IEC 27002 : 2022.

Two new terms have been introduced:

• cybersecurity: the practice of protecting systems, networks and programs against digital attacks; cyberattacks are generally aimed at accessing, modifying or destroying sensitive information, or disrupting a company's normal processes;

• protection of privacy: the right to privacy is guaranteed by the Constitutional Council; it implies :

  • respect for privacy, medical confidentiality, image rights, etc,

  • limits to spying and investigative practices (such as telephone tapping).