Notice

Please be advised you are about to leave the Standards Australia website to proceed to the AustLII website. Click OK to proceed.

Webinar recap: Strengthening defences against cyber threats

June 12, 2024

Statements

With information security threats, cyber-attacks, and data breaches on the rise, managing these risks has never been more important for businesses.

AS/NZS ISO/IEC 27001:2023 - Information security, cybersecurity and privacy protection – Information security management systems – Requirements is the world’s best-known standard for information security management systems (ISMS). As a globally recognised framework, the standard helps businesses set up, roll out, maintain, and improve information security, cyber security, and privacy protection.

Standards Australia recently hosted an online event focused on AS/NZS ISO/IEC 27001:2023. The event aimed to provide essential insights into how the standard can help protect an organisation’s information and assets from cyber threats. The webinar was presented by Anna Harris, Committee Member of Australian Technical Committee IT-012 Information Security, Cybersecurity, and Privacy Protection and Principal Advisor – Information Security at the Office of the Victorian Information Commissioner. During the session, Ms. Harris explored the standard and discussed how organisations can effectively manage risks associated with information security threats.

The event also included a live Q&A session, providing attendees with the opportunity to ask questions related to the standard and its implementation.

Read on for answers to all the questions that were asked during the event or scroll to the bottom of this page to watch the video recording.

Q&A

Can an organisation implement AS/NZS ISO/IEC 27001:2023 without getting formal certification?

Yes, an organisation can follow AS/NZS ISO/IEC 27001:2023 as best practice without needing formal certification. Formal certification can provide independent verification to stakeholders or customers, but it is not mandatory.

Why should an organisation consider adopting AS/NZS ISO/IEC 27001:2023 instead of, or in addition to, the ASD Essential 8?

The ASD Essential 8 focuses on specific technology and primarily on Microsoft systems. It does not cover other systems or non-digital information. AS/NZS ISO/IEC 27001:2023 is more holistic and covers all aspects of information security, making it a more comprehensive choice.

What advice do you have for SMEs looking to implement AS/NZS ISO/IEC 27001:2023?

SMEs should start by understanding the information they need to protect. This involves discussions with the business to identify valuable information and prioritising protection efforts. Executive buy-in is crucial for successful implementation.

Are ISO/IEC 27000 and ISO/IEC 27002 standards available for free?

Yes, ISO/IEC 27000, which provides an overview and vocabulary, is free to download. The other standards in the ISO 27000 series are not free.

How will AS/NZS ISO/IEC 27001:2023 harmonise with operational technology (OT) system standards?

If OT systems use a management system standard (MSS), AS/NZS ISO/IEC 27001:2023 can be applied using the same structure. If not, AS/NZS ISO/IEC 27001:2023 can still be used as it is generic and applicable to all types of information, including OT environments.

Is it best to apply AS/NZS ISO/IEC 27001:2023 together with COBIT 5 as both address IT risk management?

Both AS/NZS ISO/IEC 27001:2023 and COBIT 5 address IT risk management, but they serve different purposes. COBIT 5 is a holistic IT governance framework, while AS/NZS ISO/IEC 27001:2023 is a holistic information security framework. The key is to understand your specific needs and apply the necessary controls from either standard. AS/NZS ISO/IEC 27001:2023 covers a broader range of information security, not just electronic information on IT systems, whereas COBIT 5 focuses more broadly on IT governance.

Are ISO/IEC 27017 and ISO/IEC 27018 still part of the updated ISO 27000 family?

Yes, ISO/IEC 27017, which covers controls for cloud services, and ISO/IEC 27018, which focuses on personal information in public clouds, are still part of the ISO 27000 family.

What are the differences between AS/NZS ISO/IEC 27001:2023 and IEC 62443, and why might a contractor use both?

IEC 62443 focuses on industrial automation and control systems (IACS), while AS/NZS ISO/IEC 27001:2023 describes an information security management system for business systems. A contractor might use both standards to cover a broader range of security controls, especially if they serve clients in utilities like water, gas, or electricity as well as the corporate/enterprise environment. IEC 62443 emphasises the need for consistency with AS/NZS ISO/IEC 27001:2023 practices, noting that IACS security risks may have health, safety, and environmental implications, which should be integrated with existing risk management practices.

What are the benefits of adopting AS/NZS ISO/IEC 27001:2023 if my organisation has outsourced IT?

Even with outsourced IT, the organisation remains accountable for its information. AS/NZS ISO/IEC 27001:2023 helps manage risks related to outsourced information, including hard copy and verbal information.

After achieving AS/NZS ISO/IEC 27001:2023 certification, is certification to ISO 27002 also required?

No, AS/NZS ISO/IEC 27001:2023 certification includes the controls detailed in ISO 27002. It is one certification that covers both the management system and the specific controls.

How will the amendment to AS/NZS ISO/IEC 27001:2023 be referred to if it includes climate action?

The amendment will be referred to as AS/NZS ISO/IEC 27001:2023 Amd 1:2024 if finalised in 2024. It will include additional lines to be read in conjunction with the 2023 edition.

How deep do you need to go to apply AS/NZS ISO/IEC 27001:2023 across your supply chains and subcontractors?

The depth of application depends on the risk and value of the information shared with supply chains. More critical information may require more in-depth review of the wider supply chain, stricter controls and regular audits.

How do we assess security controls for cloud-hosted applications?

Again, the type of assessment and testing of controls will depend on the information the cloud-hosted application handles, its value to the business, and its associated risks. Assessing security controls for cloud applications can involve side audits, inspections, pen tests, and regular reviews with third parties. Communication with cloud providers is essential to understand and manage risks.

What is the difference between AS/NZS ISO/IEC 27001:2023 and ISO/IEC 27001:2022?

AS/NZS ISO/IEC 27001:2023 is an identical adoption of the international ISO/IEC 27001:2022 standard. This means that the content, requirements, and guidelines of AS/NZS ISO/IEC 27001:2022 are the same as those of ISO/IEC 27001:2023. This ensures that organisations in Australia are following the same international standards for information security management systems as those around the world.

Live event recording

AS/NZS ISO/IEC 27001:2023 is available via the Standards Australia Store and our distribution partners.

NOTE: This webinar and other information on this page contain general information and is not formal advice. Users must make their own assessment as to the suitability of this material and the standards referred to herein for their specific business needs.

Contact
Communications Department
Webinar recap: Strengthening defences against cyber threats
Email and link here
Graphic image of a red padlock and binary code in a dark blue background
With information security threats, cyber-attacks, and data breaches on the rise, managing these risks has never been more important for businesses.

AS/NZS ISO/IEC 27001:2023 - Information security, cybersecurity and privacy protection – Information security management systems – Requirements is the world’s best-known standard for information security management systems (ISMS). As a globally recognised framework, the standard helps businesses set up, roll out, maintain, and improve information security, cyber security, and privacy protection.

Standards Australia recently hosted an online event focused on AS/NZS ISO/IEC 27001:2023. The event aimed to provide essential insights into how the standard can help protect an organisation’s information and assets from cyber threats. The webinar was presented by Anna Harris, Committee Member of Australian Technical Committee IT-012 Information Security, Cybersecurity, and Privacy Protection and Principal Advisor – Information Security at the Office of the Victorian Information Commissioner. During the session, Ms. Harris explored the standard and discussed how organisations can effectively manage risks associated with information security threats.

The event also included a live Q&A session, providing attendees with the opportunity to ask questions related to the standard and its implementation.

Read on for answers to all the questions that were asked during the event or scroll to the bottom of this page to watch the video recording.

Q&A

Can an organisation implement AS/NZS ISO/IEC 27001:2023 without getting formal certification?

Yes, an organisation can follow AS/NZS ISO/IEC 27001:2023 as best practice without needing formal certification. Formal certification can provide independent verification to stakeholders or customers, but it is not mandatory.

Why should an organisation consider adopting AS/NZS ISO/IEC 27001:2023 instead of, or in addition to, the ASD Essential 8?

The ASD Essential 8 focuses on specific technology and primarily on Microsoft systems. It does not cover other systems or non-digital information. AS/NZS ISO/IEC 27001:2023 is more holistic and covers all aspects of information security, making it a more comprehensive choice.

What advice do you have for SMEs looking to implement AS/NZS ISO/IEC 27001:2023?

SMEs should start by understanding the information they need to protect. This involves discussions with the business to identify valuable information and prioritising protection efforts. Executive buy-in is crucial for successful implementation.

Are ISO/IEC 27000 and ISO/IEC 27002 standards available for free?

Yes, ISO/IEC 27000, which provides an overview and vocabulary, is free to download. The other standards in the ISO 27000 series are not free.

How will AS/NZS ISO/IEC 27001:2023 harmonise with operational technology (OT) system standards?

If OT systems use a management system standard (MSS), AS/NZS ISO/IEC 27001:2023 can be applied using the same structure. If not, AS/NZS ISO/IEC 27001:2023 can still be used as it is generic and applicable to all types of information, including OT environments.

Is it best to apply AS/NZS ISO/IEC 27001:2023 together with COBIT 5 as both address IT risk management?

Both AS/NZS ISO/IEC 27001:2023 and COBIT 5 address IT risk management, but they serve different purposes. COBIT 5 is a holistic IT governance framework, while AS/NZS ISO/IEC 27001:2023 is a holistic information security framework. The key is to understand your specific needs and apply the necessary controls from either standard. AS/NZS ISO/IEC 27001:2023 covers a broader range of information security, not just electronic information on IT systems, whereas COBIT 5 focuses more broadly on IT governance.

Are ISO/IEC 27017 and ISO/IEC 27018 still part of the updated ISO 27000 family?

Yes, ISO/IEC 27017, which covers controls for cloud services, and ISO/IEC 27018, which focuses on personal information in public clouds, are still part of the ISO 27000 family.

What are the differences between AS/NZS ISO/IEC 27001:2023 and IEC 62443, and why might a contractor use both?

IEC 62443 focuses on industrial automation and control systems (IACS), while AS/NZS ISO/IEC 27001:2023 describes an information security management system for business systems. A contractor might use both standards to cover a broader range of security controls, especially if they serve clients in utilities like water, gas, or electricity as well as the corporate/enterprise environment. IEC 62443 emphasises the need for consistency with AS/NZS ISO/IEC 27001:2023 practices, noting that IACS security risks may have health, safety, and environmental implications, which should be integrated with existing risk management practices.

What are the benefits of adopting AS/NZS ISO/IEC 27001:2023 if my organisation has outsourced IT?

Even with outsourced IT, the organisation remains accountable for its information. AS/NZS ISO/IEC 27001:2023 helps manage risks related to outsourced information, including hard copy and verbal information.

After achieving AS/NZS ISO/IEC 27001:2023 certification, is certification to ISO 27002 also required?

No, AS/NZS ISO/IEC 27001:2023 certification includes the controls detailed in ISO 27002. It is one certification that covers both the management system and the specific controls.

How will the amendment to AS/NZS ISO/IEC 27001:2023 be referred to if it includes climate action?

The amendment will be referred to as AS/NZS ISO/IEC 27001:2023 Amd 1:2024 if finalised in 2024. It will include additional lines to be read in conjunction with the 2023 edition.

How deep do you need to go to apply AS/NZS ISO/IEC 27001:2023 across your supply chains and subcontractors?

The depth of application depends on the risk and value of the information shared with supply chains. More critical information may require more in-depth review of the wider supply chain, stricter controls and regular audits.

How do we assess security controls for cloud-hosted applications?

Again, the type of assessment and testing of controls will depend on the information the cloud-hosted application handles, its value to the business, and its associated risks. Assessing security controls for cloud applications can involve side audits, inspections, pen tests, and regular reviews with third parties. Communication with cloud providers is essential to understand and manage risks.

What is the difference between AS/NZS ISO/IEC 27001:2023 and ISO/IEC 27001:2022?

AS/NZS ISO/IEC 27001:2023 is an identical adoption of the international ISO/IEC 27001:2022 standard. This means that the content, requirements, and guidelines of AS/NZS ISO/IEC 27001:2022 are the same as those of ISO/IEC 27001:2023. This ensures that organisations in Australia are following the same international standards for information security management systems as those around the world.

Live event recording

AS/NZS ISO/IEC 27001:2023 is available via the Standards Australia Store and our distribution partners.

NOTE: This webinar and other information on this page contain general information and is not formal advice. Users must make their own assessment as to the suitability of this material and the standards referred to herein for their specific business needs.

Contact
Communications Department
communications@standards.org.au
communications@standards.org.au
Sarah Campbell
Sarah Campbell
Communications Manager
+ 61 2 8099 6487