Managing change in cybersecurity: navigating transition between standard versions and compliance with legislation: A case study
Viheriäranta, Henna-Jasmin (2024)
Tietojohtamisen DI-ohjelma - Master's Programme in Information and Knowledge Management
Johtamisen ja talouden tiedekunta - Faculty of Management and Business
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Approval date
2024-04-25
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-202403303215
Abstract
The International Organization for Standardization introduced a renewed version of the international standard ISO/IEC 27001 in 2022 with new requirements and an updated structure, requiring certified organizations to transition their certification to the new version by the end of October 2025. The popularity of ISO/IEC 27001 certification has steadily grown due to its several advantages, such as helping organizations align with evolving regulatory requirements in cybersecurity, which is one of the key motivators for organizations seeking certification. Additionally, the landscape of cybersecurity threats is changing faster than ever before, leading organizations to adopt standardized practices like ISO/IEC 27001 to protect their digital environments.
In 2023, the European Union's Network and Information Security 2 (NIS 2) directive entered into force, giving the organizations in its scope 21 months to comply with its requirements and rules. The directive aims to enhance the level of cybersecurity across the European Union by setting out a common cybersecurity regulatory framework, along with obligations to follow rules on cybersecurity risk-management measures and incident reporting in critical sectors. Breaches and repeated violations of the directive have serious monetary and reputational consequences. These changes apply to many organizations simultaneously, prompting the need for effective implementation to achieve compliance. The objective of this thesis is to analyse the changes between the ISO/IEC 27001 versions 2013 and 2022 as well as the requirements introduced in the NIS 2 directive, and to establish action plans for complying with the requirements of both. The action plans are recommended models for approaching the changes, based on findings from the literature and an empirical study conducted for this research.
The literature review creates the backbone for understanding the changes in the new version of the ISO/IEC 27001 standard and the requirements of the NIS 2. It also focuses on finding suitable change management practices and models to support the change execution. The second part of the research is mapping the differences between the ISO/IEC 27001 standard versions and the similarities between the 2022 standard version and the NIS 2 requirements. As the empirical research part of this study, several cybersecurity compliance specialists from the global community of the case organization were interviewed to gain insights on their implementation plans and best practices. The interviews were conducted as semi-structured interviews.
The results of this thesis indicate that the changes between the standard versions are mostly structural and the changes in content are moderate. The main part of the standard remained mostly the same, but Annex A has been completely reorganized. The new version introduced 11 new requirements, while the number of security controls decreased from 114 to 93. It was found that the requirements of ISO/IEC 27001 and NIS 2 are highly similar, but compliance with one does not imply compliance with the other, even though the two implementations can support one another significantly. The responsibility for NIS 2 implementation lies with the management board of the organization, but involving ISMS implementers could benefit the implementation and management of the requirements. Kotter's 8-step model, pre-estimated as the most suitable for this use case, was tested on a conceptual level and determined appropriate for further use in similar changes.