ISO27001 and legacy systems | Everything you need to know about it!

28-10-2024 | 9 min read | Cybersecurity, Decommissioning of Legacy Systems, SAP Data Archiving


ISO27001 is defined as a standard for regulating information security, guiding organisations to build, implement, maintain, and continuously enhance their information security management systems (ISMS), thereby ensuring protection of their invaluable information assets. It is an internationally recognised standard, published by the International Organisation for Standardisation (ISO) in partnership with the International Electrotechnical Commission (IEC). ISO27001 comes with a framework that helps improve the operation of the ISMS; the purpose of the ISO security framework is to protect the information of the organisation in a streamlined, systematic and, most importantly, cost-effective manner, irrespective of its size or industry.

Organisations must keep in mind that ISO27001 certification is achieved through an external audit process. A certification body will evaluate the information security management system (ISMS) of the organisation against the standard's requirements. Attaining this certification demonstrates to your stakeholders and customers your commitment to maintaining high information security standards.

At its very core, the ISO27001 standard provides organisations with the information and knowledge they need to protect their invaluable information. The standard also allows organisations to obtain ISO27001 certification, proving to customers and partners that their data is safeguarded. What is more, even individuals can obtain an ISO27001 certification by attending a course and passing the exam. As it is an international standard, the certification is recognised and respected across the world, increasing business opportunities for certified organisations.

There are several key aspects of the ISO27001 standard that you must know about; some of the most important ones are mentioned below.

There are three main guiding principles of the ISO27001 standard that help secure people, processes, and technology. They are confidentiality, integrity, and availability, commonly referred to as the C-I-A triad. Here is more about them:


All in all, with an information security management system (ISMS) that meets the requirements and guiding principles of ISO27001, organisations can ensure data security in a structured way. It also gives confidence to, and establishes credibility with, shareholders, clients, and interested parties that their data is adequately secured and maintained.

As we always say, cybersecurity is at the heart of every organisation. Unfortunately, organisations running legacy systems often lose sight of this. If obsolete systems are left unchecked, they become vulnerable to a wide range of cyberthreats from cybercriminals.

Legacy systems are often the entry point for attackers, because these obsolete systems sink into oblivion and are neglected. Unchecked obsolete systems accumulate unpatched vulnerabilities over time, yet keeping them updated with the latest security fixes is expensive and unproductive. Outdated systems bring their own challenges: data may not be encrypted and the system may not be protected by access controls, leaving it at risk from internal or external attacks, including offline ones.

Secondly, keeping up with patches and system updates is another challenge for the IT teams of organisations. The list of cyber vulnerabilities is a long one, and with legacy systems it becomes even more essential to keep a close eye on it.

All of this points towards the fact that decommissioning legacy systems is the way forward. However, some organisations are still using outdated systems, at least until they migrate to the much-needed S/4HANA. That said, keeping obsolete systems, even when they are no longer in use, is sometimes necessary for reasons such as audits and access to historical data. Therefore, whether your organisation still uses a legacy system or has kept it for decommissioning later, implementing cybersecurity measures is crucial. But can ISO27001 be applied to these systems?

Organisations wanting to obtain this coveted badge must put in place and maintain certain standards (as described above), and these also apply to legacy systems. It can be a challenging task, but it is definitely possible, and it helps ensure holistic information security across your organisation. Below we discuss some key considerations and strategies for maintaining legacy systems under ISO27001.

As an example, a legacy system running on a VM may put your entire hypervisor at risk: https://www.tjc-group.com/blogs/virtual-machines-to-maintain-legacy-systems-a-good-or-a-bad-idea/

3.2.1 Compliance gaps: Probably one of the most important aspects to consider is checking for compliance gaps. How do you do that? It is fairly simple: compare the current state of your legacy systems against the requirements of the ISO27001 standard. This way, you will be able to identify the compliance gaps.

Therefore, you must identify where your existing obsolete systems fall short of modern security practices and controls. Here is an example of how an SAP system needs ongoing work to close security gaps: https://www.tjc-group.com/blogs/is-it-safe-to-keep-legacy-data-in-an-old-sap-system/

3.3.2 Network segmentation: It is essential for organisations to isolate outdated systems from the rest of the network. This way, you can minimise the potential damage in case of a security breach.

3.3.4 Encryption: Again, a tedious process on obsolete systems, but an important one: use encryption to protect sensitive data that is processed or stored in the system.

Here are some regulations from across the world: https://www.tjc-group.com/blogs/data-privacy-your-absolute-guide-to-its-importance-regulations-and-more/

3.4.1 Document procedures: Create and maintain detailed documentation of all the policies and procedures in place to manage and secure legacy systems. This supports the second guiding principle of the ISO27001 standard, establishing the integrity and reliability of data.

3.4.2 Incident response: As vigilant team members of the organisation, you must develop specific incident response plans for the obsolete systems in use. Bear in mind that these plans must account for each system's unique vulnerabilities and limitations.

3.5.2 Awareness programs: Apart from conducting training sessions, it is also important to identify and implement ongoing awareness programs. This helps ensure that your team members remain vigilant about the security issues related to obsolete systems.

3.6.1 Continuous monitoring: Keeping the guiding principles of ISO27001 in mind, implement continuous monitoring solutions to detect and respond to security incidents in legacy systems.

3.6.2 Conducting regular audits: Regular audits of your obsolete systems help ensure compliance with the ISO27001 standard and its guiding principles. They also help identify new risks and vulnerabilities.

3.7.1 Decommissioning: As mentioned before, organisations cannot stick to obsolete systems forever, and decommissioning these legacy systems is critical. However, the migration process requires proper plans and strategies. Make sure that the plans for legacy system sunset and decommissioning are optimised and secured.

With the help of these considerations, organisations can implement, manage, and maintain the security of legacy systems under the ISO27001 framework, while ensuring a comprehensive and robust information security management system.

Not surprisingly, a decommissioning program and vendor management also relate to value and return on investment. Some more details here: https://www.tjc-group.com/blogs/decommissioning-legacy-systems-exploring-the-hidden-costs-of-legacy-systems/

It is with immense pride that we say TJC Group is ISO27001 certified. Achieving this milestone showcases the organisation's commitment to information security while meeting the highest standards of information security management. TJC Group's journey towards ISO27001 certification started a year ago, to formalise and enhance our cybersecurity practices and build a robust Information Security Management System (ISMS).

Read: https://www.tjc-group.com/blogs/tjc-group-achieves-iso-27001-certification-for-information-security/

With our ISO27001 standards in place, organisations looking to decommission their legacy systems can join forces with us. Why? Our team of experts helps organisations:

  • Avoid the non-compliance risks that come with the non-enforcement of legal regulations and data privacy requirements in legacy systems.
  • Avoid non-compliance during mergers and acquisitions while ensuring secure and continued access to data.
  • Bid goodbye, with our decommissioning techniques, to the high costs of maintaining obsolete systems, their substantial licensing costs, and more.

Apart from this, one of our key strengths is that TJC Group can decommission both SAP and non-SAP legacy systems. Besides using SAP ILM for decommissioning, we offer our very own cloud-based solution, the Enterprise Legacy System Application (ELSA). To learn more about how we decommission legacy systems, reach out to our experts here!

Making ISO27001 and legacy systems work together requires careful risk management, documentation, security management, and more, as per the considerations mentioned above, together with adherence to the guiding principles of the ISO27001 standard. While legacy systems pose challenges, they can be managed effectively with a well-structured and robust ISMS.

For more such interesting reads on cybersecurity, data privacy, and more, stay tuned with us!