ISO 27001 - Information Security.
The ISO 27001 standard details requirements for Information Security management systems and the aim of this standard is to help organisations review, identify and manage key information assets and data. Often considered an Information Technology standard, ISO 27001 is actually much broader and like other management system standards such as ISO 9001 in that the standard is primarily concerned with the management system. Where ISO 27001 differs is that it includes an Annex (Annex A) listing various controls which need to be considered in the risk treatment process.
The current version of the standard, ISO 27001:2022, is structured following Annex SL and therefore the clauses are very similar to the structure of ISO 9001 and other Annex SL standards. The standard requires a clearly defined organisational structure with roles and responsibilities defined with the involvement and commitment from top management. Other requirements of this standard are that documented information is controlled, risks and opportunities are considered and that actions to address risks and opportunities are identified and managed.
The standard requires quite a lot of documentation to be prepared including Information Security Policies and evidence that all the Annex A controls have been addressed in a statement of applicability. The risk assessment / risk treatment process may include review and consideration of IT infrastructure and systems and therefore may require some competent assessment / review of IT systems.
Meeting the requirements of this standard
There are quite specific documentation requirements for this standard and a full review of all the Annex A controls is required. A full review of information within the organisation, where it is stored, accessed and how it is disseminated as well as the controls in place to preserve the data and ensure it is protected from unauthorised access, is protected from accidental corruption or alteration and that the Information systems in place are robust and reliable to ensure availability of information when required for business continuity.
isoassured can assist with preparation of management systems to meet the requirements of this standard – check our ISO Consultancy page for details of how we can help with onsite consultancy, remote consultancy or by using of our alpha-Z documents package to meet the requirements of this standard.
ISO 27001 Certification process
We offer a simple, smart, certification process to provide independent confirmation that your organisation meets the requirements of the ISO 27001 standard and once an audit has been completed with a satisfactory outcome we issue an ISO27001 registration certificate and authorise the organisation to display our ‘ISO 27001 Registered’ logo.
Further details on our certification service are available on the ISO Certification page.
Benefits of ISO 27001 Certification
- Achieve better scores in pre-qualification questionnaires (PQQ’s)
- Improved Systems for management and preservation of critical company information and data
- Improved appraisal of outsourced services and checks to protect company information and data
- Demonstration to suppliers / other interested parties that their information is protected and managed correctly
- Systems to ensure staff background checks completed as required
- Checks that IT infrastructure managed correctly with effective backup and disaster recovery systems in place
- Effective systems for monitoring and dealing with IT security incidents
- Ongoing checks and reviews of operational activities
- Systems for improvements and continual improvement of management systems
- ISO 27001 Registered Logo for use in marketing
- Enhanced systems for ongoing checks of IT security
- Checks that meeting applicable legal requirements such as Data Protection
ISO 27701 Security Techniques for Privacy Information Management - ISO 27001 Standard Extension
The ISO 27701 standard is an extension to the ISO 27001 / ISO 27002 standards and follows the structure of these standards with some additional requirements.
This extension requires the management system to cover all the additional requirements relating to the management and protection of Personally Identifiable Information (PII) and can be followed by PII controllers and processors.
ISO 27701 Certification process
We offer a simple, smart, certification process to provide independent confirmation that your organisation meets the requirements of the ISO 27701 standard with audit being completed at the same time as ISO 27001 audit or as a standalone audit. Once an audit has been completed with a satisfactory outcome this standard is also detailed on the ISO 27001 certificate and we authorise the organisation to display our ‘ISO 27701 Registered’ logo.
Further details on our certification service are available on the ISO Certification page.
ISO 27001 is an Information security management standard that provides organisations with a structured framework to safeguard their information assets and ISMS, covering risk assessment, risk management and continuous improvement. In this article we’ll explore what it is, why you need it, and how to achieve certification.
Why do you need ISO 27001?
ISO 27001:2022 certification assures customers, partners and other stakeholders that your company’s information security infrastructure meets their expectations.
ISO 27001 is an information security management system (ISMS) internationally recognised best practice framework and one of the most popular information security management standards worldwide.
The cost of not having an effective Information Security Management System can be high – both financially and reputationally. The Standard is a critical component in any organisation’s information security risk management process , and it has become an essential part of many organisations’ IT governance, risk and compliance (GRC) programmes.
The benefits of ISO 27001
1) ISO 27001 Will Help You Reduce Information Security and Privacy Risks
Information security risks are constantly growing. New data breaches make the headlines every day. So more and more organisations realise that poor infosec can be costly, whether it leads to breaches of their own or their customers’ confidential information.
That’s why many organisations are creating their own ISO 27001-certified information security management system or ISMS’s.
An effective ISMS will help you meet all your information security objectives and deliver other benefits.
And any scale and type of organisation, from government agencies to commercial companies, can use ISO 27001 to create an ISMS.
Several of the ISO 27001 requirements also fulfil those of GDPR and Data Protection Act compliance, and legal and regulatory obligations, giving much greater information assurance overall. Implementing ISO 27001 will show regulatory authorities that your organisation takes the security of information it holds seriously and, having identified the risks, done as much as is reasonably possible to address them.
Your risk management process will be both robust and easy to demonstrate. And it’s an excellent gateway to other ISO management system standards too.
2) ISO 27001 Means Saving Time and Money
Why spend lots of money solving a problem (for example, loss of customer information, risk assessments, business continuity management) in a crisis when it costs a fraction to prepare for it in advance? With an ISO 27001-certified information security management system, you’ll have all your information security incident management plans and systems ready. It’s the most cost-effective way of protecting/keeping your information assets secure.
You’ll base your risk management plans on a robust, thorough risk assessment. Ongoing internal audits will ensure your ISMS meets the ever-evolving threat of digital crime with new security techniques and information security controls. And with our help, you can measure the ROI on your information security risk management investment.
You’ll also cut your cost of sales. Customers increasingly seek assurance of their supplier relationships’ information security management and data protection capabilities. Your sales department will probably testify to the amount and the length of the ‘requests for information’ they regularly have to deal with as part of the sales process and how that is growing all the time. Holding ISO 27001 certification will minimise the detail you need to provide, simplifying and accelerating your sales process.
3) ISO 27001 Boosts a Reputation and Builds Trust in the Organisation
It’s bad enough having your information systems hacked and your customer data exposed and exploited. What’s worse is when news of that kind of breach starts spreading. It can severely damage your reputation and, with it, your bottom line. With an ISO 27001 ISMS, you’ll have conducted a robust risk assessment and created a thorough, practical risk treatment plan. So you’ll be better positioned to identify and prevent breach risks before they happen.
Like many things in business, trust is essential. But demonstrating that an accredited certification body has independently audited your Information Security Management Systems (ISMS) solidifies that trust. Your customers will quickly and easily see that it’s based on specific system engineering principles. They won’t need to take the security of your operations on trust because you’ll be able to prove you’ve met the relevant ISO management system standards.
And managing information security with ISO 27001 is about more than just protecting your information technology and minimising data breaches.
The Standard Can Help You:
- Protect everything from your organisation’s intellectual property to its confidential financial information.
- Put defined information security policies in place to help you manage processes, including your access control policy, communications security, system acquisition, information security aspects of business continuity planning and many others.
- Ensure your information security incident management is carefully planned and demonstrably effective if and when a compromise happens.
- Perform and information security risk assessment and management activities clearly, practically and transparently.
- Ensure key stakeholders and other third parties are aware of, in agreement with and, where necessary, fully compliant with your infosec measures.
- Meet specific industry regulations or operating procedures set by relevant regulatory bodies.
- Secure your employees’ and customers’ personal data.
ISO 27001:2022 requirements & controls
Defined within the ISO 27001 standard are ten requirements, including information security guidelines, requirements intended to protect an organisation’s data assets from loss or unauthorised access and recognised means of demonstrating their commitment to information security management through certification.
Requirement 6.1.3 (Information Security Risk Treatment) defines Annex A, specifying controls derived from ISO 27002:2022.
ISO 27001 also includes a risk assessment process, organisational structure, Information classification, Access control mechanisms, physical and technical safeguards, Information security policies, procedures, monitoring and reporting guidelines.
Annex (S)L Explained
“Annex L” defines a generic management system’s core requirements and characteristics. This is a critical point. Your company’s management system extends beyond information security.
While the focus of ISO 27001 is information security, the standard integrates with other ISO standards based on ISO’s Annex L, allowing you to introduce these standards to develop further and improve your overall management system later. They include ISO 9001 for quality management, ISO 22301 for business continuity management, ISO 227701 for Privacy protection and up to 50 other ISO standards.
Whilst we are not suggesting that you look at these standards for now, the point is that it is possible. You have an ‘upgrade path’ within ISO and ISMS.online (Integrated Management System) that won’t require reinventing the wheel when stepping it up to another level.
ISO 27001:2013 & ISO 27001:2022 – What’s the difference?
In practical terms, very little has changed between the 2013 and 2022 ISO 27001 information security standards except for minor cosmetic points and additional requirements (9.3.1, 9.3.2, 9.3.3) and revised Annex A controls linked to ISO 27002:2022.
Transitioning to the New Standard
Organisations that have already achieved ISO 27001 certification must transition to the new version by October 31, 2025. This transition will require them to review and update their current ISMS to comply with the new requirements.
Overview of Changes Introduced in ISO 27001:2022
ISO 27001: 2022 brings with it several refinements and additional wording requirements. These changes ensure the standard remains applicable and updated with the latest security best practices.
The new version of the Standard requires organisations to ensure that their management systems comply with the updated requirements and to review any changes to the wording of the Standard to ensure they understand the implications for their security management systems. This includes changes to the language used, adjustments to the structure and content, and the addition of new clauses.
Restructuring of Annex A Controls in ISO 27001 2022
Following the release of ISO 27002:2022 on February 15, 2022, ISO 27001:2022 has aligned its Annex A controls.
The new version of the Standard draws upon a condensed set of 93 Annex A controls, including 11 new controls. A total of 24 controls were merged from two, three, or more security controls from the 2013 version, and 58 controls from the ISO 27002:2013 were revised to align with the current cyber security and information security environment.
Organisations must ensure that their information security management system meets the new requirements and that their existing controls are current.
To help with this, ISO 27002:2022 has made changes to the wording of some of the existing controls and added additional requirements for others. Additionally, the Standard now requires organisations to evaluate the performance of their information security management system and the effectiveness of the controls.
Control Categories and Attributes
Annex A controls have now been grouped into group categories:
Organisational
People
Physical
Technological
Each control has additionally assigned an attribution taxonomy. Each control now has a table with a set of suggested attributes, and Annex A of ISO 27002:2022 provides a set of recommended associations.
These allow you to quickly align your control selection with common industry language and international standards. The use of attributes supports work many companies already do within their risk assessment and Statement of Applicability (SOA).
For example, Cybersecurity concepts similar to NIST and CIS controls can be distinguished, and the operational capabilities relating to other standards can be recognised.
11 New Annex A Controls
The 11 new controls focus on cloud services, ICT readiness for business continuity, threat intelligence, physical security monitoring, data masking, information deletion, data leakage prevention, monitoring activities, web filtering and secure coding.
New Focus on Risk Treatment Processes
ISO 27001 2022 has placed a greater emphasis on risk treatment processes and the use of Annex A controls. The updated Standard now requires organisations to consider the four options for treating risks: modification, retention, avoidance and sharing. Two additional options for treating opportunities have been added: enhancement and exploitation. The Standard also outlines the need for organisations to consider risk sharing and acceptance in handling opportunities.
Organisations are now required to consider the consequences and likelihood of information security risks and the potential rewards of opportunities when assessing risk. The International Standard also encourages organisations to take risks if the potential rewards are more significant than the potential losses.
Overall, the new focus on risk treatment processes in ISO 27001 2022 provides organisations with a greater understanding of assessing and treating risks to minimise the potential for harm.
Evaluation of Third Parties
Organisations must ensure that third parties can provide adequate risk management measures, including but not limited to security, privacy, compliance and availability. Third parties must be aware of the organisation’s policies, procedures and standards and comply with them.
Organisations should perform periodic reviews and audits to ensure third-party compliance with security policies. They should also have a process for reporting and responding to security incidents resulting from the activities of third parties.
Organisations must ensure that all data and information assets under their control are securely returned or disposed of when terminating contracts or relationships with third parties.
Incident Logging Investigation and Recording
ISO 27001 2022 sets out specific requirements for logging, investigating and recording incidents. This includes organisations needing a process for logging security incidents and a procedure for investigating and documenting the investigation results. It is important for organisations to have a clear policy for logging and investigating incidents, as well as a process for recording the results of the investigation.
The policy should also cover the handling of evidence, the escalation of incidents and the communication of the incident to relevant stakeholders. The policy should also ensure that the organisation can quantify and monitor incidents’ types, volumes and costs and identify any severe or recurring incidents and their causes.
This will enable the organisation to update its risk assessment and implement additional controls to reduce the likelihood or consequences of future similar incidents.
Supplier Relationships Requirements
ISO 27001:2022 has introduced new requirements to ensure that organisations have a robust supplier and third-party management programme. This includes identifying and analysing all third parties that may impact customer data and services security and conducting a risk assessment for each supplier. The agreement between the supplier and service provider must also establish the relationship between them, and regular monitoring and reviews must be conducted to assess compliance.
Organisations must also ensure that supplier security controls are maintained and updated regularly and that customer service levels and experience are not adversely affected. In addition, personal data must be processed per data privacy regulations, and an audit of the supplier’s systems, processes, and controls must be conducted. By implementing these supplier management procedures, organisations can ensure they comply with ISO 27001:2022.
Clarification of Control Requirements for Externally Provided Processes and Products
Organisations must ensure that external services, products, and processes are appropriately managed and controlled. The 2022 version of ISO 27001 clarifies the requirements for externally provided processes and products.
Organisations must establish documented agreements with external providers and ensure that these agreements are regularly monitored and reviewed. Additionally, organisations must have a plan for responding to any inaccurate or incomplete information provided by external services or products and a procedure for handling any identified vulnerabilities in externally offered services or products.
Organisations must also ensure that the associated risks are appropriately managed and that the control of externally provided processes and products includes appropriate measures for security assurance and management of changes to documents, agreements, and procedures.
Supplier Management Procedures
ISO 27001 2022 introduces several changes to how organisations manage their supplier relationships. The revised Standard requires organisations to develop a formal supplier management policy and procedures, segment their supply chain into categories based on the value and risk of the relationship, and develop close working relationships with high-value suppliers:
Organisations must also take a risk-based approach to supplier selection and management, wrap information security policy for suppliers into a broader relationship framework. ISO 27001 2022 emphasises managing ICT suppliers who may need something additional instead of the standard approach.
Organisations must ensure supplier staff are educated, aware of security, and trained on organisation policies. Records of supplier management, including contracts, contact, incidents, relationship activity and risk management, must also be kept. All of this must be done to ensure an agreed level of information security and service delivery is maintained in line with supplier agreements.
Employee Cybersecurity Awareness
Organisations must take action to ensure that employees are aware of their responsibilities when it comes to cyber security.
Companies should focus on preventing human error by empowering staff to understand the importance of cyber security. Businesses should also invest in appropriate cybersecurity training programs and develop clear policies and procedures that detail what is expected from employees.
Furthermore, companies should incorporate cyber security into everyday operations and establish a culture of cyber security where staff feel comfortable and empowered to raise cyber security issues. By taking these steps, organisations can ensure that their employees know their responsibilities and are better prepared to protect their data and networks from cyber threats.
Establishing Controls for Human Resource Security in ISO 27001:2022
ISO 27001 2022 has introduced several new and refined controls for Human Resource Security. This includes the need to establish clear guidelines for personnel screening, terms and conditions of employment, information security awareness, education and training, and disciplinary processes. It also requires organisations to have a policy on using cryptographic controls and a formal starter, leaver, and mover process.
These controls are essential for protecting the organisation’s interests, as they help to ensure that all personnel have the necessary security clearance and are aware of their responsibilities. Furthermore, they help to ensure that confidential information is protected from unauthorised access and that any information security events are reported and dealt with appropriately. Implementing these information security controls is essential for any organisation seeking certification from an accredited certification body.
Understanding the Requirements of Interested Parties
ISO 27001:2022 has a specific focus on understanding the needs and expectations of interested parties. Interested parties are stakeholders, such as employees, shareholders, government agencies, clients, media, suppliers and partners interested in the organisation’s information security and business continuity. Identifying these stakeholders and their requirements is essential to develop an effective ISMS or BCMS.
A procedure should be written to clearly define who is responsible for identifying all interested parties and their legal, regulatory, contractual and other requirements and interests, as well as who is responsible for updating this information and how often it should be done. Once the requirements are identified, assigning responsibility for meeting them is essential.
How to Tackle the Changes Between ISO 27001:2013 and ISO 27001:2022
We’ve incorporated the updated ISO 27001 requirements and ISO 27002 controls into ISMS. online, both responding to the guidance and creating tools to help you. They’ll help you fast-track your ISO 27001 implementation and reduce the ongoing management time of your Information Security Management System.
Where do I start with ISO 27001 Certification?
Achieving ISO 27001 Certification can be complex and overwhelming but our ISMS.online software changes all that. Now you have pre-configured information security frameworks, tools, and content to help you achieve ISO 27001 success quickly and simply.
Imagine too, if you had a helping hand that guided you through each step of ISO 27001, without the need for expensive consultancy fees? Our ISO 27001 Virtual Coach package does just that.
You will find helpful videos from those that are ‘living’ ISO 27001, together with an information security specialist, as well as lots of hints and tips for success.
All delivered right where you need it most, inside the ISMS.online platform allowing you to work where and when you want, at your own pace towards achieving your goals.
How do I achieve ISO 27001?
The core requirements of the information security standard are addressed in clauses 4.1 through 10.2, and Annex A controls you may choose to implement, subject to your risk assessment, risk treatment plan and work, are covered in A.5.1, and 5.31 through 5.36 and A. 8.8 (found at the bottom of this page).
If you want to achieve ISO 27001, you will be expected to meet all the core ISO 27001 requirements. One of the fundamental core requirements (6.1) is to identify, assess, evaluate and treat information security risks. Out of that risk assessment and management process, the ISMS will help determine which of the ISO 27001 Annex A reference control objectives (information security controls) may need to be applied to manage those information security-oriented risks.
Some organisations may not take their Information Security Management System to certification but align to the ISO 27001 standard. This might be okay to meet internal pressures however delivers less value to key stakeholders externally, who increasingly look for the assurances a UKAS (or similar accredited certification body) independently certified ISO 27001 delivers.
ISO 27001 certification
For organisations looking to demonstrate their commitment to information security, certification from an accredited body is the way to go. The process of seeking certification requires a thorough review of the organisation’s ISMS and its ability to comply with the requirements of ISO 27001:2022.
An accredited third-party auditor should conduct the certification process, who will review the organisation’s ISMS and assess its compliance with the Standard. The auditor will also provide recommendations for improvements and ensure the organisation can meet the new requirements of the Standard.
Once the certification process is complete, the organisation will receive an official certificate from the accredited body.
ISO 27001 plays a crucial role in organisations by helping them identify and manage risks effectively, consistently, and measurably. At ISMS.online, we understand the significance of ISO 27001 certification for businesses of all sizes.
Here are a few reasons why ISO 27001 is essential for your organisation:
- Risk Reduction: ISO 27001 minimises your organisation’s information security and data protection risks, ensuring the safety of sensitive information.
- Customer Trust: As a certified organisation, you demonstrate a commitment to security, giving you a competitive advantage in the eyes of customers and potential stakeholders. At ISMS.online, we recognise the importance of building customer trust and confidence in your services.
- Streamlined Processes: Implementing ISO 27001 allows companies to document their main processes, reducing ambiguity and increasing productivity. Our platform at ISMS.online simplifies the management of your ISMS, making it more efficient for your staff.
ISO 27001 is the premier international standard for information security, published by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC).
It belongs to the ISO/IEC 27000 series and offers a framework for organisations of any size or industry to safeguard their information through an Information Security Management System (ISMS).
The latest version, ISO 27001:2022, includes updates to address the evolving landscape of technology and information security.
The primary distinction between ISO 27001 compliance and certification lies in the level of external validation and recognition:
ISO 27001 Compliance
- Refers to an organisation adhering to the requirements of the ISO 27001 standard, which focuses on Information Security Management Systems (ISMS).
- In simple terms, compliance might mean that your organisation is following the ISO 27001 standard (or parts of it) without undergoing any formal certification process.
ISO 27001 Certification
- The process where a third-party, independent organisation called a certification body audits your organisation’s ISMS.
- Determines if your processes, as well as your products and services, meet the ISO criteria.
Your ISO 27001:2022 certification is valid for three years following successful certification audits.
During this period, as information security professionals, you are expected to:
- Conduct regular performance evaluations of your ISMS.
- Ensure that senior management reviews your ISMS consistently.
At the end of the three-year cycle, a recertification audit is conducted, and upon successful completion, the certification is renewed for another three years.
At ISMS.online, we understand the importance of maintaining your ISO 27001 certification. Our platform offers a comprehensive solution to help you and your organisation achieve and maintain compliance with multiple standards, including ISO 27001.