Escalating cyber threats, innovative technology, greater connectivity and ISO/IEC 27002:2022 being published mean that ISO/IEC 27001 had to evolve.
Willy Fabritius, Global Head, Strategy & Business Development at SGS, said: “Whether your organization wants a smooth transition or first certification to ISO/IEC 27001:2022, SGS experts have examined the changes and created new services, including transition training and guidance documents, to support you.”
The importance of ISO/IEC 27001 certification
Adopted by tens of thousands of organizations, ISO/IEC 27001 certification demonstrates an organization’s commitment to information security and provides assurance to clients and other partners that it is serious about protecting information under its control.
The standard is technology agnostic, so it does not matter what technology environment you have. It is written in such a way that any organization, from small business to large multi-billion dollar enterprise, can use it.
ISO/IEC 27001 specifies the requirements to establish, implement, maintain and continually improve an ISMS for safety and security. It also includes requirements for assessing and treating information security risks, tailored to your organization’s needs.
ISO/IEC 27001 can lead to:
Enhanced credibility
Reduced risk of fraud, information loss and disclosure
Demonstration of integrity to your system
Business culture transformation and greater awareness of the importance of keeping information secure
New business opportunities with security-conscious customers
A stronger notion of confidentiality throughout the workplace
Better preparedness for the unavoidable – the next security event or incident
Evolution to meet the threats
Mr Fabritius, who has decades of experience in InfoSec and related fields, said: "ISO/IEC 27001 was last updated in 2013 and the cyber world and threats to it have dramatically evolved. The standard has had to follow suit.
“February 15, 2022, was a crucial day. ISO/IEC 27002:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Controls – was published. Due to this, ISO/IEC 27001 Annex A needed updating to align with ISO/IEC 27002:2022’s controls.
“A key change is to the name, to reflect the standard’s true scope. It is ISO/IEC 27001:2022 – Information Security, Cybersecurity and Privacy Protection – Information Security Management Systems – Requirements. This also aligns with ISO/IEC 27002:2022’s new title.”
Other changes include clause numbering, new and rearranged text, and Annex A updates, among others.
Extensive digital experience – support for all
If your organization is already ISO/IEC 27001 compliant, no changes in technology are needed, just updates in the documentation. You might need to revise internal policies, according to the new subclauses and modified requirements. Your risk assessment result and risk treatment plan(s) should also be reviewed and Statement of Applicability (SoA) updated.
The transition period is three years from when ISO/IEC 27001:2022 was officially published, so you should have ample time to comply. Your ISO/IEC 27001 certificate remains valid until this period ends.
Mr Fabritius added: “With decades of digital experience, we have created a suite of services and materials, including transition training, a step-by-step guide and guidance documents, to support current and new clients.
“We can ensure that you have adapted the documentation within the transition period. Therefore, no new audit(s) need to be scheduled because this will take place during your regular surveillance audits. Furthermore, additional time to assess the successful transition will be required as per the International Accreditation Forum’s (IAF) MD 26:2022 document.
“However, when you renew your certification during the transition period, you could work to the new controls to avoid leaving it until the eleventh hour.
“As the world’s leading testing, inspection and certification company, we are here for you, whatever your size, complexity and needs.”
