ISO 27001:2022 - Information Security Management Systems Requirements
Information Technology Security techniques
What is ISO 27001?
ISO 27001 for Information Security Management Systems requires organisations to adopt a risk based approach to the security of all information. ISO 27001 is not a prescriptive document, rather it is intended to enable organisations to ensure the security of information through the assessment and treatment of information security risks, documented in a Statement of Applicability.
Information Security Management System Requirements
Information Security Management Systems (ISMS) require organisations to:
- identify information security risks
- understand external and internal issues, and interested parties, relevant to information security
- develop an information security Policy, typically a one-page document declaring commitment to information security
- develop a Statement of Applicability, documenting the assessment of identified information security risks and establishing controls (risk treatment) based on reference controls documented at Annex A of ISO 27001
- develop procedures -- instructions required to address information security
- control any outsourcing of information management
- develop and monitor information security objectives and targets
- embrace information security risks and opportunities throughout the business
- ensure staff are competent and understand their information security responsibilities
- monitor information security performance
- control information security nonconformances and take corrective action for significant or repetitive nonconformances
- conduct internal audits of the information security management system
- ensure senior management strategically review the information security management system
- Information Security Policy
- Statement of Applicability
- ISMS or Management Manual
- Procedures
- Improvement Plan (monitoring information security objectives and targets)
- Registers of nonconformances and corrective action.
Implementing an Information Security Management System:
Benefits of an Information Security Management System:
- demonstrated due diligence by meeting regulatory and customer requirements
- meeting international best practice for security
- meeting tender requirements and standing out from the competition
- improved reputation and enhanced company profile
- demonstrated integrity of data to customers, suppliers and other stakeholders
- reduced risk of fraud, information loss and disclosure
- increased resilience to cyber attacks
- prompt detection of data leakage and rapid reaction to breaches
- reduced costs associated with information security
- all forms of information secured, ensuring confidentiality, integrity and availability of data
- ensured workplace confidentiality and improved company culture
- easily integrated with other management systems.
Transition from ISO 27001:2013 to ISO 27001:2022
ISO/IEC 27001:2022 was published in October 2022. It is not a fully revised edition; the main changes are:
- Annex A now references the controls in ISO 27002:2022, including each control's title and the control itself
- the notes to Clause 6.1.3 c) are revised editorially, including deletion of the control objectives and replacement of the term “control” with “information security control”
- the wording of Clause 6.1.3 d) is reorganised to remove potential ambiguity.
The number of controls in ISO 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. Of those, 11 controls are new, 24 are merged from the existing controls, and 58 are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.
Clients may apply to be audited and certified to the old Standard (ISO 27001:2013) until 30 April 2023, after which only applications against the new Standard (ISO 27001:2022) will be accepted. Clients may request to be audited and certified to the new Standard (ISO 27001:2022) from 1 November 2022.
All clients must be audited and certified to ISO 27001:2022 no later than three years following its publication (30 October 2022). No certification to ISO 27001:2013 is permitted after 30 October 2025.
TQCSI Certification Process:
- contact your TQCSI Office and ask for a quote, or apply on-line. TQCSI will need to know what your business does, how many employees you have (full-time equivalent) and what types of information security risks are applicable
- to prevent delays, don’t wait until your Information Security Management System is fully implemented.
Certification Mark for Information Security Management Systems:
Once obtained, this certification mark can be used on all marketing material to promote your ISO 27001 Information Security Management System certification.