Information Security Management Systems
ISO/IEC 27001 is the internationally recognised standard for managing risks to the security of the information an organisation holds. The standard takes a process-based approach to the set of policies, procedures, processes and systems that manage information risks such as cyber-attacks, data theft, unauthorised access and data breaches. Information security management is one of the most important components of any organisation, as it protects the confidentiality, integrity and availability of information assets.
Why ISO/IEC 27001?
Certification to the ISO/IEC 27001 Information Security Management Systems standard demonstrates that an organisation's systems have been independently assessed, and shows the commitment the organisation has made to information security best practice and ICT governance.
The ISO/IEC 27001 standard is suitable not only for large organisations but also for small businesses: it enables organisations to align with global best practice for information security management and to preserve the confidentiality, integrity and availability of information by applying a risk management process.
Benefits to your organization
Implement processes and controls that improve your organisation’s ability to identify and manage information security risks.
Build confidence and trust with your stakeholders by demonstrating your compliance to information security requirements.
Demonstrate robust security practices, creating more opportunity for new business and improving client relationships and client retention.
Improve productivity, as the standard clearly sets out information risk responsibilities across the organisation.
Comply with business, legal, contractual and regulatory requirements
Minimise the risk of cyber security incidents and data breaches.
Avoid the financial penalties and losses associated with data breaches
Benefits to your customers
Improved confidence and assurance.
Safeguarding of personal and confidential information.
Minimized risk of cyber threats and data breaches.
Independent audit demonstrates commitment to Information Security.
Transition Arrangement for ISO/IEC 27001:2022
ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
IAF MD 26:2023 was issued on 15 February 2023 with immediate application. It describes the transition requirements for ISO/IEC 27001:2022, which replaces ISO/IEC 27001:2013.
The ISO/IEC Directives, Part 1 state that no more than two separate amendments shall be published modifying a current International Standard; the development of a third such document shall result in publication of a new edition of the standard. As this was the case for ISO/IEC 27001:2013 with its various amendments and corrigenda, a new edition was published as ISO/IEC 27001:2022 in October 2022.
Key Changes and impact
See sections 2.2 and 2.3 of IAF MD 26:2023, available here:
ISOCert intends to follow exactly the transition arrangements outlined in IAF MD 26. Clients are advised to refer directly to its provisions, but the key timescales are as follows:
a) Initial certification and recertification by ISOCert to ISO/IEC 27001:2022 will begin no later than 18 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 30 April 2024).
b) ISOCert will complete the transition of certified clients within 36 months from the last day of the publication month of ISO/IEC 27001:2022 (i.e., 31 October 2025).
The transition period ends on 31 October 2025. Certificates for ISO/IEC 27001:2013 will no longer be valid after this date.
If a client fails to complete the transition audit within this timeline, all of its certifications based on ISO/IEC 27001:2013 will expire or be withdrawn at the end of the transition period.
Preparing for your ISO/IEC 27001:2022 Transition
Organizations must transition their management system to meet the requirements of ISO/IEC 27001:2022 before their transition audit is conducted. This includes any documentation changes, along with evidence of any new or changed process requirements. Of note, organizations must conduct an internal audit and a management review covering the new and changed requirements before the ISOCert transition audit takes place. Organizations may have a transition gap assessment conducted by ISOCert prior to their official transition audit; this can be done in conjunction with an earlier ISO/IEC 27001:2013 surveillance audit, or as a stand-alone activity at any other time before the transition audit.
Your ISO/IEC 27001:2022 Transition Audit
All organizations must have a transition audit to confirm implementation of the revised standard. The transition audit may be conducted in conjunction with an existing audit or as a stand-alone audit. If it is conducted in conjunction with an existing surveillance audit (a transition surveillance) or recertification audit (a transition re-assessment), additional time may be added to the audit duration to cover the new requirements and concepts introduced by ISO/IEC 27001:2022. If a stand-alone transition audit is carried out, its duration will be calculated for each organization individually.
Note: The specific audit duration for the transition will depend on the organization's actual situation, including its size and the complexity of the ISMS. As a guide, a minimum of 0.5 auditor days applies when the transition audit is carried out in conjunction with a recertification audit, and a minimum of 1.0 auditor day when it is carried out in conjunction with a surveillance audit or as a separate audit. Your ISOCert client representative will advise you of your specific transition audit duration.
Revised ISO/IEC 27001:2022 Certificates
As with any audit, non-conformances identified during a transition audit will require a corrective action to be submitted and approved. An updated ISO/IEC 27001:2022 certificate will be issued following corrective action approval. Updated ISO/IEC 27001:2022 certificate issuance and validity will be as follows:
a) Transition surveillance – The organization's existing 'Valid Until Date' will be maintained.
b) Transition re-assessment – A new 'Valid Until Date' will be issued for the renewed 3-year period.
c) Stand-alone transition – The organization's existing 'Valid Until Date' will be maintained.
Integrating ISO/IEC 27001 into your management system
An IMS (Integrated Management System) integrates all of an organization's management systems and processes into one complete framework, allowing the organization to work within a single unified system to achieve common objectives. Quality, environmental and safety management systems have frequently been combined and managed as an IMS. With the rise of the digital economy, data protection and information security have become critical components of any organisation, and certification to ISO/IEC 27001 has become an important step for organisations that wish to demonstrate their commitment to data security.
Organisations already certified to ISO 9001, ISO 14001, ISO 22301 or ISO 45001 are encouraged to embark on ISO/IEC 27001 certification, since much of the management-system groundwork will already be in place. Information security threats are common today, so it is important to build up defences and minimise the risk.