ISO 27001 As We Currently Know It Is Changing…

Published on: August 25, 2022 Published in: News

ISO 27001:2022 has now been published

Please note that the standard was updated on 25 October 2022. You can read more about the changes on our updated page here.

What is ISO 27001?

The ISO 27001 Standard (hereafter referred to as “the Standard”) is a set of requirements which can be adopted by organisations of any type or size to manage information security risk. The requirements detailed in the Standard cover the establishment, implementation, maintenance and continual improvement of an Information Security Management System (ISMS). The requirements in the Standard are to be tailored to each organisation and, as such, each ISMS is unique, albeit with lots of similarities to the next. A useful way to think about ISO 27001 is as a framework for information security management.

What is the relationship with ISO 27002?

ISO 27002 provides guidance for organisations seeking to implement and manage the controls listed in Annex A of ISO 27001, taking into consideration the organisation’s information security risk environment. It is designed to help organisations select appropriate controls and develop their own information security management guidelines. ISO 27001 is the main Standard and organisations can be certified to it; ISO 27002 is a guidance document, and companies cannot be certified to it.

What is Changing in the Standard?

The new Standard will see the introduction of four “themes” (organisational, people, physical and technological) which replace the 14 control domains in the current version of Annex A. Essentially, a re-organisation of the control set has taken place. As well as the re-structure, there are some new controls too. The current version of the Standard lacks controls relating to threat intelligence, cloud services, web filtering, and secure coding, among others. The total number of controls available for selection has been reduced from 114 to 93, but this does not mean the Standard has been simplified: the reduction is a result of modernising the control set, merging overlapping controls and dropping some outdated ones.

What aspects of ISO 27001 are staying the same?

  • Scope
  • Interested Parties
  • Context
  • Information Security Policy
  • Risk Management
  • Resources
  • Training & Awareness
  • Communication
  • Document Control
  • Monitoring & Measurement
  • Internal Audit
  • Management Review
  • Corrective Actions

What does this mean for those with existing systems?

If your organisation is already certified, the accredited certification body will need to check that your documentation has been adapted within the transition period. These checks can be completed during the normal surveillance cycle; there is no need to schedule a separate audit. It is likely that the transition period will be 2 years from the date of release, so organisations will have plenty of time to re-align to the new Standard.

As the main parts of the Standard are not changing, those with existing ISO 27001 Lead Implementer/ Lead Auditor qualifications will not have to re-take them.

When is it changing?

ISO 27002 was updated on February 15th, 2022; the corresponding changes to ISO 27001 are due to be released late in 2022.

What does it mean for organisations considering adopting ISO 27001?

As the changes to the Standard are not drastic, it is recommended that any organisations looking to implement the Standard should continue to do so. Any organisation that is aligned to the current version will have the opportunity to adopt the new version following its release.

How can we help?

Implementation & Transition

i3Secure can lead or help you with implementing requirements from the Standard. We have already worked with a number of customers this year to prepare them for ISO 27001 certification, including NHS Trusts as well as private sector organisations. We have an experienced team of Lead Auditors/ Lead Implementers that can take the strain and complexity out of the implementation process for you. As many of our consultants also conduct external certification audits on behalf of Accredited Certification Bodies, we are well placed to help you through your own certification audits.

Outsourced Management

We also specialise in managing systems on behalf of customers. Customers can outsource ISMS management responsibilities to i3Secure on an ongoing basis. This is a cost-effective approach, especially for small/medium-sized organisations that do not have their own Information Security Managers internally.

Internal Audit/ GAP Analysis

We may be external to your organisation, but we can perform internal audits on your behalf. This helps to ensure that your audits are completed in an independent way and that maximum value is derived from them. We can also carry out a GAP Analysis for you, to help determine your conformance with the Standard. A GAP Analysis is a form of audit, but it typically covers all requirements and is usually performed either before implementation starts or shortly after.

Find out more about our ISO 27001 Consultancy services here.

Here’s what our customers say about us:

“i3secure were fundamental to gaining our ISO 27001 certification on a very aggressive timeline. They were an effective guide through every stage – from initial scoping through to audit. They worked as both an extension of our team to take on the implementation effort and as a driver holding us to account for the necessary business change. We would highly recommend them.”

Hadean

“i3Secure have been invaluable with the support they have provided. The whole team have worked hard to understand who ABEC are and have helped us document processes which meet the requirements of ISO 27001, but in a way that accurately reflects our business. This provides us with a robust foundation which we can use to grow our information security controls from.

The i3Secure team have been quick to respond to queries, they have worked to accommodate our needs every step of the way and have somehow made the whole process enjoyable. I’m looking forward to getting our Stage 2 audit done and that certificate on the wall and then seeing where we can develop this to next.” 

ABEC

Get in touch

For further information about i3Secure and how we can support your organisation with ISO 27001 certification, get in touch with our team of specialists today.
