
ISO 27001:2022
Information Security Management System
WHITE PAPER


Background and overview of the ISO 27001:2022 revision

ISO/IEC 27001 is an internationally recognized standard published by the International Organization for Standardization (ISO). The standard specifies the requirements for implementing and maintaining an effective information security management system (ISMS) to protect against the root causes of information security risks.
Organizations that achieve ISO/IEC 27001 certification strengthen their ability to protect themselves against cyberattacks and help prevent unwanted access to sensitive or confidential information. First published in 2005, ISO/IEC 27001 is based on BS 7799 Part 2, Information Security Management Systems Specification with guidance for use, issued in 1999. As originally published, ISO/IEC 27001 was largely based on the “plan-do-check-act” (PDCA) model then widely used by other management system standards. However, a 2013 revision of the standard adopted the framework detailed in Annex SL of the Consolidated Supplement of the ISO/IEC Directives. Annex SL mandates the use of a common structure and terminology in all new and newly revised management system standards, and maintains the PDCA model only as a basic principle.


ISO/IEC 27001:2013 is intended to bring information security under a formally specified management control. It has more than one hundred specific requirements.

The requirements set in ISO 27001 are generic, flexible and useful to all types of organizations. Because it is a management system standard with the same structure as other management system standards, it can be aligned with systems such as quality management and business continuity management.

ISO 27001 specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a management system, as well as to prepare for, respond to and deal with the consequences of the information security incidents that are likely to happen.

An Information Security Management System (ISMS) helps determine how information is processed, stored, transferred, archived and destroyed. A secure ISMS is one which ensures:
  • Confidentiality: only those who are authorized to see the information have access to it.
  • Integrity: the accuracy and completeness of information are safeguarded by robust sourcing, processing, updating and storage processes.
  • Availability: authorized users have access to information and associated assets, in the required forms, when they need it.

Key clauses of ISO 27001:2022

What does the new ISO 27001:2022 standard look like?

Clause 4 – Context of the organization

The standard requires that an organization evaluate and account for all internal and external factors that could affect its ability to successfully implement an ISMS. Such factors could include formal governance policies, contractual and legal obligations, regulatory requirements, environmental conditions and organizational culture.

Clause 5 – Leadership

This clause of the standard requires an organization’s senior management to establish an information security policy, to provide overall leadership by assigning responsibility and authority to implement that policy, and to actively promote an organization-wide understanding of the importance of information security.

Clause 6 – Planning

The planning clause involves assessing an organization’s specific risks regarding information security and developing a treatment plan to address those risks. This clause references Annex A for possible risk control mechanisms to be considered, but an organization is ultimately responsible for the determination of the specific controls necessary to address the risks it identifies.

Clause 7 – Support

The standard requires an organization to provide the necessary resources to establish, implement, maintain and continually improve its ISMS. It also requires the development and control of documented information about the ISMS.

Clause 8 – Operation

This clause addresses the execution of the policies, practices and processes that are covered in the earlier clauses, and the requirement to maintain suitable records that document the results. It also stipulates the conduct of performance assessments at planned intervals.

Clause 9 – Performance evaluation

Under the performance evaluation requirements of this clause, an organization must monitor, measure, analyze and evaluate its ISMS at planned intervals to assess its suitability and effectiveness.

Clause 10 – Improvement

This final clause embraces the concept of continual improvement and the importance of identifying nonconformities, and taking corrective action to improve the effectiveness of the ISMS.

Documented information

The requirements for documented information are spread throughout the standard. However, in summary they are:
Clause   Documented information required
4.3      Scope of the ISMS
5.2      Information security policy
6.1.2    Information security risk assessment process
6.1.3    Information security risk treatment process
6.1.3d   Statement of Applicability
6.2      Information security objectives
7.2d     Evidence of competence
7.5.1b   Documented information determined by the organization as being necessary for the effectiveness of the ISMS
8.1      Operational planning and control
8.2      Results of the information security risk assessments
8.3      Results of the information security risk treatment
9.1      Evidence of the monitoring and measurement results
9.2g     Evidence of the audit programme(s) and the audit results
9.3      Evidence of the results of management reviews
10.1f    Evidence of the nature of the nonconformities and any subsequent actions taken
10.1g    Evidence of the results of any corrective action

PDCA cycle

Here is how you can recognize the PDCA cycle in the structure of ISO standards:

PLAN

Before you start implementing anything, you should know exactly what you really need, and exactly what it is you want to achieve (objectives) – this is the Plan phase.
Clauses 4 Context of the organization, 5 Leadership, 6 Planning, and 7 Support are nothing but the Plan phase.

DO

Once you know what you want to achieve, you can start implementing your information security, business continuity, quality procedures, or whatever the ISO standard is focused on – this is the Do phase.
Clause 8 Operation speaks about the Do phase.

CHECK

However, the whole effort does not stop here – you want to make sure you have achieved what you have planned for, so you need to monitor your system and measure if you achieved your objectives – this is the Check phase.
Clause 9 Performance evaluation is, of course, the Check phase.

ACT

Finally, if and when you realize that what you achieved is not what you have planned for, you have to fill the gap – this is called the Act phase.
Clause 10 Improvement is the Act phase.

Integration with other management systems

Link between ISO 27001:2022 and other standards

The same general requirements can ordinarily be identified in every management system. These requirements assist in:

  • Determining and applying objectives according to the organization’s habits and needs
  • Upholding the objectives based on strong management commitment by monitoring and reviewing
  • Documenting pertinent management system processes
  • Regular ‘health-checks’ via internal or external audits
  • Gaining benefits through continual improvement as achieved by a regular management review

In addition, the table below presents the general requirements of several standards, and also serves as a tool for comparing an ISMS with other management systems.

The following standards relate to information security:

  • OECD Principles (2002)
  • PCI-DSS - Payment Card Industry Data Security Standard (2004)
  • Basel II (2004)
  • COBIT – Control Objectives for Business and related Technology (1994+)
  • ITIL – Information Technology Infrastructure Library (1980+)

Link with ISO 22301 - Business continuity

The ISO 27001 International Standard is useful as part of the certification process against ISO 22301 (Business Continuity). The ISO 27001 objectives in clause A.14 (Business Continuity Management) can be used to comply with ISO 22301.

  • To implement and execute a risk assessment, an organization could refer to ISO/IEC 27005:2011, or in a broader context to ISO 31000:2009 – Risk management – Principles and guidelines.
  • To execute the assessment itself, an organization could refer to ISO 31010:2009 – Risk management – Risk assessment techniques.

Benefits

What are the benefits of ISO 27001?

Information Security Management System – the business benefits

The adoption of an effective quality management process within an organization will have benefits in a number of areas, examples of which include:


Systematic approach

ISO/IEC 27001 provides a formal, systematic approach to data security, increasing the level of protection of private and confidential information.

Reduced costs

By reducing the risk of security breaches, ISO/IEC 27001 certification can actually lower the total costs associated with IT security, as well as the costly consequences of data breaches.

Regulatory compliance

An ISO/IEC 27001-certified ISMS can help an organization meet the legal and regulatory requirements applicable in many jurisdictions, as well as contractual requirements for doing business with other entities.

Market advantage

Organizations that have received ISO/IEC 27001 certification clearly signal their commitment to the security of confidential information, and can enjoy an important advantage in the marketplace over non-certified competitors.

Certification steps

Certification of organizations

The usual path for an organization that wishes to be certified against ISO 27001 is the following:

1. Implementation of the management system:

Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.

2. Internal audit and review by top management:

Before a management system can be certified, it must have had at least one internal audit report and one management review.

3. Selection of the certification body (registrar):

Each organization can select the certification body (registrar) of its choice.

4. Pre-assessment audit (optional):

An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.

5. Stage 1 audit:

A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.

6. Stage 2 audit (On-site visit):

The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives. Stage 2 takes place at the organization’s site(s) where the management system is implemented.

7. Follow-up audit (optional):

If the auditee has non-conformities that require additional audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non-conformities (usually one day).

8. Confirmation of registration:

If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.

9. Continual improvement and surveillance audits:

Once an organization is registered, surveillance activities are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow verifying the conformity of the certified client’s management system, and can also include investigations following a complaint, review of a website, a written request for follow-up, etc.

Stay in touch

Gabriel Registrar

Contact us to learn more about the ISO 27001:2022 Information Security Management System.