Navigating ISO 27001:2022 and Maximising Cyber Security Compliance
By Alan Calder, Founder and Chief Executive Officer, GRC International Group and IT Governance
In the world of certification standards, ISO 27001 has emerged as a key player, albeit with fewer than 60,000 organisations certified worldwide as of December 2021. This is substantially fewer than more popular international standards such as ISO 9001, against which more than 1 million organisations across the globe have certified.
The rationale behind pursuing ISO 27001 revolves around its status as an international benchmark for an information security management system (ISMS). It entails receiving an impartial evaluation of whether an organisation adheres to information security best practices, culminating in – and proven by – independent certification. The certification bolsters the ability to assure customers that the organisation diligently follows those best practices, which can be pivotal in securing new business contracts and facilitating request for proposal (RFP) engagements. Instead of divulging sensitive information, organisations can simply provide a certificate number and its source, effectively addressing security queries in proposals.
This strategy has proven to be both cost-effective and efficient in winning business deals and retaining existing clients. Moreover, ISO 27001 certification can stand as a bulwark against potential financial penalties and losses stemming from security breaches or violations, enhancing the organisation’s credibility.
It is important to recognise that security breaches are indiscriminate, transcending organisational size and sector. ISO 27001’s purpose is to not just mitigate the risk of breaches, but also establish resilience against them by focusing on timely detection, recovery and maintenance of operational continuity. The reality is that no matter how well-protected you are, any organisation can be breached by a skilled and determined attacker. With that in mind, ISO 27001 certification demonstrates that your organisation, should it suffer an incident, can detect it quickly and recover from it effectively while continuing key business operations. This type of capability saves your organisation money and protects its reputation.
ISO 27001 does not solely pertain to information security risk management – it is a pragmatic conduit for demonstrating compliance with various business obligations, including legal, contractual and regulatory requirements. Certification provides a formidable competitive edge, positioning an organisation in the vanguard of cyber security. This can be invaluable in an era where data breaches are becoming increasingly common, causing businesses to falter and lose clients.
For those new to implementing ISO 27001, there are ten clauses in the Standard, as well as an annex:
- Clauses 1–3 expound on the Standard itself, covering scope, normative references, and terms and definitions. The remaining Clauses 4–10 delineate the concrete requirements for an effective ISMS.
- Clause 4 is dedicated to understanding the organisation’s context, i.e. the relevant internal and external issues, the relevant requirements of interested parties, and so on.
- Clause 5 concerns top management commitment, a top-level information security policy, and assigning roles and responsibilities.
- Clause 6 addresses risk assessment and treatment, information security objectives and planning changes.
- Clause 7 focuses on providing the necessary resources, ensuring the right competence, raising awareness, and developing a communications strategy and all necessary documentation.
- Clause 8 delves into translating the findings from Clause 6 into concrete actions.
- Clause 9 oversees monitoring, measurement, evaluation and management review of the ISMS. This includes conducting regular internal audits of the ISMS.
- Clause 10 focuses on continually improving the ISMS, and addressing nonconformities.
- Finally, Annex A lists the security controls, though without delving into their specifics; rather, it presents their purpose, allowing organisations to select applicable controls based on their risk assessment.
Preparing for certification – what to expect from your audit
Before embarking on the path to ISO 27001 certification, it is vital to comprehend the key expectations and requirements involved.
ISO 27001 employs specific terminology, notably the term ‘shall’ to establish its requirements. For instance, it prescribes that an organisation “shall conduct a risk assessment”. This signifies an obligation to conduct such an assessment. Similarly, it specifies that an organisation “shall formulate an information security policy”, indicating the mandatory nature of this requirement. Compliance with these requirements is the initial step.
Beyond complying with the mandatory provisions, there is a need to align with relevant legal, regulatory and contractual obligations pertaining to security. ISO 27001 seeks to ensure that organisations operate within a framework of compliance. For example, if a company processes payment cards, a contractual demand for adherence to the Payment Card Industry Data Security Standard (PCI DSS) may apply. Clients might also require conformity to ISO 27001 or Cyber Essentials. Such specifics must be acknowledged and documented as part of the process.
Demonstrating adherence to internally established policies and procedures within the ISMS is a third imperative. External auditors assess this when performing audits. They look for evidence of consistent and thorough compliance, not last-minute measures and afterthoughts. It is crucial to validate that chosen controls are applied effectively where relevant and operational. This extends to verifying that the risk treatment plan is executed as intended.
The internal audit role: assessing compliance internally
Internal audits serve as a prelude to the more comprehensive external audit process, thereby avoiding unnecessary expenditure. These assess whether the organisation has recognised contractual, legal and regulatory requirements and successfully implemented controls. Internal audits evaluate the efficacy of documented processes, the extent of compliance and whether actions align with established responsibilities.
Internal audits are a prescribed requirement of ISO 27001, serving as a strategic tool for enhanced compliance and performance. Though they can be managed internally, independence and impartiality are essential.
The significance of management reviews
Management reviews are another compulsory component of the ISO 27001 framework. They encompass an evaluation of various specified elements, including the outcomes of internal audits, breach details and the functioning of the management system. Management reviews facilitate an informed assessment of the system’s adequacy and identify any necessary adaptations.
External auditors usually require evidence of internal audits and management reviews before certification audits. These reviews affirm that the management system is operational and responsive to required standards. Flexibility is key and conducting a management review outside the standard schedule, if needed, demonstrates dedication to compliance.
External audits: ensuring compliance and improvement
External audits are essential for evaluating compliance against the Standard. Auditors scrutinise adherence to the Standard’s requirements, looking for evidence of conformity. Any nonconformities are recorded and subject to corrective actions. Audits should be embraced as an opportunity to enhance the ISMS, rather than a mere compliance hurdle.
The external audit process encompasses initial certification followed by regular surveillance audits. These audits scrutinise different facets of the management system, culminating in a comprehensive review at the end of a three-year cycle. A recertification audit occurs at this point, with a focus on the management system’s practical application.
Guidelines for a smooth transition to ISO 27001:2022
What if you are transitioning from the 2013 edition to the 2022 edition of ISO 27001? In the nine years since ISO 27001:2013 was published, changes have occurred, yet the core management system standard remains intact. Clauses 4 to 10 saw minor revisions. The most significant change lies in Annex A, a roster of controls from ISO 27002. The 2013 version contained 114 controls from ISO 27002:2013, whereas the 2022 version has 97. ISO 27002:2022 introduces new control structures and consolidates some controls, resulting in fewer controls but broader risk coverage.
Organisations with ISO 27001:2013 ISMS certification must adopt ISO 27001:2022 by 31 October 2025. However, per revised IAF guidance, certification bodies must cease (re)certification against the 2013 standard by 30 April 2024, potentially allowing less time for ISO 27001:2022 transition.
Moreover, even if an ISMS gains ISO 27001:2013 recertification by 30 April 2024, the certificate will still expire on 31 October 2025, so such certificates will carry less than the usual three-year validity.
Transitional steps to consider
Start with a gap analysis, addressing Clause 6’s requirement for planned management system changes. Next, update staff training comprehensively, covering alterations in Clauses 4 to 10 and control changes. Ensure staff training reaches affected employees before the transition audit. Focus on the internal auditor and management review processes. Conduct internal audits specifically for management system and control changes. Perform an interim management review before the transition audit. Analyse the efficacy of new controls implemented before the transition audit.
Prioritise updating your risk assessment, especially after significant environmental changes or annually. By addressing emerging risks and adjusting controls, you reinforce risk management. Align the risk treatment plan with the internal management review, connecting the risk assessment, applicability statement and risk treatment plan.
Fortify incident response capabilities. Your workforce needs vigilance against convincing phishing and voice scams, safeguarding against fraud. Verify the functionality of incident response and continuity processes and communicate your ISO 27001 certification’s data protection commitment.
Elevate your risk assessment
Update your methodology when updating your risk assessment, ensuring compliance with the latest ISO 27001 version. Always deploy current standards across your management system. Distinguish between controls mandated by regulations and those selected to mitigate risks. With ISO 27002 as a reference, optimise control application and classification. Consider implementing additional standards such as ISO 27701, ISO 27017 or ISO 27018 to further improve security and strengthen your competitive edge.
Enhancing the ISMS and adapting to changing threats
Establish a continual improvement cycle, often denoted as ‘plan, do, check, act’. Review risks regularly – ideally quarterly – and align with external risk advisories. Document your processes, highlighting changes in risk assessment and control modifications. In the rapidly evolving cyber crime landscape, anticipate and outpace threats. Foster staff involvement to uncover vulnerabilities and learn from incidents. Cyber security incidents necessitate transparency and post-incident preventive actions. By enhancing your ISMS consistently, you lay a solid foundation for recertification.
The UK GDPR continues to apply, and alterations to the EU GDPR impose restrictions on data exports. For instance, the Digital Operational Resilience Act (DORA) in the EU impacts those offering information and communication technology services to the EU’s financial sector. The cyber security realm also involves SEC regulations and other, emerging frameworks. Recent data suggests that numerous small and medium-sized enterprises must now adhere to at least six distinct cyber security frameworks; some regulatory, others requested.
Achieving this economically through traditional paper-based methods or spreadsheets can be a major challenge. If the custodian of information security shifts roles or departs, the transition can become even more cumbersome as paper records are tracked down and spreadsheets updated.
Maximising the benefits of the CyberComply platform
Increasingly, organisations turn to comprehensive platforms like CyberComply. It offers an all-inclusive suite of services encompassing risk assessment, documentation management, incident response, GDPR compliance and centralised updates. This ensures a consistent approach, regardless of changes in information security leadership. Instead of overhauling security practices, a new appointee can seamlessly access CyberComply, readying them to embark on tasks without delay. In a dynamic landscape where cyber mandates rapidly shift, CyberComply maintains a cost-effective approach to ISO 27001 maintenance and development.
Our ISO 27001:2022 transition solutions
IT Governance has an array of accessible ISO 27001 solutions. Our offerings encompass internationally recognised, certified ISO 27001 Practitioner, Lead Implementer and Auditor training.
For those with Lead Implementer or Lead Auditor certifications, a concise one-day transition course is available. This course ensures that your credentials remain up to date and reflect your competency in implementing the 2022 standard. Additionally, IT Governance is an IECS distributor, so you can procure copies of the Standard from us directly.
We can also help you implement your management system. Our services range from comprehensive guides with basic support to executing most of the work on your behalf. We also provide an assortment of books, software tools and staff awareness training.