New Paradigm Consulting - The Fresh Approach

Information Security Management Certification

ISO 27001:2022

20 December 2022

What is ISO 27001:2022?

ISO 27001:2022 is an internationally recognised standard that lays out the requirements an organisation must adhere to in order to demonstrate that its information is managed within a framework committed to continually reviewing and improving the security of that information.

It provides a list of 93 best practice controls that you can implement to improve the security of the information you manage. These controls are split into 4 key areas: People Controls, Organisational Controls, Technological Controls and Physical Controls.

The framework is commonly referred to as an Information Security Management System (ISMS). As ISO 27001:2022 is an internationally recognised standard, most information security management systems are based on its requirements.

The standard focuses on how your organisation:

  • Controls important documentation and records
  • Manages assets via which important information can be accessed, processed and transmitted
  • Manages information security processes in line with the 3 key principles of information security: Confidentiality, Integrity and Availability
  • Manages risks to information security
  • Manages the physical security of your premises
  • Trains and informs staff on information security best practice
  • Reviews internal processes and information security related problems
  • Manages your commitment to continual improvement of the ISMS.

New Paradigm Consulting specialises in streamlining management systems, and here is a tip to help you reduce some of the administration associated with meeting the requirements of ISO 27001:2022.

Many organisations that have already implemented an Information Security Management System certified against ISO 27001:2013 will be aware that the standard was updated and republished in October 2022. This means those organisations will be subject to a new set of audit criteria once the transition period is complete (expected to end in October 2025). After that point, all organisations will be audited against the requirements of ISO 27001:2022.

Until the transition period has been completed, organisations can still be audited against the requirements of ISO 27001:2013, but in the meantime it would be sensible to begin updating your system to meet the requirements of the updated standard.

Those organisations will be pleased to know that instead of having to demonstrate compliance with the 114 information security controls detailed in ISO 27001:2013, they will have to demonstrate compliance with 93 controls. The updated version has restructured the controls into 4 sections (Organisational Controls, People Controls, Physical Controls and Technological Controls), which should make the list easier to digest than the previous edition's 14 sections. Whilst there are fewer controls (as a number have been merged), some new requirements have been added (11 new controls), e.g. Control 5.7 – Threat Intelligence. So there is an opportunity to amalgamate some policies and processes and reduce the amount of administration required to maintain the system.

Please contact New Paradigm Consulting if you wish to begin this transition, and we can discuss other opportunities for streamlining your information security management system, with the emphasis on reducing the effort required to manage it.

Please contact us if you wish to implement a management system compliant with ISO 27001:2022 within your organisation.
