Certification of Information Security Management SystemsISO/IEC 27001:2022

What is the ISO/IEC 27001 standard?

At a time when more of us are digitally connected and working remotely than ever before, protecting your information security has never been more important. The ISO/IEC 27001 standard is the international standard for Information Security Management Systems (ISMS). It helps organisations proactively manage their information security risks and protect their information assets.

ISO/IEC 27001 requires organisations to adopt a risk based approach to the security of all information. ISO/IEC 27001 is not a prescriptive document, rather it is intended to enable organisations to ensure the security of information through the assessment and treatment of information security risks, documented in a Statement of Applicability.

The ISO/IEC 27001 standard provides a framework that helps organisations secure the confidentiality, integrity and availability of their information assets. That means that only authorised people can access and alter information, and they can access the information when they need it.

Adopting the standard helps you manage the security of all kinds of information, including financial information, employee details, intellectual property or information entrusted to you by third parties. It also helps you meet the information security requirements of regional laws such as the EU GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations.

TQCSI can recertify your existing Information Security Management System or help you become newly certified if you are implementing an ISMS for the first time (please see below regarding certifying or transitioning to ISO/IEC 27001:2022). Our team of auditors have extensive real-world experience combined with an in-depth knowledge of the ISO/IEC 27001 standard.

Benefits of ISO/IEC 27001 Certification

An Information Security Management System that is ISO/IEC 27001 certified demonstrates your commitment to protecting information that has been entrusted to you. Whether that be by your employees, suppliers, or partners. It also helps you manage risks to your information security and identify potential threats before they become serious.

The benefits of achieving ISO/IEC 27001 certification for your Information Security Management System are varied and include:

How to prepare for ISO/IEC 27001 Information Security Management Systems certification

To help you achieve your ISO/IEC 27001 certification with ease, we have prepared a checklist of items we'll be examining during your audit.

Transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022

ISO/IEC 27001:2022 was published in October 2022.  It is not a fully revised edition; the main changes are:

• Annex A references the controls in ISO/IEC 27002:2022, which includes the information of control title and control
• The notes of Clause 6.1.3.c are revised editorially, including deleting the control objectives and using “information security control” to replace “control”
• The wording of Clause 6.1.3.d is re-organized to remove potential ambiguity.

The number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. Of those, 11 controls are new, 24 are merged from the existing controls, and 58 are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.

Clients may apply to be audited and certified to the old Standard (ISO/IEC 27001:2013) until 30 April 2023, after which only applications against the new Standard (ISO/IEC 27001:2022) will be accepted. Clients may request to be audited and certified to the new Standard (ISO/IEC 27001:2022) from 1 November 2022.

All clients must be audited and certified to ISO/IEC 27001:2022 no later than three years following its publication (30 October 2022). No certification to ISO/IEC 27001:2013 is permitted after 30 October 2025.