ISO 27001:2022 is one of the fastest-growing certifications worldwide, considered a way for organizations to demonstrate their commitment to information security. It protects the integrity, confidentiality, and availability of any business data, as well as instilling confidence in clients.
However, many questions still arise about ISO 27001, and today we will help you with this comprehensive guide.
What is ISO 27001:2022 certification?
ISO 27001:2022 was officially created in 2005. It is an international standard that deals with an organization’s Information Security Management System (ISMS), and we were using version 2013 until the recent update to version 2022.
The standard helps organizations identify, analyze, and implement specific and necessary controls to perform certain risk management, defining actions that can help prevent security breaches.
Every ISO certification is based on the PDCA cycle – Plan, Do, Check, Act, which means plan, execute, verify, and act. This cycle helps to identify an organization’s problems, think about solutions, and put them into practice, always seeking improvement.
How to obtain ISO 27001 certification?
To obtain ISO 27001:2022 certification, the company must implement the requirements established in the standard, so you have two possibilities:
- Hire a specialized consultancy to carry out this process with your company;
- Hire or train someone in internal auditor or leader courses in ISO 27001:2022.
After implementation, you must perform an internal audit to verify if the company is ready for a certification audit. If the answer is positive, it is time to hire a certification body, such as QMS, to conduct the certification audit.
After the audit, it is necessary to maintain continuous improvement, ensuring that all processes are constantly evaluated and risks monitored. As previously mentioned, the ISO standard should use the PDCA cycle to function.
How much does ISO 27001 certification cost?
The cost of certification is not fixed, but is calculated based on various factors, such as the number of areas involved in the process, the complexity of the certification scope, and whether it involves more than one audit location, among others.
However, it is important to emphasize that having ISO 27001 certification, one of the fastest-growing certifications worldwide, is a significant differentiator for the company. It is essential for clients who only hire suppliers who have established certification as a hiring prerequisite, such as Microsoft, as well as to facilitate compliance with regulations such as GDPR. It is worth noting that the standard has an extension, ISO 27701, which deals only with personal data.
Who performs ISO 27001 certification?
Only certification bodies are authorized to certify companies to the ISO 27001 standard. Individuals do not have this authority, and we’ll explain why. Here, we’ll discuss a more technical issue, but it’s important for you to know when hiring a certification body.
There is a hierarchy in the certification universe:
- IAF: determines which bodies can accredit certification bodies;
- Accreditors: accredit certification bodies;
- Certification Bodies: certify companies.
In other words, QMS is audited by IAS to certify ISO 27001 for your company, and IAS is audited by IAF.
In summary, whenever you hire a certification body, ask which accrediting body it belongs to. You can check the updated list of global accreditors on the IAF website.
What is the average time to obtain ISO 27001 certification?
Just as the cost is not fixed, neither is the average time.
Like any project, the time it will take to complete is calculated through a series of factors such as:
- How many people are involved in the process?
- Is the company dedicated to implementation?
- Will it need to make many changes? Are these changes complex?
Here at QMS, we have already certified companies that have implemented the standard in 6 months and others in 18 months, but one thing we can say is that the more committed top management is, the faster the process will be.
Top management directly impacts the determination of financial resources, people, and especially time.
What is the guarantee of ISO 27001 certification?
A company that has the ISO 27001 seal makes it clear that the organization is committed to information security, its internal data, and also its customers. In other words, credibility is always the biggest advantage.
What you need to know about the update of ISO 27001:2022
At the end of 2022, ISO 27001:2022 was published. Companies that are already certified are required to transition to the new version of the standard by the end of 2025. The main changes are:
Requirement 4.2 – Understanding the needs and expectations of interested parties
An item “c)” was added so that the organization, when determining the relevant requirements of interested parties, determines which of these requirements will be addressed in the Information Security Management System (ISMS).
Requirement 6.1.3 – Treatment of information security risks
The first part of Note 2 was changed to “Annex A contains a list of possible information security controls,” with the intention of making it clear that it is up to the organization to evaluate the applicability according to its scope and assessed risks.
The first sentence of Note 3 was deleted: “Control objectives are implicitly included in the chosen controls,” and in the second part of the same note, the term “control objectives” was also deleted.
Requirement 6.3 – Change Management
An additional requirement was created to maintain alignment with other ISO management standards that have this same requirement.
Requirement 9.3 – Management Review
The requirement was organized into 3 subclauses to make the process of management review and its expected results clear, as follows:
3.1 – General;
Added subclause “c)” to consider changes in the needs and expectations of interested parties as an input to management review.
3.2 – Inputs to management review;
3.3 – Outputs of management review.
Annex A
The structure of Annex A has been modified from 14 groups to just 4. It has also changed from 114 controls to 93. However, there were no exclusions of controls, they were only renamed, grouped, maintained, and new ones were also added. The structure is now as follows:
- Organizational Controls: 37 controls – group A.5;
- Personnel Controls: 8 controls – group A.6;
- Physical Controls: 14 controls – group A.7;
- Technological Controls: 34 controls – group A.8.
The new controls are:
Organizational
5.7 – Threat intelligence;
5.23 – Information security for cloud service use;
5.30 – ICT readiness for business continuity.
Physical
7.4 – Physical security monitoring.
Technological
8.9 – Configuration management;
8.10 – Information exclusion;
8.11 – Data masking;
8.12 – Data leak prevention;
8.16 – Activity monitoring;
8.23 – Web filtering;
8.28 – Secure coding.
SOURCE: ISO/IEC 27001:2022
How to transition to the updated standard
Here are 4 simple steps for companies that are already certified in ISO 27001 to transition to the updated standard.
Step 1: Purchase the ISO 27001:2022 standard and train your team and/or trainers. You can consult what Q Academy has available in this standard and which option is best for you.
Step 2: Conduct an internal gap analysis and review your risk analysis.
Step 3: Implement changes (Statement of Applicability – SoA), conduct an internal audit, and review the Management System.
Step 4: Request the transition in your maintenance or recertification audit.
Deadline for transition to ISO 27001:2022
- Initial or recertification certifications will only be conducted on the updated version until October 25, 2023;
- Maintenance audits can still be conducted according to ISO 27001:2013;
- Organizations can already request transfer audits to the 2022 version starting today;
In 2024, organizations should prioritize transition audits to the 2022 version and all new certifications and recertifications will be conducted in the new version;
Deadline for the transition period: April 25, 2025.
Make the transition with QMS Certification
These are all the changes, both in terms of requirements and Annex A. For the transition, additional audit days will be added (calculated for each organization).
At the time of the audit, the responsible auditor will verify the changes made, the SoA, the controls, and the risk assessment to determine if the organization is ready to transition to the ISO 27001:2022 standard.