ISO 27001 Certification

The topic of "Information Security" is becoming increasingly urgent for companies in the course of digital transformation. Without sufficient security precautions, there is a risk of data loss and data theft by hackers, of business breakdowns due to attacks via the web or misuse of data. One option for a structured approach is an Information Security Management System (ISMS) according to ISO 27001.

What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.

How does ISO 27001 Work?

Most organizations have some information security controls in place. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.

Security controls in operation typically address certain aspects of information technology (IT) or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.

Moreover, business continuity management and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that the management to:

• systematically evaluate the organization’s information security risks, taking into account the threats, vulnerabilities, and impacts;
• establish and implement a comprehensive suite of information security controls and risk treatment (such as risk avoidance, reduction, or transfer) to address those risks that are deemed unacceptable; and
• adopt a management process to ensure that the information security controls and residual risks meet the organization’s information security needs on a continuous basis.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

With EN ISO/IEC 27001:2017-06, a version coordinated by the European Committee for Standardization (CEN) has been published. It combines the two corrections (corrigenda) Cor 1:2014 and Cor 2:2015. The changes associated with the correction only include an improved description of the associated requirements, but no new, additional requirements. Certificates according to the ISO/IEC 27001:2013 version thus retain their validity.  The standard is currently under revision, the revised version is expected for the end of 2022.

The ISMS standard ISO 27001 applies worldwide. It provides companies of all sizes and industries with a framework for planning, implementing, and monitoring their information security. The requirements set out in ISO/IEC 27001:2013 or ISO/IEC 27001:2022 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

In reality, some may think that ISO 27001 can be applied to IT sector only, but it’s a misunderstanding. No doubt, a company in IT sector may be vulnerable to data leakage at a scalable size. Therefore, quite some companies in intensive IT operation have been the pioneers to go for ISO 27001 certification.

As time goes by, more and more companies in other industries realizes that the information security is no less important to them, so they are also going for Information Security Management System (ISMS) certification against ISO 27001.

Information surrounds us everywhere and is part of every process. Sometimes it may be inconsequential, but all too often it is critical and confidential. In order to make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an Information Security Management System (ISMS) according to ISO/IEC 27001 are based on this classification.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. In this context, ISO 27001 certification sends a strong signal to the market: namely, independent external evaluation and confirmation of the effectiveness of your ISMS.

The second edition of ISO/IEC 27001 dates back to 2013. Now, the internationally recognized standard for ISMS has been updated and republished in its third edition as ISO/IEC 27001:2022 on October 25, 2022. The revision is an inevitable consequence after ISO/IEC 27002, as the implementing guidance governing Annex A of ISO 27001, was comprehensively revised and published in February 2022. 

The transition period for existing ISO 27001 certificates is three years from the last day of the publication month of the new ISO/IEC 27001:2022, which means that all certificates according to ISO/IEC 27001:2013 must have been converted to the 2022  version of ISO 27001 by October 31, 2025, You can read about the new features of the ISO 27001 update in our article "The new ISO/IEC 27001:2022 - key changes". 

How to use ISO 27001?

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

Certification to ISO 27001 ISMS

Certification to ISO/IEC 27001 is adopted by more and more organizations in order to benefit from the best practice it contains to reassure customers and clients that its recommendations have been followed.

The official title of the ISO 27001 standard is “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001 has ten clauses and an annex, including:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system’s performance
10. Corrective action

• Annex A: List of controls and their objectives

The introduction of an ISMS according to ISO/IEC 27001 is a strategic decision for your company. The fulfillment of the standard's deliberately general requirements must reflect the specific situation of the company. Implementation in your company depends on the needs and goals, the security requirements and the organizational processes, as well as the size and structure of the company.

Annex A of ISO 27001, which is to be used in connection with section 6.1.3 on the basis of company-specific risk analyses, is particularly valuable in practice. The information security controls listed in Annex A are directly derived from and aligned with the measures listed in the current ISO 27002, Sections 5 to 8. 

Previously, Annex A of ISO/IEC 27001:2013 included a total of 114 controls to address information security risks, subdivided into 14 sections and 35 control objectives. In the new ISO/IEC 27001:2022-10, Annex A now contains 93 controls on relevant security aspects, which are assigned to 4 topic areas.

The consistent alignment of company processes with ISO 27001 has been proven to lead to a number of benefits:

• Continuous improvement of the security level
• Reduction of existing risks
• Adherence to compliance requirements
• Greater awareness among employees
• Increased customer satisfaction

Internal audits and management reviews with the participation of top management are the internal levers for achieving this.

Other positive aspects are that interested parties such as supervisory authorities, insurance companies, banks, partner companies build up a higher level of trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and subscribes to continuous improvement (CIP), making it more resistant to unwanted influences.

The international standard ISO/IEC 27001 can also be implemented, operated and certified, either integrated with or independently of, other management systems such as ISO 9001 (quality management) .

In order to certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates topics related to conformity assessment, specifically requirements for inspection bodies that audit and certify management systems.

In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with in order to certify an ISMS according to ISO 27001.

These include:

• Evidence of specified audit effort
• Requirements for the qualification of auditors.

DQS is accredited by the national accreditation bodies ANAB and DAkkS and therefore authorized to perform audits and certifications according to ISO 27001.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They have many years of experience in the assessment of information security management systems in various industries.

Relation with ISO 27701:2019 for Privacy Information Management

ISO 27701:2019 is an extension to ISO 27001 and ISO 27002 for privacy information management.

If personal data management is important to your business, you may consider to go for ISO 27701 PIMS certification together with ISO 27001 ISMS certification, to address the significant risks and challenges from a large number of privacy information related regulations, like GDPR of EU, CPRA of USA, PDPO of HK, and PIPL of Mainland China.

• ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organization.
• ISO 27002 is an international standard used as a reference for selecting and implementing information security controls listed in Annex A of ISO 27001. It is used as a reference and guidance on the best practices of information security management helping organizations in implementing the requirements and controls of ISO 27001.
• An organization can get a certification against ISO 27001, but not against ISO 27002.

ISO 27002 was updated on Feb 15, 2022. The number of information security controls decrease from 114 controls to 93 controls, covered in 4 sections instead of 14 sections in former version.

• Organizational controls (clause 5)
• People controls (clause 6)
• Physical controls (clause 7)
• Technological controls (clause 8)

Merged Controls

No controls in the previous version were excluded in ISO 27002:2022, but some of them are were merged.
For examples:

• Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security
  were merged into 5.1 Policies for information security.
• Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas
  were merged into 7.2 Physical entry.

New controls 

The ISO 27002:2022 introduced 11 new controls:

• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding

Two Annex are introduced to ISO 27002:2022:

• Annex A – Using attributes
• Annex B – Correspondence with ISO/IEC 27002:2013

Impact to ISO 27001 from ISO 27002:2022

An amendment to ISO 27001:2013 has been in progress. ISO 27001:2022 is expected to publish in 2022.

• The changes to ISO 27002:2022 will be reflected in Annex A of ISO 27001.
• The main part of ISO 27001 (i.e. Clauses 4 to 10) will remain no change.
• Number of controls decrease from 114 to 93.
• Controls are categorized into 4 sections instead of previous 14.
• There are 11 new controls, while none of the controls was deleted, and some controls were merged.

Similarities:

• Confidentiality, integrity and availability of data.
• Risk assessments.
• Breach notification.
• Access control.
• Data identification.

Differences:

• GDPR applies only to personal data, while ISO 27001 has a broader scope on the information.
• GDPR covers the right to be forgotten, data portability and the right to be informed about your personal data, which is not mandatory requirement in ISO 27001.

Interaction:

A management system based on ISO 27001 can support the achievement of compliance with GDPR.

Possible Solutions by the Organizations

• Arrange management and front-line employees to attend GDPR related training courses.
• Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
• Implement controls on outsourced processes
• Implement regular internal and external audits on operations.
• Improve the ISMS based on risk levels.

Even though the ISO 27001 audit is to be performed according to structured specifications, the cost depends on various factors, such as the complexity of your organization. Therefore, there can be no one-size-fits-all offer for any given company.

• More than 35 years of experience in the certification of management systems and processes
• Industry-experienced auditors and experts with strong technical knowledge
• Value-adding insights into your company
• Certificates with international acceptance
• Expertise and accreditations for all relevant standards
• Personal, smooth support from our specialists - regionally, nationally and internationally
• Individual offers with flexible contract terms and no hidden costs