Transition to ISO 27001 2022

The way organisations are expected to handle information security has undergone several significant changes in the years leading to the release of the latest version of ISO 27001 in October 2022.

The Standard was last updated almost 10 years ago, meaning the introduction of ISO 27001:2022 has been long overdue and much awaited.

To account for those developments, the new version of the Standard contains a handful of changes. For example, Annex A now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives. Additionally, it uses terminology that is consistent with other ISO management system standards.

Organisations that have ISO 27001:2013 certification or are working toward certification won’t be immediately impacted by the introduction of ISO 27001:2022.

There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes. However, it’s never a good idea to wait until the last minute to start planning. Since implementation will take several months, it’s important to be aware of your responsibilities as soon as possible.

Read the Standard for yourself to get started. You can purchase a digital copy of ISO 27001:2022 from our website. To determine what changes you’ll need to make, we advise comparing the revised version to the 2013 edition and your present compliance procedures.

If you’re unsure how to proceed, our team of experts is here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.

How IT Governance can help you

Using our Certified ISO 27001 ISMS Foundation training course, you can learn the essential procedures for putting an ISO 27001:2022 ISMS into practice. With our ISO 27001 Implementation Consultancy service, you can fully benefit from IT Governance’s experience and expertise to see you through, from project setup through accreditation and beyond, ensuring that your staff gain the skills they need to continue managing your ISMS beyond certification.

What Is Cyber Essentials Plus?

As its name suggests, Cyber Essentials is an essential certification to have. Cyber Essentials helps your organisation guard against cyber attacks. It is a government-backed scheme that encourages organisations to adopt good practice when it comes to cyber security. It is operated by the National Cyber Security Centre (NCSC), and whatever your company size, you can be accredited. The certification, once completed, shows your customers and authorities that you have implemented recognised practices and tools to safeguard your business.

Cyber Essentials Plus is an expansion of Cyber Essentials and includes an audit of the company’s IT systems. The key elements are:

• An audit of a sample number of your computers will first be conducted. This is to ensure devices are configured

• A vulnerability scan will be performed on the sample of computers. This is to ensure basic configuration is at an acceptable level.

• An external port scan of your company’s internet-facing IP addresses will be carried out to ensure no obvious misconfigurations or vulnerabilities can be identified.

• Tests are conducted on the default email/intranet browser to confirm its configuration. This is to prevent execution of fake malicious files.

• Screenshots are also taken to prove the system is Cyber Essentials compliant.

A certificate will be provided upon successful completion of the Plus scheme. The standard 12-month validation is provided, and companies can therefore start advertising the Cyber Essentials logo on their website. To apply for Cyber Essentials Plus, a company must already have a Cyber Essentials certification three months prior to applying.

Visit the Partner offers page on the Chamber website to find out more about Chamber Cyber Essentials.