ISO 27001:2022 is the internationally recognized standard for Information Security Management Systems (ISMS).
This standard covers the requirements for applying appropriate controls to ensure the protection of information assets.
As a family of standards, the ISMS standards are intended to assist organizations of all types and sizes to implement and operate an ISMS.
The ISMS family of standards consists of the following:
The two standards in the ‘Requirements’ swimlane specify requirements; the others offer guidance. However, among the latter, the more important are ISO 27005 and ISO 27002.
The purpose of the Standard is to provide a framework for an organization to develop a management system that will control the risks associated with information and data to a high level of confidence.
Note carefully that this Standard does not deal with Information Technology (computerized data) alone. Data in all shapes and forms and the physical resources (the premises) used to protect them are included.
The Standard requires that management:
Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts (PLAN);
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable (DO) and
Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis (CHECK & ACT).
What is ISO 27001:2022?
ISO 27001:2022 is the latest version of ISO 27001, the Information Security Standard. It replaced the previous version, ISO 27001:2013.
How does ISO 27001:2022 Compare with ISO 27001:2013?
Many commentators in recent months have characterized the changes to ISO 27001 as ‘minor’, suggesting that little time will need to be devoted to implementing the necessary changes. We do not agree.
For the vast majority of organizations, a formal Migration Project will be needed if they are to get it right at the first attempt. When auditing your organization for the first time against the new Standard it is the changes that the CB Auditors will naturally focus on. So, you’d better be prepared.
What changes were introduced in ISO 27001:2022?
1. Changes to the Standard’s Text
To begin with, the Standard has a new title to emphasize that IT security alone is not the issue. It is now called ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
Since the last version of the standard was published in 2013, information and communication technology (ICT) and the way we do business have changed enormously. Today we all expect instant access to information, and we have expectations of higher individual and corporate performance while we deal with more complex supply chains and operate in a global economy.
ISO 27001:2022 has been revised to take these changes into account and to address two areas of vulnerability that were often overlooked previously, especially by ICT-focused businesses. These are People Controls and Physical Controls.
Overall, the main changes in ISO/IEC 27001:2022 are:
Annex A references to the Controls detailed in ISO/IEC 27002:2022, which includes the control title and the control;
The note in Clause 6.1.3 c) is revised editorially, including deleting the “control objectives” and replacing “information security control” with “control”;
The wording of Clause 6.1.3 d) is revised to provide clarity and eliminate ambiguity.
You may have read that the changes to the Standard text will be limited to Clause 6.1.3. Not so!
There are many small changes throughout the Standard that will need to be carefully considered and acted upon. Let’s take two examples …
Clause 4.2 Understanding the needs and expectations of interested parties: Part c) has now been added and states – ‘c) which of these requirements will be addressed through the information security management system.’ Under the 2013 standard, many organizations provided a list of interested parties without further detail. This will no longer be enough: under the 2022 standard it will be necessary to identify and specify the needs, and then provide evidence of how the ISMS has addressed and satisfied these needs and expectations.
Clause 4.4 Information security management system: The following text has been added, ‘including the processes needed and their interactions.’ These are not the processes you may have in your ISO 9001 QMS which relate to operations and are often couched in very general terms. Here what will be required will be an analysis of the processes for the handling, storage, protection, etc., of all kinds of information used by the organization. It is doubtful if more than, say, 5% of organizations currently certified to ISO 27001 have done an adequate job here. Many will have documented IT processes but not the management of hardcopy data, premises, physical assets and the like.
2. Changes to Annex A – a radical restructuring?
The description of the changes above conceals the fact that Annex A has been completely restructured, and the companion standard, ISO 27002, has been massively expanded and can no longer be ignored (if for no other reason than your Certification Body Auditor will not be ignoring it).
The most significant change is, therefore, the organization of the 93 Controls into four domains (or Chapters), namely …
Chapter 5 – Organizational (if they do not fall under any other domain)
Chapter 6 – People (if they concern individual people)
Chapter 7 – Physical (if they concern physical objects)
Chapter 8 – Technological (if they concern technology)
The 2013 version had 114 Controls in 14 Domains, so organizations will require a complete restructuring of their Statement of Applicability with knock-on effects to their risk assessment, risk treatment documentation, etc. Additionally, new Controls regarding People and Physical domain requirements are likely and will require time, finances and other resources.
3. A 3-year Transition Period
No surprises here. The usual idle talk of a 2-year transition has proved false.
Certification Bodies must complete the transition to the new Standard within 36 months, that is, by the end of October 2025.
Certification Bodies must audit all new registrations against the new Standard within 12 months, that is, by the end of October 2023.
Currently certified organizations can expect their Certification Body to switch to the new Standard at the end of the current 3-year certification cycle. And there’s nothing in the 2022 Standard to justify increased certification fees!
What is the difference between ISO 27001 and ISO 27005?
ISO 27005 provides the framework for managing risk so that you can customize your methods to suit your individual needs. ISO 27001 is intended to be applied to all types of organizations, and there is no ‘one size fits all’ approach upon which to depend. You need to use an approach specific to each economic sector to achieve maximum benefit.
The involvement of your (proposed) Information Security Team in developing an information risk management framework (as guided by ISO 27005) from the outset is a great way to get buy-in and commitment to your ISO 27001 Project. Don’t ignore this Standard, please.
Who should study ISO 27005?
ISO 27005 (also known as IEC 27005) will be, or should be, of particular interest to:
IT Managers and those who implement and maintain an ISMS for their organization,
Consultants and Advisers who develop, implement, and maintain ISMSs, and
Lead Auditors who wish for a deeper understanding of how risk should be addressed in an ISMS.
Those expecting to find techniques and methods for managing risk will be disappointed as ISO 27005 focuses on the issues and the thinking that should precede the selection of risk management tools and methods (you’ll find that in our ISO 27001 training). The best choice for risk management tools and methods remains IEC 31010:2019 Risk Management – Risk assessment techniques. With 40+ useful tools explained with examples, this is the ‘Gold Standard’ for risk management.
Who should study ISO 27001?
ISO 27001 is for you if you:
are required to perform internal audits within your organization
are required to perform supplier audits
wish to conduct external audits for other organizations
wish to develop and implement an information security management system for your organization
What is an Information Security Management System?
An ISMS is a systematic and formal approach consisting of processes, technology, and people that enables an organization to protect and manage its information assets, physical and virtual, through effective risk management.
It is designed to achieve business goals while managing risks based on risk assessment and the organization’s risk acceptance levels.
What is the Purpose of an Information Security Management System?
An ISMS helps coordinate and direct an organization’s attention to assuring the adequacy of controls against information security threats and, using Annex A of the Standard, to ensure that all commonplace vulnerabilities have been addressed.
Who needs an Information Security Management System?
Whether you realize it or not, you already have an informal ISMS. You back up your computer data, don’t you? You ensure that strangers can’t enter and walk about your premises. Do you check the backgrounds of potential recruits before you employ them? And so on.
You have many information security controls already in place. But the critical question is, are your current IS Controls enough to prevent all but the most technically advanced crypto criminals from breaching your cyber defenses?
You are most unlikely to be adequately protected without applying the rigorous requirements of ISO 27001 and applicable supplements.
Just think for a moment about what you would do if you arrived at work tomorrow morning to find a ransom demand on every screen, all your data encrypted, and unless you pay up immediately, you’re out of business.
What are the benefits of a formal Information Security Management System?
Recognized reputation as a security-conscious organization. Even more, you have an internationally recognized certificate to prove it.
Awareness at all levels and functions within the organization. Everyone in the organization must be aware of the existential threat that data theft poses (e.g., through phishing) to the business, and of their individual responsibility in protecting that information.
Awareness that information security also means protecting physical assets. This awareness covers practices in the workplace, personal behavior, working from home, etc., and is not just about computer systems.
Satisfaction at the Board level. Members of the organization can rest assured that information assets are being properly cared for.
Satisfaction for Suppliers and Customers. Both suppliers and customers can be reassured that their information assets and/or intellectual property are being professionally protected (your customers will be aware that attack through their Suppliers’ ICT systems is a well-known vulnerability).
Objective evidence for Senior Management, the C-Suite. With the help of independent auditing, senior management can be assured that information security policies are being adequately implemented.
The reassurance that Information Security processes are in place. This will help ensure that the organization learns from its mistakes and that such errors and breaches occur only once.
Reduced risk of data loss and reputational damage. This can be achieved by having a robust and tested ISMS implemented and maintained that is suited to the vulnerabilities and threats the business faces.
A larger pool of qualified candidates applying to work with your business. Attracting top talents to your organization is much easier when you have an excellent reputation.
Reduced absenteeism and employee turnover rates. Employees have objective reasons to feel secure in their jobs and to value them.
Improved ability to respond to regulatory compliance issues. With an enhanced relationship with GDPR and other personal data regulatory authorities, you don’t have to be on edge whenever new rules or guidelines get announced.
Reduced cost of security incidents. You have a system in place to investigate them and to take formal action to prevent their recurrence.
Reduced downtime and the costs of disruption to operations. Thanks to fewer information security incidents, issues can be dealt with systematically and efficiently.
Reduced cost of insurance premiums. This is because insurance companies recognize that certified businesses make fewer and less costly claims.
Peer recognition for having achieved an international benchmark. This, in turn, influences current and potential customers who are concerned about their intellectual property security.
Improved scoring in pre-tender documents. This helps ensure that your organization gets a chance to compete with established businesses (especially true for public sector organizations).
Reduced fines if prosecuted. Your Certification constitutes objective evidence to a court of the seriousness with which information security is treated.
Improved Management control. This covers all forms of business data and information.
A formalized approach to continual improvement. When it comes to information security performance, consistency is vital.
Continual review of the ISMS. Ensuring that the ISMS is aligned with the business’s strategic plan is essential.
What is ISO 27001 Certification?
An ISO 27001 Certificate is recognition from a Certification Body – CAB (usually an accredited Certification Body) that an organization has implemented and is maintaining an information security management system that meets the requirements of ISO 27001:2022.
Do You Need ISO 27001 Certification?
Yes and No. In many cases, ISO 27001 Certification is not mandatory. Still, it can be a useful tool to add credibility by demonstrating that you manage business information securely suited to your customers’ expectations.
For some industries, Certification is a legal or contractual requirement. In other cases, an SLA (Service Level Agreement) will specify information security requirements.
Who can benefit from ISO 27001 Certification?
Organizations globally, in both the public and private spheres and from every economic sector, can benefit from maintaining an ISO 27001-compliant Information Security Management System (ISMS) across their entire supply chain.
What are the Benefits of Having ISO 27001 Certification?
Satisfy the security requirements of customers and other stakeholders.
Improve an organization’s plans and activities.
Meet the organization’s information security objectives.
Comply with regulations, legislation, and industry mandates.
Manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and the environment.
Furthermore, the independent Certification involved in ISO 27001 Certification will permit an organization to:
Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis.
Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness.
Continually improve its control environment.
Effectively achieve legal and regulatory compliance.
Improve management performance, as less time is spent apologizing to customers and managing the unnecessary repetition of work.
How to Get an ISO 27001 Certificate?
Certificates are issued by CABs after they have gone through an ISO Certification process. This process is based on a comprehensive 2-stage audit (itself based on the auditing standard, ISO 19011), which involves a documentation review and an independent on-site audit.
The CAB gathers and documents objective evidence of compliance with the requirements of ISO 27001. After the CAB has confirmed that all the requirements of the Standard have been implemented and are being maintained, a Certificate is issued as is permission to use logos to publicize the fact.
There are two stages in securing ISO 27001 Certification:
Stage 1. Develop, implement, and maintain a suitable ISMS for your organization: Our Infographic shown here nicely illustrates the multi-step process of preparing for Certification (click on the infographic image to get a copy for yourself). Whichever of the three approaches you choose (or variants thereof), you will benefit from our ISO 27001 Lead Implementer Course in managing and directing your ISO 27001 Project.
Stage 2. Engage the services of a CAB to undertake the necessary evaluations and audits: When choosing a certification body, you should:
• Evaluate several certification bodies.
• Check if the certification body auditing activities include ISO 27001:2022.
• Check if it is accredited. Accreditation is not compulsory, and non-accreditation does not necessarily mean it is not reputable, but it does provide independent confirmation of competence. To find an accredited certification body, contact the national accreditation body in your country or visit the International Accreditation Forum.
Note: the terms certification and accreditation cannot be used interchangeably, though it is not uncommon to do so. The differences between Certification and Accreditation are as follows:
Certification – the provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements.
Accreditation – the formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards.
As every organization has information of value and is, therefore, a target for cyber-criminals, ISO 27001 is relevant and globally applicable to all kinds of organizations. Also, by implementing an Information Security Management System (ISMS) based on ISO 27001, it is easy to accommodate and demonstrate compliance with the requirements of GDPR, SOC 2 and other regulations and codes of practice, as applicable.
By going through ISO 27001 training, organizations can become more aware of the threat that weak defences to cyber-attack and other vulnerabilities pose to their business and learn of ways to address them.
Note:
There is as yet (31-Oct-22) no news as to when EN ISO/IEC 27001:2022, the EU Harmonized Standard, will be published. In recent times simultaneous publication with the international version has been the practice (thus avoiding similar, if not identical, standards having a different year of publication). We’ll have to wait and see but, in any case, a delay is going to have little consequence for most organizations.
Do Internal Auditors need training?
Again, training here is not mandatory. However, effective internal audits are essential to doing a professional job in maintaining your ISMS and avoiding nasty surprises at your next Certification Body audit.
Also, if you don’t train them, your auditors won’t have any of the skills necessary to ‘harvest’ those improvement suggestions from the people in your organization who actually do the work. For more, visit the ISO 27001 Internal Auditor Course.
Do Management Representatives or others responsible for an ISMS need training?
The training of a Management Representative or others with day-to-day responsibility to maintain an ISMS is NOT mandatory. Training is implied as part of developing competence but not a specific stand-alone requirement.
So, unless you are determined to outsource this support indefinitely (technically, that’s not permitted), you need to train your Management Representative. And you’re in luck. We’ve got exactly the Course you need.
Why are there so many Standards (47+) in the ISO 27000 Series of Standards?
Let’s start with another question: Is compliance with other Standards and Guides in the ISO 27000 Series mandatory? The answer is No and Yes!
No: There is nothing in the standards and guides making their use obligatory, but …
Yes: External auditors are aware of these standards and guides and will be informally using them to frame their interview questions. For example, suppose an organization has Personally Identifiable Information. In that case, the external auditors will ask how the organization has addressed the typical vulnerabilities identified in ISO 27701 – this is ‘low-hanging fruit’ for the auditor. So, you cannot afford to ignore the Standard, and your risk assessment (and opportunities) needs to add relevant vulnerabilities from ISO 27701 to those from the Statement of Applicability in Annex A of ISO 27001.
You will need to consider all 47 Standards to decide whether they apply to your ISMS (and don’t worry, as it’s unlikely that more than one or two of them apply); you should visit …
1. The chart with an overview of the ISO 27001 Series at ‘To select your ISO 27001 Auditor Course’, and
2. The section ‘What comprises the ISO 27001 Series of Standards’.
What is the significance of ISO 27002?
ISO/IEC 27002:2022 (to give it its full title, Information Technology — Security techniques — Code of practice for information security controls) provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of Controls, taking into consideration the organization’s information security risk environment.
It is designed to be used by organizations that intend to:
select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
implement commonly accepted information security controls;
develop their own information security management guidelines. You should expect External Auditors to ask whether you’ve used this Guide.
Where do other established IS Standards like PCI-DSS (the Payment Card Industry Data Security Standard) fit in?
Many data security standards other than ISO 27001, like PCI-DSS and COBIT, remain in everyday use. Where Certification to ISO 27001 and one or more of the other Standards are needed, a single ISMS addressing all the requirements is the norm.
Care needs to be taken to ensure that internal audits include the audit of all applicable requirements.
Can we get one site Certified to ISO 27001, or must it be the entire organization?
Certainly, an organization with multiple sites may have a single site certified to ISO 27001. However, the exchange of information between the site in question and the other sites of the organization will have to be controlled, and to a level equivalent to the controls applied to information exchange with Customers and Suppliers.
Is GDPR Compliance compatible with ISO 27001 Certification?
After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation.
There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:
1. Keep the GDPR documentation entirely separate from the ISMS and its documents,
2. Fully integrate the regulatory requirements into your ISMS Documents or
3. Keep GDPR Documents separate from and cross-referenced to ISMS Documents.
If you are a Management Representative or something similar, and don’t feel confident about ISO 27001:2022, this 39-hour lead implementer course is for you. See what an efficient and effective ISMS looks like here.
Take this 42-hour Lead Auditor course if you need an in-depth knowledge of ISO 27001: 2022. This is the certification you need if you hope to audit for a Certification Body.
This 39-hour Lead Implementer Course is what you need. It includes a 31-step Path to Certification, a 100+ page ISO 27001:2022 Implementation Handbook, a Documentation Toolkit with loads of example SOPs, Forms, sample Statement of Applicability, as well as Auditor Certification for yourself.
Our ISO 21001 Educational Organization status is shown on all Certificates we issue.
Shareable Credentials
Instantly verify your qualification to a potential client or employer with our ISO auditor certificates that come with QR codes.
Self-paced and On-demand
Speed through to review the topics you understand well but take your time, and repeat as you wish, sections that are new or challenging.
Adult-Oriented Learning
Lessons delivered using methods suited to adult learning, including lessons, FAQs, and quizzes.
Satisfied Customers Say:
… it has been an excellent source of information and increased my experience of implementing the ISO 9001 and auditing.
There were a few minor issues with course content integration with course software; however, Customer Service through the Support Ticket was quick to respond and address issues. The ability to learn and gain qualifications through an online platform such as deGRANDSON’s offer is an extremely flexible option. I would commend this learning option and the use of Safari iOS, which works consistently with the learning platform. The Support Team is very efficient and quickly resolves any issues that might be encountered, many thanks.
This is an excellent course. The content in the 3 modules was so beneficial and helped me to grasp details that I had previously struggled with. It was evident that the content was factual and from the real world in its tips for application. The answers and direction provided in the FAQs were excellent and very helpful. Any query I had was answered promptly. I honestly don’t know what you could do better. Thank you for all your help and guidance.
Course states 24 hours, I would say it took double that time to complete. Had some technical difficulties but Ultan King in support has been very helpful in resolving all issues.
Have only completed the first part of the course, enjoying it immensely, so far. The content is thorough and clearly explained. I only have one small observation – that it may be better using a real person, or even person(s), to present rather than a computer generated voice, which can be a little wearing over time.
I’m extremely pleased with my ISO 45001 Lead Auditor course from deGrandson that I started in February 2021. I work for Amazon as a Construction Manager constructing fulfilment centers in the UK, EU and worldwide. The course material is excellent, the online learning system is very easy to use and the course is very well structured. I highly recommend this course by deGrandson. Dr John FitzGerald is an expert in this subject area and it shows. You will be pleased that you also chose to study with deGrandson.
On-line study at my own pace is the most suitable learning medium for me. The course is timely with the latest 2019 edition of the Standard, coupled with a value for money package.
All the way through this course I have been extremely impressed with the excellent support that has been in place for students, and this provides confidence that issues are resolved promptly with fair consideration.