Are you ready for ISO 27001:2022?
Certification to ISO standards is not new in any sector; however, demand for it has been increasing consistently.
Certification to standards such as ISO 27001 (Information Security Management), ISO 9001 (Quality Management), ISO 14001 (Environmental Management) and ISO 45001 (Health and Safety Management) has largely become the norm.
This means that many companies without ISO certification may struggle to differentiate themselves from competitors and to satisfy the increasingly demanding vendor-approval requirements and conditions that organisations apply to their supply chains.
Why implement ISO 27001?
The International Organisation for Standardisation quotes annualised growth in ISO 27001 certificates of 87%.
The UK is aiming to become one of the most secure countries in which to live and work and as a result certification to ISO standards is becoming the norm in many sectors.
On 31st October 2022 the UK Health Security Agency (UKHSA) introduced a requirement that any company accessing protected UKHSA data must have a system of assurance in place, and ISO 27001 has been stipulated as one of only two acceptable options.
The Health and Social Care Network (HSCN) (NHS Digital) has recently added a stipulation to its compliance framework that suppliers to the Health and Social Care Network must hold certification to both ISO 9001 (Quality Management) and ISO 27001 (Information Security Management), and that the certification must be issued by a UKAS-accredited certification body.
What's included in the ISO 27001 update?
In October 2022 ISO released the updated standard, ISO 27001:2022, principally to reflect the planned restructure of Annex A (the 2013 edition's 114 controls in 14 sections are reorganised into 93 controls in four themes, in line with ISO 27002:2022). The release of ISO 27001:2022 is important because this is the ISO standard that organisations are certified against, and any changes to clauses 4 to 10 are mandatory and cannot be excluded from the scope of certification.
The updated version of ISO 27001 was always communicated as "evolution not revolution", so major changes to clauses 4 to 10 were not expected. ISO 27001:2013 was one of the first ISO standards to adopt the common Annex SL structure.
It is expected that organisations will be given 2 years (there are also rumours of 3 years) to migrate their existing ISO 27001 certifications to the new 2022 version.
Ideally, organisations will be able to arrange the transition audits to fall at the same time as a recertification audit.
If the dates do not align, the organisation will need to contact their certification body to arrange a transition audit. Any transition audits will have additional costs (time and money).
What happens within the implementation process?
Over the past 30 years we have often heard of consultants quoting excessive figures to help companies achieve certification. The amount of external input required will vary from company to company; however, it is important to remember that funding may be available to assist with the cost of advice and certification.
The project timeline for implementing an ISO standard varies from company to company and depends on a range of factors such as size, scope, number of staff, number of locations and the complexity of the operation. The average project usually takes around 6 to 9 months from the start of the project to obtaining certification.
There are a few pitfalls, but these can be managed with a level head:
Consultant selection – if you decide to use an external adviser, choose a company with experience in this field and a proven track record. Ask for references and take them up.
Scope – ensure that the scope of the ISO 27001 information security management system is clearly defined and realistic, and avoid 'scope creep' as the project progresses.
Certification body – always ensure that you select a properly 'accredited' certification body; if you don't, the certificate is likely to be rejected as insufficient by customers and compliance frameworks. Most certification bodies will carry UKAS or INAB accreditation; seek evidence of this before committing.
Now is the time to implement ISO Standards, especially ISO 27001, to help your organisation focus on information security threats and protect your information assets by establishing robust policies/procedures and the technical controls required to protect confidentiality, integrity, and availability of information.