
ISO 27001:2022 Update - What You Need To Know


    Certification to ISO standards is not new to any sector; however, the demand for ISO certification has been increasing consistently.

    Certification to standards such as ISO 27001 (Information Security Management), ISO 9001 (Quality Management), ISO 14001 (Environmental Management), and ISO 45001 (Health and Safety Management) has largely become the norm.

    This means that many companies without ISO certification may struggle to differentiate themselves from competitors and satisfy the increasingly challenging vendor approval requirements and conditions that organisations are applying to their supply chain.

    The International Organisation for Standardisation is quoting annualised growth in ISO27001 certificates of 87% (source: IS Partners).

    The UK is aiming to become one of the most secure countries in which to live and work, and as a result certification to ISO standards is becoming the norm in many sectors.

    On 31st October 2022, the UK Health Security Agency implemented a requirement that any company accessing protected UKHSA data must have a system of assurance in place, and ISO27001 has been stipulated as one of only two options.

    The Health and Social Care Network (HSCN) (NHS Digital) has recently implemented a requirement under its compliance framework which includes a stipulation that suppliers to the Health and Social Care Network must have certification to both ISO 9001 Quality Management and ISO 27001 Information Security Management, which must be undertaken by a UKAS-affiliated auditor.

    In October 2022 ISO.org released an updated version of the standard to reflect the planned restructure of Annex A. The release of ISO27001:2022 is important because this is the ISO standard that organisations are certified to, and any changes to clauses 4 to 10 are mandatory and cannot be excluded.

    The updated version of ISO27001 was always communicated as “evolution not revolution”, so major changes to clauses 4 to 10 were not expected. ISO27001:2013 was one of the first ISO standards to implement the common Annex SL structure.


    It is expected that organisations will be given 2 years (there are also rumours of 3 years) to migrate their existing ISO27001 certifications to the new 2022 version.

    Ideally, organisations will be able to arrange the transition audits to fall at the same time as a recertification audit.

    If the dates do not line up, the organisation will need to contact its certification body to arrange a transition audit. There will be additional costs (time and money) for any transition audits.

    Over the past 30 years, we have often heard of consultants quoting excessive figures to assist companies in achieving certification. The amount of external input required will vary from company to company; however, it is important to remember that funding may be available to assist with the cost of advice and certification.

    To implement an ISO standard, the project timeline varies from company to company and depends on a range of factors such as size, scope, number of staff, number of locations, and complexity of the operation. The average project will usually take around 6 to 9 months from the beginning of the project to obtaining certification.

    There are a few pitfalls, but these can be managed with a level head, such as:

    Consultant selection – if you decide to use an external adviser, choose a company with experience in this field and a proven track record. Ask for references and take these up.

    Scope – ensure that the scope of the ISO27001 information security management system is clearly defined and realistic, and avoid ‘scope creep’ as the project progresses.

    Certification body – always ensure that you select a properly ‘accredited’ certification body; if you don’t, the certificate is likely to be rejected as insufficient. Most certification bodies will carry UKAS or INAB accreditation; seek evidence of this before committing.

    Now is the time to implement ISO Standards, especially ISO 27001, to help your organisation focus on information security threats and protect your information assets by establishing robust policies/procedures and the technical controls required to protect the confidentiality, integrity, and availability of information.
