ISO 27001
Information security standard
Everyone is searching for ways to implement and comply with the requirements of standards as quickly and as easily as possible. Unfortunately, there is no simple shortcut, but there are steps, and if you follow them the implementation will be easier to tackle.
The new ISO 27001:2022 standard
In February 2022, ISO 27002:2022 was updated – the standard that provides best-practice controls that organizations can implement to improve cybersecurity. As a result, a new version of ISO 27001 – the international standard for the requirements of an ISMS – was published on 25 October 2022. The new version of the standard introduces the controls outlined in ISO 27002:2022, and organizations will need to review their risk assessment to determine which updates need to be implemented.
Here are the key steps you will go through with SMS Business Center for a successful transition to the new ISO 27001:2022 standard:
• Analysis of changes brought by ISO 27001:2022;
• Establish which staff need to be trained;
• GAP analysis;
• Update risk analysis and risk treatment plan;
• Update statement of applicability;
• Internal Audit;
• External Audit for transition (together with the certification body);
• Closing any non-conformities written in the audit report;
• Emphasize continuous improvement.
How can we help, and why should you choose SMS Business Center?
Our experience allows us to provide you with personalized insights into the unique threats your business faces. Working with us keeps you one step ahead of cyber risk.
Together we will identify the specific threats you face and build strategies to mitigate them. We will work together to certify your systems, identify vulnerabilities and help prevent attacks and incidents that could affect your business.
Changes to the management system:
The main part of the ISO 27001:2022 standard has minor changes and no important requirements from ISO 27001:2013/2018 have been deleted.
In Annex A there are 11 new controls; some controls were merged, one control was split, some controls were renamed, and 35 of them remained unchanged.
The transition period is 3 years, meaning that the transition to ISO 27001:2022 must be completed by 31.10.2025. Starting from 31.10.2023, the audits for initial certifications will be carried out exclusively according to the requirements of ISO 27001:2022. For companies already certified ISO 27001, the transition must be carried out by 31.10.2025.
ISO 27001:2013 vs. ISO 27001:2022 - Main changes
A new version of ISO 27001 – the world’s leading information security standard – was published on 25 October 2022. Even though the new standard brings only moderate changes, it is important to analyze them carefully.
The new version of the standard introduces the controls outlined in ISO 27002:2022, and organizations will need to review their risk assessment to determine if updates need to be implemented.
Below, we present the main changes brought by the ISO 27001:2022 standard.
- Main part, clauses 4 to 10, changed only slightly;
- Moderate changes for security controls in Annex A;
- The number of controls decreased from 114 to 93;
- The 93 controls are grouped into 4 sections (ISO 27001:2022) instead of 14 (ISO 27001:2018);
- 11 new controls in ISO 27001:2022; none of the controls in ISO 27001:2018 were deleted, and many of them were merged.
Stage 1
- We sign the consultancy contract and agree on all the terms;
- We carry out the initial analysis together;
An overall inventory of processes, resources, threats and vulnerabilities; an essential stage for better planning of the implementation;
- We define the scope;
Training on the aspects of the ISMS, clarification of basic concepts, and definition of the scope. It is important that we determine what information you intend to protect. It does not matter whether this information is stored in your office or in the cloud, or whether it is accessed locally or remotely; what matters is that you are responsible for it and that it needs to be protected;
- We establish the information security policy;
It is the most important document of the information security management system.
It has to contain the objectives and the commitment of management to fulfil the requirements of stakeholders and to continuously improve. It has to be regularly reviewed and communicated to all stakeholders, within the company and beyond;
Stage 2
- Analysis of physical and informational risks;
In order to facilitate the evaluation of risks, we will use spreadsheets with threats and vulnerabilities laid out in columns; we will also include other information such as risk identification, risk owners, impact and likelihood, etc.
- Drawing up and implementation of procedures / implementation of technical security measures;
Our consultants will draw up the ISMS procedures. Then follows the most difficult part of the project: the implementation of the ISO 27001 requirements, which involves changing certain behaviours or habits of the current management system. Do not worry; we have sufficient experience in similar projects to succeed in this stage;
- Business continuity plan;
The BCP guides the organization in responding, recovering, resuming and restoring operations to a predefined operating level after an unforeseen interruption;
Stage 3
- Internal audit and simulations of incidents;
At the completion of the project, we will carry out an internal audit and incident simulations. This can be regarded as a rehearsal for the certification audit. Following the audit, we will carry out corrective and preventive actions.
- Analysis conducted by management;
Management has to be aware of the implications of the new information security management system and of whether it can deliver the expected results. Following this review, management will take important decisions regarding the company.
Do you want to implement the requirements of ISO 27001 with your own team, without outsourcing certain services? We can help you with the Toolkit developed by our team.
INFORMATION NOTICE FOR PROTECTION OF PERSONAL DATA
According to the requirements of Law no. 677/2001 for protection of persons regarding the processing of personal data and free movement of these data, as further amended and supplemented and Law no. 506/2004 for processing of personal data and protection of private life in electronic communications sector, S.C SMS Business Center S.R.L., the owner of this website, will administer in safe conditions and only for the specified purposes, the personal data about you that you provide to us. We inform you that the personal data you provide to us are processed for the purpose of offering in optimal conditions the web service available on this website. According to Law no. 677/2001, you benefit from the right of access, intervention on data, the right not to be subject to an individual decision and the right to address the court of law. You also have the right to oppose the processing of personal data concerning you and to request the erasure of your personal data.