Protecting information through continuous improvement: ISO/IEC 27001

Information security is a major consideration for companies around the world. Companies that leave their information unprotected risk consequences such as financial penalties and reputational damage.

A report by IBM revealed that the average cost of a data breach in the USA increased by 12.7%, from US$ 3.86 million in 2020 to US$ 4.35 million in 2022. Similarly, penalties for data breaches have been increasing in Europe since the introduction of the General Data Protection Regulation (GDPR) in 2018. According to the GDPR Enforcement Tracker, 468 fines in 2022 totalled € 833,510,050, taking the cumulative total of all fines issued to almost € 2.8 billion as of January 2023.

Fortunately, there is guidance available: the ISO/IEC 27000 family of standards. The most widely known of these is ISO/IEC 27001 – a standard that describes how to handle the security of information in a process-based manner, with the aim of ensuring the confidentiality, availability and integrity of information within your organization.

In 2022, ISO/IEC 27001 and its extension ISO/IEC 27002 were updated. Here we look at the standards and their updates in more detail, how they can benefit companies, and how Kiwa supports organizations on their journey of continuous improvement in information security.

Certification supports secure information management

All organizations deal with information, whether it’s financial information, employee or customer details, or intellectual property. They set up an information security management system (ISMS) to ensure the confidentiality, availability and integrity of that information. By implementing ISO/IEC 27001, organizations can manage their information security, so they can reduce information security risks and prevent incidents.

ISO/IEC 27001 is an international standard that applies to any organization that manages information. As the globally recognized standard for information security, it enables organizations to demonstrate that they have set up an ISMS with a set of controls to protect information adequately, and therefore that they comply with the relevant information security requirements. It sets out the requirements for companies to establish, implement, maintain and continually improve their ISMS.

Kiwa certifies organizations to ISO/IEC 27001. “Certification helps organizations identify risks and areas for improvement in their processes so they can continuously optimize the way they secure and manage information,” said Marjolein Veenstra, Scheme Manager and Lead Auditor at Kiwa.

While compliance is not internationally mandatory across all sectors, many companies choose to be certified to reflect their focus on information security or meet their intrinsic need for improvement and professionalization. Certification is often requested as part of a tender, so compliance helps make companies more competitive. However, some sectors have made it mandatory. For example, occupational health and safety services can only work with suppliers that have ISO/IEC 27001 certification.

How to implement ISO/IEC 27001 and get certified

ISO/IEC 27001 is the certifiable standard, and it consists of two parts: the HLS (High-Level Structure, chapters 4 to 10) and Appendix A (114 controls). ISO/IEC 27002 is an extension of ISO/IEC 27001 that contains the implementation guidelines for the controls and provides best practices for improving security. These controls form part of an organization’s ISMS.

Even though these standards are applicable to all organizations, they can be challenging to understand and use. This is especially the case for companies getting started on their ISMS without specialist in-house compliance knowledge. Because the standard can be difficult to decipher, organizations need to establish their own requirements and translate what is included in ISO/IEC 27001 into their own context, rather than following a blueprint to the letter.

If an organization is seeking certification, it must first establish an ISMS. In the first year of certification, an initial audit is performed in two phases:

  • Phase 1 – to determine whether the ISMS documentation meets the requirements of the standard.
  • Phase 2 (started if phase 1 requirements are met) – to determine whether the organization has implemented an adequate and effective ISMS.

The length of time it takes to go through these phases depends on many factors, including the size, complexity and maturity of the organization, as well as the information security controls it has already implemented. It usually takes at least three months to carry out the initial audit, and when both phases are complete, certification advice can be given.

Follow-up audits take place in the second and third year following the initial audit, and recertification is carried out in the fourth year. At every stage, an organization needs to show that it has implemented its ISMS in accordance with the requirements set out in the standard. The audit process itself also plays a role, as it helps the organization to improve its processes over time.

“Continuous monitoring, improvement, internal audits and implementation of corrective measures and the performance of risk analyses and management assessments are all important factors we take into account during certification,” said Marjolein.

“By performing certification audits, Kiwa becomes part of the continuous improvement cycle that a customer sets up by implementing the ISMS,” Marjolein added. “Through this step in the process, additional points for improvement are identified and followed up by the customer.”

Are you prepared for the changes?

As with all ISO standards, the standards within the ISO 27000 family are updated regularly. The latest version of ISO 27002 was published on 15 February 2022. Although ISO 27002 is not a certifiable standard, the changes have consequences for organizations that are (or want to become) ISO/IEC 27001 certified.

The updated ISO/IEC 27002 includes 11 new controls, focusing on the preventive and monitoring aspects of the ISMS. In addition, the standard features a new classification structure. Instead of being grouped into 14 chapters, the 93 controls are divided into four themes: organizational, people, physical and technological controls. “The aim is to make it easier to determine who will be the ‘owner’ of a control measure,” Marjolein explained.

Similarly, the revised ISO/IEC 27001 was published on 25 October 2022. The standard was originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and was revised in 2013 and 2017 (a European update). There will be a three-year transition period within which organizations will need to comply with any amended or additional requirements. This means that certified organizations must have switched to ISO 27001:2022 by autumn 2025.

If you are ISO/IEC 27001 certified (or want to be), Kiwa can help you navigate the changes.