Prepare for ISO 27001:2013 and 27001:2021

What is ISO 27001?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) consist of technical committees that come together to form global standardization for IT activity.

ISO 27001 consists of the requirements for establishing a lawful information security management system (ISMS) within an organization. The requirements are “one-size-fits-all” as the standardization should apply to any organization.

An ISO 27001 certificate for an ISMS is recognized worldwide. It’s a clear indicator that the organization aligns with the best practices of information security. An ISO 27001 certification shows that the organization can maintain its ISMS through review processes, and continually upgrade and maintain the system.

Standards created in 2005 have been replaced by the latest ISO 27001 standard. ISO 27001:2013 was released in September 2013. Over the past decade, the number of ISO certifications has increased by over 450%.


Differences between ISO 27001 and ISO 27002

ISO 27002 refers to the process of choosing security controls within an organization’s ISMS. ISO 27002 is not a certification process like ISO 27001 but rather enhances the ISO 27001 process. If someone says they are ISO 27002 certified, they probably have no idea what they’re talking about.

ISO 27002 consists of guidelines for ISMS best practices. It’s almost like an open-book test, before the final examination where all your teachers are watching.

Neither ISO 27001 nor ISO 27002 had received an update since 2013 – that is, until the most recent 2021/22 updates.


ISO 27001/02:2013 versus ISO 27001/02:2021

ISO and IEC announced last year that ISO 27001/02 is getting an upgrade. ISO 27002:2021 was published in February of this year, 2022. A month later, ISO 27001:2021 was published.

The International Accreditation Forum has given a grace period of two years for organizations to transition from the 2013 version to the 2021 version.

But what exactly has changed? It should be noted that ISO 27001 isn’t getting a direct upgrade; rather, ISO 27002 has been upgraded, which in turn changes the guidelines used within the ISO 27001 certification process.

The biggest change in ISO 27002 is the number of controls and how they are grouped into domains.

ISO 27002:2013 has 114 controls over 14 areas. ISO 27002:2021 will have 93 controls over 4 domains.

These domains are organizational controls (37), people controls (8), physical controls (14), and technological controls (34).


ISO 27001 Compliance

Get Together an Implementation Team

This is a great way to start creating a stable ISMS plan. An implementation team allows the organization to focus on key questions such as:

  • What is the organization’s intent for the ISMS?
  • Over what period will the creation of the ISMS happen?
  • How much will the implementation of an ISMS cost?
  • Does the organization have proper management over this implementation?


Outline Objectives, Policies, and Risks

This includes defining information security objectives, reviewing any possible risks to the ISMS’s security, and outlining high-level policies for the ISMS.

These policies should set out the duties and responsibilities of the employees involved. There should be a continuity plan for the consistent improvement of the ISMS. There should be communication plans to raise awareness of the project and allow for the progression of the ISMS setup.


Initiate the ISMS

An organization is allowed to use any model or system, as long as it meets the requirements, and has properly implemented and regularly reviewed the processes used within the ISMS.


Define the ISMS Scope

The ISMS scope is defined by the size of the ISMS and the extent to which it affects normal operations within the organization. The ISMS must meet the organization’s basic needs. If the scope is too small, there is room for a security breach. If the scope is too large, it will be too complex to operate.


Establish a Risk Management Process and Plan

Every security aspect of a system depends on the information gathered about potential risks. A security system is only effective when it’s aware of the organization’s weaknesses. There’s nothing wrong with having weaknesses, only with ignoring them.


Final Certification

Once an organization has securely established the ISMS, it’s time to check the guidelines against the ISO 27002 best practices. If the organization is sure they’ve met these requirements, they are free to go forward with the ISO 27001 certification.

This will include an external audit. The first part of the audit involves checking the ISMS against the ISO 27001 requirements (which you’ve already done at this point). Once the auditor is satisfied, there will be a more thorough investigation. If the auditor is still satisfied, they will take their findings back to the board.

And voila! Once an organization gets board approval, it will officially be ISO 27001 certified.
