ISO27001

ISO27001:2022
Information Security Management System Standard

ISO 27001:2013 has been updated to the new ISO27001:2022 revision!


Information Security

Today, companies have an ever-increasing dependence on data. The increased frequency of devastating data security breaches, and the risk of computer crime, have driven many companies to make information security a priority alongside their regulatory and customer stakeholders. For such companies, ISO27001:2022 offers improved information security performance for both technological and non-technical assets. Benefits include:

  • Improved information security performance and effectiveness

  • Risk assessment and residual risk reduction

  • Understand and meet legal compliance obligations

  • Prepare for emergencies and ensure continuity

  • Test and ensure data integrity

  • Monitor and ensure systems availability

  • Meet customer requirements


Required controls are both technical and non-technical

ISO27001:2022 has two distinct components:

1. The management system requirements are defined in ISO27001:2022 and are standardized with Annex SL. This means that integration between ISO27001:2022 and other standards such as ISO9001:2015, ISO14001:2015 and ISO45001:2018 is greatly improved.

2. The control requirements are defined in ISO27001:2022 Annex A. All 93 technical and non-technical controls are required to be considered during implementation.

Typical implementations result in 3 distinct manuals:

  • Management System Policy and Procedure Manual (over-arching management controls)

  • Employee Control Manual (non-technical controls)

  • Information Security Control Manual (technical controls)

There are 6 Management System sections in the Standard:

4. Context of the organization
5. Leadership and worker participation
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

There are a total of 93 controls that are categorized into 4 sections in the Annex:

  • A5: Organizational controls (37 controls). Examples include: policies for information security, roles and responsibilities, classification of information, labelling of information, access control, access rights, threat intelligence.

  • A6: People controls (8 controls). Examples include: screening, terms of employment, information security awareness, remote working.

  • A7: Physical controls (14 controls). Examples include: physical security perimeters, physical entry, working in secure areas, clear desk and clear screen, equipment maintenance.

  • A8: Technology controls (34 controls). Examples include: user endpoint devices, privileged access rights, protection against malware.


Implementation Support

Whether you need ISO27001:2022 registration or just want to implement world-class, fundamental principles to get ahead of your competition, information security management is for businesses of any size in all industries. Improvements are focused on reducing risks and capitalizing on opportunities with regard to the confidentiality, integrity and availability of information.

Getting registered to ISO27001 involves five steps:

  1. Design and document your ISO27001 compliant system

  2. Implement your processes and procedures

  3. Audit yourself to ensure that you are following your own processes and procedures

  4. Close any gaps found during your audit

  5. Have a third party "registrar" audit your system to verify compliance and issue a certificate

Call 416-884-3989 now to set up your free, no-obligation, in-house presentation for more information and answers to your questions:

  1. Who is Graham Hill Consulting?

  2. What are we getting ourselves into... what is ISO27001?

  3. What does an ISO27001 project look like?

  4. Can you customize the approach for our specific needs?