In the meantime, threats to information security continue to grow; hopefully you can see them on the horizon, but many companies can find it really easy to start lagging behind. Unfortunately, if you are still working to the 2013 edition of ISO 27001 then you’re now behind the curve.

Its easy to put off the transition; it has been so far anyway. But this will absolutely create unnecessary stress and potential complications down the line for you and your staff. The new updates to the standard introduce a number of controls that can be surprising time-sinks if you aren’t familiar with them. They can also end up costing a significant amount of time and money to implement if you aren’t careful.

The problem is, the longer you wait and mull this over, the greater your potential exposure is to emerging security and compliance threats. And, the greater number of resources and time you’ll need at the last minute to get it sorted. ISO 27001 certification isn’t just a tick-box exercise giving you a badge of compliance. It’s a commitment to proactive cybersecurity. If you fail to transition in time, you risk having your certificate revoked, this can impact existing client trust and even your ability to secure new contracts and customers.

What’s Changed in ISO 27001:2022?

The 2022 edition introduces some key updates that make the framework more relevant to today’s security landscape, some of these changes are quite crucial and can be surprisingly challenging:

1. Annex A, the Statement of Applicability (SOA) has been rejigged

Definitely the most significant update out of the lot, is the restructuring of Annex A, this now includes 93 controls (down from 114). Several controls have merged, some have been refined, and the overall structure of the SOA has been re-organised into four key themes:

• People
• Organisational
• Technological
• Physical

This restructuring is supposedly meant to make it easier to understand an implement the security measures ‘making implementation more effective’ but we’ll have to wait and see if it’s really that groundbreaking.

2. New Security Controls (As part of the SOA update)

The 2022 update introduces 11 new controls that address modern cybersecurity challenges. These cover:

• Threat Intelligence – Encouraging organizations to proactively collect and use threat intelligence.

• Information security for use of cloud services – Providing specific guidance on securing cloud-based environments.

• ICT Readiness for business continuity – Ensuring IT services are resilient against disruptions.

• Physical Security Monitoring – brings a more simplified but definitive stance on physical security than the previous edition.

• Configuration Management – Enhancing security through better control of system configurations.

• Information Deletion – introduces the concept from GDPR that you can no longer keep data forever, as much as your inner dragon likes hoarding gold; you’re no longer along to emulate Smaug in Erebor (but with data!)

• Data Masking – introduces the concept that if people don’t need to know specific info to do their job, then they shouldn’t be able to see it. A simple principle in concept but can become complicated when looking at ways to apply it in a meaningful way.

• Data Leakage Prevention – Strengthening data protection measures.

• Monitoring Activities – Adds a bit of Big Brother seasoning to the standard to make sure your networks, systems and applications aren’t going haywire with “anomalous behaviour”.

• Web Filtering – makes it a requirement for you to make sure your staff aren’t using their web browsers to access anywhere dumb during work hours / from a work device.

• Secure Coding – this makes industry best practice essentially a requirement. This covers things like code reviews, peer checks before publishing, making sure you apply Least Privilege methodology etc.

3. Enhanced Focus on Risk Management

The new standard places a stronger emphasis on risk-based thinking. Companies must ensure their ISMS is not just a static set of policies but that they are actually used, this also means making sure these policies are efficient and appropriate to the task.

4. More Flexibility in Implementation

ISO 27001:2022 does however allow for a more tailored implementation of controls based on an organisation’s specific risk environment. This should make compliance more efficient, but it also means companies must take a fresh look at how their security measures align with the new framework.

How to Get Started with the Transition

Switching to ISO 27001:2022 doesn’t have to be overwhelming. Here are some tips to make it more manageable:

1. You’ll need Leadership “Buy-In” so make sure they’re involved

All businesses need support from the leadership team when implementing new controls, policies, procedures or anything that disrupts the norm (sometimes even a new kettle needs approval). Without “buy-in” from leadership you may struggle with the resources you need to prioritise transitioning the system and making sure everyone understands and adheres to it.

2. Perform a Gap Analysis (if you want)

If you want to do the transition yourself, then you’ll need to assess your current ISMS against the new requirements; this is so you can identify any gaps and areas that need updating. This should then help you to create a clear action plan for the transition.

3. Update your Policies and Procedures

Many of the new controls require policy updates or even new policies writing from scratch. This is especially prevalent in areas like cloud security, threat intelligence and configuration management. You’ll need to make sure your documentation reflects the latest best practices too. (This is something we can help you do if you don’t have the time or knowledge).

4. Train Your Team

Your staff must understand the changes and their implications. So, you’ll need to provide training on the new controls, risk management approach, and updated compliance requirements. People will need to understand these changes and how they impact the day-to-day operations of the business.

5. Schedule Your Certification Audit

I’ve written this blog on the assumption you’re already certified to ISO 27001:2013, (if that’s not the case then I atleast hope you’ve enjoyed this read! And you should build your system around the 2022 edition from scratch instead of jumping through these hoops).

The certification body I imagine will have also been hounding you by this point; but you need to get booked in with them for your transition and tell them it’s a transition audit; they will undoubtedly want to add an extra day or more to your visit in order to transition you.

I had one customer who forgot to mention they were transitioning to the auditing body so when we were sat down infront of the auditor and I handed over our updated docs he was a little dumb struck; after a quick panic call to his head office we ended up managing to transition that visit but it was only because they were able to switch the auditors ‘office day’ to another assessment day.

They would have been well within their rights to have cancelled and rescheduled the visit along with slapping our customer with an extra charge for the issue had we not been so lucky. SO, plan your transition audit well in advance, this will also help avoid last-minute bottlenecks from the limited supply of 27001 auditors that the cert bodies have.

Final Thoughts

Most cert bodies like to see at least 3 months of evidence of a new system being in place; which means, if you want to show them evidence of your new system, that 7 months to deadline drops to 4 months from now (to get your system updated and audited).

You’ve also got to consider your staff and the availability of the auditors to come and do the transition. With the Summer Holidays and Easter half-term happening, this could make it even more strategically challenging to transition before the deadline.

Ultimately, this deadline for transitioning isn’t as far off as it seems. It’s also not optional – it’s necessary to maintain your existing certification. Companies that delay risk operational disruptions, security vulnerabilities, and compliance failures.

Getting started now will save you from even more last-minute stress. Making the switch sooner means your compliance efforts will be all-round smoother, and you’ll be able to catch up to those early birds already standing proud with their 2022 certs pinned to their chests.

More importantly, waiting and leaving it much longer could mean a rushed, ineffective transition that leaves your organization exposed.

Data Security? But we’ve got passwords and virus checking????

14 Sep 2020 18,000 Covid-19 test results put online by mistake

16 Oct 2020 British Airways fined £20m over data breach

30 Oct 2020 Marriott fined £18.4m for hotel guests data breach

13 Nov 2020 Ticketmaster fined £1.25m over payment data breach

23 Nov 2020 Children’s names published in email

26 Nov 2020 NHS data breach involving 284 patients uncovered

Source: https://www.bbc.co.uk/news/topics/c0ele42740rt/data-breaches

And those are just a few of the issues which hit the headlines, like many, many phenomena this is just the tip of a huge iceberg, the big names which make big headlines, beneath these monoliths are smaller companies losing millions, and rarely spoken about. ISO 27001 describes a routine system for assessing the risks to your business information and data, the controls to put in place to address those risks, and the periodic checks you need to complete to ensure those risks, and the new ones which will develop tomorrow, are identified, actioned and closed down.

Getting a UK government backed certificate to say that your system addresses ISO 27001 gives you, and all those affected by your operations, additional confidence. If you are sharing data with customers, suppliers or even colleagues they will all have more confidence in you if they know you have invested the time to make sure that such information is safe and secure.

What is the ISO 14001 standard? Lots of people ask this question. Is it a little too basic to ask? Not at all. I am an ISO consultant. I regularly find bad examples of ISO consulting. ISO certification should not be over-complex. Therefore, I will try and make things simple. But not simplistic.

The Short Version…

ISO 14001 – Environmental impact, and your business. Environmental responsibilities are fulfilled through an environmental management system. This means that your business practices will remain legal. This is not an exaggeration. Breaches of environmental law lead to fines and imprisonment. Furthermore a sensational pollution story is lapped up by the media. Your company will get well-known, but for the wrong reasons.

Common-Sense, Good Design, and Reality Equal Effectiveness.

Believe it or not, ISO Standards contain much common-sense. Bad ISO systems make rules. Conversely, a system designed around your company’s business means a well-applied standard. Therefore, ISO 14001 helps you do better business in a simple, efficient and understandable way. Furthermore, certification, in ideal circumstances, is not difficult achieve 

Sound Business Reasons

If you plan to sell into government or local government bodies, you will need ISO 14001. Likewise for tenders. Certification by a UKAS Accredited Certification Body to ISO 14001 will prevent your bid being rejected. Furthermore, many large companies hold ISO 14001. Therefore, they buy only from ISO 14001 suppliers and sub-contractors. Above all, many of the issues covered in ISO 14001 are now law. What is the ISO 14001 standard? Bluntly, a way of keeping your directors out of court and the news.

What Do I Need To Consider Right Now?

First, identify the areas of your business which pose environmental risk. Next, develop processes for the control and reduction of their effects.

Here are some typical areas of focus:

What Does “ISO 45001 Certified” Mean?

You may already have occupational health and safety (“OHSAS”) measures in place. Furthermore, you may even hold the former standard “OHSAS 18001”. However, you may be conscious that your enterprise needs to structure, monitor, and review its occupational health and safety activities. The process of certification to ISO 45001 will dismantle, analyse and rebuild your existing system, and create a replacement to an internationally-recognised standard (the “I” in ISO)

Marketing and Differentiation

ISO 45001 will immediately mark your company as responsible and trustworthy. You are of a sufficient ethical standard as to take their health and safety obligations seriously. ISO 45001 will say more about your company and it’s approach to business than glossy brochures and slick sales people. Ironically, investment in ISO 45001 will probably cost a fraction of a marketing budget. Furthermore, it will act as as a “distinctive” to your potential customers long after a full-page advert in a trade magazine has gone for recycling

You Plan To Have ISO 9001/14001? Even Better!

Following logically from the above, once the systems of ISO 45001 are in place, they form a solid management “framework” by which other standards can be quickly created.

How Can we Help?

Companies can do as much or as little of the certification preparation as they wish. By popular demand, We are creating a series of DIY “tool kits” to allow customers to save on consultant time. Read more here.

What Does ISO 45001 Certified Mean? Well, hopefully you now have an idea. Meanwhile, there’s much more to tell. Please be in touch.

Yet Another Standard? What Does This One Cover?

You may just remember GDPR. (By the way, you are compliant, aren’t you?). How do you prove to your customers or any other body that you are compliant? Put simply, ISO 27701 accreditation will prove this. Therefore, we thought it useful to address some ISO 27701 FAQ.

Isn’t There an Overlap with ISO 27001?

Yes indeed. Hence, it could be said that the PIMS is an advanced form of the ISMS. If you already hold ISO 27001, then transition to ISO 27701 is not difficult. However, your existing system needs to have been constructed correctly. Ideally, it is neither over-complex nor superficial.

It Gets Much Worse (Or,”Why You Really Need ISO 27701″)

Where a breach results in personal information relating to your customers, suppliers or staff, your company also becomes liable for individual legal action from the people involved. Furthermore, costs incurred from such cases, the resources it uses in terms of management time and general disruption can cripple a business.

Inspecting the Inspectors

ISO 17020 is similar to ISO 9001 in some ways. However, it is aimed at ensuring that inspection companies are genuinely independent. Furthermore, that they have processes to ensure their staff are unbiased.  Therefore, it’s a standard that verifies those who measure things. It’s “inspecting the inspectors”

ISO 9001 and ISO 17020 – Some Differences

Note a key difference: ISO 9001 is a “certification standard”. Therefore, a certification body needs to audit and approve ISO 9001. Furthermore, they themselves are approved by UKAS (the United Kingdom Accreditation Body). UKAS are a government body.

In contrast, ISO 17020 is an Accreditation Standard. This means that UKAS alone can grant certification to ISO 1702

What type of business activities does ISO 17020 apply to?

ISO 17020, is called “General Criteria for the Operation of Various Types of Bodies Performing Inspection”.

Typical users involve:

ISO 9001 – More Differences

The requirements of ISO 9001:2015 should cover any industry. It ensures that a product or service is of a known standard. Similarly, some of the requirements of ISO 9001 are used in ISO 17020., Control of non-conforming goods/services and documented records of corrective action are some examples.. However, it should ensure that the inspection is thorough, independent and statistically valid.

What is the difference between ISO 17025 and ISO 17020?

The scope of the standards. ISO 17020 is valid for inspection organisations. Conversely, ISO 17025 is valid for test and calibration organisations. Inspection entities (ISO 17020) only testify “conformity” in the form of “passed” or “failed”.

To clarify, ISO 17025 accreditation covers calibration and test houses. These confirm the accuracy of the measurements which a piece of test equipment gives. Thus, if you purchase a ton of something, you need to know it really is a ton  Calibration of the weigh bridge/scales used should be carried out to confirm accuracy. If the company who calibrate are accredited to ISO 17025 then you should be able to have confidence that their accuracy is true.

There’s more to tell.

This has been a brief and simplified over-view. Therefore, if you are still asking “What is ISO 17020?”, then we fully understand. It’s much more than an “off the shelf” standard. Therefore, this is one of the reasons that we don’t act as simply retailers of on-line templates – we are ISO Consultants, and are pleased when we can help a standard “fit” a customer’s business. Therefore, if you need help, please drop us a line.

What are the benefits of ISO 14001 ? Surprisingly, there is much common-sense found in ISO Standards. Sadly, some practitioners seem to enjoy making them over-complicated (and therefore over-expensive…).

Doing The Right Thing.

Environmental impact, and your business is at the heart of ISO 14001. Once certified, you will have a bespoke management system that keeps your directors out of court. Fines and imprisonment for breaches are imposed. Also ,a good pollution story gets media attention, but exactly the wrong sort

How Long Does Approval Take?

This depends on the nature and size of your business.  What resource can you apply to the approval process and on-going maintenance? You may already have the necessary internal procedures in place. However, around these, we can create a bespoke Environmental Management System. Then we can audit its application to ISO 14001 (that is, does your system comply with the standard?) Finally, can arrange an external audit by a UKAS approved certification body. Completion in eight weeks is possible in the right circumstances. However, it all depends on how your company operates.

What am I likely to need to do ?

Certain areas of your business will have a significant environmental impact. These need to be identified. Subsequently, the correct processes need to be developed for the monitoring and reduction of their impact.

Generally, there are three broad areas of focus :

What will certification cost ?

How ready is your organisation, and how quickly can you move? As our fees are based on a day rate, these factors determine cost. Typically 6-8 days would be sufficient for a small business. Additionally, certification is required by a UKAS approved certification body.. This is usually £ 4-5000 for a three year certificate.

Recently, I received an enquiry from a customer who needed a new ISO approval. He needed to reply to a tender, and hopefully enter a new market. I specialise in getting businesses approved quickly with concise management systems and minimum documentation.Improvement of the company’s performance is my focus.. Furthermore, I design my systems to give as small an additional administration burden as possible. Hence, I don’t think there are many consultancies who can implement a system to gain ISO approval much faster..

I cut it fine and quoted them X days to write, implement and gain approval for the system. The potential customer came back to me, and said “Very interested in your services, but I have a system already. Any chance you could update it instead of writing a new one? Surely that would be quicker and cheaper?”

At a similar time I was asked by another customer to look at a downloaded management system he’d purchased on line but was struggling with. I had a look. I’ve been involved with management systems for ISO approval most of my working life, and certification since 1993. The documentation was the worst set of nonsense I’ve ever seen, and I’ve read some rubbish in my time. Somebody had cobbled together different bits of a standard. Then they had copied in some forms they found somewhere. Finally, they had thrown in some more meaningless “wordage”, resulting in about 25 documents, some pointlessly lengthy. This had then been sold to my very nice, honest and ethical customer. Explaining to him that he’d basically been conned was difficult and embarrassing.

How To Start Well

So let’s go back to basics. To gain ISO approval, you need a system that describes how your business operates. It’s simple. Whether it be for Quality, Environment, Health and Safety, Information Security, is irrelevant. It should describe how YOUR business operates in order to be able to make sure YOUR business improves, doesn’t kill anybody, pollute the world or share your customers bank details with a fictitious African Prince.

Cars, Engines, and The Wrong Choice.

If It Fits Properly, It Might Just Work

So I’m sorry if you think ISO based management systems, defined by world leading industry experts, don’t work. But before scrapping them I would suggest that investing some time in making sure the system matches YOUR business. For successful ISO approval, it needs to be lined up and designed to deliver YOUR business aims and objectives and written around YOUR workforce and facilities. It could even make you do better business. If you want to know how to do this give me a ring or drop me an email.

A customer contacted me recently who needed a new ISO approval. The “driver” was to get the company through a tender process and into a new market.

I specialise in getting businesses ISO-approved quickly with concise management systems. They contain minimum documentation and focus on improving the company’s performance. They are designed to be maintained the system with as little an additional admin burden as possible.

A moment’s boasting: I don’t think there are many consultancies who can implement an effective system and get it approved much faster than I can. This is because, through experience, and by conviction, I have to write systems that are based on business reality. Creating thousands of words, and “playing for time”, in order to inflate fees, really isn’t my style.

Facing Something That Really Doesn’t Fit.

It Gets Worse.

Now, I’ve been involved with management systems most of my business life. I’ve worked with actual certification (as an auditor) since 1993. The documentation was the worst set of nonsense I’ve ever seen. I’ve read some rubbish in my time, but this was on a different level. Worse, it was also expensive rubbish.

What was wrong? Somebody had cobbled together different bits of a standard. Then copied in some forms they’d found somewhere. Finally, they had thrown in some more meaningless “wordage”. The result? About 25 documents, some very lengthy, but all very useless. Explaining to my contact that he had been deceived was difficult and embarrassing.

Reality Is Your Friend, Believe Me.

The objective of these stories? The essence of ISO approval is as follows, and it’s not difficult to grasp:

You are looking for a system describing how your business operates in reality. Whether this is for Quality, Environment, Health and Safety, Information Security purposes, is irrelevant. It should describe how YOUR business functions. Why? In order to be able to make sure YOUR business improves. It makes sure that your actual activities don’t kill anybody, pollute the world or share your customers bank details with cyber-scammers.

What’s Under The Bonnet?

ISO Approval Designed For Your Business. (It Only Works If It Fits)

So I’m sorry if you think ISO-based management systems, written by world leading industry experts, don’t work. Before rejecting them, I would suggest the following:- invest some time in making sure the system matches YOUR business. That it is lined up and designed to deliver YOUR business aims and objectives. Specifically that it is written around YOUR workforce and facilities.

I’m a passionate advocate of ISO approval that works in the real world. If you want to know how to do this give me a ring or drop me an email.