Inzinc's Motto: Passion to Deliver Quality

Introduction to ISO 27001:2022 -
Information Security Management System (ISMS)

The ISO 27001:2022 standard specifies requirements for the establishment, implementation, maintenance and continual improvement of an Information Security Management System. The expert ISO 27001 consultants in India (ISMS consultants in India) of the Inzinc Team ensure that professional consultancy solutions are provided that lay a solid ISMS foundation.

What is an Information Security Management System?

An Information Security Management System (ISMS) is the part of an organization's management system that consists of a set of policies, objectives and procedures to ensure that the organization's information is kept secure, to manage and minimize risk, and to ensure business continuity by proactively minimizing the impact of a security breach.

What is Information Security?

Information security is the practice of protecting an organization's assets from unauthorized access, use, disclosure, falsification, modification, recording or destruction in order to achieve Confidentiality, Integrity and Availability (CIA).

What do our ISO 27001 Consulting services include?

Our ISO 27001 Consulting services in India include:

  • ISO 27001 Gap Analysis: conducting an ISO 27001 gap analysis and submitting the gap analysis report
  • Documentation of the ISMS Manual (ISO 27001 manual), ISMS procedures, ISMS policies (including the ISO 27001 security policy), forms and formats. Our ISMS consultants use a professional ISO 27001 documentation toolkit to cover the documentation requirements of the ISO 27001:2022 standard.
  • Help and guidance in the implementation of ISO 27001 controls (all applicable controls from the ISO 27001 controls list given in Annex A of the ISO 27001:2022 standard)
  • Help and guidance in preparation of Statement of Applicability (SOA)
  • Help and guidance in conducting Risk Assessment and Risk treatment (Risk Management)
  • ISO 27001 Awareness training where we teach Information Security basics (ISO 27001 basics) and ISO 27001 overview
  • ISO 27001 Internal auditor training and help conduct ISO 27001 Internal audit and help conduct ISO 27001 Management Review.

Our ISO 27001 consultants in Bengaluru, India will ensure that the above ISO 27001 consulting services in India are executed with dedication and in a timely fashion. Our ISO 27001 Consultants in India make sure that the ISO 27001 implementation helps you to effectively establish, monitor and continually improve the Information Security Management System.

Benefits of ISO 27001 standard

The following are the advantages or benefits of establishing an Information Security Management System (ISMS) in your organization:

  • Provides a framework to ensure safety of sensitive information.
  • Builds trust and confidence among customers and stakeholders on how risk management is carried out.
  • Ensures the secure exchange of information.
  • The exposure to risk is minimized.
  • Helps in developing a security culture that gets embedded in the organization culture.
  • Helps to protect the Organization's assets, customers and stakeholders.
  • Gives the competitive edge compared to non-ISMS based companies.
  • Customer satisfaction, and perhaps delight!

Transition from ISO 27001:2013 to 27001:2022

Organizations that are certified to ISO 27001:2013 need to transition to ISO 27001:2022, which is the latest version. Inzinc provides ISO 27001 consultancy services in India to enable a smooth transition from the 2013 version to the 2022 version.

The second revision of the Information Security Management System (ISMS) standard, ISO/IEC 27001:2022, was published on 25 October 2022. It effectively replaces the earlier ISMS standard ISO/IEC 27001:2013. The new ISO 27001 standard was developed with inputs gathered from practical experience of applying the ISO 27001:2013 standard worldwide. Apart from this, there are two other reasons for the revision, namely:

  • A move towards integration of all future ISO management system standards, which will have 10 clauses with common clause headings across ISO standards but with content pertinent to the management standard in context. This paves the way for easy Integrated Management Systems.
  • Connecting the ISO/IEC 27001:2022 standard to the risk management standard ISO 31000:2018.

In terms of ISMS controls, the ISO/IEC 27001:2013 version had 114 controls classified under 14 domains. The new ISO/IEC 27001:2022 version consists of 93 controls classified under 4 domains. Refer to Annex A of the ISO 27001:2022 standard for the ISO 27001 domains.

In terms of the management clauses, the ISO/IEC 27001:2005 standard had eight main clauses.

The new ISO 27001:2022 has 10 main clauses, which are as below:

  • Scope
  • Normative references
  • Terms and definitions
  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

(Courtesy: ISO)

The new ISO 27001:2022 Information Security Management System standard brings the context of the organization into the picture. This is linked to the ISO 31000 risk management standard. Here we define the internal context (internal issues) and the external context (external issues).

The section on the PDCA cycle has been removed, but PDCA continues to be one of the tools of continual improvement.
Instead of specific inputs and outputs of the management review, clause 9.3 Management Review now places requirements on the topics for consideration during the review.
So, please contact our ISO 27001 consultants in India for the transition (upgrade) from ISO 27001:2013 to ISO 27001:2022.

ISO 27001:2022 Mandatory documents

The following are the mandatory documents required by the ISO 27001:2022 ISMS standard:

  • Scope of the ISMS (clause 4.3)
  • Information security policy (clause 5.2 and control 5.1)
  • Information security objectives (clause 6.2)
  • Information security risk assessment process (clause 6.1.2)
  • Information security risk treatment process (clause 6.1.3)
  • Statement of Applicability (clause 6.1.3 d)
  • Documentation related to operational planning and control (clause 8.1)
  • Definition of topic-specific policies (control 5.1)
  • Definition of security roles and responsibilities (control 5.2)
  • Inventory of assets (control 5.9)
  • Acceptable use of assets policy and procedures (control 5.10)
  • Procedure for labelling of information (control 5.13)
  • Information transfer rules and procedures (control 5.14)
  • Access control policy (control 5.15)
  • Processes and procedures for managing the information security risks associated with the use of supplier’s products or services (control 5.19)
  • Processes and procedures for managing the information security risks related to ICT products and services supply chain (control 5.21)
  • Processes for acquisition, use, management and exit from cloud services (control 5.23)
  • Incident management procedure (controls 5.24, 5.26 and 5.28)
  • Business continuity procedures (controls 5.29 and 5.30)
  • Legal, statutory, regulatory and contractual requirements related to information security (control 5.31)
  • Procedures to protect intellectual property rights (control 5.32)
  • Operating procedures for IT management (control 5.37)
  • Disciplinary process for breach of information security (control 6.4)
  • Rules for clear desk and clear screen (control 7.7)
  • Documentation of security configurations of hardware, software, services and networks (control 8.9)
  • Information backup policy (control 8.13)
  • Procedure for Installation of software on operational systems (control 8.19)
  • Rules or policy on effective use of cryptography and key management (control 8.24)
  • Rules for the secure development of software and systems (control 8.25)
  • Secure system architecture and engineering principles (control 8.27)
  • Secure coding principles (control 8.28)
  • Security testing processes (control 8.29)
  • Change management procedure (control 8.32)

ISO 27001:2022 Mandatory Records

The mandatory records that are required by the ISO 27001:2022 standard are as below:

  • Record of information security risk assessment process and results (clause 6.1.2 and clause 8.2)
  • Record of information security risk treatment – the complete risk treatment plan along with results of risk treatment (clause 6.1.3 and clause 8.3)
  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2.2)
  • Results of internal audits (clause 9.2.2)
  • Results of the management review (clause 9.3.3)
  • Nature of non-conformities and actions taken (clause 10.2 f)
  • Results of corrective actions (clause 10.2 g)
  • Signed information transfer agreements (control 5.14)
  • Signed supplier agreements containing information security requirements (control 5.20)
  • Confidentiality or non-disclosure agreements (control 6.6)
  • Logs of user activities, exceptions, faults and security events (control 8.15)

We have experienced Lead auditors and information security consultants. We can depute our team for requirements of ISO 27001 Consultants in Dubai / Abu Dhabi in the UAE, ISO 27001 Consultants in Singapore, ISO 27001 Consultants in Kuwait, ISO 27001 Consultants in Mauritius, ISO 27001 Consultants in Maldives, and ISO 27001 Consultants in other parts of the World including UK, Australia, Canada, etc.

ISO 27001 Internal Audit services

As part of ISO 27001 effectiveness measurement, our ISO 27001 consultants in India can conduct the ISO 27001 Internal Audit on behalf of our clients. Through our richly experienced ISO 27001 consultants in India, we provide ISO 27001 Internal Audit services in India.

Our committed team of ISO 27001 Consultants in India will help conduct the Internal Audits on behalf of our clients and we will submit reports of the Internal Audit.

ISO 27001 Family of Standards

  • ISO/IEC 27000 – Vocabulary
  • ISO/IEC 27001 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements (this is the auditable ISO 27001 standard)
  • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls
  • ISO/IEC 27003 – Information technology – Security techniques – Information security management systems – Guidance
  • ISO/IEC 27004 – Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation
  • ISO/IEC 27005 – Information security, cybersecurity and privacy protection – Guidance on managing information security risks
  • ISO 31000:2018 – Risk management – Guidelines
  • ISO/IEC 27006 – Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27007 – Information technology – Security techniques – Guidelines for auditors on information security controls
  • ISO/IEC 27010 – Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011 – Information technology – Security techniques – Information security management guidelines for telecom organizations based on ISO/IEC 27002
  • ISO/IEC 27013 – Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

ISO 27001 domains (Domains as per the 2022 version of ISO 27001)

Annex A of the ISO 27001:2022 standard defines the complete list of ISO 27001 controls. These controls (93 in number) are grouped under 4 domains (also called groups or ISO 27001 security domains), which are as follows:

  • Organizational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

If you wish to get ISO 27001 implemented in your organization, contact our ISO 27001 Consultants in India at ic@inzinc.in
