Discover your FREE UAE's NESA and KSA's ECC Compliance Assessment with DiGRC at GITEX2024—let’s secure your future, starting today!

ISO/IEC 27001:2013, 2022

Securing Excellence: Navigating Information Security with ISO 27001 Certification.

ISO 27001:2013

ISO/IEC 27001:2013 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability.

Below are the key details and components of ISO 27001:2013:

Title: ISO/IEC 27001:2013 -Information technology -Security techniques -Information security management systems -Requirements.

Publication Date: October 2013

Objective: The primary objective of ISO 27001:2013 is to establish, implement, maintain, and continually improve an Information Security Management System within the context of an organization's overall business risks.

Structure: ISO 27001:2013 follows the Annex SL structure, a high-level structure shared by many ISO management system standards.

The standard is divided into several sections:

1- IntroductionProvides an overview of the standard and its purpose.

2- ScopeDefines the scope of the ISMS, specifying what information is covered and the boundaries of the management system.

3- Normative ReferencesLists other standards and documents referenced in ISO 27001:2013.

4- Terms and DefinitionsProvides a comprehensive list of terms and definitions relevant to the standard.

5- Context of the OrganizationRequires organizations to understand the internal and external context in which they operate, and to identify interested parties and their relevant requirements.

6- LeadershipEmphasizes leadership commitment, policy, and the role of top management in the ISMS.

7- PlanningAddresses risk assessment, risk treatment, and the development of the information security objectives and plans to achieve them.

8- SupportCovers resources, competence, awareness, communication, and documented information.

9- OperationDetails the implementation of the ISMS controls, including risk assessment, risk treatment, and the management of documents and records.

10- Performance EvaluationFocuses on monitoring, measurement, analysis, and evaluation of the ISMS, including internal audits and management reviews.

11- ImprovementDeals with nonconformity and corrective action, continual improvement, and the updating of the ISMS.

Key Concepts

1- Risk Assessment and TreatmentISO 27001 places a strong emphasis on identifying and managing information security risks through a systematic risk assessment and treatment process.

2- PDCA CycleThe standard follows the Plan-Do-Check-Act (PDCA) cycle for continual improvement, encouraging organizations to plan, implement, monitor, and continually improve their ISMS.

3- ControlsISO 27001 Annex A provides a set of 114 controls categorized into 14 sections, covering a broad range of information security areas.

4- CertificationOrganizations can undergo a certification process to demonstrate compliance with ISO 27001. Certification is typically conducted by accredited certification bodies.

ISO 27001-2022

ISO/IEC 27001:2022 is a standard for information security management systems (ISMS) that provides guidance for establishing, implementing, maintaining, and continually improving an information security management system. It specifies the requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The standard is applicable to organizations of any size and from all sectors of activity ISO/IEC 27001:2022 is the world’s best-known standard for information security management systems.

ISO/IEC 27001:2022 standard specifies 93 controls in 14 domains that organizations can use to improve their Information Security Management System (ISMS). The domains are categorized into four overarching groups: organizational, people, physical, and technological. Here is a non-exhaustive list of the type of controls they contain:

Organizational (37 controls):

Information policies, cloud service use, asset use, etc.

People (8 controls):

Remote work, confidentiality, non-disclosures, screening, etc.

Physical (14 controls):

Security monitoring, storage media, maintenance, facilities security, etc.

Technological (34 controls):

Authentication, encryption, data leak prevention, etc.

The standard is applicable to organizations of any size and from all sectors of activity

ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Comparison

The ISO/IEC 27001:2022 standard has undergone a few changes compared to the ISO/IEC 27001:2013 standard.

The main changes are:

The number of controls has decreased from 114 to 93.
The controls are now placed into 4 sections, instead of the previous 14.
There are 11 new controls, while none of the controls were deleted, and many controls were merged .

The main part of the standard remains with 11 clauses, and the changes in this part of the standard are small. The text of the mandatory clauses 4 through 10 has changed only slightly, mainly to align with ISO 9001, ISO 14001, and other ISO management standards, and with Annex SL

By using this website, you consent to the use of cookies in accordance with our Privacy Policy.