ISO 27001 compliance: What you need to know in 2022

Nicky Whiting Headshot
Written by Nicky Whiting
Head of Compliance
07/03/2022

ISO 27001 (or ISO/IEC 27001) is the leading international standard on information security management. As part of a wider set of related ISO (International Organisation for Standardisation) standards - the ISO 27000 series – it provides a well-defined framework to help any business create, implement, and maintain an effective information security management system (ISMS).

The basic objective of ISO 27001, and any ISMS built to its specifications, is to protect the confidentiality, integrity and availability of an organisation’s information. This includes assets such as financial details, intellectual property, employee information and third-party data.


ISO 27001 2022 update

An update to ISO 27001 is due to be published in early 2022 and it is understood that the main change will be to Annex A to reflect the changes in ISO 27002 which was published in February. ISO 27002 is essentially a referential document that lists controls that an organisation can use within its information security management system, to help to mitigate identified risks to information assets.

Changes to ISO 27002 include:
  • A name change to remove the phrase “code of practice” from its title to better reflect its purpose as a reference set of information security controls
  • A reduction in the number of controls from 114 which were categorised by 14 information security domains, to 94 controls categorised by themes (organisational, people, technical, and physical controls.)
  • The addition of 12 new controls that are designed to address the changes in technology and threats since the last publication which cover:
    • Identity management
    • Threat intelligence
    • Information security for the use of cloud services
    • User endpoint devices
    • Configuration management
    • Information deletion
    • Data masking
    • Physical security monitoring
    • Data leakage prevention
    • Web filtering
    • Secure coding
    • ICT readiness for business
  • The removal of some controls by consolidating them into other controls including:
    • Password management system
    • Delivery and loading areas
    • Unattended user equipment
    • Policies for information security
    • Protection of log information
    • Removal of assets
    • Handling of assets
    • Restrictions on software installation
    • Electronic messaging
    • Securing application services on public networks
    • System acceptance testing
    • Technical compliance review
    • Protecting application services transactions
    • Ownership of assets
    • Reporting information security weaknesses
    • Mobile device policy

How does ISO 27001 work?

ISO 27001 is structured into a series of Clauses and an Annex, Annex A. The clauses 4-10 define the management system which covers off the following areas:

  • Clause 4: Context of the organisation
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance Evaluation
  • Clause 10: Improvement

Annex A, defines the controls that can be used to mitigate information security risks identified during the risk assessment process that is carried out and, as stated above, the controls are defined in detail in ISO 27002.

Working through clauses 4 – 10 and applying the necessary controls will help an organisation to:
  1. Identify the relevant stakeholders in the business and what their information security requirements are
  2. Define information security objectives that align with the business objectives and needs of the stakeholders
  3. Define roles and responsibilities
  4. Set the tone from the top
  5. Identify risks to information assets in the business and apply controls to mitigate risks
  6. Continuously measure the effectiveness of the controls implemented
  7. Continuously improve the ISMS and the security posture of the organisation

Prepare for changes to ISO 27001

For now, businesses that already have ISO 27001 do not need to do anything until the revised version of the standard is released, after which point organisations will, likely have 2 years to update their certification (the transition period has yet to be released). In the meantime, companies can start familiarising themselves with the new controls and establish a plan of action to address the changes.


The business benefits of ISO 27001 compliance

ISO 27001 compliance is optional, but it can greatly improve your business in several ways:

  • Protection against cybercrime

    While most news stories around cybercrime focus on large organisations, businesses of all sizes and industries are at risk, and the consequences can be devastating. The ISO 27001 compliance process forces business owners to look in detail at the way they manage and protect information assets, highlighting weaknesses before breaches occur. The standard also uses a continuous improvement lifecycle model which helps organisations constantly adapt their security according to the threats they are facing.

  • Stronger stakeholder relationships

    In achieving ISO 27001 certification, you are demonstrating to all stakeholders that you take information security seriously. This can enhance relationships with existing customers, employees, and investors, opening new business opportunities, ability to tender, and helping businesses to distinguish themselves from competitors.

  • Reputational resilience

    It only takes a single data breach or mishap to damage a company’s reputation. Compliance with ISO 27001 will help you reduce the risk of data breaches that may have a reputational impact, and helping you maintain a positive position within the market.

  • Simpler regulatory compliance

    By voluntarily implementing ISO 27001, you will be better positioned to meet regulatory requirements under data privacy and security laws such as EU/UK GDPR (General Data Protection Regulation), FCA (Financial Conduct Authority) and the NIS Regulations (Network and Information Systems Regulations), as many of the criteria overlap. It can also save time for businesses who are required to complete supplier due diligence questionnaires, considerably reducing administrative overheads.

  • Freedom to grow confidently

    By becoming compliant with ISO 27001, you’ll build an ISMS that can be scaled to support the growth of your business. You’ll have a framework in place that will help account for changing risks and responsibilities, meaning you never lose sight of the best information management practices.


Bulletproof can guide you to ISO 27001 certification

While ISO develops standards and determines compliance criteria, it can’t help businesses achieve certification – but Bulletproof can.

We make the path to ISO 27001 compliance fast, simple and cost-effective for businesses of all types and sizes. Our experienced consultants will take you through a refined four-step process to gain certification and start reaping the rewards.

  • Assessment: Where required, we will carry out a detailed GAP analysis to identify areas for improvement and determine your readiness for certification.
  • Planning: We’ll work closely with your organisation’s key stakeholders to build a watertight implementation plan, detailing requirements, responsibilities and milestones.
  • Implementation: Your ISO consultant will guide you through the implementation process with practical advice and documentation to ensure you’re ready for your ISO audit.
  • Audit support: As well as helping you to prepare for an audit with the appropriate certification bodies, we support you to make sure everything goes smoothly on the day.

Ready to begin your ISO 27001 journey?

Become ISO 27001 certified with our step-by-step plan for achieving compliance. Book a 1-hour free ISO consultation & benefit from real security improvements.

Learn more

Related resources

Our experts are the ones to trust when it comes to your cyber security

CREST approvedCREST approvedCREST approved
Payment card industry data security standardPayment card industry data security standardPayment card industry data security standard
ISO 27001 certifiedISO 27001 certifiedISO 27001 certified
ISO 9001 certifiedISO 9001 certifiedISO 9001 certified
Government G-Cloud supplierGovernment G-Cloud supplierGovernment G-Cloud supplier
Crown commercial service supplierCrown commercial service supplierCrown commercial service supplier
Cyber EssentialsCyber EssentialsCyber Essentials
Cyber Essentials PlusCyber Essentials PlusCyber Essentials Plus

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

For more information about how we collect, process and retain your personal data, please see our privacy policy.