ISO 27001:2022 is an internationally recognized information security management system (ISMS) standard. It gives a systematic approach to managing proprietary or sensitive business information, to ensure its confidentiality, integrity, and availability. Compliance with ISO 27001:2022 strengthens a company’s cyber security posture and demonstrates its commitment to protecting valuable data.
ISO 27001:2022 vs. SOC 2
Many times, clients ask us whether they should pursue ISO 27001:2022 or SOC 2 certification. The answer depends on many factors, including:
- Are your customers only in the United States, or also global? If global, ISO 27001:2022 is a globally accepted framework, whereas SOC 2 is specific to the United States.
- What are your customers asking for as an audit requirement? Sometimes contracts explicitly mandate a SOC 2 certification rather than ISO 27001. If this is the case, choose the one being asked for most, or convince your customer to accept ISO 27001:2022, as in the long run this is the better framework.
- Do you already have a security framework and practice in place (e.g. NIST CSF), or do you need to establish one? If you need to establish one, ISO 27001:2022 is the better framework, as it is actually built to develop an ISMS (Information Security Management System), whereas SOC 2 is based on COSO principles.
- What industry are you in? For some reason, industries like Manufacturing and Legal have chosen ISO 27001:2022 instead of other frameworks.
If you have decided on ISO 27001:2022 certification, read below for what you need to consider and how to go about getting certified.
Mandatory Requirements
The standard has two sections:
- Mandatory requirements (Clauses 4 to 10) – 28 controls in scope
- Annex A controls (or ISO 27002:2022 controls) – 93 controls in scope
The mandatory requirements also translate into the following items, which need to be in place:
- Risk Assessment Methodology and Risk Assessment. Note that the risk assessment shall be conducted according to the chosen methodology, but at a minimum ensure that the Annex A controls selected to reduce risk are mapped in the risk assessment
- Corrective Action Plan with due dates
- ISMS Steering Committee, or a similar body, meeting periodically with formal minutes of meetings and specific agenda items, to ensure compliance with Clause 10 on continual improvement
- Information Security Awareness and Training, and evidence of the competency of Information Security personnel
One recommendation on the mandatory requirements is to ensure that all clauses and requirements of the standard are documented and included as part of the governance documentation. Auditors look for these statements in the ISMS Manual and the information security policies.
Annex A Controls
The recommendation is to perform a gap analysis of the controls based on the chosen scope (e.g. systems in scope, locations, personnel). The standard provides specific implementation guidance to be followed.
Note that Annex A is separated into:
- Organizational Controls (e.g. governance-type controls)
- People Controls
- Physical Controls
- Technical Controls
A few Annex A controls overlap with the mandatory requirements, such as security awareness and training, information security policies, and risk assessment.
Note that among the technical controls, compared to the ISO 27001:2013 version, additional controls were brought into scope, such as:
- Ensuring Hardening Guidelines are documented, technically configured, and tested
- Ensuring File Integrity Monitoring is taking place
- Ensuring Data Masking of sensitive data is taking place (when in scope, such as PII, NPI, etc.)
- Ensuring there is a process and mechanisms for Cyber Threat Intelligence that are embedded in the organization’s security operational processes
- Ensuring Secure Code Development best practices are embedded, such as dynamic and static code analysis, when the SDLC is in scope
- Enhanced testing of Business Continuity
- Enhanced Third Party Risk Management controls and reviews
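To make the File Integrity Monitoring control above concrete, here is a minimal FIM check added for illustration; it is not code from the original post or from Elevate. It hashes every file under a directory into a baseline, re-hashes later, and reports what was added, removed or modified, which is the evidence an auditor would expect the control to produce. The directory tree and file contents in the demo are constructed in a temporary folder so the script runs offline.

```python
"""Minimal file-integrity-monitoring (FIM) check: hash a file tree into a
baseline, re-hash it later, and report added / removed / modified files.
Added illustration, not code from the original post or from Elevate.
The file names and contents used in the demo are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root.
    Paths are stored relative to root so the baseline is portable."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Stream in chunks so large files do not have to fit in memory.
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        baseline[path.relative_to(root).as_posix()] = digest.hexdigest()
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two baselines. Every list is sorted so the report is deterministic
    and can be stored as audit evidence or fed to an alerting pipeline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake /etc tree, introduce drift,
    and return the change report an FIM job would raise for review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("authorised use only\n")

        baseline = build_baseline(root)

        # Simulate drift: one config edited, one file removed, one file added.
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /opt/backup.sh\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to storage the monitored host cannot modify, and the comparison run on a schedule against the hardening guideline's list of files; the report above (one modified config, one removed file, one new cron entry) is exactly the kind of change that should be reconciled against an approved change record.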
Are You Ready to Take the Next Step?
There are many tools online to assist companies on the journey to getting certified. However, if you have limited time, we do recommend seeking advice on getting certified, to speed up the process and to get suggestions on best practices. Remember that ISO 27001:2022 is an actual tool to improve your ISMS and cyber security posture. A checklist approach has been seen to work with some auditors, but it is not a recommended approach. Let ISO 27001:2022 improve your Information Security Program.
Ready to take the next step? Schedule a consultation with Elevate to start your compliance journey today.