ISO 27001 Information Security Management System
ISO/IEC 27001 is an international standard that is easily recognized around the world. ISO/IEC 27001 standard provides requirements for establishing, implementing, maintaining and continually improving on Information Security Management System (ISMS).
The establishment of an organization’s ISMS is influenced by the following factors:
- organization’s needs
- objectives
- security requirements
- processes
- business complexity
- size
- structure
In the current digitalized word, it is important to include ISMS as an integrated part of the ongoing process. This is to enhance the information security and protect the organization business from cyber related threat.
The basis goal of ISO/IEC 27001 is to protect the:
- Confidentiality,
- Integrity
- Availability of information.
A certified ISO/IEC 27001 management system demonstrate the organization initiative to show his/her commitment to continuously address the risk in the ever changing threat landscape by implementing appropriate information security practices. ISO/IEC 27001 is an internationally recognized standard for information security management systems (ISMS) which includes the requirements for establishing, implementing, maintaining and continually improving an information security management system.
By being certified to ISO/IEC 27001, the organization has demonstrated their commitment to address cyber-related risks posed by constant threats in the ever-changing cyber landscape with the implementation of a robust and effective information security system and practices.
Benefits of ISO/IEC 27001 Certification
- Adopt a risk-based approach without over investing
- Comply with legal/regulatory requirement
- Competitive advantage with increase business opportunities due to increased trust
- Continuous improvement
Certification Process
What is the validity of the certification?
ISO/IEC 27001 Certification is valid for 3 years with yearly surveillance.
Transition to ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management system – Requirements.
The ISO/IEC 27001 standard was updated on 25th October 2022 and is set to be replaced by ISO/IEC 27001:2013 by 31st October 2025. Certified clients are given three years to transit to the new ISO/IEC 27001:2022 I.e. by 31st October 2025.
For organizations that wish to get certified to ISO/IEC 27001:2013 version, please take note that any failure to transit within the stipulated time will result in their current certification to expired or withdrawn at the end of the transitional period.
What are the changes and impact?
Refer to section 2.2 and 2.3 of IAF MD 26:2023 on the detailed requirements of transition. SETSCO Certification Body follows the transition arrangement as stated in IAF MD 26.
What are the actions needed by certified clients to prepare for the transition?
- 1. Review the new editions and make relevant changes to address the new/updated requirements of ISO/IEC 27001:2022 by attending the implementation training course
- 2. Update Statement of Applicability
- 3. If applicable, update risk treatment plan
- 4. Implementation and effectiveness of the new or changed information security chosen by the client
- 5. Conduct an internal audit and management review to the new edition
- 6. Submit revised documentation to SETSCO Certification Body
Transition audit with SETSCO Certification Body?
Client may choose from the following options:
Option 1: The transition audit may be conducted in conjunction with an existing audit
Option 2: The transition audit to be conducted as a special audit
Should option 1 be chosen, additional time may be added to the audit duration in order to cover the new requirement introduced under ISO/IEC 27001 edition.
In accordance with IAF MD 26:2023, section 4.2, the minimum man-day required for the transition audit is as follow:
- Minimum of 0.5 man-day for the transition audit when it is carried out in conjunction with a recertification audit
- Minimum of 1.0 man-day for the transition audit when it is carried out in conjunction with a surveillance audit or as a separate audit
*Note: The above man-day serves as a general guidance and will be subjected to changes based on client’s audit scope.
Upon completion of transition audit, what is my new certificate validity date?
- Transition through surveillance / unscheduled audit : Organization existing certificate validity date will be maintained
- Transition re-assessment: A new certificate validity date will be issued for the renewed 3 years period
For more information, please contact us at the following:
Mae Dela Cruz (6895 0650 / 9451 4718)
Cindy (9428 3210)
Elean Kwek (6895 0669)