Upgrade your ISMS to this year’s shiny new model

The third edition of ISO/IEC 27002 was published in February 2022, and its revised control set now forms Annex A of ISO/IEC 27001:2022, which was published on 25 October 2022.

Optimise your ISMS

There is a new edition of the ISMS standard, ISO/IEC 27001:2022/Amd 1:2024. If you already have an ISMS, you are encouraged to start planning your transition now; if you do not, build your ISMS on the new edition from the outset. Here is how to optimise your ISMS.


David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

One of the most challenging and perplexing aspects of ISO/IEC 27001 is still risk assessment and the Statement of Applicability (SOA), but both can be mastered, as can measuring performance and showcasing and exploiting your ISMS.

Critical success factors for operating an ISMS

ISO/IEC 27001 specifies what you must do to achieve conformance, not how to do it. It is like being given the ingredients and told to make a cake, but not being given the recipe. Whilst there are many good recipes, some are much better than others. For success:

  • The standard should be moulded to your organisation, not the other way round. Much of what you need will, likely as not, already be in place; it just might not conform to ISO/IEC 27001. How far off you are can be determined by a gap analysis, and that is an analysis between what you are doing and the requirements of Clauses 4–10 of the standard, not the Annex A controls, as those are not requirements. (Clause 6.1.3 c) does require you to compare the controls you have determined against Annex A to verify that none have been overlooked, but it does not oblige you to implement any particular Annex A control.)
  • Treat your ISMS as a journey, not a destination. Clause 10 explains what to do about nonconformities and improvements. Record all your ISMS-related actions on a to-do list; assign target completion dates and responsibilities, and monitor regularly. Don’t forget to reassess your information security risks at planned intervals and when significant changes are proposed or occur (Clause 8.2), and update your risk treatment plans accordingly: the information security threat landscape changes frequently 😮
  • Look forward to your certification audits — they are opportunities to showcase your ISMS — show it off with pride.
  • Lead from the top. When top management leads by example, it increases awareness, builds information security into the culture of the organization and makes it much easier for everyone else to implement.
  • Treat information security as a management issue. This is why top management plays a leading role. It is to direct and control the organisation in all of its respects, one of which is information security.
  • Read and understand each and every requirement. Use the definition of terms given in ISO/IEC 27000 and where necessary, ISO 31000, the ISO identical core text and the Oxford English Dictionary or Oxford Dictionaries Online. The requirements of ISO/IEC 27001 are in Clauses 4–10. Notes are not requirements. The controls in Annex A are not requirements.
  • Documented information is not required for everything. ISO/IEC 27001 is very clear on what is required:

    Documented information | ISO/IEC 27001 clause
    Scope of the ISMS | 4.3
    Information security policy | 5.2 e)
    Information security risk assessment process | 6.1.2
    Information security risk treatment process | 6.1.3
    Statement of Applicability | 6.1.3 d)
    Information security objectives | 6.2
    Evidence of competence | 7.2
    ‘documented information determined by the organization as being necessary for the effectiveness of the information security management system’ | 7.5.1
    ‘...to have confidence that operational processes have been carried out as planned.’ | 8.1
    ‘...results of the information security risk assessments.’ | 8.2
    ‘...results of the information security risk treatment.’ | 8.3
    ‘...evidence of the monitoring and measurement results.’ | 9.1
    ‘...evidence of the audit programme(s).’ | 9.2
    ‘...evidence of the audit results.’ | 9.2
    ‘...evidence of the results of management reviews.’ | 9.3
    ‘the nature of the nonconformities and any subsequent actions taken...’ | 10.2
    ‘the results of any corrective action.’ | 10.2

    (Nonconformity and corrective action is Clause 10.2 in the 2022 edition; it was 10.1 in the 2013 edition, where the two subclauses of Clause 10 were in the opposite order.) You are permitted to supplement these requirements if you determine that further documented information is necessary for the effectiveness of your ISMS. Write down what you do, not what you think would please an auditor. Many nonconformities are caused by documenting your aspirations rather than what you actually do.

Want to know more?


We also have some technology that can help you to create an ISMS with all the aforementioned desirable properties. Just because you already have an ISMS does not mean that you cannot take advantage of IMS-Smart On-Line. Think of it as upgrading to a brand new car, and take advantage of the ISO/IEC 27001 transition period to do it (certificates to ISO/IEC 27001:2013 cease to be valid on 31 October 2025, three years after publication of the 2022 edition).


If you have any questions about ISO/IEC 27001:2022/Amd 1:2024 or IMS-Smart On-Line, just ask, or use the find facility above. We will be pleased to assist.