The Advancement of ISO 27001 Standards and Qualifications
In an increasingly connected world, organisations and people are heavily reliant on technology and digital processes. Protecting all forms of information and bolstering security measures have become vital to organisations’ sustainability and security, and people’s livelihoods and privacy.
The increase in cyber crime has resulted in entities such as the ISO (International Organization for Standardization) developing standards to ensure the safeguarding of digital assets and business continuity. One such standard is ISO/IEC 27001. The specification defines how an ISMS (information security management system) must be structured and organised to reduce the risk of information security threats. Considered the most prominent, efficient, and implemented standard, ISO 27001 is intended for organisations of all sizes and in all sectors.
The Standard has never been static and continues to evolve, with the most recent version, ISO 27001:2022, published in October 2022. IBITGQ aims to align its qualifications to the Standard’s progression continually. This article covers the history of the Standard and explores IBITGQ’s ISO/IEC 27001 qualifications.
19 years of ISO/IEC 27001
The 1980s and 1990s saw an unprecedented rise in cyber crime, compounded by organisations and people’s security negligence. To address these growing challenges, the UK government requested the CCSC (Commercial Computer Security Centre) to develop assessment processes for verifying the security measures of IT products. The CCSC also began establishing a programme of specifications for information security, the result being two standards: BS 7799-1 and BS 7799-2.
By the late 1990s, the objectives of BS 7799-1 and BS 7799-2 had diverged. The former defined a series of controls (removed control objectives), and the latter established a formal standard for the development of an ISMS. By 2000, BS 7799-1 had been adopted by the ISO as the foundation for creating the ISO/IEC 17799 standard. The next few years saw further developments to this standard, with an official version published in 2005; it was later renamed ISO/IEC 27002 but remained a supporting standard for the implementation of information security controls. Also in 2005, the ISO formally adopted and published BS 7799-2 as ISO/IEC 27001:2005, the first internationally recognised standard for an ISMS.
ISO 27001 has seen two revisions since 2005: the first in September 2013 and the latest in October 2022. The first revision amended several sections, including the following:
- The clause structure increased from five to seven, and the Standard did not require the clauses to be implemented in order.
- The 2005 version followed a PDCA (Plan-Do-Check-Act) model, whereas the 2013 version was more agile in its approach and more open to improvement.
- In terms of governance changes, ISO 27001:2013 removed the board as a component of the management system, as in smaller organisations the board and senior management may overlap. The most notably amended area was risk assessment, with the following being the most important revisions:
- Assigning baseline controls based on contractual, business and regulatory requirements before the risk assessment.
- The risk assessment can be asset or scenario based.
- Risk treatment and the acceptance of residual risk are handled by the risk owner.
The key advantages of ISO/IEC 27001:2013 were its agility, the interconnectedness of its risk assessment and risk management approaches, and the room it left for continual improvement of an ISMS.
Nine years later, the Standard was updated again – ISO/IEC 27001:2022 – providing organisations with a transition period of three years to conform before the deadline of 31 October 2025.
The amendments forming the 2022 version are minor to moderate. At its core, the Standard focuses on the 11 clauses; the text of Clauses 4 to 10 has been amended slightly to align with other ISO management standards, namely ISO 9001 and ISO 1400. The selectable controls in Annex A have been reduced from 114 to 93 and categorised into 4 sections rather than the 14 of the 2013 version. This may seem substantial, but 35 of the controls have remained unchanged, 23 have been renamed and 57 have been merged into 22. Furthermore, 1 control has been separated into 2, but the requirements continue unaltered, and 11 new controls have been added to account for developments within the IT and security industries.
The key to the Standard’s continued relevance is its ability to adapt, with amendments allowing for improvement rather than restructuring. Similarly, certification bodies such as IBITGQ are required to develop, maintain and improve qualifications as the Standard progresses. ISO 27001 is only as good as the qualifications that certify competence in it, which IBITGQ has continued to provide for nearly 13 years.
The progression of IBITGQ ISO/IEC 27001 qualifications
IBITGQ has certified more than 13,000 professionals in the fields of IT governance, information security, cyber security, and privacy. With its dynamic processes, IBITGQ is renowned for establishing in-demand compliance and framework-specific qualifications, including the first-to-market ISO/IEC 27001:2013 ISMS qualifications, now titled ISO/IEC 27001:2022 ISMS.
IBITGQ offers the following ISO/IEC 27001:2022 ISMS qualifications:
- ISO/IEC 27001:2022 Certified ISMS Foundation
- ISO/IEC 27001:2022 Certified ISMS Lead Implementer
- ISO/IEC 27001:2022 Certified ISMS Lead Auditor
- ISO/IEC 27001:2022 Certified ISMS Internal Auditor
- ISO/IEC 27001:2022 Certified ISMS Transition
IBITGQ has been at the forefront of ISO/IEC 27001 ISMS qualifications development in the last decade. In 2011, in response to the Standard’s first revision, IBITGQ developed the first ISO/IEC 27001:2013 ISMS qualifications within the same year, nearly two years before the deadline. Similarly, for ISO 27001:2022, IBITGQ amended the syllabi of the qualifications to account for the development of the clauses and Annex A controls, again nearly two years before the deadline.
The qualifications are developed by SMEs (subject matter experts) in the fields of information security, risk, compliance, governance, resilience and business continuity. They certify professionals at levels ranging from knowledgeable to specialist, depending on their role within an organisation. They are aimed at developing practitioners in the data and information security environments and at providing opportunities for new practitioners to enter these disciplines.
Strong competition within the business environment has increased the demand for professional certifications such as ISO/IEC 27001:2022 ISMS. Ongoing compliance with the Standard demonstrates an organisation’s commitment to the highest security standards and procedures to ensure the protection of digital assets. In addition, as new regulations such as the GDPR (General Data Protection Regulation), the NIS Regulations and DORA (Digital Operational Resilience Act) have been established, ISO/IEC 27001:2022 ISMS is a pivotal starting point for complying with them.
The path to an IBITGQ ISO/IEC 27001:2022 ISMS qualification
To achieve an ISO/IEC 27001 ISMS qualification, candidates are required to pass an examination developed by IBITGQ on the key components of the Standard. Before taking an exam, training is recommended through an accredited training organisation, although this is not a prerequisite. Exams can be purchased in the form of a voucher from an accredited training organisation or IBITGQ’s official exam provider. Exam prerequisites are dependent on previous credentials: to take the Lead Auditor, Lead Implementer or Internal Auditor exam, the Foundation qualification is required.
The 2022 version of the Standard requires professionals holding one or more ISO/IEC 27001:2013 ISMS qualifications to transition to the latest version. This process has been simplified by the ISO/IEC 27001:2022 Transition exam, which allows a certified professional holding one or more ISO/IEC 27001 ISMS qualifications, namely Lead Auditor, Lead Implementer, and Internal Auditor, to transition to the latest version of the Standard by taking only one exam.
Alignment to ISO/IEC 27001 ISMS provides an opportunity for substantial learning and skills development for professionals, and gives organisations the people resources to integrate the Standard into their operations, providing a starting point for regulatory compliance and a demonstrable dedication to security and business continuity.