On 25 October 2022 the new ISO/IEC 27001:2022 came into force, bringing several amendments for affected companies. Christoph Zallmann knows everything there is to know about this standard transition. Our Head of ISMS has been working at TÜV TRUST IT since 2019 and consults our customers on all matters related to information security management systems. Today he talks to us about the challenges of the current ISO transition.
Mr Zallmann, you are head of the ISMS department at TÜV TRUST IT. How can one imagine your scope of work?
I always work closely with our clients, whether in setting up or optimising an information security management system or in risk analysis. My focus is on advising clients on all the steps involved in a company’s individual project. You could say that I am the intermediary between the sometimes quite dry standard and the practical content. And that is of course especially important now, in the interim period of the ISO transition.
Which developments made a revision of ISO 27001 necessary?
We live in fast-moving times. A lot of content is not yet integrated into a rather static standard, and yet it is part of our daily routine. Cloud security and mobile working play a major role here. This includes not only working in the home office, for which the Corona pandemic certainly acted as a catalyst, but also working in the public sector with mobile devices. This needs to be a particular focus these days. However, when the last ISO 27001:2013 was introduced, cloud security did not yet play a role, which is why it has not been mentioned so far. In chapters 4-10 of the main part of the standard, where the mandatory requirements for an ISMS are described, there were relatively few changes, but even small sentences can have a significant impact here. For example, according to chapter 4.4, required processes must now also be explicitly mentioned.
And how exactly does ISO 27002 relate to this?
This is explained by the fact that ISO 27001 does not contain any information on the concrete implementation of the described requirements. Only the requirements are defined here. To implement these requirements, ISO 27002 was drafted, which is practically an implementation recommendation supplementary to ISO 27001, more precisely to the controls listed in Annex A. It describes how the implementation could proceed and how the requirements should be interpreted. This informative standard can help anyone prepare for a certification audit.
So, which measures must companies introduce in order to comply with the new requirements?
In principle, companies have two options now: They can either implement the new contents of ISO 27001:2022 into their existing structures or plan a complete reorganisation according to the new standard. Which way is the right one is up to the respective company itself. As mentioned, companies can work on these adjustments themselves with the help of the standard and the associated implementation recommendations, but it should always be kept in mind that additional requirements, such as the integration of processes, will also become relevant with the transition. This means a significant additional effort in terms of maintenance. In addition, documents have to be rewritten. The additional controls may seem uncomplicated, but they generate a large number of tasks that take up a lot of resources in the company.
And how can TÜV TRUST IT support its customers in this respect?
We support our customers in the transition on several levels. First, of course, with our expertise. We consult a large number of customers on this topic and have years of experience in setting up and developing an ISMS and also with audit preparation. Many of those responsible in the company would first have to build up this expertise and work out each control individually. We practically offer a shortcut for this. In addition, the construct of our established ISMS framework facilitates the work of our customers, both in the new set-up and in the transition. The modular building blocks of this framework can be integrated into a new or an existing ISMS. And last but not least, we also support with know-how transfer and offer various training courses and events in the area of ISMS, whether it is training to become an ISMS auditor or manager, the exchange of experience among our existing customers, or the popular ISMS working group that we have set up especially for energy suppliers. As you can see, we are happy to support companies in preparing themselves, but we also offer our expertise as an external service provider and are happy to answer any questions you may have.
Thank you very much for the interview, Mr Zallmann!