On February 15, 2022, the International Organization for Standardization (ISO) published revised versions of the information security best practice standards ISO/IEC 27001 and 27002 (part of the ISO 27000 series). ISO standards go through a systematic review cycle every five to seven years; the review of ISO 27001 and ISO 27002 began in March 2018.

In January 2021, the Draft International Standard (DIS) for both standards was published. The comment period for the proposed revisions ended in April 2021, and the new standards are now fully in force.

The ISO 27000 series is an internationally recognized standard that establishes guidelines for managing risks related to the security of information and data maintained by businesses and organizations. The first in the series is ISO 27001, which specifies the criteria for establishing an Information Security Management System (ISMS). ISO 27002 specifies information security rules and implementation standards for cyber security and privacy protection.

Information security standardization in Afrika

The best way to standardize the information security profession is a point of contention among security experts. Vendor-specific certifications such as Cisco Certified Network Professional (CCNP) and Microsoft Security Administration (MS-500) are one option; certifications from private-sector organizations, such as the Certified Information Systems Security Professional (CISSP) and those of the Computing Technology Industry Association (CompTIA), are another.

Though both kinds of certification provide a wealth of information security knowledge and defensive techniques, neither provides a definitive, sector-recognized qualification standard (local or international) that ensures minimum quality controls.

There are 37 Afrikan member countries that have joined the standardization body. The updated ISO 27000 certification is one of the most successful attempts to harmonize the information security profession.

What does this mean for organizations certified on the 2013 version?

If your company is now certified to ISO 27001:2013, you will need to upgrade your certification in 2022 to comply with the new standard.

Furthermore, certified organizations will have a two-year transition period to upgrade their certification to the new version. The good news is that organizations previously certified on the 2013 version should be able to implement the necessary changes without too much difficulty, as the foundations have already been laid.

— By Bataung Qhotsokoane