Information and cyber security management

Information security management system (ISMS) update services according to the ISO/IEC 27001:2022 standard

Service

ISO 27001 is an international standard that enables an organization to implement an information security management system (ISMS) which protects the confidentiality, integrity and availability of information through a risk management process and assures stakeholders that risks are properly managed.

The updated international standard ISO/IEC 27001:2022 “Information security, cybersecurity and privacy protection – Information security management systems – Requirements” (hereinafter – ISO/IEC 27001:2022) has been published.

The International Accreditation Forum has established general conditions:

  • From , initial and re-certification audits should be conducted only in accordance with ISO/IEC 27001:2022
  • Existing certificates according to the standard ISO/IEC 27001:2017 will be withdrawn from 
  • All certification decisions regarding the transition of existing ISO/IEC 27001:2017 certifications should be completed by , otherwise a new certification has to be initiated

Organizations seeking to transition to the requirements of the ISO/IEC 27001:2022 standard and prepare for certification should evaluate their existing ISMS and update it according to the requirements of the ISO/IEC 27001:2022 standard.

Organizations can update their existing information security management system to the ISO/IEC 27001:2022 standard themselves, or they can use our service – updating the Information Security Management System (ISMS) according to the ISO 27001:2022 standard.

Progress

  • We perform an ISO/IEC 27001:2022 GAP analysis
  • We create an ISMS update plan and a list of ISMS policies and procedures to be updated
  • We update the statement of applicability, the information security policy, and the policies and procedures implementing the information security policy in accordance with the requirements of the ISO/IEC 27001:2022 standard
  • We perform an additional information security risk assessment, during which we perform an ICT business impact analysis (BIA) to determine and sign off the RPO (Recovery Point Objective) and RTO (Recovery Time Objective) with the owners of information resources. We update the plan of risk management measures as needed
  • We update the ISMS monitoring, measurement and control plan
  • We introduce the organization’s employees to the ISMS changes
  • We perform other activities as needed (ISMS internal audit, management review analysis, etc.)
  • As needed, we help to prepare for, and provide assistance during, recertification and/or maintenance audits

The result

  • ISO 27001 GAP analysis report, ISMS update plan and list of ISMS policies and procedures to be updated
  • Updated statement of applicability, information security policy, and policies and procedures governing its implementation in accordance with the requirements of the ISO/IEC 27001:2022 standard
  • ICT business impact analysis carried out, with RTO and RPO indicators determined
  • Updated ISMS monitoring, measurement and control plan
  • Employees of the organization introduced to the ISMS changes

Benefit

  • The ISMS is adequately updated for the transition to the requirements of the ISO/IEC 27001:2022 standard and for recertification and maintenance audits
  • Employees are introduced to the ISMS changes
  • Compliance with legal requirements is ensured

A lack of sufficient organizational and technical data protection controls may be considered a violation of GDPR provisions, in which case administrative fines may be imposed of up to 2-4% of the previous financial year’s total annual global turnover, or up to 10,000,000-20,000,000 euros.

Contact person

Ernestas Lipnickas
Mobile: +370 (605) 44 444
Email: ernestas.lipnickas@adwisery.eu