
ISO 27001:2022

Let's help you achieve ISO 27001 Certification

Need help with ISO 27001:2022?

We champion ISO 27001 certification

What is ISO 27001?

ISO 27001:2022 is the standard for an Information Security Management System (ISMS). Implementing it involves establishing the policies and procedures that ensure compliance with security regulations and protect sensitive information. Achieving ISO 27001 certification demonstrates an organization's commitment to safeguarding data, mitigating risks, and maintaining a robust information security framework.

ISO 27001 was developed to address the need for robust information security management. It originated from the British Standard BS 7799, published in 1995. ISO adopted it in 2005 as ISO 27001, with a major revision in 2013 to align with evolving security needs. The latest version, released in 2022, further strengthens the controls to tackle modern cybersecurity challenges.

ISO 27001 Certification Requirements

To become ISO 27001:2022 certified, your organization must meet the requirements outlined in clauses 4 to 10 of the ISO 27001 standard.

The organization is required to:

  • Identify external and internal issues that may affect its information security. Internal issues are within the organization's control and include organizational culture and policies, while external issues include technological advancements and laws.
  • Determine, monitor and review the requirements of interested parties relevant to the Information Security Management System (ISMS). Interested parties include regulators, competitors, shareholders, clients and employees.
  • Prepare the scope of the information security management system. The scope outlines the activities or functions that are covered by the ISMS, and it must be available as documented information.
  • Senior management must demonstrate leadership and commitment with respect to the ISMS.
  • Top management must establish, implement and maintain an information security policy and objectives. An information security policy states the organization's position on information security.
  • Top management shall ensure that the responsibilities and authorities for relevant information security roles are assigned, communicated and understood within the organization.

  • Determine the risks and opportunities that may affect the ISMS and plan actions to address them.
  • Define an information security risk assessment process and use it to select appropriate information security risk treatment options. The risk treatment options are mitigate, transfer, accept and avoid.
  • Determine the controls necessary to implement the chosen treatment options. The controls can be designed by the organization or selected from Annex A of ISO 27001:2022.
  • Document the information security objectives. These objectives should be specific, measurable, realistic and time-bound (SMART).
  • Provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.
  • Determine the necessary competences of persons working under the ISMS, on the basis of education, training and experience.
  • Make people aware of the information security policy, the objectives and how they can contribute to the effectiveness of the ISMS.
  • Determine the communications relevant to the Information Security Management System.
  • Maintain the documented information required by the standard and by the organization's own Information Security Management System.

The organization should:

  • Plan and implement the actions needed to fulfil its risk treatment plan.
  • Perform information security risk assessments at planned intervals.
  • Implement the information security risk treatment plan.
  • Determine what is to be monitored and measured.
  • Plan, establish, implement and maintain an internal audit programme, and conduct internal audits at planned intervals.
  • Have top management review the ISMS at planned intervals. This is done during management review meetings.
  • Control nonconformities and implement any corrective actions. A nonconformity is a non-fulfilment of a requirement.
  • Implement corrective actions so that a nonconformity does not recur.
  • Annex A of ISO 27001:2022 contains 93 controls that organizations can choose from to mitigate the risks identified under clause 6 (Planning).
  • These controls are structured into 4 groups: Organizational, People, Physical and Technological.
  • Organizational controls – Numbered from 5.1 to 5.37. They set out top-level controls and policies for maintaining information security. An example is Control 5.2, Information security roles and responsibilities, which requires that responsibilities for information security be allocated to persons in the organization.
  • People controls – Numbered from 6.1 to 6.8. These controls govern the people who take part in the information security management system. An example is Control 6.3, Information security awareness, training and education.
  • Physical controls – Numbered from 7.1 to 7.14. They focus on the physical security of information assets. An example is Control 7.2, Physical entry, which outlines a procedure for controlling physical entry to facilities and offices.
  • Technological controls – These 34 controls focus on using technology to protect information assets. An example is Control 8.7, Malware protection, which outlines measures for preventing, detecting and eliminating malware.

Who needs ISO 27001 certification?

Implementing ISO 27001 is valuable for organizations of all sizes and industries that prioritize the confidentiality, integrity and availability of their information assets; it provides comprehensive protection and instils trust among stakeholders.

Benefits of ISO 27001


Got ISO certification questions? We've got answers! Your FAQ guide.

Frequently asked Questions (FAQ)

What are ISO standards?

ISO standards are internationally recognized guidelines and specifications developed by the International Organization for Standardization (ISO). ISO is an independent, non-governmental international organization composed of the national standards bodies of its member countries. ISO standards cover many fields and industries and are designed to provide best practice, consistency and harmonization in processes, products and services worldwide.

Why is ISO certification in Kenya important?

  1. Enhancing quality
  2. Facilitating international trade
  3. Ensuring safety and reliability
  4. Improving efficiency and productivity
  5. Mitigating risks
  6. Enhancing sustainability
  7. Building trust and credibility

How can my organization benefit from getting ISO certified?

  1. Enhanced quality and customer satisfaction
  2. Increased market access and business opportunities
  3. Risk mitigation and compliance
  4. Continuous improvement culture
  5. International recognition and reputation
  6. Improved efficiency and productivity
  7. Employee engagement and satisfaction

How long does it take to get ISO certified?

The time it takes to get ISO certified varies depending on several factors, including the size and complexity of your organization, the specific ISO standard(s) being implemented, the maturity of your existing processes and documentation, the resources available, and your organization's commitment and readiness to undergo the implementation and certification process.

How much does ISO certification in Kenya cost?

The cost of ISO certification varies significantly depending on several factors, including the size and complexity of your organization, the specific ISO standard(s) being implemented, the maturity of your existing processes and documentation, the resources available, and the approach taken to implementation and certification.
