Qualifying Business Entities for ISO 27001 Certification services


ISO/IEC 27001:2022, the Information Security Management System standard, specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

Baker Tilly Kuwait provides ISO 27001 consulting services in Kuwait to help business entities qualify for ISO 27001:2022 certification.

Why do business entities need to be qualified for ISO/IEC 27001:2022 certification?

This International Standard, issued by the International Organization for Standardization (ISO), is intended to establish an organizational framework that preserves the confidentiality, integrity and availability of information by applying a risk management process, and it gives interested parties assurance that the certified organization operates an effective information security management system.

What is the ISO/IEC 27001:2022 Certification Body?

There are several ISO/IEC 27001:2022 certification bodies. These bodies audit and verify the existence and conformity of an information security management system against the requirements set forth in ISO/IEC 27001:2022.

Baker Tilly Kuwait assists the business entity by providing ISO 27001 consulting services to identify the applicable ISO 27001:2022 certification requirements and implement them. If the system proves to be compliant, the accredited ISO 27001 certification body awards the certification to the business entity.

In the third year after certification, the business entity needs to repeat the whole certification process.

Audit Cycle

  • Stage 1 Audit: During the first stage, the auditor(s) review the company’s ISMS from a design perspective.
  • Stage 2 Audit (Certification Audit): The focus of this stage is on the operating effectiveness of the controls and how they have been implemented. The auditors are then able to indicate whether the business entity will be ISO 27001 certified, but the final decision is taken by the certification body.
  • Surveillance Audit: During the following two years, an auditor from the certification body conducts a surveillance audit to confirm whether the business entity still operates adequate controls as designed.

It is worth mentioning that the International Organization for Standardization prohibits a certification body from performing an advisory role for its clients.

Has any regulator instructed entities to obtain ISO/IEC 27001 certification?

Pursuant to the Central Bank of Kuwait Circular to all Banks dated 11 July 2019 on obtaining ISO 27001 certification in Kuwait for the Information Security Management System, all banks are required to obtain ISO 27001 certification in Kuwait from an accredited ISO 27001 certification body not later than 31 December 2020, as well as to ensure the renewal and continuing validity of the certification.

Baker Tilly Kuwait has IRCA-certified ISO 27001 Lead Auditors who deliver ISO 27001 consulting services in Kuwait to help business entities qualify for ISO 27001 certification.

What is the role of Baker Tilly Kuwait in providing ISO 27001 consulting services to help business entities qualify for ISO 27001 certification?

Baker Tilly Kuwait performs an advisory role, helping business entities implement the detailed aspects of ISO/IEC 27001:2022 in the operating policies and procedures of their IT functions in connection with information security. This advisory role covers the following activities within the ISO 27001 consulting service:

  • Gap analysis.
  • Developing information security management system manuals.
  • Training.
  • Supervising the implementation process.
  • Internal audits.
  • Technical support during the certification process.

If the business entity does not have competent and objective auditors among its own staff, a contracted service provider can conduct these audits. These are referred to as “second party audits”, and the service provider acts as an “internal resource”. Baker Tilly Kuwait can therefore act as the internal auditor on behalf of the business entity as part of its ISO 27001 consulting service.

It is worth mentioning that Baker Tilly does not award ISO/IEC 27001:2022 certification.

What’s new in the ISO 27001:2022 version?

  • Mandatory Clauses 4 to 10 have several minor updates.
  • Annex A: the number of controls has decreased from 114 to 93.
  • Annex A: 11 new controls were added.
  • The 93 controls are now divided into four sections instead of 14.

The “Transition Period” gives you enough time to adapt fully to the new requirements. Whether you have been certified for some time or are just getting certified, the optimum time to make the transition is before your next internal audit. Baker Tilly provides ISO 27001 consulting services through IRCA-accredited Lead Auditors to help you migrate to, or implement, the latest version, ISO 27001:2022.

What is the added value to business entities from ISO/IEC 27001:2022 Certification?

  1. ISO 27001 compliance demonstrates good security practices, which protects a business entity’s reputation and enhances the confidence of interested parties.
  2. A business entity with ISO 27001 certification can pursue new business opportunities with the assurance that its security claims are backed up, while minimizing risks and protecting the interests of the business entity, its shareholders and other stakeholders.
  3. It helps business entities comply with regulatory and legal requirements.
  4. It demonstrates to potential clients that the business entity takes security seriously and helps it stand out from the competition.

What are the services offered by Baker Tilly Kuwait?

Baker Tilly Kuwait provides ISO 27001 consulting services in Kuwait to help business entities qualify for ISO/IEC 27001:2022 certification.