QSCert Saudi - ISO 9001, ISO 14001, iSO 20000-1, ISO 22000, ISO 22301, ISO/IEC 27001, ISO 45001,ISO 50001, CSA STAR Certification


ISO/IEC 27001

With increasing information technologies in organisations difficult information systems are established. There is tendency of organisations to safe important information, information of partnership organisations and customers information.


Information Security Management System (ISMS) provides overall model modifying risk assessment, plan and information security establishment, information security management and information security reassessment.


Proposal and implementation of ISMS in an organisation is conditioned by needs and objectives of organisation activities and resulting requirements for security, used processes, size and structure of an organisation. ISMS ensures appropriate security inspections, adequate information resources security and it provides appropriate safety to customers and to other interested parties.


ISO/IEC 27001 Information Security Management Systems (ISMS) – Specification guideline for implementation – is the standard which specifies the requirements for implementation, establishment, operation, monitoring, research, maintenance and improvement of documented ISMS. It specifies requirements for establishment of safety inspections, adapted according to needs of an organisation.


The organisation declares the assurance of information security management system requirements by certification according to ISO/IEC 27001. A certified organisation is qualified to use a certification mark for certified scopes. Rules for usage of the QSCERT certification mark


27001                           Certification mark ISO/IEC 27001

 EXAMPLE: Certificate ISO/IEC 27001                  Certification mark ISO/IEC 27001



If you are interested in certification please click here.


Revision of standard ISO/IEC 27001:2022 management system of information security


In October 2022 was new version of standard ISO/IEC 27001:2022 issued, which replaces standard ISO/IEC 27001:2013. 3-years transition period that ends 31.10.2025 was set up.  


Main changes in new version of standard:

Annex A references to the controls in ISO/IEC 27002:2022, which includes the information of control title and control. Compared with the old edition, the number of controls in ISO/IEC 27002:2022 decreases from 114 controls in 14 clauses to 93 controls in 4 clauses. For the controls in ISO/IEC 27002:2022, 11 controls are new, 24 controls are merged from the existing controls, and 58 controls are updated. Moreover, the control structure is revised, which introduces “attribute” and “purpose” for each control and no longer uses “objective” for a group of controls.


Therefore certified organisations should do necessary following steps:

  • Ensure ISO/IEC 27001:2022 and ISO/IEC 27002:2022 standards in electronic/paper versions
  • Rework internal documentation (especially Statement of applicability) and implement into management system new and updated controls from ISO/IEC 27002: 2022
  • Ensure training of management, relevant workers and internal auditors on changed requirement
  • Verify the implementation of management system of information security in terms of new controls in Statement of applicability by internal audit

How QSCert can help?

For those, who are interested in more details, we recommend to attend our QSCert training.

ISO/IEC 27001:2013 transition

Make sure you have all the details you need to transition to ISO/IEC 27001:2013 

What are the main changes?

  • The revised standard has been written using the new high level structure, which is common to all new management systems standards. This will make integration straightforward when implementing more than one management system
  • Terminology changes have been made and some definitions have been removed or relocated
  • Risk assessment requirements have been aligned with BS ISO 31000
  • Management commitment requirements have a focus on “leadership”
  • Preventive action has been replaced with “actions to address, risks and opportunities”
  • SOA  requirements are similar, with more clarity on the need to determine controls by the risk treatment process
  • Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships.
  • Greater emphasis is on setting objectives, monitoring performance and metrics

For more information contact us