We spoke with Sue Parkinson, Compliance Manager, and Thomas Moss, IT Manager, to understand the motivations, strategic goals, and meticulous preparations that propelled PSL towards achieving this milestone.
What prompted your organisation to transition to the ISO 27001:2022 standard so soon?
“As a market leader in the print management field, it was important for PSL to become one of the first organisations within the UK to upgrade to the new ISO 27001:2022 standard. This shows new and existing clients that PSL are using the most up-to-date system for their information security, cybersecurity and privacy protection programme, giving them the assurances they need,” says Thomas.
Sue adds, “We both agreed it would be beneficial to undertake the transition sooner, given all the work we had already undertaken that could be applied to the new controls as part of the new Annex A. This was agreed with our M.D. as part of our Information Security Forum.”
Can you provide an overview of the key business drivers and strategic goals that influenced this decision?
Both Sue and Thomas felt that it was important to transition to the new standard in order to maximise cybersecurity protection across the organisation, and to centrally manage risk. Sue tells us, “PSL supplies organisations across many industry sectors, including Automotive, Finance, Construction, Retail and Leisure. Public bodies include the NHS, Police Forces, Housing and Local Authorities. Therefore, it is imperative that security of our infrastructure is of the highest level. As part of our contracts, we can demonstrate this by the five ISO certifications that we hold, including ISO 27001:2022.”
How did your organisation prepare for the ISO 27001:2022 audit process?
To prepare for the audit, Sue and Thomas both undertook the Alcumus Academy ISO 27001:2022 Transition course and the ISO 31000 Risk Management Foundation course, so that they could facilitate the changes in-house rather than engage an external ISO consultant on this occasion.
“We prepared for the ISO 27001:2022 audit process firstly by taking the Alcumus ISO 27001:2022 transition training course. This gave PSL expert insight into what the changes were, and how to go about implementing them. From there, we reviewed what we had prior with the ISO 27001:2013 standard, and then, using the Statement of Applicability and ISO 27002:2022 as a gap analysis tool, we quickly identified areas that needed additional measures in place,” Thomas says.
Sue explains, “A significant amount of research was undertaken, including with our interested parties, attending security events online and in person, for example LANPAC. Lancashire Partnership Against Crime (LANPAC) is a unique collaboration between Lancashire Constabulary, Lancashire businesses and public services working together to reduce levels of crime and disorder across the county. The skills of both Tom and me enabled us to complete the transition in-house and build on further improvements. This was also extremely motivating, once the transition audit was passed, as part of our own continued professional development.”
What advice would you give to organisations transitioning to the new standard?
Transitioning to the new standard is an important move for organisations aiming to enhance their information security framework and ensure compliance with clear control objectives.
Sue tells us, “I would recommend working towards the transition as soon as possible, so Annex A under the new standard gives you a much clearer framework of controls and control objectives. This also gives the organisation an opportunity to demonstrate continual improvements to meet/exceed the standard where feasible.”
Thomas adds, “Using ISO 27002:2022 gives you a lot more information regarding the individual requirements of the Statement of Applicability and can quickly help identify whether the requirement is being met or not.”
If you want to find out more about the changes to ISO 27001, you can read this blog. Download our ISO 27001 Gap Analysis to determine if you’re ready for your UKAS accredited ISO 27001 certification audit.