Introduction

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is an internationally recognized standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within an organization.

This standard adopts a risk-based approach to information security, enabling organizations to systematically identify, assess, and manage information security risks. It ensures that appropriate controls are implemented to safeguard sensitive information against threats such as unauthorized access, data breaches, cyberattacks, and system failures.

The ISMS framework integrates people, processes, and technology, ensuring that information security is not treated as a standalone technical function but as a comprehensive organizational responsibility. It encompasses policies, procedures, guidelines, and associated resources designed to protect information assets in all forms—digital, physical, and intellectual.

The 2022 revision introduces updated controls aligned with current cybersecurity challenges, including cloud security, threat intelligence, data masking, and secure development practices, making it highly relevant in today’s rapidly evolving digital landscape.

The Background

The implementation of ISO/IEC 27001 within the university aligns with national directives and institutional strategic priorities, as outlined below:

  • 24 November 2010
    The Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), under the Prime Minister’s Department, issued a directive titled “Pelaksanaan Pensijilan MS ISO/IEC 27001:2007 Dalam Sektor Awam”.
    This initiative required all government agencies to adopt and implement ISO/IEC 27001 certification to strengthen information security governance across the public sector. The directive marked the beginning of a structured, nationwide effort to enhance the protection of government information assets.

  • 2022
    Under the University Key Risk (UKR) No. 2: Comprehensive Information and Communication Technology Policy, ISMS certification was formally identified as a required deliverable.
    This reflects the university’s recognition of information security as a critical risk domain, particularly in safeguarding academic data, research outputs, administrative records, and digital services.

  • 7 February 2024
    The IIUM ISMS initiative was officially approved during the University Management Committee (UMC) Meeting No. 3/2024.
    This approval signified top management commitment towards institutionalizing a structured information security framework aligned with international standards.

  • 11 March 2025
    The scope of the IIUM ISMS implementation was endorsed during the ICT Committee Meeting No. 1/2025.
    This milestone established the boundaries and applicability of ISMS across selected kulliyyahs, divisions, and systems.

  • 23 May 2025
    The IIUM ISMS Kick-Off Meeting was successfully conducted, marking the formal commencement of the implementation phase.
    The session was chaired by Prof. Emeritus Datuk Dr. Osman Bakar (IIUM Rector), demonstrating strong leadership support and institutional commitment towards achieving ISO/IEC 27001:2022 certification.