
Pension Insight: PenCom attains ISO 27001:2022 recertification for information security


The National Pension Commission (PenCom) has attained recertification under the internationally recognised ISO/IEC 27001:2022 standard for Information Security Management Systems (ISMS). The recertification follows an evaluation of PenCom’s ISMS by the Professional Evaluation and Certification Board (PECB), a certification body headquartered in Canada.

The ISO/IEC 27001:2022 standard, published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), sets out requirements for managing the security of information assets. It provides a framework for organisations to establish, implement, maintain and continually improve an information security management system, so that sensitive data is protected against an evolving threat landscape.

RIGOROUS EVALUATION AND CERTIFICATION PROCESS

PenCom’s recertification began with an audit of its ISMS by PECB. The audit examined PenCom’s information security policies, procedures and controls across the core areas of its operations. The evaluation covered the four control themes into which Annex A of the 2022 standard is organised: organisational, people, physical and technological controls, each essential to overall information security management.


The organisational controls assessed the governance structure and management processes that keep information security policies aligned with PenCom’s strategic objectives. The people controls scrutinised the human factor, checking that personnel are adequately trained, aware of security risks and compliant with security procedures. The physical controls addressed the protection of physical assets, including buildings and equipment, while the technological controls evaluated the security of IT systems and networks and their protection against cyber threats.

On completion of the evaluation, PenCom’s ISMS was found to conform to the ISO/IEC 27001:2022 standard. The certification affirms that PenCom has established mechanisms for identifying and managing information security risks and that it is committed to continual improvement in this area. As with any ISO 27001 certificate, the finding applies to the ISMS scope stated on the certificate and is subject to periodic surveillance audits.

TRANSITION FROM ISO 27001:2013 TO ISO 27001:2022

PenCom’s previous certification, under ISO/IEC 27001:2013 in 2021, reflected its dedication to safeguarding information assets. The move to ISO/IEC 27001:2022 was driven by the evolving nature of information security threats and the corresponding need for updated security measures. It was also a practical necessity: the 2022 edition replaces the 2013 edition, and certificates issued against the older version are being withdrawn at the end of the transition period set by the accreditation bodies.

The ISO/IEC 27001:2022 standard introduces several notable changes from its predecessor. Annex A was reorganised from 114 controls in 14 domains into 93 controls grouped under the four themes above, and 11 new controls were added, covering threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding. Together these changes place greater emphasis on cloud services, supply chain security and the increasing sophistication of cyber threats. PenCom’s upgrade to the new standard demonstrates a proactive approach to adopting current best practice in information security.

SIGNIFICANCE OF THE RECERTIFICATION FOR NIGERIA’S PENSION INDUSTRY

As the regulator of Nigeria’s pension industry, PenCom plays a critical role in overseeing the management and security of the nation’s pension data. The commission is responsible for maintaining the national databank on pension matters, a repository of sensitive information that includes data on contributors, retirees, pension funds, and other stakeholders.


Achieving ISO/IEC 27001:2022 recertification underscores PenCom’s commitment to high standards of data security. The certification assures stakeholders that PenCom operates an independently audited information security management system designed to protect the confidentiality, integrity and availability of pension-related data.

The implications of the certification extend beyond compliance. In an era where data breaches and cyberattacks are increasingly common, adherence to ISO/IEC 27001:2022 shows contributors, retirees and other stakeholders that PenCom has a structured process for identifying risks to their personal and financial information and has controls in place to mitigate those risks.

For contributors and retirees, the security of their personal and financial information is crucial. The certification provides independent assurance that PenCom has put safeguards in place to protect their data from unauthorised access, breaches and other security incidents. Certification attests that these safeguards exist and are maintained; it does not by itself prevent every incident, which is why the standard requires ongoing monitoring and continual improvement.

PENCOM’S ONGOING COMMITMENT TO INFORMATION SECURITY


Recertification is not the end of PenCom’s efforts in information security. The commission is committed to continuously improving its ISMS to address new and emerging threats, a commitment reflected in its ongoing investment in technology, staff training and process improvement. The recertification also strengthens PenCom’s capacity to guide licensed pension fund operators (LPFOs) towards adopting best practice in information security.

In conclusion, as cyber threats continue to evolve, PenCom’s commitment to information security will remain a cornerstone of its operations, ensuring that it continues to protect the interests of contributors, retirees, and all other stakeholders.


Based on information from the National Pension Commission (PenCom).
