What likely changes are expected with the updated ISO/IEC 27001 revisions?

The internationally acclaimed standard for information security management, ISO/IEC 27001, is currently being revised. ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organisations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

An initial draft international standard (DIS) was released to the national standards bodies in January and put out for public consultation, along with the accompanying ISO/IEC 27002, ‘Code of practice for information security management’, in order to keep the standard relevant to the issues and challenges which companies face today. The international committee responsible for ISO/IEC 27001 met in April to discuss the feedback received from national standards bodies, including BSI. Following a vote, both ISO/IEC 27001 and 27002 have passed their DIS ballots, and the final draft international standard (FDIS) has now been published. The final draft standard will now proceed to an FDIS ballot. The revised versions of ISO/IEC 27001 and 27002 should be published later this year, and Krypsys will keep you updated on progress.

What changes are likely with ISO/IEC 27001:2013?

The final draft standard has been written using the new high-level structure common to all new management system standards. This will allow easy integration when implementing more than one management system. Other changes include some controls being deleted or re-worded and other requirements being added. Specific controls have also been added around security in supplier relationships. The layout of ISO/IEC 27001:2013 is quite different: there are no duplicate requirements, and the text is less prescriptive, thereby giving organisations greater freedom to implement the requirements in the manner best suited to them. Perhaps the most significant change is that the chapter on ‘risk assessment and risk treatment’ has been removed.

With ISO/IEC 27002:2013 there are now only 114 controls, as opposed to the original 133, and they are listed under 14 headings rather than the original eleven. Many controls are unchanged from the 2005 version, although the guidance text has been updated. Some controls have been deleted as they are no longer considered commonplace in today’s interconnected world. Others have been merged together as they were really different ways of saying the same thing, and there are some new controls too. (Annex A of ISO/IEC FDIS 27001 reflects ISO/IEC FDIS 27002.)

What lies behind these changes and why are they necessary?

Speaking to ISO, Edward Humphreys, Convener of the working group responsible for the development and maintenance of ISO/IEC 27001, explained the thinking behind the changes and what differences organisations were likely to notice:

What will be the major benefits of ISO 27001:2013?

“We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005. The idea is to provide a more flexible, streamlined approach, which should lead to a more effective risk management.”

“We have also made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today’s risks, namely identity theft, risks related to mobile devices and other online vulnerabilities.”

“Additionally the new ISO/IEC 27001 has been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easy option.”

What are the benefits of modifying the new ISO/IEC 27001 to fit the new high-level structure for management system standards?

“Aligning ISO/IEC 27001 to the new structure will help organisations wanting to implement more than one management system at a time. The similarity in structure between the standards will save organisations money and time as they can adopt integrated policies and procedures. For example, an organisation might want to integrate their information security system (ISO/IEC 27001) with other management systems such as the business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).”

What will the revised ISO 27001:2013 mean for organisations?

“Organisations certified to the 2005 edition of the standard will need to upgrade their information security management system to comply with the requirements of the new edition. The transition period for upgrading has not yet been decided but typically this is two-three years from when the new edition is published. In addition, accredited certifying bodies should also use the transition period to update their activities to fit the requirements of the new edition. At the end of this transition period, the only valid certificates will be those that state conformity to the new requirements of ISO/IEC 27001:2013.”

“Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps as it means the effort required can be part of a staged work programme and integrated into continual improvement activities and planned surveillance audits.”

Krypsys has helped companies of all types towards ISO 27001 certification. Through numerous ISO 27001 projects, our analysts have developed a clear and cost-effective methodology to deliver real, efficient and effective results. We believe it is important to get to know your business, understand the objectives you want to achieve with ISO 27001, and ensure that you move smoothly from scope definition through risk analysis to the implementation of the Information Security Management System. Krypsys’ experts identify the risks your business faces and work with you to help you achieve compliance. Our analysts are currently working with clients to ensure that they have the people and processes in place to maintain compliance, reduce the cost of re-certification, and stay one step ahead of the game in implementing the 2013 ISO/IEC 27001 standard based on the FDIS version.

If your business needs help with security compliance, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].