New ISO/IEC 27001:2013 for the Implementation of Information Security Management Systems
The International Organisation for Standardisation (ISO) aims to keep its specifications relevant to current practice. As part of its commitment to the ongoing improvement of its international standards, it has revised ISO/IEC 27001, the standard for information security management systems (ISMS), jointly with the International Electrotechnical Commission (IEC). The revised edition was published in 2013. The revision has been widely accepted, as the more than 16 800 certification registrations worldwide show. With this revision, ISO has brought the layout and structure of the standard in line with its other revised management system standards (the common high-level structure shared by, for instance, ISO 22301, ISO 50001 and ISO 9001, and compatible with the ISO 31000 risk management guidance). This also means easier management of the system for enterprises working on the integrated management system principle: it is now easier to comply with several ISO standards without having to manage each system separately.
The structure of ISO/IEC 27001:2013 differs substantially from the 2005 version. Enterprises that currently comply with the 2005 version must therefore make the necessary changes to ensure conformance with the requirements of ISO/IEC 27001:2013. Managers will welcome the fact that duplication of requirements is a thing of the past and that there is more flexibility in how the requirements may be implemented. An enterprise can, for instance, now identify particular information security risks directly, without first having to identify threats, vulnerabilities and information assets.
Annex B and Annex C have been dropped, and enterprises are no longer required to select their controls from Annex A. Instead, the necessary controls are determined by the enterprise's own risk treatment process. The annex still has a function, however: the enterprise must compare the controls it has determined with those listed in Annex A, so the annex serves as a checklist for identifying relevant controls that may have been missed in the risk treatment process.
Some of the concepts that have changed are:
- Preventive action has been replaced by actions to address issues, risks and opportunities.
- The asset owner has been replaced by the risk owner.
- Leadership now groups the requirements that apply specifically to top management.
- The mandatory Plan-Do-Check-Act model has been replaced by a free choice of continual improvement methodology.
Various other concepts have also been replaced. WWISE offers training in the new ISO/IEC 27001 and assists companies in making the transition from the 2005 version to the updated 2013 version.
Structure
The standard consists of ten short clauses in addition to Annex A. The first clause deals with the scope of the standard and is shorter than in the 2005 version. The second clause lists the normative references; there is only one, ISO/IEC 27000. The third clause covers the terms and definitions, which are taken from ISO/IEC 27000. The 2013 revision of ISO/IEC 27001 relies on the edition of ISO/IEC 27000 that was published only after it, so enterprises must not rely on an earlier edition of ISO/IEC 27000, as its terms and definitions will not match.
The fourth clause covers the context of the organisation; note that this clause is new. It is also important to understand the new uses of terms. "Issue", for instance, extends beyond the problems that were formerly the subject of preventive action; it also covers aspects such as organisational governance goals. A key requirement of this clause is that the enterprise establish, implement, maintain and continually improve its information security management system in conformance with the requirements of ISO/IEC 27001:2013.
The fifth clause focuses on leadership, meaning the requirements placed on top management, including the directors in control of the enterprise. Top management must be involved in the development and maintenance of the ISMS. Part of their responsibility is to establish an information security policy that meets the requirements set out in the standard. Top management must also assign and communicate the roles, responsibilities and authorities relevant to information security in the enterprise.
The sixth clause deals with planning: actions to address risks and opportunities, the information security risk assessment, risk treatment, and the information security objectives. Assets, vulnerabilities and threats no longer have to be identified before a risk can be identified, which gives the enterprise more flexibility in its choice of risk assessment approach; risks can be identified and assessed at various levels. The clause also covers the treatment of the identified risks, and the enterprise can use Annex A to check that it has not missed an essential control. The information security objectives are set out here as well. It is important to understand the terms used in the various clauses, such as "functions" and "levels", at which the objectives must be established. WWISE training in the standard helps to ensure that employees and top management understand and interpret these terms correctly.
The seventh clause covers support for the ISMS. The enterprise must determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. The clause also covers competence, awareness and communication, and documented information. The last of these is new: it covers the requirements for creating, updating and controlling the relevant documentation.
Clause 8 covers operation: carrying out the plans and processes needed to meet the requirements of an ISO/IEC 27001 ISMS. This includes the actions needed to achieve the information security objectives and the control of any outsourced processes. It also covers performing the information security risk assessments at planned intervals and implementing the risk treatment plan.
The ninth clause covers performance evaluation: monitoring, measurement, analysis and evaluation. The enterprise must determine what needs to be monitored and measured, and how, when and by whom this is to be done. Monitoring and measurement activities change over time as the enterprise's information needs and risks change. At the start of the ISMS it may only be necessary to monitor employee attendance at training or awareness sessions; later the enterprise may also measure the quality of the training and set specific awareness goals. Clause 9 also deals with the internal audit process, with a focus on objectivity and impartiality, and with management review, covering the inputs and outputs required for regular management reviews. The final clause covers improvement: nonconformity and corrective action, and continual improvement of the ISMS.
Let us help you make the transition from the 2005 version to ISO/IEC 27001:2013 for information security management systems through our consultancy expertise, auditing assistance, gap analyses, certification preparation services, training and maintenance plans.