What to expect from ISO 27001:2013

As with all ISO Standards, ISO 27001 has recently undergone a revision and been re-published. The changes made should help to make this standard fit better alongside other management standards such as ISO 9001 and ISO 20000, with the adoption of the Annex SL approach.

The official title of the new standard is “Information technology — Security techniques — Information security management systems — Requirements”, and as part of this recent revision annexes B and C of ISO 27001:2005 have been removed.

ISO 27001:2013 puts more emphasis than ISO 27001:2005 did on measuring and evaluating how well an Organisation’s Information Security Management System is performing, and a section on outsourcing has been introduced to address the fact that many Organisations rely on third parties to provide aspects of their IT services.

The requirements for management commitment previously found in ISO 27001:2005 have also been overhauled and are now mainly contained within the Leadership clause. The terms and definitions previously found in ISO 27001:2005 have additionally been removed, with ISO 27000:2012 now referenced as the source of terms and definitions.

There is an increased focus on setting objectives, assessing performance and metrics, and much of the terminology within the standard has been updated with new concepts, such as:

  • Issues, risks and opportunities replacing preventive action
  • Interested parties replacing stakeholders
  • Documented information replacing documents and records
  • Risk owner replacing asset owner
  • Identification of assets, threats and vulnerabilities no longer being a prerequisite for the identification of information security risks
  • The effectiveness of the risk treatment plan now regarded as being more important than the effectiveness of controls
  • Controls now determined during the process of risk treatment, rather than selected from Annex A
  • Information security objectives now set at relevant functions and levels
  • Performance evaluation covering the measurement of ISMS and risk treatment plan effectiveness

The latest revision gives more attention to the Organisational context of information security, with changes made to the way that risk assessment is carried out, leaving behind the former Plan-Do-Check-Act cycle that ISO 27001:2005 followed.

Within ISO 27001:2013 there are now a total of 114 controls in 14 groups, instead of 133 controls in 11 groups, with the latest controls reflecting changes in modern technology and its impact on Organisations.

Overall, ISO 27001:2013 is a substantially different and improved standard compared to ISO 27001:2005. To find out more about the ISO 27001 standard, the recent changes that have been made, or to gain this certification, call QMS today on 0845 86 26 246 or email us at [email protected].