ISO 27001/BS 25999 documents, presentation decks and implementation guidelines
A first look at the new ISO 27001 (2013 draft version)

By Dejan Kosutic on January 28, 2013

When I heard the news that the DIS (draft) version of ISO 27001:2013 is publicly available at the BSI website (until 23 March 2013), I was very impatient to read it. Although one should not get too excited yet – this draft version might differ quite a bit from the final version of the standard (expected to be published in the second half of 2013) – the purpose of such a draft standard is to be revised based on many inputs during a public debate.

When compared to the old (still valid at the time of writing this article) ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:

The structure

As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement

Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with confidentiality, integrity and availability. Although this might seem too radical a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain a best practice for a long time.

The concept of determining the level of risk based on consequences and likelihood remains the same.

Further, the Risk Assessment Methodology does not need to be documented, although the risk assessment process needs to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.

Objectives, monitoring and measurement

A big change here: objectives, monitoring and measurement are no longer mentioned only in passing within other requirements; there are now separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate the results. Further, comprehensive plans need to be developed that describe how the objectives will be achieved.

This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.

Corrective & preventive actions

The biggest change is that there are no preventive actions anymore, at least not at first sight – they are basically merged into risk assessment and treatment, where they naturally belong.

Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.

Communication

This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.

What will this mean for the implementation?

I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.

In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, companies that are not so positive and are looking for loopholes in order to implement it only for the sake of certification will see this standard as an opportunity.

P.S. I’ll examine the controls from Annex A more thoroughly in one of my next blog posts that will focus on new ISO 27002:2013.


  • Andy Rose

    You say “..you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions” and “Risk Assessment Methodology does not need to be documented”.

    Is this not a terrifying deviation from the existing standard, and one that will enable firms to continue with haphazard, ad-hoc processes that produce inconsistent output? The fact that the output is dealt with within a defined process is largely irrelevant – ‘garbage in garbage out’ and all that?

    What have I missed that makes you not so concerned about this?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    It is not such a huge difference compared to the old standard because for risk assessment companies will still have to define the risk assessment process in advance, and they will need to document the outcome of this process. So basically if the process was not well defined, the outcome will be bad as well. And the same thing is for internal audits and corrective actions.

    However, I agree with you there is risk that some companies will take this opportunity in a negative way – as I noted in my post, some will try to satisfy the minimum, instead of trying to maximize the level of security.

  • Zyd

    When is the release of this new version?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Zyd, it is expected that the new revision of ISO 27001/ISO 27002 will be published in the second half of 2013.

  • Aniket

    Thanks, Dejan Kosutic, for sharing the changes with us.

  • Shreyas

    Thank you so much Dejan for the insight. Please keep us posted about the new version release. In my opinion the biggest change and most welcomed one was the change in CAPA. I am sure that will help a lot of organisations implementing ISO 27001.

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Thank you, Shreyas – yes, let’s hope this will help smoother implementation.

  • http://www.iso27001-certification.com/ ISO 27001 Certification

    A genuine competitive advantage –ISO 27001 Certification can instantly improve your reputation, opening up new markets, and with QMS’s support you can obtain maximum marketing from your achievement.

  • Atif

    Should we go for 27001:2005 Lead Implementer certification in June 2013, when the new one is just around the corner?

  • http://blog.iso27001standard.com/ Dejan Kosutic

    If you’re not in a big hurry, I guess it would be better to wait.

  • Lee

    I’d add that there must be evidence of this ‘defined’ process, meaning that it is not simply a case of doing a risk assessment ad hoc and producing a risk assessment report to be able to tick a box. The organization will still have to provide evidence that the process has been defined by competent persons, and approved, and is being systematically implemented to comply with the standard’s requirements – this will in any case lead to a paper trail in most cases covering things like assessment planning, analysis of the risks, management’s attitude to risk and risk acceptance, the criteria for evaluating risk, consultation with risk owners, etc., all aligned to business objectives and the ISMS policy.

    I agree that some might see this as being prone to loopholes, but ultimately if an organization is not committed to security and/or utilizes unqualified people for the task it is doomed anyway, regardless of there being a documented methodology at hand.

    As far as certification goes and having confidence in the management system of the certified company, that’s when we have to look to the reputation of the certification body to ensure that audits are indeed being carried out by competent auditors. I have to admit, those certification bodies are few and far between, evidenced by the number of certified companies with IT scopes and little in the way of effective information security management as a result. However, I guess this is only an issue when we care about security management in an organization other than our own.

    I guess the point is, documenting something is not necessarily the right answer for every organization. This just makes the standard a little more flexible, probably mostly for the benefit of smaller setups. At the end of the day, if I think something needs to be documented in order for it to be effectively implemented and managed, I’ll document it.

    As with any aspect of the requirements, what you actually do should be based on good judgement and business needs and not simply implemented because ‘the standard says so’.

  • http://blog.iso27001standard.com/ Dejan Kosutic

    Excellent comment! Thanks, Lee.