When I heard the news that the DIS (draft) version of ISO 27001:2013 is publicly available at the BSI website (until 23 March 2013), I was very impatient to read it. Although one should not get too excited yet – this draft version might differ quite a bit from the final version of the standard (expected to be published in the second half of 2013) – the purpose of such a draft standard is to be revised based on many inputs during a public debate.
When compared to the old (still valid at the time of writing this article) ISO/IEC 27001 from 2005, the changes are actually not too drastic – here are the main differences I found:
As expected, the new ISO 27001 will be compliant with Annex SL of ISO/IEC Directives, in order to be aligned with all the other management standards – this is already evident in ISO 22301, the new business continuity management standard. So, here are the main clauses that you will see in all the management standards:
2 Normative references
3 Terms and definitions
4 Context of the organization
9 Performance evaluation
Naturally, Annex A is still here in the new ISO 27001 – this is where all the controls are listed. The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.
The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.
This is definitely an excellent way of defining key inputs into the ISMS.
The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.
The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.
Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.
Risk assessment and treatment
Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.
The concept of determining the level of risk based on consequences and likelihood remains the same.
Further, the Risk Assessment Methodology does not need to be documented, although the risk assessment process needs to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level.
Objectives, monitoring and measurement
A big change here: these are no longer mentioned only in passing within other requirements; now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.
This is definitely something that will bring ISMS closer to other management processes in a company. Hopefully, it will push information security onto the management agenda because – once you have very clear figures as to how your security performs – you cannot turn your head away from it.
Corrective & preventive actions
The biggest change is that there are no preventive actions anymore, at least not at first sight – they are basically merged into risk assessment and treatment, where they naturally belong.
Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.
Communication is also a new clause, where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding of the purpose of information protection.
What will this mean for the implementation?
I must admit I like all these changes – not only will the new ISO 27001 be easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. But this may also turn out to be the greatest weakness of this new standard – because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.
In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, companies that are not so well-intentioned and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.
P.S. I’ll examine the controls from Annex A more thoroughly in one of my next blog posts that will focus on new ISO 27002:2013.