Information Security Management Systems (ISMS) are designed to protect the information of an organisation and related parties. However, ISMSs are not just about maintaining the privacy of information (confidentiality, as the standard describes it) but also about ensuring the integrity and appropriate visibility (availability) of the data.
As the old saying goes, “knowledge is power”; therefore a management system which aims to protect the knowledge of an organisation is both a powerful and an essential tool.
ISMSs are not limited to addressing the risks associated with information technology, as information can be stored in many ways. For example, an information security management system applies equally to physical security issues (such as doors, windows, locks and gates) and to human issues (including the screening and vetting of staff and ensuring appropriate access to confidential information).
ISO 27001 is not designed to be an intimidating maze of technological terms, nor is it meant to encourage a paranoid “super spy” mentality. It is designed to give organisations common sense guidance on how to protect both their own and their customers’ information.
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management system – requirements (to give it its full name) was launched in October 2013 and replaces the first version of the standard issued in 2005.
ISO 27002 (Code of Practice for information security controls), another valuable standard, has also been updated. Whilst this is a guidance document (meaning it cannot be audited against), it does provide clarification on clauses and controls and helps even the most experienced auditors around some of the trickier parts of the standard.
Is the old standard now completely obsolete?
ISO 27001:2005 has not been made redundant overnight. As with other standards which have been revised, those organisations which are currently certified to the original standard will have a “transition period” in which to upgrade their existing certificates to the new standard. In this particular case that ‘period of grace’ runs until 30 September 2015.
ISOQAR will be issuing guidance to all its existing ISO 27001:2005 clients and our auditors will discuss the most appropriate timescales and actions for those who will need to upgrade to the revised standard at surveillance visits.
Anyone embarking on a new ISMS certification will automatically work to the requirements of the 2013 standard. It is expected that the first ISO 27001:2013 certificates will be issued from March 2014.
What are the changes?
ISO 27001 can be divided into three areas: clauses 0 to 3, clauses 4 to 10 and Annex A.
Clauses 0 to 3
The major change to clauses 0 to 3 is that an organisation is no longer required to base its ISMS on the Plan-Do-Check-Act process improvement lifecycle. There has also been a change to the definition of risk.
Organisations are now free to choose the process approach that best suits them; however, the PDCA cycle can still be chosen if preferred.
Risk is now defined as the “effect of uncertainty on objectives”, although it is not defined in the standard itself but in ‘ISO 27000 Overview and Vocabulary’, to which the standard refers. Also, risk no longer needs to be linked as strongly to information assets.
Clauses 4 to 10
Clauses 4 to 10 are a re-write in terms of Annex SL (formerly ISO Guide 83) – the new “blueprint” for all management system standards. The changes are a welcome streamlining and simplifying of the previous clauses 4 to 8 and aim to make it easier to integrate different standards together.
Clause 4 requires organisations to create an ISMS taking into account the “context of the organisation” (this change comes from Annex SL and will apply to all management system standards going forward). The context of the organisation includes internal and external issues and has elements of interested-party focus and compliance with legislation.
Clause 5.2 clearly defines the requirements of the ISMS policy. The changes bring the requirements of an ISMS policy more closely in line with other standards and link to objectives.
Objectives (clause 6.2) are also more clearly defined in the new standard and are strongly linked to preventive actions, risk assessment and risk treatment plans and controls.
A clear flow is drawn: “context of the organisation” leads to objectives. Risk assessment identifies “the effect of uncertainty on objectives”. Preventive actions are identified in the risk treatment plan, which leads to controls identified in Annex A (and/or other sources). These are listed in the Statement of Applicability.
ISO 27001:2013 still requires the organisation to take into account controls listed in Annex A, but they may choose to identify others “from any source”.
The restriction against internal auditors auditing their own work has been removed (this should help small organisations).
Also, a mandatory procedure on “Documented Information” now combines the requirements of “Control of Documents” and “Control of Records”.
Annex A has undergone significant streamlining and improvement. Gone are some of the repetition and the more obscure controls.
There are now fewer controls spread over more objectives. And while many of the controls are the same or similar, they often support different objectives, so the emphasis may be different.
You can probably appreciate that there are many more changes to the standard, far too numerous to list in this document alone; however, a checklist is available to ISOQAR customers to make the comparisons.
It is also good practice for all organisations to review their controls and Statement of Applicability (SOA) at least annually. ISO 27001:2013 is a good exercise in a thorough re-evaluation of both.
In summary, ISO 27001:2013 has been an exercise in simplifying the standard and bringing it into line with all other management system standards, and it makes objectives tactical rather than strategic. It is unlikely that organisations already certified to ISO 27001:2005 will suffer a major upheaval as a result of the changes – in fact they are likely to find the management of their ISMS more logical. And as for those looking to gain certification for the first time – hopefully they will find the standard pretty straightforward.
Information Security Sector Manager