Temme Sikkema, CEO CumulusTrust, November 2013
Recently the 2013 revisions of both ISO27001 and 27002 have been released. If you are looking to become certified or are thinking of strengthening your information security management, then there’s no question you should probably adhere to this new revision. If you are already certified against the ISO27001:2005 revision of the standard, then you are probably interested in the consequences of the latest changes. This summary should give you a good overview of the major changes. Fortunately, we have already aligned our subscription based Security Management Platform to the requirements in the 2013 version of the standard. So either way, we can help you. Whether you’re new to this or are looking for a smooth transition.
So what are the changes? Some of the changes have been made to align ISO27001 with a number of other more or less related „Management System” standards, such as ISO14001 Envronmental Management, ISO9001 Quality Management , ISO22301 Business Continuity Management and ISO20000 IT Service Management.
Looking at the information security controls in Annex A (and in ISO27002) of the standard, some other changes are apparent. The old 2005 revision used to have 11 sections, describing 133 controls. The current version, published September 25, 2013, now contains 14 sections, totaling 114 controls. Some security categories have mixed a bit, a number of controls has gone and some new controls have been introduced. All in all, we feel that the changes all make sense and intrinsically are not very controversial or new.
The major changes are in the ISMS itself. There’s a new clause that requires you to list all Interested Parties, such as shareholders, authorities, legal and regulatory requirements, business partners and clients - because these are important inputs for your ISMS. The content in our Security Management Platform will allow you to do this easily. Basically, the new standard has a lot more focus on interfaces and dependencies between activities performed within and outside of your organization. Which makes sense, in the current marketplace!
Another major change is that the old „documents” and „records” concepts have been replaced by the new concept of Documented Information. Basically, all the procedures for document control now relate to this documented information. In the meantime, there is no longer a need to have documented procedures for Document Control, Internal Audit and Preventive and Corrective Actions. While we have chosen to still facilitate the documentation of the procedures in our Security Management Platform, it is no longer a requirement, so we’ll leave it up to you whether or not to continue these procedures.
Clauses regarding preventive actions have all together vanished from the standard! These have now been made part of the risk assessment process, which in itself has also dramatically changed. Although we firmly believe in identifying and recording assets that need safeguarding and performing an analysis of threats and vulnerabilities as an industry best practice, these concept are no longer the basis of an ISO27001:2013 risk assessment! All the standard now requires you to do, is actually perform a risk assessment, determining the level of risk (for C, I and A) using business impact and likelihood. This also means that the old requirement to have a documented Risk Assessment Methodology is now gone. Instead, the standard forces you to define Risk Owners, which is a new concept. The risk owner is responsible for managing the risk to a proper level and this is really where the responsibility for preventive actions has now migrated to. This change will allow you to choose your own risk assessment approach a lot more flexibly, which is a good thing.
Another big game change is that some new clauses have been added to the standard that require you to set as well as measure clear Objectives for information security, with a specification of when/how the achievement of these objectives will be measured, as well as by whom. All this will require you to have comprehensive plans in place as well. Obviously, we applaud this move as in our humble opinion it will be a true driver for transparency and will ultimately become one of the main pillars for cascading these metrics to your customers and stakeholders! Especially, since there is now also a new clause related to Communication, summarizing all requirements for communicating relevant „information security- and ISMS-related” information. This will help align business and IT within an organization, but we also regard this as a welcome change that underlines CumulusTrust’s basic philosophy that trust can only be achieved by being transparant and communicative.
More information coming up
In future articles we will further elaborate on some of these changes. For now, please do not hesitate to contact us for assistance or further questions. We are ready for the transition and have updated Security Officer Online accordingly!