Ian Armstrong briefly outlines the facts about the new ISMS standard, ISO/IEC 27001:2013
What is it?
ISO/IEC 27001:2013 is the updated information security management system (ISMS) standard, published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under their joint subcommittee, ISO/IEC JTC 1/SC 27. It replaces ISO/IEC 27001:2005, which will no longer be valid after 1 October 2015.
Organisations which meet the new standard will gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.
What does it do?
27001:2013 has ten short clauses, covering everything from the scope of the standard, through planning an information security management system, to risk assessment and corrective action. An additional annex (Annex A) lists the controls and their objectives. The structure mirrors that of other new management standards, such as ISO 22301 (business continuity management), which helps organisations that wish to improve their IT from different perspectives by complying with multiple standards.
How is it different to ISO/IEC 27001:2005?
The new standard puts greater emphasis on measurement and evaluation to gauge how well an organisation is performing. It also emphasises objectives, monitoring performance and metrics.
In addition, there is now a section on outsourcing, in recognition of the fact that many organisations rely on third parties to provide some aspects of their IT. The standard also pays more attention to the organisational context of a company’s information security, and the terms of risk assessment have changed: risk assessments are now aligned with BS ISO 31000.
New controls have been introduced to reflect changes in technology that affect many organisations, for example the Cloud. Controls in Annex A have also been modified to reflect changing threats, remove duplication and give a more logical grouping. Specific controls have been added around cryptography and security in supplier relationships. Yet the new standard in fact has fewer controls than its predecessor: 114 controls divided into 14 groups, compared to 133 controls in 11 groups.
Implementing ISO 27001:2013
Businesses wishing to take on the new standard will be expected to complete a Statement of Applicability, which should be near completion at the time of the first audit. To make a start on an application, the key areas to focus on are:
• Establish management-approved information security objectives and assign specific security roles to key personnel;
• Agree an internal audit timetable to make sure that relevant audits are completed and schedule risk assessments and risk treatments so that they are completed in a timely manner;
• Communicate an information security policy to everyone who needs to be aware of it and have a communications plan which details how employees are kept up to date;
• Hold a minimum of one management review per year to establish these protocols, and ensure that minutes of that meeting are available;
• Start collecting any evidence that is required for the relevant controls as early as possible. This will include things like evidence of relevant compliance from third parties: clients, suppliers and end users.
• ISO 27001 defines a comprehensive set of controls to provide the tools to assess and therefore reduce the information security risk of a company’s assets.
• It offers an integrated approach to information security to assist in building a system that takes into account all of the many possible information security risks that cover process, people and technology.
• It sets out the applicable controls and processes that need to be chosen to ensure that all information security risk is managed appropriately.
Ian Armstrong (PCI QSA, CISM, CRISC, PG Dip Inf Sec)