ISO/IEC 27001:2005 is nearly 8 years old, and information security threats have changed substantially during this time. As part of the normal revision cycle for standards, ISO/IEC 27001:2005 has been revised and the new version, ISO/IEC 27001:2013, was published on September 26, 2013 with a release date of October 1, 2013.
The standard has been written in accordance with Annex SL (Directive 1), the new high-level structure that will be common across all management system standards, allowing for much easier integration.
More importantly, the organization must now determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.
There is emphasis on ensuring that the scope covers any and all issues (external or internal), including interested parties. In the past, the requirements around scope were a little broad, allowing some organizations to have a scope that was very small and did not cover some critical aspects.
Scope now has to be fit for purpose. The organization must determine the boundaries and applicability of the information security management system in order to establish its scope. Interfaces and dependencies between activities performed by the organization and those performed by other organizations must now clearly be addressed within the ISMS. This should include legal and regulatory requirements and contractual obligations, along with supply-chain considerations.
Anyone currently certified to ISO 27001:2005 will find there is a little bit of work to do, but will also find the changes refreshing and user friendly. The new version is much more holistic in nature, has fewer documentation requirements and is easy to integrate with other standards.
John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards.
Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed by, or otherwise to represent those of, BSI Group or any of its employees, officers, directors or anyone otherwise affiliated with BSI Group.