ISO/IEC 27001:2013 – A New Set Of Clothes And A Common Language

BSI ISO/IEC 27001:2005 is nearly 8 years old, and information security threats have changed substantially during this time. As part of the normal revision cycle for standards, ISO/IEC 27001:2005 has been revised, and the new version, ISO/IEC 27001:2013, was published September 26, 2013 with a release date of October 1, 2013.

The standard has been written in accordance with Annex SL of Directive 1, the new high-level structure that will be common across all management system standards, allowing for much easier integration.

  • It does not emphasize the Plan-Do-Check-Act cycle in the same way that ISO/IEC 27001:2005 did – organizations can take a PDCA or a process approach.
  • Definitions in the 2005 version have been removed and relocated to ISO/IEC 27000 (section 3), which is now a normative reference.
  • There have been changes to the terminology used, e.g. information security policy is used rather than ISMS policy.
  • Requirements for Management Commitment have been revised and are presented in the Leadership clause, with much more emphasis on requiring evidence that management is actually involved with the ISMS.
  • Preventive action has been replaced with “actions to address risks and opportunities” and features earlier in the standard. This effectively makes preventive action part of the risk process rather than just part of the corrective action process.
  • This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The risk assessment requirements are more general, reflecting an alignment of ISO/IEC 27001 with ISO 31000.
  • Statement Of Applicability requirements are similar but with more clarity on the determination of controls by the risk treatment process. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in Annex A and potentially supplementing them with other extended control sets or compensating controls.
  • The new standard puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

But more importantly, the organization must now determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

There is emphasis on ensuring that the scope covers any and all issues (external or internal), including Interested Parties. In the past, the requirements around scope were a little broad, allowing some organizations to have a scope that was very small and did not cover some critical aspects.

Scope now has to be fit for purpose. The organization must determine the boundaries and applicability of the information security management system to establish its scope. Interfaces and dependencies between activities performed by the organization and those performed by other organizations must now clearly be addressed within the ISMS. This should include legal and regulatory requirements and contractual obligations, along with supply-chain considerations.

Anyone currently certified to ISO 27001:2005 will find there is a little bit of work to do, but will find the changes refreshing and user-friendly. The new standard is much more holistic in nature, has fewer documentation requirements and is easy to integrate with other standards.

John DiMaria is a BSI Certification Portfolio Expert, Six Sigma Black Belt, certified Holistic Information Security Practitioner (HISP), and Master HISP with over 28 years of successful experience in Management Systems and international standards.

Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.