ISO 27001 Certification

ISO 27001 White Paper

ISO27001:2013 Time to Change

ABSTRACT: In 2011 the International Standards Organisation (ISO) released figures showing that globally there are 17,500 companies that have achieved the ISO27001:2005 certificate in Information Security. (2012 figures will be released in December 2013)

In October 2013 the revised version of this standard was released which means that those already accredited must understand the key differences and begin a process of review, if they are to maintain their accreditation.

This Paper is intended to provide the reader with an honest and realistic analysis of the changes and evolution of the standard and how these changes may impact on your own information security processes and systems.

ISO 27001 White Paper In Full


Introduction

In 1970, the American businessman and co-founder of Intel George E. Moore stated that processor speeds and the overall processing power of computers would double every two years. This ‘Moore’s Law’, as it came to be known, may have seemed dramatic at the time, but now in 2013 few would argue with it.

As computers become more powerful and business processes become ever more complex, the need to ensure security is in place has never been greater. It is difficult to switch on the news without some story involving loss of information, hacked websites, stolen credit cards, or social media ‘mishaps’ involving errant ‘Tweets’ by a new breed of ‘Troll’.

It would appear that the risks are increasing and the vulnerabilities remain unattended.

Many organisations have, however, taken measures to protect themselves and the data they hold from loss, corruption or theft. Since 1995, when the British Standard for Information Security BS7799 was introduced, 17,500 businesses have become certified to this standard and subsequently to the international version, ISO 27001 (introduced in 2005).

However, it is time for a change. October 2013 will see an updated and revised version of the ISO 27001 standard released for businesses wishing to demonstrate that their Information Security processes are measurable.

Working closely with the British Standards Institute, Agenci have had advance access to the revised standard in order to bring you a paper which will give the reader an insight into the changes to the standard and how they could affect their business.

Structure

At first glance the revised standard appears to be almost a complete re-working of the original ISO 27001:2005 version. For example, it certainly has a new structure (more on this later) and has some fundamental changes to the number of controls and where these controls reside. Whilst in actuality only around a third of the standard has changed, these changes are significant and should not be underestimated.

All standards will adopt a similar look and feel.

ISO 27001:2013 is the second standard which is in line with Annex SL (previously ISO Guide 83). This defines the framework for a generic management system; all new ISO Management System Standards (MSS) will adhere to this framework and all current MSS will migrate to it at their next revision in the coming years. The first to be aligned to Annex SL was the international standard for Business Continuity, ISO 22301:2012, with ISO 27001 being the next in line, and ISO9001 is earmarked for the same level of alignment in 2014.

This means that all standards will adopt the same look and feel and we can only hope this will mark the beginning of the end of the conflicts, duplication, confusion and misunderstanding from different MSS.

Plan, Do, Check, Act (PDCA)

In ISO 27001:2005, the Plan, Do, Check, Act cycle is an integral part of the standard, as it is in other standards released at the time. However, the revised Annex SL format does not focus on this and instead has a revised structure and set of chapters, which are:

  • Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms and definitions
  • 4 Context of the organization
  • 5 Leadership
  • 6 Planning
  • 7 Support
  • 8 Operation
  • 9 Performance evaluation
  • 10 Improvement

What’s new in ISO27001:2013?

As has already been stated, there are a number of changes to the standard, some of which are subtle, others less so. However, even what appears to be a subtle change can suddenly become more important when considered as part of the entire standard. The following highlights just a few changes which on first inspection may not seem too dramatic, but which could in actual fact cause organisations to fail if not considered carefully.

Context

Anyone who has already reviewed or implemented ISO22301 (Business Continuity Management) will be familiar with this structure and will recognise the ‘Context of the Organisation’ and how similar the sections in ISO 22301:2012 are to those in the new ISO 27001:2013:

  • 4.1 Understanding the organisation and its context
  • 4.2 Understanding the needs and expectations of interested parties
  • 4.3 Determining the scope of the Information Security Management System
  • 4.4 Information Security Management System

Leadership and management are two separate things.

Commitment

ISO 27001 has always required a demonstration of Management Commitment (ISO27001:2005 (5.1)); however, the revised edition now requires that clear Leadership is demonstrated, so Management and Leadership are now clearly defined as two separate requirements. Management of the standard refers to the day-to-day working of the management system and its implementation, whereas Leadership and Commitment from business ‘leaders’ is demonstrated by setting clear strategic goals and ensuring that Information Security is adequately resourced (with the skills and tools to implement it effectively).

For example, if a business simply passes the implementation of ISO 27001:2013 to a member of the business and expects them to manage it, this is a clear sign that Leadership and commitment are not in place, and is a clear non-conformity.

Planning

Section 6, “Planning”, requires organisations to focus on preventative actions as well as countermeasures in the event of a data breach. The key phrase ‘actions to address risks and opportunities’ is used, and the section goes on to say that organisations shall ensure these activities can be evaluated for their effectiveness. It is therefore no longer simply about having plans in place: there must be ways to evaluate their effectiveness.

Performance

This is further demonstrated by the emphasis in a new chapter, Performance Evaluation (9). Its requirement for monitoring, measurement, analysis and evaluation (9.1) is a clear indication that ‘Continual Improvement’ is still a fundamental part of the standard, which now offers a greater level of assistance in detailing what needs to be demonstrated.

Annex A – Control and Objectives

Those who are accustomed to ISO 27001 will undoubtedly be familiar with Annex A and will be pleased to know that it is still a part of the revised standard. However, as you would expect, there have been a number of changes, including:

  • The number of sections has increased to 14, where there used to be 11.
  • The number of controls has decreased from 133 to 113.

What this means is that organisations looking at the new standard will (as a minimum) need to review their current Statement of Applicability (SOA) to ensure that the controls included and excluded are noted as appropriate.

To summarise, the new sections are:

ISO 27001:2005

  • A5 Security Policy
  • A6 Organization of information security
  • A7 Asset management
  • A8 Human resource security
  • A9 Physical and environmental security
  • A10 Communications and operations management
  • A11 Access Control
  • A12 Information systems acquisition, development and maintenance
  • A13 Information security incident management
  • A14 Business continuity management
  • A15 Compliance

ISO 27001:2013

  • A5 Security Policies
  • A6 Organization of information security
  • A7 Human resource security
  • A8 Asset management
  • A9 Access control
  • A10 Cryptography
  • A11 Physical and environmental security
  • A12 Operations security
  • A13 Communications security
  • A14 System acquisition, development and maintenance
  • A15 Supplier relationships
  • A16 Information security incident management
  • A17 Information security aspects of Business Continuity
  • A18 Compliance

Conclusion

This document has only highlighted a few of the many changes in the revised standard, but those discussed illustrate the desire to align different standards, to ensure security is truly understood, and to ensure it is implemented in a structured manner within any business, regardless of industry or size.

I set out at the beginning of this paper stating that the need to ensure security is in place has never been greater. The world is far more connected than perhaps even George E. Moore could have anticipated; therefore the need to protect our information and data from deliberate or accidental loss has never been greater.

Agenci are already helping businesses prepare for ISO27001:2013

ISO 27001:2005 enabled businesses to demonstrate that they had Data Protection under control and considered the most effective ways to secure their informational assets.

ISO 27001:2013 will continue to provide this assurance to customers and regulators that an organisation is implementing the most pragmatic controls applicable to its own business and thereby making it a very desirable certification to hold.

I foresee a time when companies will be required (through legislation) to hold an ISO 27001 certification and I hope this day comes soon.

The revised ISO27001:2013 is easier to understand, but this does not mean it is simple to implement. A good understanding of Information Security principles is still required. But the revised standard is a step forward for standards generally. Being aligned to Annex SL means that crossover and duplication are reduced and, for those businesses which are truly forward thinking, enables them to consider a ‘blended approach’ to ISO27001, ISO22301 and, in the future, ISO9001.

Agenci are pleased to work with the BSI, have access to the new standard prior to its full release in October 2013, and are working with a number of businesses to deliver training and review current ISO 27001 controls in readiness for the October release.

Speak to a member of the team now on 

03455 760 999
