Home / Blogs

A Look at the New ISO27001:2013 Revision

Recently the 2013 revisions of the internationally acclaimed standard for information security management, ISO27001 and accompanying 27002, ‘Code of practice for information security management controls’ were released. Whether you’re new to this or are looking for a smooth transition, it’s important to reflect on the changes made.

Being compliant with the latest information security standards is becoming more and more important these days. Shareholders, business partners, clients and even the government demand a clear overview of your policies as well as the right certifications. But the certification process can be an administrative demanding task, especially when standards are changing.

The changes made were necessary to keep up with the fairly new digital age we now live in. In general, there is a focus on communication standards. From now on, you are asked to set as well as measure clear objectives for information security and identify the risk owner within your organization. This should create a transparent communication flow between you and any third party involved. In my view, without such transparency your information security plans won’t stand a chance. The new standard will ultimately help align business and IT within your organization as well as with third party stakeholders.

Let me walk you through the major changes in more detail.

ISMS

There’s a new clause that requires you to list all interested parties, such as shareholders, authorities, legal and regulatory requirements, business partners and clients—because these are important inputs for your ISMS. The new standard has a lot more focus on interfaces and dependencies between activities performed within and outside of your organization.

Since most IT eco-systems are complex and filled with services delivered by third parties, it is only logical to list them in your information security plans. Besides, this transparency should enhance cooperation as well as trust between your business partners and/or clients.

Clauses vanished

Clauses regarding preventive actions have all together vanished from the standard. These have now been made part of the risk assessment process, which in itself has also dramatically changed. You are now required to actually perform a risk assessment, determining the level of risk (for C, I and A) using business impact and likelihood. On top of that, the old requirement to have a documented risk assessment methodology is now gone.

I firmly believe in identifying and recording assets that need safeguarding and performing an analysis of threats and vulnerabilities as an industry best practice. The new standard now forces you to define risk owners who are responsible for managing the risk to a proper level. You are free in choosing your own risk assessment approach, best suitable to your policies, risk owners and organization. This new concept gives more flexibility in forming your security standards.

Objectives

Another big game change is that some new clauses have been added that require you to set as well as measure clear objectives for information security. You will be asked to specify when and how the achievement of these objectives will be measured, as well as by whom.

These objectives will ultimately become one of the main pillars for cascading these metrics to your customers and stakeholders. I applaud this move as in my humble opinion it will be a true driver for transparency. As I mentioned earlier, if find transparency the key in this modern day and age.

Alignment

Some of the changes have been made to align ISO27001 with a number of other more or less related “Management System” standards, such as ISO14001 Environmental Management, ISO9001 Quality Management, ISO22301 Business Continuity Management and ISO20000 IT Service Management.

To conclude, these changes were necessary and should fit in well within any modern organization. They all make perfect sense but are not very controversial or new and therefore should not have a major impact on your certification process.

By Temme Sikkema, Founding Partner at CumulusTrust

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com