ISO 27001:2014 – New Version SOON

ISO 27001 is the main information security management system standard – it is being revised, with the new version due out next October. They’re long past the CD stage that 9001 is in, and into the second FDIS stage. Next is Publication (IS).

I’m leaning toward the opinion that it is a significant change, and from what I can see it also brings the standard, originally written in the early 2000s (a completely different Information Age), to a more consistent level with the other popular ISO Management System Standards, like ISO 9001.

In fact, in some ways ISO 27001 will beat 9001 to the punch. For example, as mentioned in an earlier post, 9001 is doing away with Preventive Action and folding it into Risk – 27001 is doing the same thing, but sooner.

That aside, this standard will be compliant with what is known as Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013. The purpose of Annex SL is to increase compatibility with other ISO management system standards.

They will all get these parts:

  • Introduction
  • Scope
  • Normative references
  • Terms and definitions
  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Here is a run-down of the major changes:

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

The requirement now is to identify the risks associated with confidentiality, integrity and availability; formerly, it was assets, vulnerabilities and threats. Risk based on consequences and likelihood remains unchanged. It seems subtle, but this essentially gives more freedom in how the risks are identified. Having said that, I don’t expect too many folks to move away from the assets-vulnerabilities-threats methodology.

And now, while the risk assessment process needs to be defined in advance, the methodology itself does not need to be documented.

And lastly, the term “Asset owner” is replaced with “Risk owner” – subtle, right? But you see what that does: it separates the asset from the risk and puts the responsibility on people.

Objectives, monitoring and measurement

Now there are separate clauses establishing the need to set clear objectives, defining who will measure them and when, who analyzes and evaluates the results, and the need for action plans to meet them.

Fairly significant, and hugely vital. It should also serve to mesh requirements from other parts of the enterprise.

Corrective & preventive actions

As mentioned, preventive actions are history as a separate thing, now merged with the requirements for improvement and Risk Management.

The distinction between corrections (made as a direct response to a nonconformity) and corrective actions (made to eliminate the cause of a nonconformity) is now made clearer. Essentially, this is what was sometimes called “short-term” and “long-term” corrective actions.

Communication

This is also a new clause where all the communication requirements are summarized, detailing the specifics: the what, when, who and how. Again, this should bring IT and IS departments into the full fold of the operation.

Annex A Controls

There are now three more sections, bringing the total to 14, while the number of controls has dropped from 133 to 113. Not that there are really fewer requirements; there’s a fair bit of combining and moving going on. I should also mention that there is now only Annex A.

Getting into each section and control is a bit more than I want to do here, but this is a list of the new arrangement – glean what you will:

  • 5 Security Policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance

All in all, a pretty significant update and somewhat overdue. I’m afraid it won’t last more than a few years, given the rate of change in this industry.

Very much looking forward to how it all plays out.

Thanks for listening! Go forth, and calibrate thyself –

Sal