An Introduction to ISO 27001:2013

ISO 27001:2013

As information systems become more complex and more vital to the global economy, the need to keep security risk to a minimum has never been more important.

Loss of information is becoming more commonplace, with news stories across many channels of stolen credit card information, hacked servers and websites, and reputational damage through social media.

New technologies adopted by businesses bring new risks to information assets, and those risks have to be managed correctly.

Measures have to be taken to protect the information assets an organisation holds from loss, theft or corruption.

In 1995 a new information security standard was produced, BS 7799. It was an information security management framework for organisations to adopt and comply with, to ensure that their information assets were correctly managed and secured. Over 17,000 organisations have since achieved certification against it.

Thereafter the International Organization for Standardization (ISO) produced ISO 27001, a more modern version of the information security management system (ISMS) standard. The most recent edition was ISO27001:2005. Eight years have passed and it is now time for an update: in October 2013 we will see the new version, properly named ISO27001:2013.

How will this new version affect Security Bastion subscribers?

Security Bastion has had advance access to the revised standard and will be using the finished version to revise all of our information security policy templates. If you are a current subscriber you have no need to worry: you will have access to the updated policy templates when they are available later this year. All new subscribers also receive one year of updates, so please download the latest version from your membership area when it is available later this year.

Here we provide a little advance information on the changes to the standard and how they might affect your business.

The new standard format

The new version of the standard is virtually a complete rewrite of ISO27001:2005. ISO has changed the format of the standard, moving and reassigning control objectives; however, on assessment around two thirds of the content remains the same.

In common with ISO 9001 and ISO 14001, the structure of the new ISO27001:2013 will follow Annex SL, which (avoiding the jargon) provides a common framework for a generic management system across all of these standards. The new look and feel of ISO27001:2013 is deliberately less prescriptive, giving businesses greater freedom to implement the standard in a way that suits their own requirements.

The changes that have been made are very significant and should be taken on board.

Noticeable changes to the ISO 27001:2005

Anybody who has worked in information security over the last decade will be familiar with the Plan, Do, Check, Act (PDCA) cycle. Here at Security Bastion we must have around 100 different documents and graphic images of this cycle that we have used on various client engagements over the years.

The Plan, Do, Check, Act cycle was a vital part of the ISO standard, and indeed of other standards released over the years. The revised Annex SL format no longer presents it as a dedicated section (the cycle is instead embedded in the mandatory clauses) and has a revised structure and set of chapters, which are:

  • Introduction
  • Scope
  • Normative references
  • Terms and definitions
  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

In addition there are many subtle changes from the previous standard, and some not so subtle. As with many high-level standards, subtle changes can have big impacts when it comes to the implementation stage.

Anyone reading this who has already reviewed or even implemented the ISO22301 (Business Continuity Management) standard will already be familiar with the new clause 4 structure, "Context of the organization". This replaces clause 4, "Information security management system" (ISMS), of the last version:

The new clause 4 looks like the following:

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties.

4.3 Determining the scope of the Information Security Management System

4.4 Information Security Management System

Changes to Commitment

A cornerstone of ISO27001 has been the demonstration of management commitment, as stated in ISO27001:2005 clause 5.1. The new version now also requires that clear leadership is demonstrated, and it treats management and leadership as two separate requirements.

Management is the day-to-day running of the management system, including its implementation. Leadership and commitment from business leaders is demonstrated by setting clear strategic goals and ensuring that information security is sufficiently resourced with the people and tools needed to implement it correctly.

A good example: if an organisation hands the implementation of ISO27001:2013 to operational personnel, expects them to manage it, and top management takes no visible part in setting objectives or resourcing it, this would be a clear violation of the standard and the organisation would be in non-conformity, because it indicates that leadership and commitment are not in place.

Planning

The new standard no longer has a separate "preventive action" clause; instead it requires businesses to plan preventive actions up front, as well as countermeasures in the event of a security breach.

The key phrase "actions to address risks and opportunities" is used, and the standard goes on to say that organisations shall ensure these actions can be evaluated for their effectiveness. This means the plan must be implemented, tested and monitored for effectiveness; it is no longer sufficient just to have a paper plan.

Performance

Monitoring and measurement again come to the forefront in a new chapter, performance evaluation (9), and its sub-clause monitoring, measurement, analysis and evaluation (9.1): a clear message that continuing to monitor and improve your security management system is a fundamental part of the new standard. ISO27001:2013 provides greater detail on what is needed to comply in these areas than its predecessor did.

Risk

We found that the most noticeable difference was a more generic approach to risk management. The new standard is aligned with the dedicated risk management standard ISO 31000, which allowed the previous prescriptive requirement to identify assets, threats and vulnerabilities to be removed. However, anyone who has already produced and implemented a risk management process will not find the new version of the standard difficult; most of the work, in our opinion, will be in translating controls.

Changes to Annex A - control and objectives

Anyone who has spent any time with ISO27001 will without doubt be familiar with Annex A, and will be pleased to know it is still part of the revised standard. As you would expect, though, there have been a number of changes:

There are now 14 sections where there used to be 11, and the number of controls has reduced from 133 to 114 in the published standard (the draft version reviewed here listed 113).

If an organisation wants to comply with the new standard, at the very minimum it will need to review its current Statement of Applicability (SoA) to ensure that the controls included are relevant and up to date.

To summarise, the clause changes are as follows:

Each entry below gives the ISO27001:2005 clause, the corresponding ISO27001:2013 (Draft) clause, and the change.

2005: 0.2 Process approach
2013: Eliminated
Change: The PDCA model was a very important section in the 2005 version. The 2013 version still uses the model within the mandatory clauses, but it no longer occupies a separate, dedicated section.

2005: 1. Scope; 1.1 General; 1.2 Application
2013: 1. Scope
Change: Sub-sections 1.1 General and 1.2 Application of the older version are eliminated and merged into the single section 1.

2005: 4. Information security management system
2013: 4. Context of the organization
Change: The ISMS clause is renamed Context of the organization.

2005: 4.1 General requirements
2013: 4.1 Understanding the organization and its context
Change: The old standard talks about a documented ISMS, whereas the new one focuses strongly on understanding the context of the business. A reference to ISO 31000, the risk management standard, is added.

2005: 4.2 Establishing and managing the ISMS
2013: 4.2 Understanding the needs and expectations of interested parties
Change: The new ISO 27001 recognises the importance of interested parties: a separate clause specifies that all interested parties must be listed, together with all their requirements.

2005: 4.2.1 a) to j) Establish the ISMS
2013: 6.1 Actions to address risks and opportunities
Change: Risk assessment and treatment. Assets, vulnerabilities and threats are no longer the required basis of the risk assessment; it is only required to identify the risks associated with the loss of confidentiality, integrity and availability. The risk assessment methodology does not need to be documented, although the risk assessment process must be defined in advance. The concept of the asset owner is gone too; the new term is "risk owner".

2005: 4.3 Documentation requirements
2013: 7.5 Documented information (there is no dedicated documentation sub-section under clause 4; 4.3 is now Determining the scope of the information security management system)
Change: The concepts of "documents" and "records" are merged into "documented information". Consequently, all the rules required for document control now apply to both documents and records; the rules themselves have not changed much from the old ISO 27001. The clause of the old standard that listed all the required documents (4.3.1) is removed, so there is no longer a central list of required documents.

2005: None
2013: 4.4 Information security management system
Change: New clause.

2005: 5. Management responsibility
2013: 5. Leadership
Change: Clause renamed.

2005: 5.1 Management commitment
2013: 5.1 Leadership and commitment
Change: The newer version addresses the need for leadership as well as management commitment. Policy-related clauses are moved to a separate sub-section.

2005: 5.2 Resource management
2013: 5.2 Policy
Change: A dedicated sub-section for the backbone document of the ISMS, the information security policy. (Resources now sit under 7.1.)

2005: None
2013: 5.3 Organizational roles, responsibilities and authorities
Change: New addition, as an individual sub-section.

2005: 6. Internal ISMS audits
2013: 6. Planning
Change: PDCA is not explained explicitly but is embedded in the mandatory clauses of the newer version, mapped as: Plan - 6; Do - 7 and 8; Check - 9; Act - 10. Internal audits now sit under clause 9.

2005: 7. Management review of the ISMS
2013: 9.3 Management review
Change: Unlike the older version, management review is now a sub-section of the Performance evaluation clause.

2005: None
2013: 7. Support, with sub-sections:
  • 7.1 Resources
  • 7.2 Competence
  • 7.3 Awareness
  • 7.4 Communication
  • 7.5 Documented information
Change: New clause in the new standard. 7.4 Communication is also new: it summarises what needs to be communicated, when, by whom, through which means, and so on.

2005: 8. ISMS improvement
2013: 8. Operation (and 10.2 of the newer version)
Change: Clause 8 is the elaborated DO phase in the new version and contains the operational risk assessment requirements. The older clause 8 talked about corrective and preventive action (CAPA) and continual improvement, the ACT phase, which now lives under clause 10.

2005: None
2013: 9. Performance evaluation
Change: A separate CHECK phase covering monitoring, measurement, analysis and evaluation, along with internal audits and management reviews.

2005: None
2013: 10. Improvement
Change: Covers non-conformities, corrective actions and continual improvement. There is no explicit mention of preventive actions.