
"Quality Matters in your Business"

Monday, 25 March 2013

ISO27001 Information Security Standard

This Standard, last reviewed and updated in 2005, is about to be re-issued as ISO27001:2013 later this year. At present the draft has reached the "draft for public discussion" stage.

Two things are really obvious:

  • The PDCA (plan-do-check-act) method is no longer mentioned.
  • There is no mention of cloud computing or storage.

The first change (PDCA) is to align with the new ISO/IEC directives and is no great loss. The second is a bit disappointing; I would have thought that, as cloud computing and storage are a large part of current practice, it would have merited at least a sub-section if not a whole section in the new Standard, but no.

The proposed sections in the new Standard are:

  1. Introduction
    1. General
    2. Compatibility with other management system standards
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Context of the organisation
    1. Understanding the organisation and its context
    2. Understanding the needs and expectations of interested parties
    3. Determining the scope of the ISMS
    4. Information security management system
  6. Leadership
    1. Leadership and commitment
    2. Policy
    3. Organisational roles, responsibilities and authorities
  7. Planning
    1. Actions to address risks and opportunities
      1. General
      2. Information security risk assessment
      3. Information security risk treatment
    2. Information security objectives and plans to achieve them
  8. Support
    1. Resources
    2. Competence
    3. Awareness
    4. Communication
    5. Documented information
      1. General
      2. Creating and updating
      3. Control of documented information
  9. Operation
    1. Operational planning and control
    2. Information security risk assessment
  10. Performance evaluation
    1. Monitoring, measurement, analysis and evaluation
    2. Internal audit
    3. Management review
  11. Improvement
    1. Nonconformity and corrective action
    2. Continual improvement

Annex A remains, but the useless Annexes B and C are abandoned. The next stage will be a final draft, which may or may not take notice of the comments submitted by interested parties.

The Standard may change before final publication (4th quarter 2013), so readers should not amend their systems until it is formally issued. The ISO27002 Standard is also in draft form and I will report on those changes in the next blog.

Monday, 11 March 2013

Environmental Standard ISO 14001 revision

In my last blog I reported that ISO9001, the Quality Management Standard, was being revamped with a release date promised in 2015. Now I can report that the ISO 14001:2004 Standard is being reworked with a planned release date of 2014.

This Standard, published in 2004, is overdue for revision, and it is hoped that some of the proposals we have suggested will be included in the 2014 version.

All new and revised Standards will follow the 2012 issue of the ISO/IEC directive, which sets out guidelines for high-level structure and content. This will enable all management Standards to integrate into an organisation's overall strategy, rather than being "a bolt-on".

The proposed revisions of ISO 14001 (and of course ISO 14004) have been subject to wide consultation, which has allowed interested parties in the environmental field (some 1650 professionals responded to the consultation) to provide good input to the revision process.

Here are some of the suggested areas for inclusion put forward by IEMA, the Institute of Environmental Management and Assessment:

  • Clarity that the principal aim of any EMS is to protect the environment;
  • Consideration of impacts from the changing environment, so that organisations can manage risks and opportunities as well as managing their own impacts on the environment;
  • More emphasis on managing impacts across the product/service lifecycle;
  • Greater emphasis on demonstrating compliance with statutory and regulatory requirements;
  • Continual improvement of environmental performance.

The next round of discussions by ISO is due to take place in June 2013, and no doubt we will be updated on their deliberations.

Watch this space!!!


© 2015 Quality Matters Ltd. All rights reserved.