
Monday, 25 March 2013

ISO27001 Information Security Standard.

This Standard, last reviewed and updated in 2005, is about to be re-issued as ISO27001:2013 later this year. At present the draft has reached the "draft for public discussion" stage.

Two things are really obvious:

  • The PDCA (plan-do-check-act) method is no longer mentioned.
  • There is no mention of cloud computing or storage.
The first change (PDCA) is to align with the new ISO/IEC directives and is no great loss. The second is a bit disappointing; I would have thought that as Cloud computing and storage were a large part of current practice, it would have merited at least a sub-section if not a whole section in the new Standard, but no.

The proposed sections in the new Standard are:

  1. Introduction
    1. General
    2. Compatibility with other management system standards
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Context of the organisation
    1. Understanding the organisation and its context
    2. Understanding the needs and expectations of interested parties
    3. Determining the scope of the ISMS
    4. Information security management system
  6. Leadership
    1. Leadership and commitment
    2. Policy
    3. Organisational roles, responsibilities and authorities
  7. Planning
    1. Actions to address risks and opportunities
      1. General
      2. Information security risk assessment
      3. Information security risk treatment
    2. Information security objectives and plans to achieve them
  8. Support
    1. Resources
    2. Competence
    3. Awareness
    4. Communication
    5. Documented information
      1. General
      2. Creating and updating
      3. Control of documented information
  9. Operation
    1. Operational planning and control
    2. Information security risk assessment
  10. Performance evaluation
    1. Monitoring, measurement, analysis and evaluation
    2. Internal audit
    3. Management review
  11. Improvement
    1. Nonconformity and corrective action
    2. Continual improvement
Annex A remains, but the useless Annexes B and C are abandoned. The next stage will be a final draft, which may or may not take notice of the comments submitted by interested parties.

The standard may change before final publication (4th qtr 2013), so readers should not amend their systems until the standard is formally issued. The standard ISO27002 is also in draft form and I will report on those changes in the next blog.
