
Tuesday, 5 May 2015

Information Security Management Standard ISO 27001

Organisations that are certified to ISO 27001:2005 are required to upgrade to the 2013 version of the Standard. ISO 27001:2013 was published in September 2013, and a transition period was allowed so that organisations could review their systems and upgrade their operations to comply with the revised requirements specified in ISO 27001:2013.
This transition period expires in September 2015. Any organisation that has not upgraded its systems by then, and had its certification body reassess and recertify it to the 2013 Standard, will automatically be deregistered.
The revised Standard follows the new Annex SL format and has an introduction followed by 10 main sections:

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The table below maps each ISO 27001:2013 clause to the corresponding ISO 27001:2005 requirement(s).

| ISO 27001:2013 | ISO 27001:2005 |
|---|---|
| 0 Introduction | 0 Introduction |
| 1 Scope | 1 Scope |
| 2 Normative references | 2 Normative references |
| 3 Terms and definitions | 3 Terms and definitions |
| 4.1 Understanding the organisation and its context | 8.3 Preventive action |
| 4.2 Understanding the needs and expectations of interested parties | 5.2.1 (c) Identify and address legal and regulatory requirements and contractual security obligations |
| 4.3 Determining the scope of the information security management system | 4.2.1 (a) Define scope and boundaries; 4.2.3 (f) Ensure the scope remains adequate |
| 4.4 Information security management system | 4.1 General requirements |
| 5.1 Leadership and commitment | 5.1 Management commitment |
| 5.2 Policy | 4.2.1 (b) Define an ISMS policy |
| 5.3 Organisational roles, responsibilities and authorities | 5.1 (c) Establishing roles and responsibilities for information security |
| 6.1.1 Actions to address risks and opportunities - general | 8.3 Preventive action |
| 6.1.2 Information security risk assessment | 4.2.1 (c) Define the risk assessment approach; 4.2.1 (d) Identify the risks; 4.2.1 (e) Analyse and evaluate the risks |
| 6.1.3 Information security risk treatment | 4.2.1 (f) Identify and evaluate options for treatment of risks; 4.2.1 (g) Select control objectives and controls for the treatment of risks; 4.2.1 (h) Obtain management approval for the proposed residual risks; 4.2.1 (i) Obtain management authorisation to implement and operate the ISMS; 4.2.1 (j) Prepare a statement of applicability; 4.2.2 (a) Formulate a risk treatment plan |
| 6.2 Information security objectives and planning to achieve them | 5.1 (b) Ensuring the ISMS objectives and plan are established |
| 7.1 Resources | 4.2.2 (g) Manage resources for the ISMS; 5.2.1 Provision of resources |
| 7.2 Competence | 5.2.2 Training, awareness and competence |
| 7.3 Awareness | 4.2.2 (e) Implement training and awareness programmes; 5.2.2 Training, awareness and competence |
| 7.4 Communication | 4.2.4 (c) Communicate the actions and improvements; 5.1 (d) Communicating to the organisation |
| 7.5 Documented information | 4.3 Documentation requirements |
| 8.1 Operational planning and control | 4.2.2 (f) Manage operations of the ISMS |
| 8.2 Information security risk assessment | 4.2.3 (d) Review risk assessments at planned intervals |
| 8.3 Information security risk treatment | 4.2.2 (b) Implement the risk treatment plan; 4.2.2 (c) Implement controls |
| 9.1 Monitoring, measurement, analysis and evaluation | 4.2.2 (d) Define how to measure effectiveness; 4.2.3 (b) Undertake regular reviews of the ISMS; 4.2.3 (c) Measure the effectiveness of controls |
| 9.2 Internal audit | 4.2.3 (e) Conduct internal ISMS audits; 6 Internal audits |
| 9.3 Management review | 4.2.3 (f) Undertake a management review of the ISMS; 7 Management review of the ISMS |
| 10.1 Nonconformity and corrective action | 4.2.4 Maintain and improve the ISMS; 8.2 Corrective action |
| 10.2 Continual improvement | 4.2.4 Maintain and improve the ISMS; 8.1 Continual improvement |

Moving on to the ISO 27002:2013 Code of Practice: this has been revised to take account of modern practices, it arranges its elements in a far more logical sequence, and much of the earlier duplication has been removed.

Operations security and communications security have been separated into their own sections, cryptography has been given its own section, and a completely new section has been added for supplier relationships.

The standard has been expanded from the previous 15 sections to 18 sections. It now contains 35 main security categories with 114 controls, reduced from the 133 controls in the 2005 edition.

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of this standard
  5. Information security policies
  6. Organisation of information security
  7. Human resource security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

Remember that time is running out and certification bodies need to plan well ahead, so carry out the upgrade now. If you need help, we are available.

© 2015 Quality Matters Ltd. All rights reserved.