The short answer is 'A lot more than many professionals currently think'.
To start, though, the basic facts: ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) for any organization, regardless of type or size. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO/IEC 27001:2013 is not obligatory in most jurisdictions, but the standard does provide much-needed market assurance. An ISO 27001:2013-certified Information Security Management System (ISMS) gives the market confidence in an organization’s ability to look after information securely. Confidence that it will maintain the 'confidentiality, integrity and availability' of customer information and as a result, protect its own and its partners' reputation.
What is the underlying purpose of the ISO 27001:2013 Standard?
Put simply, the ISO 27000 family of standards helps organizations keep information assets secure. They help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
Whereas in the past, government and large organisations required their suppliers to be ISO 9001-compliant, now those who provide lucrative contracts are also looking for assurances from their suppliers with regards to ISO/IEC 27001.
Large-scale enterprises have a duty of due care to preserve the security of the information in their custody - increasing founded on legal requirements for Data Protection. If that information is shared with a supplier, then the company would be failing in its duty of care if the supplier’s handling of that information was inherently insecure for lack of adequately defined policies, procedures and controls that form a management system. Whether the company chooses to do this for reasons of governance or market assurance, the pressure is mounting to do the right thing even if the cost of standards compliance seems high. Therefore, increasing numbers of organisations are choosing to adopt ISO 27001:2013.
Is your Information Security Management System (ISMS) ISO 27001:2013 compliant?
It will need to be if you are to achieve UKAS-accredited ISO 27001:2013 certification in the year to come.
One year after the publication of ISO/IEC 27001:2013, the IAF has issued a resolution stating that "...all new accredited certifications issued shall be to ISO/IEC 27001:2013". [See: Transition to ISO/IEC 27001: 2013 – Updated June 2014, UKAS]. This means that UKAS-Accredited Certification Bodies CBs have not been issuing any new accredited certificates to ISO/IEC 27001: 2005 since September 2014. Organizations that previously complied with the requirements of ISO 27001:2005 are required to transition promptly to the 2013 version of the standard, and transition audits will be carried out at the next scheduled visit to each certified client. It is time to embrace the changes in ISO/IEC 27001:2013.
So what can you expect from ISO 27001:2013 that is different? Two basic changes need to be understood straight away; they are:
- Move to the Annex SL structure
The ISO has determined that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance will mean that management system requirements that are not discipline-specific will be identically worded in all management system standards. This change will also apply to the much-anticipated revision of ISO 9001 Quality Management System standard when it is published in late 2015.
- Alignment with ISO 31000 Guidance for Risk Management
The ISO also decided to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). This is good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines, including information security risk. The asset-based risk assessment in the 2005 version of the standard required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A.
The 2013 revision doesn’t have this requirement and only references asset ownership as control A.8.1.2 in Annex A - about which, more later. Although the A.8.1.2 Ownership of Assets control says that "Assets maintained in the inventory shall be owned", ISO 27001:2013 allows organisations to choose the risk assessment methodology most appropriate for their needs. The identification of assets, threats and vulnerabilities as a prerequisite to the identification of information security risks is no more!
The 2013 version says that the organization shall define and apply an information security risk assessment process that establishes and maintains information security risk criteria that include:
- the risk acceptance criteria; and
- criteria for performing information security risk assessments;
The information security risk assessment should produce "...consistent, valid and comparable results"; identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS; and, importantly in consideration of the changes, "identify risk owners". Analysis and evaluation of information security risks are also required, including determining the realistic likelihood of a risk occurring and the levels of risk posed. You are required to compare the results of risk analysis with the risk criteria established in 6.1.2 a) and prioritize the analysed risks for risk treatment.
In Part II of this post, I will look at the following considerations:
How to apply the CIA requirements mentioned in the standard at business objectives level. In particular, at how to conduct a Risk Assessment on business objectives at a high level that will drill down to the actual risk present at the information level, taking account of the InfoSec objectives that are fundamental to the control of specific vulnerabilities and threats.
This guest post was written by Michael Shuff. You can email him here.
Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM