The Transition to ISO 27001:2013 - How the Revisions Impact Existing Management Systems

ISO 27001, the international management systems standard for information security, has been extensively revised since its first edition in 2005; the new edition was published on 25th September 2013. The most significant change is that it has been aligned to the ISO principles for the harmonisation of management system standards, so that management systems covering more than one standard can be integrated more easily and much duplication removed.

Since the financial crisis of 2008, all ISO management system standards now include risk management content. Although risk management has always been the basis of the ISO 27001 methodology, the risk process within ISO 27001:2013 has been brought more closely into line with the general risk management standard ISO 31000. ISO 27005 will nevertheless probably remain the staple starting point for the risk process within the ICT industry, as it specifically addresses information security risks.

The key quality initiative of continual improvement is also more pronounced in the 2013 revision, giving the traditional Plan-Do-Check-Act cycle a more fluid role and allowing organisations more freedom to choose how they achieve continual improvement and manage potential non-conformities appropriately.

"The revised standard allows organisations much more flexibility in the way they implement risk management and control for their IT systems", says Alan Rutterford, Excel's lead tutor for Information Management Systems auditor training. "Bringing the standard more in line with ISO 31000 and the expected new ISO 9001, and with the process approach, enables information management to be more easily integrated with higher-level corporate risk strategies."

  • Structure
    The most obvious change in the 2013 revision is its structure: its alignment to the harmonised requirements and its emphasis on the 'Context of the Organisation', which ensures that the ISMS is aligned with the business objectives and processes of the organisation and that contractual and regulatory obligations are identified and met from the start.
  • Risk Process
    Companies are required to identify risks to the confidentiality, integrity and availability of information, with more flexibility in the choice of methodology used to identify them. Although the specifics of how risk management should be undertaken have been removed, companies are still required to have a risk management process; they are now free to choose whichever risk standards or practices are most appropriate for their organisation. So, although ISO 27005 provides a level of best practice in this area for the ICT industry, the ISO 31000 (Risk Management) standard may be equally applicable. A welcome addition is the requirement for companies to identify opportunities as well as threats, and to explore ways in which these opportunities can be realised.
  • Risk Ownership
    'Risk Owners' are to be defined within the organisation's structure. This is a more flexible term than the 'asset owner' used in the previous edition of ISO 27001, and it ties ownership to processes and risks rather than to specific assets. A risk owner decides how a risk is to be treated, approves the risk treatment plan and accepts the residual risk.
  • Non-conformity
    Non-conformity and corrective action are addressed explicitly in the revised standard. A non-conformity is a deviation from the implemented management system or from the controls within it, and such deviations are usually discovered during internal audits. A security incident, and the way in which it is handled, can also give rise to a non-conformity.
  • Monitoring and Measurement
    There is an increased emphasis on companies monitoring and measuring the effectiveness of the information security controls they have in place, and this is open to external review. Implemented security measures must be evaluated against defined measures, typically Key Performance Indicators, making the whole process more rigorous.

It is expected that companies that have already achieved certification to ISO 27001:2005 will be given a two- or three-year transition period in which to implement the new 2013 requirements. All Excel's training courses reflect the current Management System Standards and are revised accordingly as new editions are released. We endeavour to facilitate our customers' transitions to new versions by publishing Comparison Documents, which can be found on our Technical Information page, as well as current news bulletins.

Delegates attending Excel's ISO 27001 Introduction, Implementation, Internal Auditor and Lead Auditor courses will be briefed on the changes incorporated into the 2013 edition and the implications these may have for their companies.