The NEW ISO/IEC 27001:2013 – Update from the Editor
Overview of Revision Process
The previous version of ISO/IEC 27001 was published in 2005, and the standard has been used extensively around the world ever since. Every three years, standards are considered for revision in ISO/IEC JTC1 SC 27, the committee responsible for developing ISO/IEC 27001 and the related standards, and it was agreed that the standard should be revised.
The revision began with a discussion of its aims and objectives and of the overall strategy to be applied. It was agreed to maintain backwards compatibility from the old to the new version and to make only those changes identified as necessary. It was further agreed that any existing overlap between ISO/IEC 27001 and ISO/IEC 27002 should be removed (for example, the relationship between the ISMS policy required by ISO/IEC 27001 and the information security policy mentioned in ISO/IEC 27002 was not clear to all users of the standards).
The actual revision work started half a year later (SC 27 meets only twice a year) and proceeded on the basis of the agreements that had been reached. While these activities were taking place, a far bigger initiative was started by the ISO Technical Management Board (TMB). The ISO TMB had observed that ISO was producing many different management system standards which all share common elements (such as internal audit, management review and requirements for competence) but address these elements in different parts of the respective standards, using different wording and sometimes even different definitions. This makes combining more than one management system difficult for end users, so the ISO TMB established two Task Force Groups with the aim of developing:
- High level structure – all management system standards that apply this high level structure have the same clauses and sub-clauses down to the first level (e.g. 5.1 Leadership and commitment), to support interoperability and consistency among different management systems
- Identical core text – all management system standards contain some identical high level text describing activities that are relevant to every management system, irrespective of the discipline-specific requirements that may be added (e.g. "The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.")
- Common terms and core definitions – terms relevant to all management systems (e.g. organization, objective, competence) have been defined once for all management systems
In 2009 the ISO TMB activities became visible to SC 27, and we discussed how to respond to this new harmonized approach for management systems. While all National Bodies supported the idea of harmonizing management systems, not all supported the kind of content provided by the identical core text, and some also objected to the amount of change required to comply with the ISO TMB initiative. In the end, SC 27 resolved to accept and implement the new high level structure, identical core text and common terms and core definitions, and also sent liaison officers to the Task Force meetings so that the experience SC 27 gained in applying them to ISO/IEC 27001 could feed back into the development process. The final version of the high level structure, identical core text and common terms and core definitions was published by ISO as Annex SL of the ISO Directives in spring 2013, and it is now being applied to many different management system standards, including ISO 9001 and ISO 14001, which are addressing this development in their current revisions.
ISO/IEC 27001:2005 – ISO/IEC 27001:2013: What are the Changes?
Applying the high level structure, identical core text and common terms and core definitions to ISO/IEC 27001 led to a considerable number of changes. This starts with the structure of the standard, which has to follow the high level structure, and continues with detailed text changes to integrate the identical core text with the information security specific requirements of ISO/IEC 27001. One of the biggest challenges in adopting the identical core text was avoiding duplicate requirements. Duplicate requirements cause many problems for users of a standard because it is very difficult to work out how they are to be addressed; in particular, if the wording is not exactly the same, users may take separate action to satisfy each of the duplicates. Considerable effort went into avoiding such situations,
and the most fundamental changes made are:
- Removal of existing requirements: some requirements, e.g. the requirement to identify attempted and successful security breaches and incidents, relate more to a control than to the management system; such requirements have been removed
- Introduction of new requirements, e.g. for information security objectives and for communication; most of the new requirements result from the identical core text for all management systems
- Streamlining of requirements: the identical core text helped to reduce the requirements to stating WHAT needs to be done to achieve the information security management system, without going into implementation-specific HOWs
- Changes to the information security risk assessment: the requirements for information security risk assessment have been changed to be fully compatible with ISO 31000, and the following requirements have been removed:
a. Asset identification
b. Identification of threats and vulnerabilities, and the link to the existing controls
The new requirements for information security risk assessment (in direct alignment with ISO 31000) simply refer to:
• Risk identification
• Risk analysis
• Risk evaluation
- Changes to information security risk treatment: the main concepts have been kept, the risk treatment options have been aligned with ISO 31000, and the Statement of Applicability is still required, but now purely as the comparison between the controls in Annex A and the controls determined by the information security risk treatment
- It was also decided to keep the link to the ISO/IEC 27002 controls and to leave Annex A as before, with the updates made necessary by the ISO/IEC 27002 revision
- Introduction of "documented information": this concept from the identical core text replaces "documents and records" with "documented information"; anyone who does not like this concept can resolve it with a simple re-definition
- Removal of "preventive action": the new ISO/IEC 27001 no longer uses the concept of "preventive action" as it was used before; the reason for this change is that the management system as a whole acts as a preventive action.
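The point about the Statement of Applicability above is that it is now derived by comparison: every control that the risk treatment plan needs is either an Annex A control (selected, with the risks that justify it) or an additional control, and every Annex A control the plan does not need must carry a justification for its exclusion. The following Python script is an added illustration of that comparison and is not part of the original article or of the standard; the control identifiers, titles, risks and treatment actions are constructed sample data (they are not the real Annex A entries), and the "implemented" status column the standard also asks for is omitted for brevity.

```python
from dataclasses import dataclass

# Constructed sample catalogue in the style of Annex A (hypothetical IDs and
# titles, not the real ISO/IEC 27001:2013 Annex A controls).
ANNEX_A = {
    "A.1.1": "Information security policy",
    "A.2.1": "User access provisioning",
    "A.3.1": "Event logging",
    "A.4.1": "Secure development lifecycle",
}


@dataclass
class TreatmentAction:
    """One entry of the risk treatment plan (constructed sample data)."""
    risk_id: str
    description: str
    controls: tuple  # IDs of the controls that implement this action


# Constructed risk treatment plan: the output of the risk treatment process,
# expressed as controls needed per risk. "ORG-7" is deliberately not in the
# Annex A catalogue, to show an additional (organisation-specific) control.
TREATMENT_PLAN = [
    TreatmentAction("R-01", "Unauthorised access to HR records", ("A.2.1", "A.3.1")),
    TreatmentAction("R-02", "No approved policy baseline", ("A.1.1",)),
    TreatmentAction("R-03", "Malware delivered via supplier media", ("ORG-7",)),
]

# Justifications the organisation recorded for Annex A controls it excludes.
EXCLUSIONS = {"A.4.1": "No in-house software development within the ISMS scope"}


def build_soa(catalogue, plan, exclusions):
    """Derive the Statement of Applicability by comparing the catalogue with
    the treatment plan.

    Returns (soa, findings): soa maps each catalogue control to its
    applicability and justification; findings lists inconsistencies that
    would need to be resolved before the SoA can be signed off."""
    drivers = {}   # Annex A control ID -> risks that require it
    custom = {}    # non-Annex-A control ID -> risks that require it
    for action in plan:
        for cid in action.controls:
            target = drivers if cid in catalogue else custom
            target.setdefault(cid, []).append(action.risk_id)

    soa = {}
    findings = []
    for cid in sorted(catalogue):
        if cid in drivers:
            soa[cid] = {"applicable": True,
                        "justification": "risk treatment: " + ", ".join(drivers[cid])}
            if cid in exclusions:
                findings.append(f"{cid} is excluded ({exclusions[cid]}) "
                                f"but required by {drivers[cid]}")
        elif cid in exclusions:
            soa[cid] = {"applicable": False, "justification": exclusions[cid]}
        else:
            soa[cid] = {"applicable": False, "justification": None}
            findings.append(f"{cid} not selected and no exclusion justification recorded")

    for cid, risks in sorted(custom.items()):
        findings.append(f"{cid} implements {risks} but is not an Annex A control; "
                        "record it as an additional control")
    return soa, findings


if __name__ == "__main__":
    soa, findings = build_soa(ANNEX_A, TREATMENT_PLAN, EXCLUSIONS)
    for cid, entry in soa.items():
        status = "selected" if entry["applicable"] else "excluded"
        print(f"{cid:7} {ANNEX_A[cid]:32} {status:9} {entry['justification']}")
    for f in findings:
        print("FINDING:", f)
```

Running it lists each catalogue control as selected or excluded with its justification and reports one finding: the control ORG-7 is needed by the treatment plan but is not an Annex A control, so it has to be documented as an additional control rather than silently dropped. Removing the exclusion for A.4.1 produces a second finding, because an Annex A control that is neither required by the plan nor justified as excluded is exactly the gap an auditor will look for.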
Some of the changes were controversial, but they were agreed through the usual ISO consensus process, and the final support for the new standard was almost unanimous. SC 27 is working on a Standing Document describing in detail all the changes made to ISO/IEC 27001 and ISO/IEC 27002, which will be available for download from the SC 27 site. This document will be available shortly after our next meeting, which takes place at the end of October.
Consequences for Users of ISO/IEC 27001
Organizations that have implemented ISO/IEC 27001:2005 can re-use most of the processes, policies and procedures they have in place with small or even no changes; the arrangements for management commitment, resourcing, competence, awareness, internal ISMS audits and management reviews will just need some updating. A risk assessment carried out in accordance with the 2005 version should also be usable for the 2013 version, but organizations should at least consider whether changing over to the new approach is beneficial. A risk assessment under ISO/IEC 27001:2005 was asset-based, which can lead to a large amount of detail. The new version of information security risk assessment is truly risk-based, and this can help to reduce unnecessary repetition. There are, of course, a number of new requirements to be addressed (see above), and an organization needs to ensure that all requirements are covered. Overall, the implementation effort required for the 2005 and the 2013 versions is comparable; in ISO/IEC 27001:2013 more emphasis has been placed on the management system requirements, and the information security details have been reduced to what the management system actually requires. The new standard gives the organization more freedom to determine the most suitable way of implementing the requirements, and as long as an organization makes full use of this, implementation should be easier and more beneficial to it.
The author, Dr. Angelika Plate, is Head of the UAE (United Arab Emirates) Delegation to the international committee ISO/IEC JTC1 SC 27 and co-author of the revised standard ISO/IEC 27001:2013. She is also a well-known consultant in the field of information security. CIS invited her as a keynote speaker to the 7th Information Security Symposium in Vienna. Angelika.Plate@helpag.com