ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. An ISO 27001:2013-certified Information Security Management System (ISMS) gives the market confidence in an organization’s ability to look after information securely. Confidence that it will maintain the ‘confidentiality, integrity and availability’ of customer information and as a result, protect its own and its partners’ reputation.

What is the underlying purpose of the ISO27001:2013 Standard?

Put simply, the ISO 27000 family of standards helps organizations keep information assets secure. They help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

Whereas in the past, government and large organisations required their suppliers to be ISO 9001-compliant, now those who provide lucrative contracts are also looking for assurances from their suppliers with regards to ISO/IEC 27001.

Enterprises have a duty of due care to preserve the security of the information in their custody – increasing founded on legal requirements for Data Protection. If that information is shared with a supplier, then the company would be failing in its duty of care if the supplier’s handling of that information was inherently insecure for lack of adequately defined policies, procedures and controls that form a management system. Whether the company chooses to do this for reasons of governance or market assurance, the pressure is mounting to do the right thing even if the cost of standards compliance seems high. Therefore, increasing numbers of organisations are choosing to adopt ISO27001:2013.

Is your Information Security Management System (ISMS) ISO 27001:2013 compliant?

One year after publication of ISO/IEC 27001:2013, the IAF has issued a resolution stating that “…all new accredited certifications issued shall be to ISO/IEC 27001:2013″. This means that Accredited Certification Bodies CBs have not been issuing any new accredited certificates to ISO/IEC 27001: 2005 since September 2014. Organizations that previously complied with the requirements of ISO27001:2005 are required to transition promptly to the 2013 version of the standard, and transition audits will be carried out at the next scheduled visit to each certified client. It is time to embrace the changes in ISO/IEC 27001:2013.

So what can you expect from ISO27001:2013 that is different? Two basic changes need to be understood straight away; they are:

• ✓Move to the Annex SL structure

The ISO has determined that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance will mean that management system requirements that are not discipline-specific will be identically worded in all management system standards. This change will also apply to the much-anticipated revision of ISO 9001 Quality Management System standard when it is published in late 2015.

• ✓Alignment with ISO 31000 Guidance for Risk Management

The ISO also decided to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). This is good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines, including information security risk. The asset-based risk assessment in the 2005 version of the standard required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A.

The 2013 revision doesn’t have this requirement and only references asset ownership as control A.8.1.2 in Annex A – about which, more later. Although the A.8.1.2 Ownership of Assets control says that “Assets maintained in the inventory shall be owned”, ISO27001:2013 allows organisations to choose the risk assessment methodology most appropriate for their needs. The identification of assets, threats and vulnerabilities as a prerequisite to the identification of information security risks is no more!

The 2013 version says that the organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:

• ✓The risk acceptance criteria; and
• ✓Criteria for performing information security risk assessments;

The information security risk assessment should produce “…consistent, valid and comparable results”; identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the ISMS; and, importantly in consideration of the changes, “identify risk owners”. Analysis and evaluation of information security risks are also required, including determining the realistic likelihood of a risk occurring and the levels of risk posed. You are required to compare the results of risk analysis with the risk criteria established in 6.1.2 a) and prioritize the analysed risks for risk treatment.