ISO 27001:2013, also written as ISO/IEC 27001, is the standard for an information security management system (ISMS). It specifies security controls for managing an organization’s information security risks effectively, and it includes policies and procedures to establish and improve the organization’s security management structure. Any organization that wants to implement effective and productive security controls needs to comply with ISO 27001.
ISO 27001:2013 follows a six-step risk-based approach. The steps are as follows:
- Implement a security policy.
- Define the scope of the ISMS.
- Carry out a risk assessment.
- Manage the identified risks.
- Select the objectives and controls to implement accordingly.
- Prepare a Statement of Applicability.
Major Changes Introduced in ISO 27001:2013
- It aligns the requirements of risk management with the ISO 31000 principles.
- It allows for easy integration with other management systems because of the mandatory requirement to conform to the High Level Structure, as other ISO management system standards do.
- It relocates and/or removes definitions and changes terminology.
- It replaces preventive actions with “actions to address risks and opportunities”.
- It modifies the controls in Annex A to counter evolving threats.
- It puts strong emphasis on objectives, performance, monitoring and metrics.
Unlike the 2005 version, which follows the Plan-Do-Check-Act (PDCA) model, the 2013 revision does not prescribe any particular model. Organizations that already comply with ISO 27001 can continue to follow the PDCA model, but those implementing it now need to choose their own methodology for continual improvement.
In ISO 27001:2005 there were two forms of documentation, i.e. documents and records. Documents included the process structure, policies and procedures. Records included work history, log records, audit records, etc. ISO 27001:2013 does not classify documentation into these categories.
The basic difference between the two versions, though, is the structure. The 2005 version has five sections, while the 2013 version has seven basic sections. The latter is based on the Annex SL template. All future ISO management system standards will use this template to give them the same look and uniformity.
The following table shows the basic clauses of the two versions of the standard. ISO 27001:2013 has more clauses, but it is easier to manage than the previous version.
New Controls Have Been Added
ISO 27001:2013 comes with the addition of some new controls to the standard. These can be summarized as follows:
- A.6.1.5 makes information security a compulsory part of project management, regardless of the nature of the project.
- A.12.6.2 prohibits users from installing unauthorized software on company systems without permission and verification by the analyst.
- A.14.2.1 checks and ensures that security is integrated into all software development phases.
- A.14.2.5 mandates secure system engineering principles and their documentation.
- A.12.2.6 ensures that all risks have been properly identified and assessed.
- A.14.2.8 makes it compulsory to implement and follow software testing procedures.
- A.15.1.1 makes it mandatory to develop a security policy for supplier access that is in line with the access control policy.
- A.15.1.3 ensures that agreements addressing the security and risks of the supply chain are put in place.
- A.16.1.4 checks that there is a procedure to analyze and classify security issues.
How to Carry Out the Transition from ISO 27001:2005 to ISO 27001:2013
ISO 27001:2013 is the first revision of the standard; the first version was published in 2005. The following steps can help organizations make a smooth transition from the earlier version to the revised one:
1. Make a Stakeholders List
As a starting point, make a list of all the people and organizations who will directly or indirectly affect, or be affected by, your organization’s information security. If your organization already complies with control A.15.1.1 of the 2005 version, which covers regulatory, contractual and statutory requirements, consider half of your work done.
2. Identify the Interfaces
According to the revised version, your scope definition needs to include every interface between your organizational activities and those of third parties.
3. Align ISMS Objectives with Organizational Strategy
Your ISMS objectives should be integrated into the strategic direction of your organization.
4. Develop a Risk Assessment Process
There is no longer a need to base your risk methodology on assets, threats and vulnerabilities. You need to identify your risk owners and develop a methodology of your own. You also need to identify outsourced processes along with the methods used to control them.
5. Get Approval of Risk Owners
According to ISO 27001:2013, you need to obtain the risk owners’ approval of your risk treatment plan and their acceptance of the residual information security risks.
6. Create an Effective Communication Plan
A clear and effective communication plan should be devised which states who will communicate with whom, both internally and externally.
7. Decide Upon Management Procedures
In the 2013 version, preventive actions have been made part of the risk assessment process. The remaining management procedures, i.e. Internal Audit, Document Control and Corrective Action, are no longer required to be documented. Decide whether you want to drop these procedures or document them. Even if you do not document these management procedures, you still need to maintain them.
8. Develop New Policies and Procedures
According to ISO 27001:2013, after choosing related controls to be applicable, you need to develop the following new policies and procedures:
- Secure System Engineering Principles (A.14.2.5)
- Incident Management Procedure (A.16.1.5)
- Supplier Security Policy (A.15.1.1)
- Business Continuity Procedure (A.17.1.2)
9. Manage Your Security Controls and Record Their Status in the SoA
In the Statement of Applicability (SoA), you need to specify for every control whether you have implemented it or not. Annex A has added a few new controls, which are as follows:
- 6.1.5 Information security in project management
- 14.2.1 Secure development policy
- 14.2.5 Secure system engineering principles
- 14.2.6 Secure development environment
- 14.2.8 System security testing
- 16.1.4 Assessment of and decision on information security events
- 17.2.1 Availability of information processing facilities