ISO/IEC 27001:2013
Technical guidance for transitioning from ISO/IEC 27001:2005
January 2015
Protect. Comply. Thrive.
IT Governance Ltd 2015
Technical Guidance for ISO 27001:2013, v2

Introduction

ISO/IEC 27001:2005 has been superseded by ISO/IEC 27001:2013. The International Accreditation Forum (IAF) has announced that, as of 1 October 2014, no more accredited certificates to ISO 27001:2005 will be issued. From that date, certification bodies may only issue certificates to the new version of the Standard, ISO 27001:2013.

The deadline for certification bodies (CBs) to transition from ISO 27001:2005 to ISO 27001:2013 has been set as 1 October 2015. Once transitioned, CBs will look to transition their clients promptly, and will carry out transition audits at their next scheduled surveillance visits.

If your ISMS is currently certified to the 2005 version of ISO 27001, then you need to act now to comply with the requirements of the 2013 version of the Standard.

This green paper explains the differences between the two versions of the Standard and outlines the changes you will need to make to your ISMS to maintain its compliance with, and certification to, ISO 27001.

ISO/IEC 27001:2013 focuses on protecting three key aspects of information:

Confidentiality: the information is not available or disclosed to unauthorised people, entities or processes.
Integrity: the information is complete and accurate, and protected from corruption.
Availability: the information is accessible and usable by authorised users.

ISO/IEC 27000, which provides the standard definitions used in ISO 27001:2013, states that information security can also involve other properties, such as authenticity, accountability, non-repudiation and reliability.

The information security management system (ISMS)

ISO 27001 sets out the requirements of an ISMS, which is defined as 'a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives'.[1] An ISMS.

[1] ISO/IEC 27000:2014.

Overview of notable changes to ISO 27001

The 2013 version of ISO 27001 is substantially different from the 2005 iteration. This section lists the notable changes to the Standard. See "Summary of changes to management system clauses", below, for detailed information about specific changes.

The Standard no longer formally adopts the Plan-Do-Check-Act (PDCA) process model, leaving it to the organisation to determine and adopt a continual improvement model that suits its own environment.

The Standard states that the order in which requirements are presented does not reflect their importance or the order in which they should be implemented.

The Terms and definitions clause has been removed, and reference is instead made to the current version of ISO 27000, which provides terms and definitions for all ISO 27000-series standards. While this change at first appears purely cosmetic, it does result in a change of definition for such key terms as 'risk' (now 'the effect of uncertainty on objectives' rather than 'the combination of the probability of an event and its consequence'). It also means that when ISO 27000 is updated, the terms and definitions for ISO 27001 are automatically updated.

The scope now requires that organisations consider 'external and internal issues', 'interested parties', and the information security requirements of those interested parties. This is intended to ensure that the ISMS is relevant to the organisation's activity, and to provide assurance to its stakeholders that it is appropriate.

The ISO 27001:2013 information security risk assessment requirements are less prescriptive than those of ISO 27001:2005, and are aligned with ISO 31000:2009, the international standard for risk management:

- Threats and vulnerabilities are no longer referred to in the management system requirements.
- The risk assessment does not have to be asset-based.
- Risk treatment is to be achieved through the selection of controls determined necessary by a risk assessment. These controls are then compared with the Annex A controls to ensure that no essential controls have been omitted.
- Risks are treated and residual risk is accepted by 'risk owners' rather than 'asset owners'.

Management involvement is strengthened in leadership and review.

Documentation is no longer addressed through 'control of documents' and 'control of records'. The Documented information subclause now describes 'documented information required by this International Standard' and 'documented information determined by the organisation as being necessary for the effectiveness of the information security management system'. This allows the organisation greater latitude in determining the necessity of specific records and documents. It also simplifies the security procedures for the handling of documents and information.

There is a significant expansion of the requirements relating to setting information security objectives, evaluating information security performance, and measuring the effectiveness of the ISMS.

The requirement that internal auditors shall not audit their own work is absent in the 2013 version of ISO 27001, but the need to ensure objectivity and impartiality remains.

Preventive action is no longer a separate requirement.

Finally, a number of requirements for communication have been introduced.

The new structure of ISO 27001

ISO 27001:2013 adopts Annex SL,[2] the harmonised structure now used for all ISO management system standards. This new structure provides a clearer view of the requirements of the ISMS than before, as there are now more top-level clauses into which the requirements have been rearranged:

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

[2] Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013.

Annex A has also been restructured into fewer controls (114), which have been divided into a larger number of categories:

- Information security policies
- Organisation of information security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Structure of ISO 27001:2005 compared with ISO 27001:2013

ISO 27001:2005. The ISMS requirements are spread across five clauses, which approach the ISMS from a managerial perspective:
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

ISO 27001:2013. The ISMS requirements are spread across seven clauses, which do not have to be followed in the order they are listed:
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Implications for transition

The most obvious feature of the new structure is the addition of clause 4, Context of the organisation. The 2013 version of the Standard now ensures that the ISMS is aligned with the organisation's business objectives and processes, as well as ensuring that it fulfils business, regulatory and contractual obligations from the very beginning. The new Standard also provides greater focus on communication, spreading the responsibility for information security further across the enterprise and business partners.

Summary of changes to management system clauses

0. Introduction

The Plan-Do-Check-Act (PDCA) process approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS has been removed, as have all references to it. (The 2005 version of the Standard referenced it in clause 4, General requirements.)

It is worth acknowledging that the ISO Directive for management system standards[3] says: 'An effective management system is usually based on managing the organisation's processes using a "Plan-Do-Check-Act" approach in order to achieve the intended outcomes'.

1. Scope

The two subclauses have been condensed into one paragraph, removing any overlap with the requirements in clauses 4 to 10.

2. Normative references

ISO 27000 is quoted as a normative reference and is described as 'indispensable' for the application of ISO 27001:2013.

The code of practice ISO 27002 is no longer defined as a normative reference.

3. Terms and definitions

The list of terms and definitions has been replaced by a reference to the current version of ISO 27000, which standardises terms and definitions for the entire ISO 27000 family of standards. (At the time of writing, the current version is ISO 27000:2014.)

This change means risk is now defined as the:

'effect of uncertainty on objectives'
[SOURCE: ISO Guide 73:2009]

Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterised by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organisation.

Please see ISO 27000:2014 for other definitions.

4. Context of the organisation

Understanding the organisation and its context

This subclause requires the organisation to 'determine external and internal issues that are relevant to its purpose and affect its ability to achieve the intended outcome(s)' of the ISMS.

It references the subclause of ISO 31000:2009 (Risk management - Principles and guidelines) that considers establishing the external and internal context of the organisation, and the context of the risk management process. This includes ensuring that 'the objectives and concerns of external stakeholders are considered when developing risk criteria', and should align the organisation's security stance with its stakeholders' expectations. (See comments on the Policy subclause, below.)

Understanding the needs and expectations of interested parties