ISO 27001:2013 – Understanding the New Standard
Part 1: Scoping and the approach of implementing the ISMS
Organizations currently implementing or planning to implement a management system based on ISO 27001 will have a tough decision to make in the near future: Should management implement the information security management system (ISMS) based on ISO 27001:2005, or should ISMS implementation be delayed until the issuance of the new standard, ISO 27001:2013? The choice between the two versions of ISO 27001 will have major implications for how your organization approaches and designs its ISMS.
Organizations currently certified should not expect much difficulty in transitioning from the 2005 version to the 2013 version. Organizations that are not currently certified will be impacted by the revised 27001 standard, which is expected to be released later in 2013.
The draft version of the updated 27001 standard was recently released for review. Its format was redesigned to better align with other ISO standards, such as ISO 9001 and ISO 20000. Moreover, the draft received slight modifications in both the management system requirements and the controls included in Annex A. These modifications better accommodate the software-based infrastructures (e.g. cloud computing) that have predominantly emerged within the last few years.
The intent and focus of the standard have not changed in the 27001:2013 draft. The standard remains focused on information security and an organization’s approach to designing, planning, implementing, and monitoring a management system that effectively manages information security risk. However, the foundation for designing and planning the management system has shifted to better align with the practical realities of today’s organizational environment. This will come as a positive shift for several organizations, as the scope moves away from the risk assessment approach that organizations have historically struggled with during the implementation of their management system.
Scoping Your Information Security Management System Under ISO 27001:2013
By adopting the draft version of the standard, organizations will now have the ability to base the scope of their ISMS on the issues and objectives most meaningful to the organization’s risk environment. The draft version takes into consideration the dependencies between the organization and third parties. This is a critical component for organizations that have third party relationships (specifically data centers) that provide a key system or service to the organization. Likewise, by adopting the draft version, it is assumed that the organization will have a greater acceptance and understanding of the scope limitations pertaining to third party relationships and dependencies.
See below for a comparison of the 2005 and 2013 versions of the standard:
ISO 27001:2005 – Establishing the ISMS
Define the scope and boundaries of the ISMS in terms of the following:
- characteristics of the business;
- the organization;
- its location;
- assets and technology; and
- details of and justification for any exclusions from the scope.

ISO 27001:2013 – Context of the Organization
Determine external and internal issues that are relevant to the organization’s purpose and that affect its ability to achieve the intended outcome of its ISMS.
Determine interested parties that are relevant to the ISMS and their requirements relevant to information security.
Determine the boundaries and applicability of the ISMS to establish its scope, considering the following:
- the previously determined external and internal issues;
- the previously noted requirements of interested parties; and
- interfaces and dependencies between activities performed by the organization and those performed by other organizations.
The draft version’s approach to defining the scope provides more directed guidance on the necessary considerations, which should ultimately produce a more grounded scope. This could potentially lead to a better defined implementation process for the foundations of the organization’s ISMS. Organizations in the process of planning their ISMS, or those that expect to undertake the project during the latter part of the year, may have the opportunity to reassess their approach to implementation should difficulties arise in defining the scope and/or potential scope creep.
What to do Today?
Organizations currently in the process of implementing an ISMS using the 27001:2005 standard may find it in their best interest to obtain and review the draft 27001:2013 standard so that the appropriate decision for the organization can be made. In addition, please do not hesitate to contact Schellman to schedule a call to discuss the ISO 27001 certification process and upcoming changes. We are happy to provide your organization with a free consultation.
About RYAN MACKIE
Ryan Mackie is a Principal and ISO Certification Services Practice Director at Schellman & Company, LLC. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301, as well as CSA STAR certification services. He has over 18 years of experience. Ryan is also an active member of the CSA and sits on the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.