With the unveiling of the new 2013 standard, we have had several discussions with clients on the options for becoming ISO certified, specifically which version of the standard they should use in 2014. In general terms, organizations can get certified against the 2005 version of the standard today, as long as the certificate is issued prior to October 1, 2014 and the organization transitions to the 2013 version once certified, but before October 1, 2015. Alternatively, the organization has the option to get certified against the 2013 version and bypass the transition process. However, before making your decision, below are three areas to consider.
1. Availability of Resources
The first area of concern is usually the perceived abundance of resources (online and elsewhere) for the 2005 version compared with the 2013 version. Based on my research, this concern is not entirely accurate. There are a greater number of toolkits and templates to use in designing and implementing a management system against 2005, primarily due to the number of years that version was in place. However, several organizations and professionals were quick to compile 2013 resources. Even though, for the most part, everyone had the same amount of exposure to the newly revised standard, the abundance of commentary and the desire to offer organizations assistance have provided the industry with quality resources.
2. Ease of Implementation
As of today, even though only a few organizations have been certified against the 2013 version, it may be a valid point that designing and implementing a management system against 2013 is a more relevant process, which in turn may make it easier to implement. One of the reasons for the update was to make the new version applicable to the current environment, risks, and mitigation strategies. For example, organizations with multiple outsourcing partners or those that rely on cloud service providers may find that defining their scope is simpler under the 2013 version than under the 2005 version, since it is now required to take into account the relationships with, and risks around, these partners and providers. Moreover, the control set within Annex A is better suited to the current information technology environment, as controls from the 2005 version that had become obsolete were removed.
3. Professional Experience
There are several professionals who have extensive experience with designing and implementing a management system against the 2005 version, some even since 2005. If an organization chooses to contract with outside assistance to obtain consulting, design, and/or implementation services, it may be beneficial to do so against the 2005 version. Several of these organizations may have turnkey and readily applicable methodologies that have been hardened through the years. As for the 2013 version, only a few professionals will have real-world implementation experience, as the standard has been in existence for little more than six months.
Ultimately, every ISO 27001 certificate will have to conform to the 2013 version. However, organizations still have a decision to make: what will they do today? Some organizations may see a benefit in conforming to only one version of the standard within the next 18 months, as opposed to having to conform to two. Regardless of the choice, the certification is without a doubt held in the highest regard and clearly demonstrates an organization's ability to manage information security risks effectively within a management system.