ISO 27001 For the New Year

They’ve gone and changed ISO 27001.  Normally, if it ain’t broke don’t fix it, but the ISO team obviously thought differently and here we have a whole new version.  What does it mean?  And more importantly what do we need to do to comply?  Or, more accurately:

What is the minimum we need to do in order to get the certificate?

We know that compliance is not security, but we also know that there are a couple of reasons to chase formal certification:

  • It ticks the box and puts the certificate on the wall;
  • It’s bid candy;
  • It gives us a stick to beat our suppliers; and
  • It might just help us to improve our game.

So we do the minimum and then focus on the real-world need of INSTALLING THE NEXT GEN FIREWALL.

In our shiny new version, the sections have been moved around and the controls have been shifted.  But there are some real changes around system security and managing risk.

Here is a breakdown.

First, the table of contents.

Section                                                                   What’s new
0 Introduction
    Process approach
    Compatibility with other management systems
1 Scope
2 Normative references                                                    As 2005
3 Terms and definitions                                                   As 2005
4 Context of the organization                                             New for 2013
4.1 Understanding the organization and its context                        New for 2013
4.2 Understanding the needs and expectations of interested parties        New for 2013
4.3 Determining the scope of the information security management system   New for 2013
4.4 Information security management system                                Previously section 4
5 Leadership                                                              New for 2013
5.1 Leadership and commitment                                             New for 2013
5.2 Policy                                                                New for 2013
5.3 Organizational roles, responsibilities and authorities                New for 2013
6 Planning                                                                New for 2013
6.1 Actions to address risks and opportunities                            New for 2013
6.2 Information security objectives and planning to achieve them          New for 2013
7 Support                                                                 New for 2013
7.1 Resources                                                             New for 2013
7.2 Competence                                                            Previously section 5.2.2
7.3 Awareness                                                             Previously section 5.2.2
7.4 Communication                                                         New for 2013
7.5 Documented information                                                New for 2013
8 Operation                                                               New for 2013
8.1 Operational planning and control                                      New for 2013
8.2 Information security risk assessment                                  New for 2013
8.3 Information security risk treatment                                   New for 2013
9 Performance evaluation                                                  New for 2013
9.1 Monitoring, measurement, analysis and evaluation                      New for 2013
9.2 Internal audit                                                        Previously section 6
9.3 Management review                                                     Previously section 7
10 Improvement                                                            New for 2013
10.1 Nonconformity and corrective action                                  Previously sections 8.2 and 8.3
10.2 Continual improvement                                                Previously section 8.1
Annex A (normative) Reference control objectives and controls             Revised for 2013 (controls reorganised)

The detailed walk-through of the standard, excluding the controls

0 Introduction
0.1 General
Slightly longer preamble.  No material additions.

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization. The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization. All of these influencing factors are expected to change over time.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls. It is expected that an information security management system implementation will be scaled in accordance with the needs of the organization.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.

ISO/IEC 27000 describes the overview and the vocabulary of information security management systems, referencing the information security management system family of standards (including ISO/IEC 27003[2], ISO/IEC 27004[3] and ISO/IEC 27005[4]), with related terms and definitions.

0.2 Compatibility with other management system standards
No material requirements.

1 Scope
No material requirements.

2 Normative references
No material requirements.

3 Terms and definitions
No material requirements.

4 Context of the organisation
4.1 Understanding the organisation and its context
Fortunately this requirement

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

is too vague to demand anything concrete.  No material change.

4.2 Understanding the needs and expectations of interested parties

Determine interested parties relevant to the information security management system and their requirements.  Vague.

4.3 Determining the scope of the ISMS

The requirement is

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

So the scope document needs to be changed to specifically show, in the preamble:

a) the external and internal issues referred to in 4.1;

b) the requirements referred to in 4.2; and

c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.

Which probably means that the existing scope can stay as it is and we need a couple of hours to write some more introduction.  Net effect: no material change.

4.4 ISMS

We need one.  Same as before.  No material change.

5 Leadership
5.1 Leadership and commitment

“Leadership” is a new word.  But fortunately the actual requirements placed on “top management” are pretty much the same as before, and they are sufficiently vague to mean No material change.

5.2 Policy
A policy is required.  Pretty straightforward, but the policy now needs to include two sentences:

c) includes a commitment to satisfy applicable requirements related to information security; and

d) includes a commitment to continual improvement of the information security management system.

And we also need to make the policy

available as documented information

Which means No material change.

5.3 Organizational roles, responsibilities and authorities
Top management has to assign the security roles, and the responsibilities and authorities that go with them, and communicate them.  Make sure the named people actually exist and are available.  No material change.

6 Planning
6.1 Actions to address risks and opportunities

6.1.1 General
Plan stuff.  No material change.

6.1.2 Information security risk assessment
Requires the same criteria as in 2005.  One new requirement:

ensures that repeated information security risk assessments produce consistent, valid and comparable results;

In other words, two assessors scoring the same asset should arrive at the same risk level, which is a matter of writing the scoring scales down.  So, no material change.  But it also requires these:

c) identifies the information security risks:

1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

2) identify the risk owners;

d) analyses the information security risks:

1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

3) determine the levels of risk;

e) evaluates the information security risks:

1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

2) prioritize the analysed risks for risk treatment.

Looks like the risk assessment process needs to include some words about these specific requirements.  A couple of hours to update the document, but No material change.

6.1.3 Information security risk treatment
This now requires

The organization shall define and apply an information security risk treatment process to:

Which implies a specific document titled “risk treatment process”.  It also requires

produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;

This could be read as demanding an SOA for every system, which would be a considerable effort.  In practice the SOA is a single document covering the whole ISMS scope, listing every Annex A control with a justification for including or excluding it, and that is what auditors expect to see.  It also requires

obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.

This is new and could require actually changing a real process and involving real people.

6.2 Information security objectives and planning to achieve them
A requirement that

The organization shall establish information security objectives at relevant functions and levels.

Which is all very well, but they must also be

Measurable […] communicated

Which sounds like a chore to do well.

7 Support
7.1 Resources
No material change

7.2 Competence
Staff need to be competent, and we need to keep evidence of that competence.  A new requirement, but No material change.

7.3 Awareness
Staff are now required to be aware of:

a) the information security policy;

b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

c) the implications of not conforming with the information security management system requirements.

This might mean an hour adding in these three lines into the awareness pack.  No material change.

7.4 Communication
No material requirements

7.5 Documented information
7.5.1 General
Documentation in the ISMS now includes

documented information determined by the organization as being necessary for the effectiveness of the information security management system

Which could be interpreted as including all the HR documentation too.  This could be a major effort to update and maintain as part of the ISMS.  The saving grace is that it is “determined by the organization”, so we decide what is necessary, and the sensible answer is to keep that list short.

7.5.2 Creating and updating
No material change

7.5.3 Control of documented information
No material change

8 Operation
8.1 Operational planning and control
Change control needed.  No material change.

8.2 Information security risk assessment
No material change

8.3 Information security risk treatment
No material change

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
Specifically asks for monitoring, but no material change

9.2 Internal audit
Internal audits were already required (section 6 in the 2005 edition); they now have their own clause, but no material change

9.3 Management review
No material changes

10 Improvement
10.1 Nonconformity and corrective action
No material changes
