2013 was a year with no shortage of news about hacker attacks, data leaks, digital espionage and privacy issues (hi Obama!), and the result is that Information Security is now – more than ever – in the spotlight.
In this context comes the revised version of ISO 27001, the international standard that, for more than a decade, has been one of the main references for managing Information Security. A series of questions may come to the minds of IS professionals: What really changes? Is the standard more effective?
Of course, professionals in charge of ISMS management are already imagining the number of new controls and documents required to obtain or maintain certification.
So, let’s check it out!
Greater alignment with other management systems
One of the difficulties for ISMS implementers is having to handle more than one management system (e.g. 27001 x 9001 x 14000) which, despite sharing common requirements, have several major differences when it comes to definitions.
One of the changes in 27001:2013 is the alignment with Annex SL (formerly known as ISO Guide 83), which standardizes definitions and structures across different ISO standards. With this update, 27K is now fully aligned with other ISO standards such as ISO 9001, ISO 14000, ISO 20000, ISO 22000 and ISO 22301.
Companies with more than one management system will be able to centralize and integrate them in an effective way, reducing administrative overhead.
The international version of ISO 27001:2013 has already been validated and published. Brazil’s localization is expected later this year. But one question remains: what about those who are still using the 2005 version?
If your company is about to be certified, or already holds a 27001:2005 certification, do not panic! You can still obtain or renew certification against the old version until September 2014.
The deadline for migrating to ISO 27001:2013 is two years, until September 2015.
The list of required documents is nothing to be scared of, especially if you are used to the requirements of the previous version:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Of course, if a document referenced above is part of Annex A, it is mandatory only if there is an associated risk. But now that we are talking about the infamous Annex A, let’s have a closer look:
Annex A: Comparing versions!
Ok, the standard is now more aligned than ever with other management systems and we will have quite some time for adaptation. Great! However, what really changes?
Well, the purpose of the update was to make 27001 more effective and better suited to the current context of information security in organizations. The standard has changed a lot, but that does not mean a lot of work.
Let’s take a quick look at the main changes to the Controls and Control Objectives in Annex A:
Sections: the number of sections increased. The previous version of the standard was organized into 11 sections; the 2013 update has 14! This change mainly improves the organization of the framework, which in its previous installment had controls in places that simply did not make any sense. This issue has been resolved!
An example is encryption, which now has its own section (10) and is no longer part of the Acquisition, Development and Maintenance of information systems section, which makes perfect sense. Another item that gained its own section is Supplier Relationships (15).
This is the new organization:
- 5 Security Policies
- 6 Organization of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 System acquisition, development and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity
- 18 Compliance
Number of controls: If you thought an update of the standard would automatically increase the number of controls … well, you were wrong! Sure, there are new controls, but several controls considered very specific or outdated were removed.
- New controls:
  - 14.2.1 Secure development policy – rules for development of software and information systems
  - 14.2.5 System development procedures – principles for system engineering
  - 14.2.6 Secure development environment – establishing and protecting the development environment
  - 14.2.8 System security testing – tests of security functionality
  - 16.1.4 Assessment and decision of information security events – this is part of incident management
  - 17.2.1 Availability of information processing facilities – achieving redundancy
- Removed controls:
  - 6.2.2 Addressing security when dealing with customers
  - 10.4.2 Controls against mobile code
  - 10.7.3 Information handling procedures
  - 10.7.4 Security of system documentation
  - 10.8.5 Business information systems
  - 10.9.3 Publicly available information
  - 11.4.2 User authentication for external connections
  - 11.4.3 Equipment identification in networks
  - 11.4.4 Remote diagnostic and configuration port protection
  - 11.4.6 Network connection control
  - 11.4.7 Network routing control
  - 12.2.1 Input data validation
  - 12.2.2 Control of internal processing
  - 12.2.3 Message integrity
  - 12.2.4 Output data validation
  - 11.5.5 Session time out
  - 11.5.6 Limitation of connection time
  - 11.6.2 Sensitive system isolation
  - 12.5.4 Information leakage
  - 14.1.2 Business continuity and risk assessment
  - 14.1.3 Developing and implementing business continuity plans
  - 14.1.4 Business continuity planning framework
  - 15.1.5 Prevention of misuse of information processing facilities
  - 15.3.2 Protection of information systems audit tools
Obviously you must be wondering: Which version of the standard should I use? 2005 or 2013?
Well, the update of 27001 – which should be available in Portuguese later this year – aims at something that seems very cool to me: “a more effective risk management”, with updated controls organized in a more intuitive way.
In addition, 27001:2013 is easier to align with other management systems, which will save a lot of time on a new project or reduce the administrative burden in an existing environment.
With all these benefits, the obvious recommendation for new projects is “go ahead and use the updated version”. But if you already have an ongoing project that should be completed in the next six to eight months, I would recommend keeping the 2005 version. You had better be quick, though: the deadline is just a couple of months away!