ISO/IEC 27001:2013 and ISO/IEC 27002:2013 are scheduled for publication on October 17th.
This will be the first release of the only internationally accepted standard framework for information security since it was adopted by the International Standard Organization (ISO) in 2005.
The ISO/IEC 27001 series has been growing in recognition since its original conception by the UK Government in 1995. The UK Government created this standard, known as BS7799, originally in an attempt to standardize security practices internally and externally with its service providers.
Expert Mark Edward Stirling Bernard says:
At the time of its adoption by ISO harmonized, known as ISO 17799, the standard framework was harmonized with existing standards ISO 9001 for Quality Management Systems and ISO 14001 for Environmental Management Systems. This was actually an important decision that helped add clarity to the all important Information Security Management System (ISMS)Â which up to this point was confusing many subject matter experts (SME) and even today a large number of SMEs struggle with ISMS. Another important change was the alignment with a green IT movement. The ISO 14001 standard helped clarify that the environment was also important to security as much so as security was important to safeguard the environment.
Nearly eight years later a lot has changed in the world of information security in terms of threats, vulnerabilities and risks associated with cloud computing, big data, and most recently cybersecurity. Over the past two years standards organizations from participating countries around the globe have been holding meetings with industry professionals seeking input for improvements to ISO/IEC 27001:2013 and ISO/IEC 27002:2013. The results have been very positive and will streamline the adoption process by adding yet another level of clarity that hasn’t been there before. The revised standard is scheduled to be published in October 2013.
Table One: ISO/IEC 27001:2013 control summary
There are plenty of changes to both ISO 27001 and 27002 standards that will affect 17,509 organizations who are currently certified and registered.
Once ISO/IEC 27001:2013 and ISO/IEC 27002:2013 have been officially published organizations will have a grace period of 12 months before they need to become re-certified. Mark says this should not be a problem for any organization that has made the initial investment as their current ISMS programs have already conformed to the mandatory and discretionary controls. Mark adds: “If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013 we would identify an increase is mandatory control points. In 2005 they totaled 102 and in 2013 they will increase to 148.
While Annex A is the best known series of security control objectives the reality is that without the mandatory clauses 4 – 10, referred to as the Information Security Management System or ISMS, the all important management system would not exist.” ISMS is the backbone for the ISO/IEC 27000 series and it includes important standard operating procedures like governance, risk management, document control, record management, internal audit, continuous improvement, training & awareness.
The importance of mandatory clauses is punctuated by the fact that during ISMS audits if the auditor discovers that any of the mandatory clauses are missing or ineffective it is considered a major non-conformity and reason to not be recommended for registration/certification or to be decertified. Discretionary control weakness is treated much differently, which we will discuss in the next section.
Mark indicates that the latest release of ISO/IEC 27001:2013 will see an increase in mandatory topics from 5 to 7 increasing the number of control points from 102 to 148. He says this is a huge increase of 46 net-new mandatory control points; and that the shift highlights the growing importance of the management systems and the need for more attention to information security management. In fact within the 2005 version one of the mandatory topic areas was the title information security management system. Mark said that has been removed because it created confusion as many of the original topic section titles did concerning the purpose and function of all mandatory clauses. Mark added that the new subject titles are much clearer and should help the adoption process.
Table Two: ISO/IEC 27001 mandatory control summary
“If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013 Annex ‘A’ control objectives we would see a drop. In 2005 they totaled 133 and in 2013 they will total 113. That’s a drop of 30 shifting the emphasis to security management,” Mark said. “While Annex A has become the best known internationally accepted information security framework the reality is that without the mandatory clauses 4 – 10 ISO/IEC 27001:2013 is just another security standard.”
From Mark’s indications the shift in control point totals appears to single more emphasis within the auditable specification on security management and conversely more integration between the management system and accompanying child specifications like ISO 27002:2013 and ISO 27010 for Information technology—Security techniques—Information security management for inter-sector and inter-organizational communications and ISO 27011 for Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 etc…
Table Three ISO/IEC 27001 discretionary control summary
In closing, Mark added that the total number of topic areas has increased from 11 to 14 . The majority of topical areas has remained the same while some new ones have appeared, these include A5 Management direction for information security, A12 Operations Security, A13 Communications Security, A15 Supplier Relationships.
My sincere thanks to Mark for helping us dive into this new ISMS.
Here’s hoping many have already started putting this valuable information to good use.