ISO/IEC 27001:2013 - Information Security Management Systems was released in September 2013 and slipped into use relatively quietly. It replaces ISO/IEC 27001:2005. The overall intent of the standard is unchanged, and when you peel back the changes most of the old standard remains. There are, however, enough changes that addressing them will take some effort.
One of the main changes is the format. Instead of the 8 sections of the previous standard plus the annex, there are now 10 sections plus the Annex. This is the Annex SL format, the common high-level structure that will be used in all ISO management system standards going forward. Yes, standards have been standardised. One of the cheeky changes is that the Terms and Definitions are no longer reproduced in the standard itself; clause 3 simply points you at ISO/IEC 27000, which is published separately (so yes, you have to obtain that as well). The new sections are:
So still the same elements, but moved about a bit, so you will end up having to make changes to your documentation to map onto the new clause numbering. The main thing that has gone from the standard is the explicit Plan-Do-Check-Act cycle, but when you read between the lines it is still there. You are still expected to plan the controls to be implemented, implement them, measure their effectiveness and update them as needed, just as before.
The Annex still links through to ISO/IEC 27002 and reduces the number of controls from 133 down to 114. A few have been removed and some have been combined. The number of control domains has increased from 11 to 14.
These are all pretty self explanatory.
With regard to the documentation and evidence you need to keep in order to be compliant, there are no significant changes. The main addition for most organisations will be the documentation requirements under clause 9, Performance evaluation. The organisation will need to determine what is to be monitored and measured, how and when it is measured, who does it, and what documented evidence of the results needs to be retained. As many organisations are weak in this area, that will be the biggest change for many.
You will have to check with your certifying body, but most of you will have between 12 and 24 months to implement the changes and certify to the new standard.
Mark H - Shearwater
Dec 5th 2013