Latest developments in the ISO 27001:2013 Standard
EQA's summary of the revision of the ISO/IEC 27001:2013 standard, which aims to communicate in an agile, direct and simple way the main requirements and modifications established in the new publication.
Additional, more detailed documents on the changes established in each clause, together with a cross-reference between the two versions to ease adaptation work, are available to all organizations currently certified by EQA, and to anyone interested in the work EQA has been doing in the field of information security for years.
A quick summary of the 32 new requirements of the 2013 version is presented below, organized by the 10 clauses of the new edition. In addition, the wording of several requirements has been modified in the new version to clarify their purpose and rationale; these changes merit a detailed reading of the standard itself.
The ISO/IEC 27001:2013 publication follows the new scheme defined by ISO for management system standards, the 10-clause high-level structure known as "Annex SL", already applied in standards such as ISO 22301 and soon to be applied to the revisions of other relevant standards such as ISO 9001:2015 and ISO 14001:2015, among others.
This common framework derives from ISO Guide 83 and substantially improves the ability to integrate several management systems regardless of the reference standards. The correspondence tables typically found in the annexes of the standards (e.g. Annex C of ISO/IEC 27001:2005) are eliminated, since equivalence between clauses is now direct.
0 – INTRODUCTION
The fundamentals are maintained in both versions, i.e. the preservation of Confidentiality, Integrity and Availability of critical information through an adequate risk management process.
Another notable novelty is that continual improvement can now be achieved through an ISMS that is not necessarily built on the "process approach" represented by the "PDCA" diagram, also known as the "Deming cycle", which is no longer mandated by the standard.
1 – PURPOSE AND SCOPE
The scope clause follows the 10-clause Annex SL high-level structure described in the introductory note above.
2 – NORMATIVE REFERENCES
In the 2013 version the normative reference to ISO/IEC 27002 has been removed. Although the good practices compiled in ISO/IEC 27002 remain a practical and direct aid for locating and selecting valid security controls during risk treatment, that standard can now be supplemented or even replaced by other references (regional, sectoral, regulatory or statutory) that are more useful for a particular need.
3 – TERMS AND DEFINITIONS
All definitions from the 2005 version have been removed from this section and relocated to the ISO/IEC 27000 standard in order to consolidate the validity and interpretation of the same terms and definitions in all 27000 series publications.
4 – ORGANIZATIONAL CONTEXT
4.1 – Knowledge of the organization and its context
The organization shall determine external and internal issues that are relevant to its purposes and that affect its ability to achieve the desired outcome(s) of its information security management system.
The definition of the current scope should be reviewed, especially as it relates to external entities, which is a new element. The aim is to develop a higher degree of preventive analysis of the context in which the ISMS operates.
Related: ISO/IEC 27001:2005 Clause: 8.3.
4.2 – Knowledge of the needs and expectations of interested parties
- a) The organization shall determine the interested parties that are relevant to the information security management system.
The same review applies here: identifying interested parties, including external entities, is a new explicit requirement, and the aim is again a more analytical and preventive approach.
Related: ISO/IEC 27001:2005 clause: 5.2.1 c), 7.2 b), 4.2.3 b), 4.2.4 d).
4.3 – Determining the scope of the ISMS
When determining the scope, the organization shall consider: a) external and internal issues referred to in 4.1; c) interrelationships and dependencies between the activities developed by the organization and those developed by other organizations.
The definition of the current scope should be reviewed, especially in its relationship with external entities, which is a new element, with the aim of a higher degree of preventive analysis. Unlike the certification scope, the redefinition of the requirements for the ISMS scope in the new version is an excellent opportunity to state more clearly and specifically all aspects relevant to information security management.
Related: ISO/IEC 27001:2005 clause: 4.2.1 a), 4.2.3 f).
4.4 – Information Security Management System
Without fundamental changes, the PDCA cycle of the 2005 version (Plan: 4.2.1; Do: 4.2.2; Check: 4.2.3; Act: 4.2.4) maps in the new version to Plan: clauses 5, 6 and 7; Do: clause 8; Check: clause 9; Act: clause 10.
Related: ISO/IEC 27001:2005 Clause: 4.1.
5 – LEADERSHIP
5.1 – Leadership and commitment
The top management shall demonstrate its leadership and commitment to the information security management system by:
- b) ensuring the integration of the requirements of the information security management system into the organization’s processes.
- d) communicating the importance of effective information security management and of conforming to the requirements of the information security management system.
Top management, beyond managing (the 2005 wording), is now required to lead the actual integration of ISMS requirements into the organization's processes. The shift from the role of "manager" to "leader" signals a stronger commitment to the relevant activities and a role for top management in extending security to all personnel within the scope, in order to achieve the goals and objectives.
Related: ISO/IEC 27001:2005 Clause: 5.1.
5.2 – Policy
Without fundamental novelties, the new version of the standard no longer differentiates between “ISMS Policy” and “Information Security Policy”. It is only considered an “information security policy” (which can be documented under the denomination “Policy” or in another particular way admitted by each organization).
Related: ISO/IEC 27001:2005 clause: 4.2.1 b).
5.3 – Organizational roles, responsibilities and authorities
Without fundamental changes, the need already present in the previous version to define roles and responsibilities and how personnel interrelate is emphasized, especially regarding the mechanisms for reporting the state of information security to top management.
Related: ISO/IEC 27001:2005 Clause: 5.1. c).
6 – PLANNING
6.1 – Actions to address risks and opportunities
6.1.1 – General
Without fundamental changes, preventive actions disappear under that specific name and are now part of the actions to address risks and opportunities for improvement.
Related: ISO/IEC 27001:2005 Clause: 8.3.
6.1.2 – Information security risk assessment
The methodology used under ISO/IEC 27001:2005 remains compatible with ISO/IEC 27001:2013, although the risk identification process no longer requires a specific identification of all information assets and their owners, nor of threats and vulnerabilities.
The new figure of the "risk owner" is introduced.
The alignment of ISO/IEC 27001:2013 with ISO 31000:2009 ("Risk management – Principles and guidelines") therefore opens the door to changing the risk assessment process towards more intuitive methodologies, closer to the way the business is managed or adapted to the capabilities and resources each organization can devote to this process.
Related: ISO/IEC 27001:2005 clause: 4.2.1 c), 4.2.1 d), 4.2.1 e).
6.1.3 – Information security risk treatment
The way Annex A is used may now be slightly different and clearer than in the 2005 version. The controls for reducing the identified risk levels can now be determined in direct relation to ISO/IEC 27002 and/or to any other documentary reference (e.g. NIST, National Security Schemes, best practices of other institutions, etc.), or according to the organization's own analysis logic.
Annex A therefore loses part of its character as a requirement for the 114 controls it contains, although clear justifications must still be maintained for applying or not applying the related controls; note that the controls determined by the organization must still be compared with Annex A to verify that no necessary control has been omitted. When developing this justification, attention should be paid to the correct interpretation of the controls indicated, especially the new ones included in this version.
Related: ISO/IEC 27001:2005 clause: 4.2.1 f), 4.2.1 g), 4.2.1 h), 4.2.1 j), 4.2.2 a); 4.2.2 b).
6.2 – Information security objectives and planning to achieve them
Information security objectives, especially the generic ones that usually form part of the ISMS policy, should be reconsidered in order to adopt an approach oriented towards actions and the measurement of truly concrete results.
In planning how to achieve its information security objectives, the organization must clearly determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.
Taking into account the applicable information security requirements, together with the results of risk assessment and treatment and their relationship to the objectives, gives the organization a clearly targeted way to confirm the effectiveness of the ISMS and its alignment with business intentions.
Related: ISO/IEC 27001:2005 Clause: 5.1 b).
7 – SUPPORT
7.1 – Resources
No fundamental changes.
Related: ISO/IEC 27001:2005 clause: 4.2.2 g), 5.2.1.
7.2 – Competence
No fundamental changes.
Related: ISO/IEC 27001:2005 Clause: 5.2.2.
7.3 – Awareness
The scope is broadened: all persons doing work under the organization's control, not only its own employees, must now be aware of the information security policy.
Related: ISO/IEC 27001:2005 clause: 4.2.2 e), 5.2.2.
7.4 – Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including: a) what is to be communicated; b) when it is to be communicated; c) to whom it is communicated; d) who is to communicate it; e) the processes by which communication is to be effected.
Related: ISO/IEC 27001:2005 clause: 4.2.4 c), 5.1 d).
7.5 – Documented information
The term "documented information" is introduced, merging into a single concept the traditional distinction between "documents" and "records" of the 2005 version.
7.5.1 – General
There is an important conceptual difference, together with the elimination of the specific list (former clause 4.3) of minimum documentation requirements. Documented procedures (internal audit, control of documents and records, preventive and corrective actions) are no longer requirements in themselves; organizations should instead identify the "documented information" that the new version of the standard requires.
Related: ISO/IEC 27001:2005 Clause: 4.3.
7.5.2 – Creating and updating
No fundamental changes.
7.5.3 – Control of Documented Information
No fundamental changes.
8 – OPERATION
No fundamental changes.
8.1 – Operational planning and control
The organization shall plan, implement and control the processes necessary to meet the information security requirements, and to implement the actions determined in 6.1. The organization shall monitor planned changes and review the consequences of undesired changes, taking measures to mitigate possible adverse effects, as necessary.
Improvements to the control mechanisms currently in place are expected where appropriate, particularly in mitigating potential adverse effects of changes, which typically involves a prior risk assessment of the change and rollback measures to a previously known secure and controlled state.
Related: ISO/IEC 27001:2005 Clause: 4.2.2 f).
8.2 – Information security risk assessment
Without fundamental changes in the frequency of review (at planned intervals, or when significant changes are proposed or occur), the assessment now takes into account the criteria established in clause 6.1.2 a).
Related: ISO/IEC 27001:2005 Clause: 4.2.3 d).
8.3 – Information security risk treatment
No fundamental novelties.
Related: ISO/IEC 27001:2005 clause: 4.2.2 b), 4.2.2 c).
9 – PERFORMANCE EVALUATION
9.1 – Monitoring, measurement, analysis and evaluation
The organization shall evaluate information security performance and the effectiveness of the information security management system in a clearer and more defined way by determining: b) the methods of monitoring, measurement, analysis and evaluation, as applied, to ensure the validity of the results; c) when the monitoring and measurements shall be carried out; d) who monitors and measures; f) who analyzes and evaluates the results.
Related: ISO/IEC 27001:2005 clause: 4.2.2 d), 4.2.3 b), 4.2.3 c).
9.2 – Internal audits
Without fundamental novelties, the selection of auditors and the conduct of audits in a way that guarantees the objectivity and impartiality of the audit process is emphasized.
Related: ISO/IEC 27001:2005 Clause: 4.2.3 e), 6.
9.3 – Management review
A more flexible, organization-defined interval for management reviews is now allowed (an annual review is no longer an explicit requirement), and the need to review the fulfilment of the information security objectives is added, in line with other related clauses of the new version.
Related: ISO/IEC 27001:2005 clause: 4.2.3 f), 7.
10 – IMPROVEMENT
10.1 – Non-conformities and corrective actions
The fundamental novelties lie in how nonconformities are reacted to and how their recurrence is avoided, in the same or in other places. A lack of depth in the cause analysis of nonconformities, and the consequent weakness of the actions taken, is one of the main shortcomings that motivated the changes in this new version and in management system standards in general.
Related: Clause ISO/IEC 27001:2005: 4.2.4, 8.2.
10.2 – Continual improvement
No fundamental changes. The requirements for continual improvement and corrective actions (clauses 8.1 and 8.2 of the 2005 version) become clauses 10.2 and 10.1 of the new standard respectively. The requirements for preventive actions (clause 8.3) are restated in the new clause 6.1.1 as part of the general risk assessment requirements. In this sense, the requirements of the 2005 version do not disappear; they are simply expressed differently.
Related: ISO/IEC 27001:2005 clause: 4.2.4, 8.1.