Monday 15 April 2013

Three ways the ISO 27001 revision will affect your company


It has been eight years since the ISO 27001 standard was last revised but now changes are coming.

As 2013 nears its end we will see a new version of the information security standard ISO 27001. If you are among those who must comply with the standard, or simply consider it good practice, you will go through a transitional period in which your company must change its processes. That can be time-consuming, but luckily a draft of the revision has already been made publicly available.

Below you'll find the three most important changes in the ISO 27001 update so you can begin to prepare yourself immediately.

1. Increased flexibility in your choice of risk method
In the current ISO 27001 version it is a requirement that an asset owner is identified and that a threat-based vulnerability assessment is carried out. In the new draft the term risk owner is used instead, and the only requirement is to identify risks in relation to confidentiality, integrity and availability. This is an attempt to align the risk process with the risk management standard ISO 31000.

It will, however, still be the ISO 27005 standard that most people use as a starting point for the risk process, as it deals specifically with IT risks, unlike ISO 31000, which provides a framework for analysing all risk types in a business.

2. Sharpened demands on the Information Security Management System context
In the current version of the standard the section on establishing the ISMS and its scope is brief and imprecise. The requirements for the organisation's ISMS context have been highlighted, with the requirement that all relevant external stakeholder demands be described as part of the ISMS.

3. Demands for surveillance and measurement get their own section
Where they are currently spread among other requirements, the requirements for surveillance and measurement of effectiveness have now been given their own section. There is an increased focus on ensuring that companies identify, describe and can document the effectiveness of the implemented IT controls. Companies must draw up Key Performance Indicators for the evaluation of all implemented security measures and must be able to document the KPIs' output.

The ISO 27001 update is still open to changes but these three points should give you a headstart so you can have a smoother transition.

See also Six questions about the ISO 27001 revision (with answers)

For a more in-depth look you might be interested in this free on-demand webinar: http://www.neupart.com/events/webcasts.aspx

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.

31 comments:

  1. ISO 27001 Audit
    The ISO 27001 Lead Auditor training course will give you the ability to successfully audit an existing information security management system against iso27001. You will be taught the techniques to use when auditing a management system. During the course you will go through the standard, clause by clause, to ensure that you understand what questions you should be asking, who you should be asking those questions to and what evidence you should be seeking during an audit.

  2. Wonderful blog! Thanks for providing such great information about ISO 27001. I would also suggest an e-learning course, such as the ISO 27001 internal auditor training e-learning course now available, that helps to implement an Information Security management system.

  3. My cousin recommended this blog and she was totally right. Keep up the fantastic work!

    iso 27001 lead auditor online training

    1. Great reading and extremely comprehensive post. Much covers everything. ISO 27001 Lead Auditor

  4. Great reading and extremely comprehensive post. Much covers everything.

    ISO 27001 Requirement

  5. Great reading and extremely comprehensive post. Much covers everything.

    ISO 27001 Certification

  6. Good blog, well described. Thanks for sharing this information.

    ISO 27001 Certification

  7. Nice post. Thanks for sharing this post. ISO 27001 Qatar

  8. I agree with all of you that this information is pretty useful and definitely deserves a bookmark.

    ISO 27001 Lead Auditor Course Online

  10. Good day. I was impressed with your article. Keep it up. You can also visit my site if you have time. Thank you and bless you always.
    ISO 27001 hong kong

  11. Really wonderful post and i think this is very important topic .... ISO 27001 Lead Auditor Course Qatar

  12. This post is really good and the blog is very interesting. There are good details. Thank you for sharing. iso 45001 lead auditor training

  13. Thanks for sharing this great content. It is really informative and useful. You can also check this similar site: iso-31000-internal-auditor-training

  14. Thank you for sharing this unique, useful information with us. Really awesome work. ISO 27001 Certification in Qatar

  15. Nice post. I learn something totally new and challenging on sites. It's always helpful to read content.
    iso 27001 hong kong

  16. I would definitely thank the admin of this blog for sharing this information with us. Waiting for more updates from this blog admin.
    iso 27001 hong kong

  17. Thank you for sharing this unique, useful information with us. Really awesome work. ISO 14001 certification in Saudi Arabia

  18. Informative Post. Thanks for sharing. ISO 31000

  19. Nice post. I learn something totally new and challenging on sites. It's always helpful to read content.
    iso 27001 internal auditor training philippines

  20. Awesome! Amazing blog, thank you so much for sharing this awesome piece. I always love to read; this is really helpful to us.
    CE Certification requirements

  21. Nice post. I was checking this blog constantly and I am impressed! Extremely helpful information, especially on app development. I care for such info a lot.

    ISO 27001 internal auditor training

  22. I found your blog and it was really useful as well as informative thanks for sharing such an article with us. We also provide services related to ISO 31000 Internal Auditor Course Online

  24. Thanks for sharing such a great blog. Keep posting.
    iso 9001 internal auditor training
