For Infosec professionals

The new ISO 27001


So, the new ISO 27001 is here. After 8  years, the entire ISMS approach has been revamped. The newer version of ISO 27001 aka. ISO 27001:2013 is a much slimmer document. There is no introduction to the process approach and – surprise surprise, no diagram of the Deming’s cycle. No beating around the bush for the new standard. It gets straight to the point. I guess that it assumes the reader is not a novice learning the ropes of infosec, but a professional who knows his threats from his vulnerabilities.

The never ending ‘Terms and Definitions’ section is gone. Instead, there is a terse reference to ISO 27000 – almost like saying “If you kids want definitions, read the standard that is meant to provide definitions, do not look here.

If you want a detailed analysis of the differences between the 27001:2013 and the 27001:2005, (sort of like the analysis that I did for BS25999 vs. ISO 22301) you will need to wait a bit longer. However,  I will try to answer the question that will be at the top of every ISMS implementer’s mind. What do I need to add/ change in my current ISMS to be compliant to 27001:2013.

Here is a quick and dirty analysis from me:

1. Scope Document – Don’t worry. Your old scope document is still good enough. What you need to add, however, is a section that ‘establishes the context’ – a trend that every ISO standard insists on bringing in now. What do we mean by establishing the context? Basically two things – a) what are the issues that the organisation faces that inhibits the achievement of the ISMS goals, and b) all relevant stakeholders (interested parties) and their requirements. You need to add these to the scope document and you are good to go.

2. SOA – A no brainer. Your SOA will change to reflect the 14 domains and 114 controls. If you need a detailed analysis of the differences here, please write to me.

3. Information Security Objectives – This is probably one of the biggest changes that 27001:2013 has over 27001:2005. Based on your risk assessment, you are expected to document your information security objectives. My guess again is that a summary of the risks that you plan to action upon should be the basis for developing your security objectives. Not only do you need to document these objectives, you will need to also document how you plan to achieve them – who will do it? What will they do? By when? How will you know it is done, etc. If you are used to having a formal implementation plan for your ISMS, you can derive a lot of content for your ‘Information Security Objectives’ document from here.

4. Competence of personnel working on the ISMS – You need to now explicitly keep a record of the competence of the person working your ISMS. A good point to get those training budgets approved and attending that training that you always wanted to :). Records of training are evidence in audit of the competency of the person working on the ISMS.

5. Communication Plan – You may have addressed some portion of this as a part of your incident response or your BCMS, but the key point is that you need to be able to prove that have determined the need for communication under various scenarios – the classic who, what, when, where, whom, why and how. Though the standard does not specify that you need to have a documented process, I recommend having a ‘communication plan’ separated out and ready.

This is a very quick analysis of the new standard. A more detailed comparison to come in later.

3 replies on “The new ISO 27001”

Thanks for the quick explanation of the differences between the old and the new ISO, your contribution is important because we have not yet formal document ISO27001: 2013.

Two Questions:
About SOA, I have understood that ISO 27001:2005 has 11 domains, 39 control objectives and 133 controls, now you talk about 18 domains and 114 controls. Could you share information on this point?.

Additionally the required documentation you indicating in Score Document: Add “Establishes the contest”.
Do you refer to have more justification for defining the scope of the ISMS?

I will appreciate your help.

The Annex A for the new version has 14 domains (A.5 to A.18) (I wrote 18 in error – corrected now), 35 control objectives and 114 controls. Some controls have been removed, some have been added. Your SOA will need to be modified to reflect the new structure and controls.

There is a lot of emphasis on ‘establishing the context’ for the ISMS. What are the issues that the organisation is facing that the ISMS will try to address? Who are the key stakeholders in all this? What are the requirements of these key stakeholders? (It could be a client who wants access restriction to his data, or it could be the CEO who wants to protect the organisation’s reputation). In the new version, my reading is that your scope document should answer these questions.

Hope this helps!

Nice article, CK – am sure AB will like the point made on getting budgets for training!

Joking apart, a nice start and looking forward to the more detailed analysis of the changes needed.

Leave a Reply to Practical Information Security Cancel reply

Your email address will not be published. Required fields are marked *