
ISO 27001-2013. What’s Different – Part 1

When ISO 27001:2013 was released, I did a quick write-up about it here. Now that I have had some time to spend with the standard (and get to know it better!), I am writing a more detailed comparison. It will follow the same format as the comparison I did for BS 25999 vs. ISO 22301, which you can read starting from here.

ISO 27001:2013 (as I am too lazy to type these words over and over again, I am just going to refer to ISO 27001:2013 as the ‘new standard’ and ISO 27001:2005 as the ‘old standard’) clearly states its objective in its introduction: it wants to ‘preserve the confidentiality, integrity and availability of information by applying a risk management process’. You might think that this merely states the obvious, but the objectives in the old standard were quite vague. The old standard wants an organisation to ‘establish, implement, operate, monitor, review, maintain and improve a documented ISMS within the context of the overall business activities and the risks they face’. That is a description of the management system, not of what the system is for, and it is not nearly as clear and confident as the new wording. It feels like the new standard knows exactly what it wants to do, while the old standard was still finding its feet.

Moving on to something more tangible: compatibility with other management systems. The old standard was built to be compatible with ISO 9001 and ISO 14001; the entire ‘process approach’ (the Plan-Do-Check-Act cycle) philosophy comes from these standards. The new standard, however, follows Annex SL of the ISO/IEC Directives, the common high-level structure that all new ISO management system standards must adopt. This is a major shift of perspective. You can expect that the new standard will no longer look at the ISMS through the lens of the QMS. It has the makings of a standard that wants to stand on its own, not on the crutches of 9001 or 14001. So far, the new standard is really promising.

Another interesting difference in philosophy can be seen in the generally ignored section titled ‘Normative References’. This section lists the other documents that are necessary to completely understand and implement a standard. For the old standard, the normative reference is ISO 17799 (since renumbered as ISO 27002), the code of practice for information security management, which is a detailed guideline on how to implement each control in the ISMS. In other words, by 2005 the implementation guidance had already been written, and the old standard was merely trying to put a ‘management system’ around a set of controls that had already been identified. The new standard does not make the code of practice an ‘indispensable’ document. Instead, the only indispensable document it names is ISO 27000, the overview and vocabulary (basically terms and definitions). The two standards, it appears, approach the ISMS in two different ways: the old one tries to put a management system around a set of controls, and the new one tries to set up a management system that stands on its own, with the controls as a reference rather than the starting point.

I always appreciate people taking a step back and looking at things from a fresh perspective. Let us see if the new standard can really live up to the task it has set itself. More on that later.
