ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It was recently updated and Dr. Angelika Plate formerly of the German Information Security Agency and now an independent consultant, walked through the changes at AusCERT 2015.
The standard, says Plate, is founded on five key concepts; it is a risk-based standard, it is focussed on continual improvement, there is measurement of effectiveness, management involvement is critical, and it uses best practice controls.
Revision of the standard, from the 2005 release, was focussed on maintaining backwards compatibility with only changes that were deemed necessary considered. However, there were some significant changes.
“We did have something that was totally new, that was not in the previous version at all. It was to think of the risks to the management system. In the old version it talked about information security but what has happened is an additional requirement to look again to the risks, tools and management systems,” Plate says.
A number of standards were harmonised as a result of the work done to ISO/IEC 27001. These were
- ISO 30301 – Management systems for records – Requirements
- ISO 22301 – Business continuity management systems – Requirements
- ISO 20121 – Event sustainability management systems – Requirements
- ISO 39001 – Road-traffic safety (RTS) management systems – Requirements with guidance for use (in progress)
- ISO/IEC 27001 – Security techniques – Information security management systems – Requirements
- ISO 55001 – Asset management - Requirements
- ISO 16125 – Fraud countermeasures and controls – Security management system - Requirements (in progress)
- ISO 9001 – Quality management systems (Requirements (in progress)
- ISO 14001 – Environmental management systems – Requirements with guidance for use (in progress)
The updated ISO/IEC 27001:2013 standard is broken into ten main sections, or clauses.
- Clause 1: Scope
- Clause 2: Normative references
- Clause 3: Terms and Definitions
- Clause 4: Context of the organisation
- Clause 5: Leadership
- Clause 6: Planning
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
Plate’s presentation covered some of the key changes made to some of the sections.
In Clause 4, she made specific reference to the need for companies to understand the needs of external parties as they pertain to security management. This reflects changes made in industry where parties are more acutely aware that their partners and suppliers are an important element in managing information security.
The importance of planning, in Clause 6, was also highlighted with Section 6.1, Part 1 putting the spotlight on risks relating to the management system. This was important, according to Plate, as while a lit of focus is given to securing data, there is a need to focus on management systems as well.
In this, while the risk assessment process is noted, the key is ensuring a risk owner is properly identified and appropriate controls are placed around risk treatment options.
This focus on accountability continues in Clause 9 if the updated standard where the risk evaluation process puts emphasis on identifying who will be measuring risks and who will be evaluating them.
Plate’s presentation summarised the revisions made to ISO/IEC 27001:2013. In all, she identified 18 areas of change.
Of these, only the focus on supplier relationships was completely new.
Changes to the organisation of information security, asset management, access control, operation security, communications security, system acquisition, development and maintenance, information security aspects of business continuity, and compliance have undergone significant change since the 2005 version of the standard.
Less substantive changes were made to security policies, cryptography, physical and environmental security and information security incident management.
This article is brought to you by Enex TestLab, content directors for CSO Australia.