Back on 11 October, Steve Watkins, Chair of the ISO/IEC 27001 User Group, delivered an ISO 27001:2013 transition webinar, probably the world's first webinar explaining the changes and timescales in detail. With more than 600 people registering from all around the world, it is safe to say that this free webinar was a huge success; so much so, in fact, that Steve decided to run a second webinar on 22 October to satisfy demand.
Here is a selection of answers Steve provided during the Q&A session at the end of the webinar.
What are the timescales to re-certify from 2005 to 2013 for ISO27001?
The transition of certification from the 2005 to 2013 version of the standard will be determined by each Certification Body separately once they are clear on when they are likely to transition themselves.
Would you advise an organisation to go directly for the 2013 certification even if they are ready to be certified to the 2005 version, or is it advisable to go for 2005 certification and then transition to 2013?
We recommend you proceed to certification based on the 2005 version, as this is the fastest route to accredited certification. Due to the uncertainties around timelines of when accredited certification will be available, the 2005 version is still the quickest route.
Is an Information Security Management System (ISMS) Policy still required or is it just the Information Security Policy which is required?
The specification only requires an Information Security Policy and not an ISMS policy. Some ISO27001:2005-compliant scope statements may need addressing in order to provide the reassurance that they meet the requirements of the new version. The policy statement will also need reviewing to align with any revisions to the scope statement.
What are the new mandated documents?
• Scope (4.3)
• Information security policy (5.2 e)
• Information security risk assessment process (6.1.2)
• Information security risk treatment process (6.1.3)
• Information security objectives (6.2)
• Evidence of competence (7.2)
• The organization’s information security management system shall include: documented information determined by the organization as being necessary for the effectiveness of the information security management system (7.5.1 b)
• The extent necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
• The results of information security risk assessments (8.2)
• The results of information security risk treatment (8.3)
• Evidence of the information security performance monitoring and measurement results (9.1)
• Internal audit programme(s) and the audit results (9.2 g)
• Evidence of the results of management reviews (9.3)
• Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)
The ISO27001/ISO27002 Pocket Guide covers this information in more detail and is the perfect introduction to ISO 27001:2013.
Does ISO/IEC 27001:2013 allow you to use your own risk treatment methodology?
Yes, however you will need to compare the selection of controls you have assigned to those in Annex A to ensure that none have been missed. The risk assessment will no longer be asset based. The risk assessment and treatment plan are aligned to ISO31000. The risk owner determines how to treat the risk.
Is it mandatory to update the qualification for lead implementer?
All implementers will need to refresh themselves regarding the new, revised requirements of the ISO27001:2013 version; whether this is done by updating ISO 27001 qualifications is a matter for the individual and their employer. Auditors will want to be able to demonstrate their competence in relation to the 2013 version, so an updated qualification would be advisable for them.
Due to the volume of questions asked, there will be a second instalment of questions and answers within the next week so watch this space! In the meantime, you are welcome to download IT Governance’s three ISO 27001:2013 green papers (they’re free!).