From a survey conducted in October and November 2013 with 190 attendees of the recent IT Governance ISO 27001:2013 Transition Webinar, it was clear that some uncertainty existed about how to start tackling the transition process. Among the concerns listed were the approach to risk assessments, the changes to the controls, and the audit requirements.
Although accredited certification to the new standard, ISO 27001:2013, is not yet widely available in the UK, many ISO 27001-certified organisations are already reviewing the new standard and scouring various sources of information in order to initiate the first steps in their intended transition process. Here is a list of books that you may find useful.
Once ISO 27001:2013 accredited certification becomes available in 2014 – which is dependent upon Certification Bodies having transitioned their accreditation to cover the new standard – these early adopters will be well placed to transition towards the new standard with relative ease.
If you are still wondering where to start and what to do, the below brief approach can help guide you to getting started.
1. Purchase a copy of the new standard
Experts agree that no ISO 27001 implementation or transition process can comprehensively be undertaken without access to the standards, ISO/IEC 27001:2013 as well as the code of practice guideline ISO/IEC 27002:2013. In addition, ISO/IEC 27000:2012 provides a reference to all the terms and definitions which have now been removed from the new versions of ISO 27001/2 and so is itself an essential reference document.
2. Be informed about the transition process of your Certification Body
Certification audits against ISO 27001:2013 can start taking place as early as your first CAV (Continuing Assessment Visit, also known as a Surveillance Visit) following the transition to ISO 27001:2013 by your Certification Body (CB). Each CB, however, has its own transition arrangements, so it is important to consult your CB on this process as soon as possible.
3. Conduct a gap analysis between your existing ISMS and the new version of the standard
This will lay the groundwork for the tasks you will be required to undertake in your transition process. If you are already certificated to ISO 27001, there are a number of free guides that can help you identify how ISO 27001:2005 aligns with the new standard. Any changes that you make to existing documented information should be handled in order to comply with Clause 7.5. A detailed health check that compares your existing ISMS to the requirements of the new standard, and provides a road map of actions and recommendations needed, is probably the easiest way to assess your transition readiness and it may even identify other benefits that could be realised whilst making the necessary changes.
4. Review and document the ‘interested parties’ that have dealings with your organisation
This should extend to entities such as customers, the community, suppliers, regulators, non-government organisations, investors, and employees. Include their security requirements in this review process.
5. Align the ISMS with organisational and business objectives
Clause 5.1 requires top management to ensure integration of the ISMS requirements into the organisation’s business processes. One way of starting to work toward this could be by developing a workflow diagram indicating business functions and corresponding activities according to the ISMS.
6. Review the information security policy
It is recommended that you include the following information in your policy:
- Information security objectives, or the basis for establishing them (5.2 b)
- A commitment to satisfy applicable information security requirements (5.2 c) and
- A commitment to continual improvement of the ISMS (5.2 d)
Policies and procedures templates can be purchased from toolkits to help speed up the process.
7. Review and where necessary redefine the ISMS scope
According to clause 4.3, the scope of the ISMS should consider issues and requirements relevant to the ISMS – and include factors such as a potential natural disaster or attacks on an outsourced service centre. The organisation should ensure that the scope of the ISMS considers all entities (even those that may have been excluded before), or at least the interfaces and dependencies of activities with them.
8. Allocate management roles and responsibilities for your ISMS
Review clauses 5.1 and 5.3 to establish whether, and how, roles and responsibilities need to be assigned and how top management will demonstrate their commitment to the ISMS. In addition, there is a need to develop arrangements for reporting the performance of the ISMS to top management.
9. Review the risk assessment and management process
The new standard does not require an asset-based risk assessment process, allowing organisations to choose the risk assessment methodology most appropriate for their needs. Thus, the identification of assets, threats and vulnerabilities as a prerequisite to the identification of risks is no longer needed. However, the general requirement of identifying risks and then assessing consequences and likelihoods remains the same as ISO/IEC 27001:2005. There is now a need to identify and appoint risk owners who are required to sign off on risk treatment plans and acceptance of the residual risks. By using a recognised information security risk assessment tool you will be able to conduct risk assessments much faster than doing it manually.
10. Review the Statement of Applicability
Organisations do not need to select controls from Annex A, but will need to use it as a reference to establish whether any necessary controls have been overlooked (6.1.3). The SoA does not need to take a different form, but because the control set is different, organisations will be required to update their SoAs. There is a greater requirement to justify the inclusion of controls, while there is also a requirement that exclusions of controls from Annex A are justified. Do not forget to update the version control status of the revised SoA!
11. Map risks to new Annex A controls
There are a number of mapping resources available – some more extensive than others, which will provide a framework for mapping between the two standards.
This Conversion Tool maps the controls of ISO 27001:2005 to ISO 27001:2013, identifying where controls have been deleted, relocated, adjusted and added to the new standard.
Summary of new controls
A) A.6.1.5 – Information security in project management
B) A.14.2.1 – Secure development policy
C) A.14.2.6 – Secure development environment
D) A.14.2.8 – System security testing
E) A.15.1.3 – Information and communication technology supply chain
F) A.16.1.4 – Assessment of and decision on information security events
12. Review all documentation
Review all the “old” documents in order to establish what is still needed and what needs to be added, based on any of the new controls. This comprehensive documentation toolkit will help you to develop all the required policies and procedures in no time. The following documents are required in ISO 27001:2013:
- The scope (4.3)
- The information security policy (5.2 e)
- The information security risk assessment process (6.1.2)
- The information security risk treatment process (6.1.3)
- Statement of Applicability (6.1.3 d)
- The information security objectives (6.2)
- Evidence of competence (7.2)
- That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
- The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
- The results of information security risk assessments (8.2)
- The results of information security risk treatment (8.3)
- Evidence of the information security performance monitoring and measurement results (9.1)
- Internal audit programme(s) and the audit results (9.2 g)
- Evidence of the results of management reviews (9.3)
- Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)
13. Review the Risk Treatment Plan
Preventive action procedures will need to be revised or replaced (Clauses 4.1, 4.2 and 6.1.1 are the new clauses that cover what was previously preventive action).
14. Review all the metrics and measures for reporting on the performance of your ISMS
ISO 27001:2013 has a heightened emphasis on reporting and performance measurements. Refer to clause 9.1 for more information on this.
15. Ensure you have the necessary skills and competencies for transitioning
Clause 7.2 specifically refers to documented evidence of competencies, which can be achieved through awareness, training or skills development – this could also take the form of external consultants providing the required competencies in the short term.
For more relevant articles and to continue the discussion on ISO 27001 transitioning, you can go to the ISO 27001 community website.