A summary of ISO27001:2013 transition requirements

For those who are already certified to the global information security standard, ISO27001, you will be aware that a transition of your information security management system (ISMS) to the 2013 version of the Standard is imminent.

For those not too familiar with the Standard, the term ‘information’ covers all forms of information, including data, documents, messages, communications, conversations, transmissions, recordings, drawings and photographs.  These types of information are all protected within the ISMS according to the philosophy of ISO27001.

Although the new Standard isn’t too different from its 2005 predecessor, there is still quite a bit of legwork that needs to be done before a successful transition can take place. The International Accreditation Forum (IAF) has already stated that it wants to see global conformance to the new standard by October 2015, which means that certification bodies (that have already transitioned to ISO27001:2013) will be urging their clients to follow suit.

Of course, it is essential to understand the changes that have been introduced, and what they imply for transitioning, before getting started. A number of useful documents have been published that offer detailed guidance on what should be done in order to align your systems, processes, documents and policies with the requirements of ISO27001:2013.  The IT Governance green paper on transitioning to ISO27001:2013 is a good starting point. By purchasing the Standard and attending a one-day online transitioning training course, you will be able to make the most of your preparation, if you plan to undertake the transition yourself.

A quick recap of some of the major changes:

  • A heightened emphasis on leadership, interested parties, competence, performance metrics and reporting.
  • Changes to the scope, the risk assessment methodology and continual improvement
  • New concepts have been introduced (consult ISO27000 for terms and definitions).
  • Changes to the structure of the Standard and the sections contained therein.
  • Changes to record keeping and documentation.
  • The Standard states that controls should be determined through the process of risk treatment (and do not have to be selected from Annex A).
  • Changes to the inclusions and exclusions in theStatement of Applicability (SOA).
  • A ‘harmonised management system standard‘ structure (for use with all future ISO management system structures and referred to as Annex SL) has been adopted. This will enable all ISO standards to be audited simultaneously in future, thereby reducing costs and saving time.
  • Annex A has been restructured into fewer controls spread across a larger number of categories. 11 controls have been added and 25 controls removed.

The following documents are mandatory (where relevant):

  • 4.3 The scope of the ISMS
  • 5.2 Information security policy
  • 6.1.2 Information security risk assessment process
  • 6.1.3 Information security risk treatment process
  • 6. 1.3 d) Statement of Applicability
  • 6.2 Information security objectives
  • 7.2 d) Evidence of competence
  • 7.5.1 b) Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
  • 8.1 Operational planning and control
  • 8.2 Results of the information security risk assessment
  • 8.3 Results of the information security risk treatment
  • 9.1 Evidence of the monitoring and measurement of results
  • 9.2 g) Evidence of the audit programmes and the audit results
  • 9.3 Evidence of the results of management reviews
  • 10.1 f) Evidence of the nature of the non-conformities and any subsequent actions taken
  • 10. 1 g) Evidence of the results of any corrective actions taken.
  • A 8.1.1 Inventory of assets
  • 8.1.3 Acceptable use of assets
  • A.9.1.1 Access control policy

Many of the controls in Annex A also assert the necessity of specific documentation, including the following in particular:

  •  12.4.1 and A.12.4.3 Logs of user activities, exceptions, and security events
  • 12.1.1Operating procedures for IT management
  • 14.2.5 Secure system engineering principles
  • 15.1.1 Supplier security policy
  • 16.1.5 Incident management procedure
  • 17.1.2 Business continuity procedures
  • 18.1.1 Statutory, regulatory, and contractual requirements
  • 7.1.2 and A.13.2.4 Definition of security roles and responsibilities

So, in short, what should you do to transition to ISO27001:2013?

 The logical starting point is to conduct a gap analysis between your existing ISMS and the new version of the Standard. This will then form the basis for the activities required in your transitioning process.

 The following are key areas that will require a thorough review and update (or, in the instance of a new requirement, an implementation):

  •  Interested parties and their issues
  • The scope of your ISMS
  • Information security objectives
  • Key ISMS documentation
  • The Statement of Applicability (SoA)
  • ISMS policy
  • Terms of reference for top management
  • Risk assessment process and risk treatment plan
  • Leadership, roles and responsibilities
  • Staff awareness processes and communications
  • Competence
  • Communications
  • Supplier management
  • Corrective action
  • Management review
  • Internal audit

Companies wishing to take advantage of the know-how of external expertise will be pleased to know that IT Governance has launched an ISO27001 Transition Consultancy service, available at a fixed price, to companies all over the world.  The service has been developed to provide a cost-effective route to transitioning to the new Standard, under the expert guidance and support of an ISO27001 specialist implementation team.

green papers 2