With the release of ISO/IEC 27001:2013 on 25 September 2013, there have definitely been differing opinions as to what is and what is not important about the new standard. That said, sitting at home one evening watching the latest episode of Continuum (yes, I am a sci-fi fan) it came to me. Flexibility! I realised that the core message of the new standard is flexibility, in three respects:
- The Plan-Do-Check-Act (PDCA) cycle is no longer mandated as the method for establishing, implementing and continually improving an ISMS. You can now select other continual improvement processes.
- With regard to undertaking a risk assessment, the 2005 edition of the standard mandated an asset-based approach. Whilst you can still use this approach with the 2013 edition, you can also use a number of other approaches. Advice and guidance on other suitable approaches is given in ISO/IEC 31010.
- In ISO/IEC 27001:2013 you can now choose either the controls in Annex A of the standard or your own or third-party controls.
ISO/IEC 27001:2013 Your Flexible Friend
In all, the new edition of the standard is a lot more flexible; it allows you to employ methods that are more practical and efficient for your organisation. The standard is finally something organisations can look to implement, and certify against, much more readily.
Being so flexible, the new standard reminds me of the Access credit card advert character from the 1980s. Could it now be argued that ISO/IEC 27001:2013 is your new ‘flexible friend’?
You can now buy a multiuser licence to ISO/IEC 27001:2013 and ISO/IEC 27002:2013 from the IT Governance Webshop.