For those who are transitioning from ISO27001:2005 to ISO27001:2013, the new standard is clear that the selection of controls should be determined through the process of risk assessment and treatment, and not only from Annex A.
Clause 4.2 of ISO27001:2013 specifically details the importance of the needs and expectations of interested parties: “The organisation shall determine a) interested parties that are relevant to the information security management system; and b) the requirements of those interested parties relevant to information security.”
ISO27001 is explicit in requiring a risk management process
According to Steve Watkins, UKAS advisor on ISO27001:2013 and director of IT Governance, “ISO/IEC 27001 is a management system specification that sets out the requirements for an information security management system (ISMS). ISO27001 is explicit in requiring that a risk management process be used to review and confirm the selection of security controls in light of regulatory, legal, contractual and other business objectives.
“The pragmatic approach is to identify the requirements of the organisation’s legal, regulatory and contractual commitments first (i.e. baseline security criteria) and compare them to the controls that are already in place. Any shortfall needs to be considered and addressed one way or another – this is likely to include creating an implementation plan for any areas that fall short.”
Steve goes further, explaining, “The organisation can then complete the information security risk assessment to determine what additional measures over and above the baseline security criteria it needs to implement in order to protect itself to the degree it determines necessary, allowing for the controls that have already been identified to meet the baseline security criteria.”
A solid understanding of your legal obligations is critical
This explains why it is critical to have a very good understanding of your regulatory and contractual obligations as they refer to your ISMS – in addition to the controls that have been implemented – to ensure that these are covered sufficiently and effectively, before adding any additional necessary controls from Annex A. Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.
The ISO27001 Compliance Database identifies the specific clauses within each legal instrument that you must comply with, provides best practice guidance on how to comply with that clause, and enables you to select appropriate controls – again, at the individual clause level. The Compliance Database contains all of the critical statutory and regulatory documents in one place – saving you the time, hassle and expense of trying to track them down and make sense of them yourself.
The tool highlights which controls are relevant to the specific requirements of the various Acts. In addition, the Compliance Database includes a section on contract retention periods by document type, which will help you to apply the correct controls in line with the contractual obligations that apply to your ISMS.
IT Governance provides a range of transition resources, products and services to help you to achieve a smooth and fast conversion to ISO/IEC 27001:2013. Alternatively, contact our key account management team today (0845 070 1750 or email us) to find out how we can help you transition to ISO27001:2013 fast.