The Joint ISO/IEC committee (JTC 1/SC 27) that is responsible for the ISO27000 family of standards has released (16 January 2013) a draft of what might, in due course, become the new versions of ISO/IEC 27001 and ISO/IEC 27002. It must be emphasized that these are DRAFTS, published for the purpose of public consultation.
The public consultation period closes on 23 March 2013.
As these are international standards, the consultation process operates internationally, via national standards bodies. Anyone can comment on the proposed standard and all the comments will then be assembled and reviewed by the committee.
The review process enables you to access, freely, online copies of the draft standards and to comment on them, here:
Once the new standards are officially published, the existing standards are withdrawn; however, there is always a transition timetable that enables organisations to move, in an orderly manner, from the existing standard to the new one.
What are the proposed changes to the standards?
- There is an extended focus on understanding the organisational context (clause 4)
- The requirement for management leadership and commitment is stronger than in the current version (clause 5)
- The PDCA approach is no longer a requirement, opening the possibility for the organisation to adopt other continual improvement methods
- There is a significant change in the approach to risk assessment (clause 6), which allows for a much broader, more generic approach to risk assessment, rather than focusing on risks to specific assets
- There is alignment between the risk management process in the draft and that which is used in ISO31000; this is useful, as it will promote greater alignment between enterprise level risk management and information security risk management
- The requirements around monitoring, measurement, analysis and evaluation (clause 9) are more extensive and explicit
- The Continual Improvement requirement of clause 10.2 (“the organisation shall continually improve the suitability, adequacy and effectiveness of the ISMS”)
- Annex A still exists, and the ISMS must include a Statement of Applicability that references the controls in Annex A. Control categories are numbered 5 to 18 (i.e. there are now 14 categories of controls), but the total number of controls is reduced from 133 previously to 113 now. There is greater clarity in a number of control areas, and there are clearer compliance controls with fewer in the operational category. However, there is no control category covering cloud services and issues such as trust boundaries.
- The terms and definitions section is effectively removed with a simple reference to ISO 27000 being added