In an exclusive interview, Alan Calder, an acknowledged international cyber security expert and leader of the world’s first successful implementation of ISO 27001 (then BS 7799), answers the most frequently asked questions about ISO 27001:2013.
1. Why was ISO 27001:2013 published?
It’s normal for international standards to be revised on a regular basis. Management systems evolve, mature and reflect changing requirements across the world, and become more widely used as a result, which is why we now have ISO 27001:2013.
2. What are the major changes in the ISO 27001:2013 version?
Apart from the updating of controls to bring them more in line with today’s technology and threats, the key areas of change have been:
- The organisation (its context, the business, contractual and regulatory requirements) should be much more centre stage in terms of determining what types of information security controls it has in place
- The role of the board is much more of a governance role than a management role, and they should not get involved with the day-to-day running of the organisation
- PDCA is no longer the required continual improvement process
3. What does this new standard mean to companies who are already certified to ISO 27001:2005?
The existing certification scheme will probably continue for another 12-18 months.
During that time, national accreditation bodies will publish transition rules which will set out how to transition from a management system that’s certified to the 2005 standard to certify to the 2013 standard.
Most of the things that organisations have already done to achieve certification will still be valid. They’ll need to change some:
- Structural aspects
- Documentation (this is relatively straightforward and is one of the core services IT Governance offers its clients)
- The way they’ve done risk assessment
- The continual improvement process they’ve used… All of that remains valid in the new environment.
4. What should the first steps be for a company looking to seek ISO 27001 certification for the first time?
My core advice is that unless you are, by definition, an early adopter, you should stick with ISO 27001:2005 for the next 5-6 months. There isn’t yet a national or international accreditation scheme that you can be certified under, so it makes sense to pursue the existing standard and then transition in due course to the 2013 version. However, if you are an early adopter, then come to IT Governance: we can talk you through the early steps, we have tools and training available, and we’ll help you tackle ISO 27001:2013 in a way that will have you ready for certification by the time certification is available.
A copy of the new ISO/IEC 27001 2013 ISMS Requirements is available from IT Governance.
For more information and advice on the new standard, contact IT Governance today.
Watch the full interview with Alan here.