The week commencing 22nd April sees the UK’s information security profession (and others) visit InfoSec Europe at Earls Court and the Standards Bodies’ SC27 technical committees meet in southern France to review comments on the public consultation for new versions of ISO/IEC 27001 and ISO/IEC 27002. As this takes place, Steve Watkins (Director, Trainer and Consultant for IT Governance Ltd) reflects on what a change of Specification means for users of the Standard and their certification.
Why update the Standards?
As with technology, the latest thinking and good practice in management systems evolves over time, and hence the specification setting out that good practice needs to change to keep pace with it. Every 5 to 8 years Standards are reviewed to determine whether they need revising or retiring, or whether they remain fit for purpose and should be left as they are. In the case of ISO 27001:2005, the decision was taken that it needs to be refreshed to reflect the latest thinking, and to move it into the harmonised structure that all management system standards are to adopt going forwards.
At the same time it was decided that ISO 27002:2005 should be reviewed so that the guidance offered in the Code of Practice reflects the candidate security controls listed in Annex A of the revised version of the Specification (once it had been decided that Annex A would remain!).
So when is the new version of ISO 27001 due?
The honest answer is that no-one knows. It could even come to pass that consensus on a new version is not reached and so the current 2005 version would remain as it is; however, this outcome is thought to be unlikely.
The timescale to publication will depend on the events in France this coming week, and until the results of those meetings are known any guesstimates are just that. Drafts of both ISO 27001 and ISO 27002 were put out to public consultation earlier this year and the technical committees are charged with considering the comments received; if they reach a consensus as to the final version of the standards then publication will follow.
What does it mean for those already holding certification?
As with all management system standards and the accredited certification schemes, when a new specification is issued the National Accreditation Bodies will issue a transition statement that the Certification Bodies they accredit need to adhere to; in turn each Certification Body will issue its transition statement explaining to its clients their position. This is likely to state that those already holding certification have 18 months in which to ensure their ISMS reflects the new specification, and that in the meantime their auditors will be auditing against the 2005 version of the standard for a defined period, referencing shortfalls against the new version of the standard as observations for a period and then non-conformities after that.
This is good news for those that already hold accredited certification under the worldwide-recognised scheme before the new version of the standard is published, as it gives them the longest period in which to effect changes whilst maintaining a valid certificate.
What does it mean for those pursuing certification?
If your organisation has its certification audit booked then the chances are the contract specifies ISO/IEC 27001:2005, and so it is this version you should have your initial audit against. However, if the agreement references ISO/IEC 27001 without a year, then the implication is that it will be the current version of the standard at the time of the audit that is used as the audit criteria. Either way, I would expect your Certification Body to be in contact shortly after the publication of a new specification to explain the consequences.
If you have been diligently managing your ISMS project to achieve accredited certification to ISO 27001:2005 at some stage in the future, but have yet to engage with a certification body, then contact the certification body or bodies you have in mind and ask what it means for you; it could be that they still have capacity to accommodate your audit within the period in which they can offer certification to the 2005 version of the standard. If not, then you could do a lot worse than speak to someone at IT Governance who can explain the consequences of the new specification and advise on how best you can accommodate the changes in your ISMS.
Want to know more? Come and visit IT Governance (stand F98) at InfoSec 2013 at Earls Court and talk to one of our experts, who will be happy to talk through your queries, or even book a 15-minute session with one of our consultants: https://www.itgovernance.co.uk/infosec2013.aspx.
Alternatively, contact us on 0845 070 1750 or email us at firstname.lastname@example.org.