ISO 27001:2013, the Information Security Management Standard, has now been published (officially on 25 September 2013).
The changes update the requirements of the 2005 edition, since there have been:
1. Significant changes in information technology in the last eight years
2. A new common layout for management system standards, the “high level structure”
Specifically, the changes are:
• The revised standard has been written using the new high level structure, which is common to all new management system standards. This will allow easy integration when implementing more than one management system.
• Terminology changes have been made, and some definitions have been removed or relocated.
• Risk assessment requirements have been aligned with ISO 31000.
• Management commitment requirements now focus on “leadership”.
• Preventive action has been replaced with “actions to address risks and opportunities”.
• Statement of Applicability requirements are similar, with more clarity on the need to determine controls through the risk treatment process.
• Controls in Annex A have been modified to reflect changing threats, remove duplication and give a more logical grouping (114 controls in 14 sections, down from 133 in 11). Specific controls have also been added around cryptography and security in supplier relationships.
• Greater emphasis is placed on setting objectives, monitoring performance and metrics.
The transition arrangements for existing certified organisations have not yet been issued, but in view of the significance of the changes, modifying the ISMS should start sooner rather than later.
Contact us for further information or assistance at firstname.lastname@example.org or 01635 595123