ISO 27001:2013 What has changed from the 2005 version?

ISO 27001:2013 – What has changed from the 2005 version?

Document: VI-404570-TM
Version: 3
Author: Michael Shuff
Issue Date: 16 Jan 2015

Summary

ISO/IEC 27001:2013 - A Modern Management System Standard based on Risk Assessment

Structurally, ISO/IEC 27001:2013 is different from ISO/IEC 27001:2005. Gone are the duplicate requirements. The 2013 requirements are phrased in a way that allows greater freedom of choice in how to implement them. Some of the significant changes described in this paper have far-reaching and positive consequences for organizations. This is true whether they are implementing the information security standard for the first time or transitioning to this version from ISO 27001:2005. In ISO 27001:2013, the identification of assets, threats, and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clear that controls are not selected from Annex A but are determined through the process of risk treatment. Nevertheless, Annex A ensures that no necessary controls have been overlooked. The key to selecting applicable controls is to undertake a comprehensive assessment of the organization's information security risks, using an appropriate risk methodology. Furthermore, under ISO 27001:2013 management may elect to avoid, transfer, or accept information security risks rather than mitigate them with controls - a risk management decision.

Contents

1 Introduction
  1.1 ISO 27001
2 ISO27001:2013 - what has changed?
  2.1 What is the purpose of the ISO27001:2013 Standard?
  2.2 Is your ISMS ISO 27001:2013 compliant?
  2.3 What is different in ISO27001:2013?
3 Information Security Risk Assessments
  3.1 ISO27001:2005 and 'asset-based risk assessment'
  3.2 Identify risk owners for each risk
  3.3 Selection of controls from Annex A: No longer a requirement?
  3.4 Statement of Applicability (SOA) - is it required and what format?
4 Documentation Requirements
  4.1 Which documents and records are required by ISO27001:2013?
  4.2 Documentation of Risk Assessment
5 Conclusions

1 Introduction

It is customary to start a document such as this one with a roll call of the biggest cyber-security breaches and failures of recent times. There is never a shortage of high-profile examples. They fall into patterns: data loss at some major company; catastrophic flaws found in an essential internet infrastructure component; alarming malware infections; or our perennial inability as users to create secure passwords for our devices. The threats seem limitless, and the dictionary definition of security as "the state of being free from danger or threat" seems unattainable when the rollout of new apps, devices, data models, et al., continues at a frenetic pace.

However, it is not all doom and gloom. Cybersecurity methodologies and early warning systems are also increasing in sophistication. Security is now a boardroom concern. There is awareness among large and small corporates that these are real risks with tangible financial and other impacts. For example, the costs to Target, Inc. associated with a data breach reached $148 million in 2Q14; the incident occurred in 2013.

One of the two primary functions of CogniDox is to protect intellectual property and secure sensitive data from unauthorized access. The other is to maximize working efficiency by making information readily available and easy to find. There is a tension between these goals. Integration with security controls already in place, such as authentication and authorization, helps relieve that tension. So does providing a set of features, such as security profiles and private workspaces, which allow a company to decide its own preferred security risk tolerances.

One important framework for these decisions is provided by ISO 27001 and "27K certification". References to it are important as shorthand for "proving" information security. We see a retailer or a consultancy assert "The ISO 27001 certificate assures our customers that their data are protected." Alternatively, a cloud-based service provider may say, "Our servers are hosted at Tier III, SSAE-16, or ISO 27001 compliant facilities."

This paper briefly explains ISO 27001 and looks at an important recent event – the publication of ISO 27001:2013. It assesses how it affects any company about to use this standard.

1.1 ISO 27001

It is within the mix of cyber-security threats and responses that we find the ISO/IEC 27000-series - a family of standards for information security. It is not a new idea. It evolved from a British standard from 1995. International recognition and the "family" aspect really came together around ISO/IEC 27001:2005, published in October 2005. The most commonly referenced members of the family are:

- ISO/IEC 27000 - Overview and vocabulary
- ISO/IEC 27001 - Requirements
- ISO/IEC 27002 - Code of practice for information security management

ISO 27001 defines Information security as “Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved.” These terms are defined thus:

Confidentiality: Assurance that only intended and authorized users or systems have access to information
Integrity: Assurance that information has not been altered in storage or transmission except by authorized persons or processes
Availability: Assurance that information is available to authorized users or systems at the times they are authorized to access it
Authenticity: Ability to verify the identities of persons or other systems accessing the system
Accountability: The nomination of a person with authority to be responsible for the ISMS and to delegate responsibility for security and information management as appropriate
Non-repudiation: Ability of a system to prove (with legal validity) whether an event occurred or whether a party participated in an event
Reliability: Assurance that a system provides consistent intended behaviour and results

To these, another two definitions could be added:

Auditability: Ability to ensure persistent, immutable monitoring of all actions performed by humans or machines within the system
Privacy: Compliance of a system with privacy legislation and assurance that individuals can control personal information disclosure

ISO/IEC 27001:2013 was published in September 2013. It cancels and replaces ISO/IEC 27001:2005, and any organization seeking "27K certification" must now look to it.

2 ISO27001:2013 - what has changed?

The short answer is 'A lot more than many professionals currently think'. To start, though, the basic facts. ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. It specifies the requirements to establish, implement, maintain, and continually improve an information security management system (ISMS) for any organization, regardless of type or size. Some organizations implement the standard to benefit from the best practice it contains. Others also want to be certified to reassure customers and clients that the recommendations have been followed. ISO/IEC 27001:2013 is not obligatory in most jurisdictions, but the standard does provide much-needed market assurance. An ISO 27001:2013-certified Information Security Management System (ISMS) gives the market confidence in an organization's ability to look after information securely: confidence that it maintains the 'confidentiality, integrity, and availability' of customer information and, as a result, protects its own and its partners' reputation.

2.1 What is the purpose of the ISO27001:2013 Standard?

Put simply, the ISO 27000 family of standards helps organizations keep information assets secure. They help your organization manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS).


Whereas in the past, government and large organizations required their suppliers to be ISO 9001 certified, now they are also looking for assurances from their suppliers about ISO/IEC 27001. Large-scale enterprises have a duty of due care to preserve the security of the information in their custody, increasingly in order to comply with legal requirements for data protection. If that information is shared with a supplier, then the company would be failing in its duty of care if the supplier handles that information in an insecure manner. This could be due to a lack of adequately defined policies, procedures, and controls forming a management system. Whether the company chooses to certify for reasons of governance or market assurance, the pressure is mounting to do the right thing even if the cost of standards compliance seems high. Therefore, an increasing number of organizations are choosing to adopt ISO27001:2013.

2.2 Is your ISMS ISO 27001:2013 compliant?

It will need to be if you are to achieve UKAS-accredited ISO27001:2013 certification in the year to come. One year after publication of ISO/IEC 27001:2013, the IAF issued a resolution stating that "...all new accredited certifications issued shall be to ISO/IEC 27001:2013". [See: Transition to ISO/IEC 27001:2013 – Updated June 2014, UKAS.] This means that UKAS-accredited Certification Bodies (CBs) have not been issuing any new accredited certificates to ISO/IEC 27001:2005 since September 2014. Organizations that previously complied with the requirements of ISO27001:2005 are required to transition promptly to the 2013 version of the standard, and transition audits are carried out at the next scheduled visit to each certified client. It is time to embrace the changes in ISO/IEC 27001:2013.

2.3 What is different in ISO27001:2013?

Two basic changes must be understood straight away; they are:

1. Move to the Annex SL structure

The ISO has determined that all new and revised management system standards must conform to the high-level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance means that management system requirements that are not discipline-specific are identically worded in all management system standards. This change also applies to the much-anticipated revision of the ISO 9001 Quality Management System standard when it is published in late 2015.

2. Alignment with ISO 31000 Guidance for Risk Management

The ISO also decided to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). This is good news for integrated management systems, as an organization may now apply the same risk assessment methodology across several disciplines, including information security risk.

The asset-based risk assessment in the 2005 version of the standard required the identification of asset owners both during the risk assessment process and as control A.7.1.2 in Annex A. The 2013 revision does not contain this requirement and only references asset ownership as control A.8.1.2 in Annex A - about which, more later. Although A.8.1.2 Ownership of Assets says "Assets maintained in the inventory shall be owned", ISO27001:2013 allows organizations to choose the risk assessment methodology most appropriate for their needs. The identification of assets, threats, and vulnerabilities as a prerequisite to the identification of information security risks is no more!

The 2013 version says that the organization shall define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria that include:
   1) the risk acceptance criteria; and
   2) criteria for performing information security risk assessments.

The information security risk assessment should produce "...consistent, valid, and comparable results"; identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the ISMS; and, importantly in consideration of the changes, "identify risk owners". Analysis and evaluation of information security risks are also required, including the determination of the realistic likelihood of a risk occurring and the levels of risk posed. You are required to compare the results of risk analysis with the risk criteria established in 6.1.2 a) and prioritize the analyzed risks for risk treatment.

3 Information Security Risk Assessments

ISO/IEC 27001:2013 aligns with the principles and guidance given in ISO 31000 (risk management). Therefore, organizations with integrated management systems can apply the same risk assessment methodology across several disciplines. But what are the likely differences between this approach and the risk assessments conducted as part of ISO27001:2005? Let us remind ourselves of what an 'asset-based risk assessment' is about.

3.1 ISO27001:2005 and 'asset-based risk assessment'

The first step in a risk assessment was the identification of all information assets in the organization, that is to say, all assets that affect the security of information in the organization. A value was assigned to each asset in terms of the worst-case impact that the loss of Confidentiality, Integrity, or Availability (C-I-A) may have on the organization. In essence, this was intended as an asset prioritization mechanism. The higher-value assets went through to the next stage, namely identification of the threats and vulnerabilities associated with them. Assets could be associated with several threats. In addition, every threat could be associated with several vulnerabilities.

With the battlefield now laid out in this way, that is, with all the organization's assets assigned an appropriate value and the potential impacts in the worst-case scenario determined, the probability of threats exploiting the vulnerabilities was assessed, along with the impact should this occur, assuming that no controls were in place. A pre-control (or inherent) risk score was then calculated. Risks that scored medium to high were taken to the next step in the process.

Existing controls or mitigating factors that reduce the impact or probability of each risk were identified. Impact and probability scores were reassessed to reflect the effect of these controls. Risks with scores that were deemed 'unacceptable' (that is, above the acceptable risk threshold) were then raised on the Information Security Risk Register, where mitigating actions were tracked by the Information Security team, and reported and escalated. The end game of this process was to design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that were deemed unacceptable.

So what does ISO27001:2013 expect you to do differently to assess information risk? Let us start with Clause 6, which is headed Planning.

6.1 Actions to address risks and opportunities

When planning for the information security management system, ISO27001:2013 says that the organization "shall consider the issues referred to in 4.1 [Understanding the organization and its context]". It means determining external and internal issues that are relevant to its purpose. If we skip to 5.3 Organizational roles, responsibilities and authorities, we find that it is the role of "top management" to ensure that the responsibility and authority for roles relevant to information security are assigned and communicated. Specifically, they shall assign responsibility for ensuring that the information security management system (ISMS) conforms to the requirements of the International Standard, and that the performance of the ISO27001:2013-compliant ISMS is reported to top management. Note as well that in 6.1.1, actions to address risks and opportunities include, in 6.1.1 c), achieving "...continual improvement".
Top-level Information security policy in ISO 27001:2013 does not need to establish criteria against which risks are evaluated – this was the requirement of ISO 27001:2005 4.2.1 b); however, you still need to define the risk assessment criteria, but not as part of the top-level policy.

3.2 Identify risk owners for each risk

The 2013 revision does not require a so-called asset-based risk assessment, as outlined above, where it is necessary to identify the risks based on assets, threats, and vulnerabilities. Remember, there are thousands of assets to consider, and most are shared by numerous users! Rather, in ISO27001:2013, your organization can identify risks using some other risk methodology (perhaps one more familiar to risk managers?). Significantly, in ISO 27001:2013 'asset owners' are replaced by 'risk owners' [See Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013, published by BSI UK, page 4.]

What exactly is a 'risk owner'? ISO 27000:2014 defines the risk owner as a "person or entity with the accountability and authority to manage a risk". It is worth remembering that the 'asset owners' as defined in ISO/IEC 27001:2005 often did not have the authority to resolve potential information security risks. The 2013 version addresses this problem by requiring that risk owners approve the information security risk treatment plan and accept the residual information security risks. Risk owners are also responsible for monitoring risks assigned to them.

Clause 6.1.2, Information security risk assessment, specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats, and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organization may use and still conform to the standard. The clause also refers to 'risk assessment acceptance criteria', which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk. This is the clause that refers to 'risk owners' rather than 'asset owners'; and later, Clause 6.1.3 f) requires their approval of the risk treatment plan and residual risks.

3.3 Selection of controls from Annex A: No longer a requirement?

Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. It is similar to its counterpart in ISO/IEC 27001:2005; however, it refers to the 'determination' of necessary controls rather than selecting controls from Annex A. The 114 controls in the 14 groups listed in Annex A are now used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)). Annex A has effectively become a reference source against which you can cross-check the controls determined in 6.1.3 b) with "a comprehensive list of control objectives and controls", in order to ensure that "...no necessary controls are overlooked". This is a significant change.

3.4 Statement of Applicability (SOA) - is it required and what format?

In keeping with ISO 27001:2005, organizations are still required to produce a Statement of Applicability (SOA). The format of an ISO/IEC 27002:2013 conformant SOA does not need to be different from the previous standard. However, be aware that the control set is different. Organizations transitioning to ISO/IEC 27001:2013 are required to update their SOAs. When doing so, you need to ensure that control implementation strictly conforms to the new wording given in Annex A.
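As an added example (not from this paper, nor CogniDox code), the Python below walks the Clause 6.1.2 / 6.1.3 steps described in Sections 3.1 to 3.4 on a small constructed data set: it scores inherent and residual risk, compares each risk with the acceptance criteria and prioritizes it, records a named risk owner per risk, collects the controls determined through treatment from any source, cross-checks them against Annex A, and refuses to produce a Statement of Applicability while any Annex A control is still undecided. The 1..5 scales, the acceptance level, the sample risks and owners, the Annex A subset and the ORG-01 control are assumptions made for illustration.

```python
"""Added example, not from the paper: the 6.1.2 / 6.1.3 steps of Sections 3.1 to 3.4 in code.
The 1..5 scales, the acceptance level, the sample risks and owners, the Annex A subset and
the ORG-01 control are constructed assumptions for illustration."""
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    description: str
    owner: str                 # risk owner: accountable for, and authorised to manage, the risk
    likelihood: int            # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                # 1 .. 5, worst-case loss of confidentiality, integrity or availability
    treatment: str = "modify"  # or "avoid" / "share" (transfer) / "retain" (accept)
    # control id -> (likelihood reduction, impact reduction); controls may come from any source
    controls: dict = field(default_factory=dict)

RISK_ACCEPTANCE_LEVEL = 6  # 6.1.2 a) 1): constructed acceptance criterion on the 1..25 scale

def inherent_level(risk: Risk) -> int:
    """Level of risk with no controls assumed (the 'pre-control' score of Section 3.1)."""
    return risk.likelihood * risk.impact

def residual_level(risk: Risk) -> int:
    """Level of risk after the determined controls; neither factor drops below 1."""
    l_red = sum(l for l, _ in risk.controls.values())
    i_red = sum(i for _, i in risk.controls.values())
    return max(1, risk.likelihood - l_red) * max(1, risk.impact - i_red)

def evaluate(risks: list) -> list:
    """6.1.2 e): compare each risk with the acceptance criteria and prioritise for treatment;
    returns (rid, residual level, accepted) tuples, highest residual level first."""
    rows = [(r.rid, residual_level(r), residual_level(r) <= RISK_ACCEPTANCE_LEVEL) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def risk_register(risks: list) -> list:
    """Risks whose residual level is still unacceptable: tracked, reported and escalated."""
    return [rid for rid, _, accepted in evaluate(risks) if not accepted]

def determined_controls(risks: list) -> set:
    """6.1.3 b): the controls determined through risk treatment, whatever their source."""
    return {cid for r in risks for cid in r.controls}

def annex_a_gap_check(determined: set, annex_a: dict) -> list:
    """6.1.3 c): Annex A controls that treatment did not determine; each needs a decision."""
    return [cid for cid in annex_a if cid not in determined]

def statement_of_applicability(determined: set, annex_a: dict,
                               included: dict, excluded: dict) -> dict:
    """6.1.3 d): record every Annex A control as applicable (with the reason) or excluded
    (with a justification); an undecided control raises, so none can be overlooked."""
    soa = {}
    for cid in annex_a:
        if cid in determined:
            soa[cid] = ("applicable", "determined by risk treatment")
        elif cid in included:
            soa[cid] = ("applicable", included[cid])
        elif cid in excluded:
            soa[cid] = ("excluded", excluded[cid])
        else:
            raise ValueError(f"Annex A control {cid} has not been decided")
    for cid in sorted(determined - set(annex_a)):
        soa[cid] = ("applicable", "organization-defined control, not in Annex A")
    return soa

def approvers(risks: list) -> set:
    """6.1.3 f): the risk owners who must approve the plan and accept the residual risks."""
    return {r.owner for r in risks}

# Constructed subset of Annex A (2013 numbering) for the cross-check
ANNEX_A = {
    "A.8.1.1": "Inventory of assets", "A.8.1.2": "Ownership of assets",
    "A.8.1.3": "Acceptable use of assets", "A.9.1.1": "Access control policy",
    "A.10.1.1": "Policy on the use of cryptographic controls", "A.12.3.1": "Information backup",
    "A.15.1.1": "Information security policy for supplier relationships",
    "A.15.1.3": "Information and communication technology supply chain",
    "A.17.1.2": "Implementing information security continuity",
}

# Constructed sample risks, each with a named risk owner rather than an asset owner
RISKS = [
    Risk("R1", "Laptop with customer data stolen", "Head of IT", 4, 4,
         controls={"A.8.1.3": (1, 0), "A.10.1.1": (0, 2), "ORG-01": (0, 1)}),  # ORG-01: in-house control
    Risk("R2", "Supplier sub-outsources hosting", "Procurement Director", 3, 5, "share",
         {"A.15.1.1": (1, 0), "A.15.1.3": (1, 0)}),
    Risk("R3", "Ransomware on file server", "Head of IT", 3, 5, controls={"A.12.3.1": (0, 2)}),
    Risk("R4", "Website defacement", "Marketing Manager", 2, 2, "retain"),
]

def build_soa() -> dict:
    """Worked run: cross-check against Annex A, then decide every control the check flagged."""
    determined = determined_controls(RISKS)
    excluded = {"A.17.1.2": "continuity is managed outside the ISMS scope (constructed justification)"}
    included = {cid: "added after the Annex A cross-check"
                for cid in annex_a_gap_check(determined, ANNEX_A) if cid not in excluded}
    return statement_of_applicability(determined, ANNEX_A, included, excluded)
```

On this data R3 (ransomware) stays above the acceptance level after its backup control and is the only entry on the risk register, while the cross-check flags four Annex A controls that treatment never determined and forces a decision on each before the SOA is produced.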

4 Documentation Requirements

For those of you who are currently 'transitioning' to the 2013 version of ISO27001, and who want to keep any additional workload down to a bare minimum, let us start with the optimistic news: no changes should be required to your existing documented procedures concerning control of documentation. However, as for the documents themselves, a lot depends on the approach that you take to the transitioning process itself. Here is why. A transition strategy might use one of the following options:

1. A straightforward "make-over", making the minimum necessary changes to the existing ISMS processes and existing documentation; or

2. Take a fresh look at the ISMS, using the revised standard to make improvements, which might be significant for some organizations.

There are some very good reasons to go for option 2 that merit longer discussion, but for the time being, I shall assume that you simply want to make the necessary updates to your existing ISMS documentation in time for the assessor's next visit. In addition, because you are human, you have left this rather late and do not want to look as if you have not prepared as well as you should before the fateful day dawns.

As always with ISO compliance, the main thing to remember before you make a start is that you need to attend to the Requirements of the Standard first, however tempting it may be to reorganize your Controls. This is especially so given that by now you have probably had the time to peruse for yourself the 114 Control objectives and Controls in the 2013 version of Annex A and realize that they have, to quote an authority on ISO27001, "got mixed up quite a bit".

It is also worth delivering a timely reminder of the fact that no two organizations are identical in terms of their documentation needs. A Note in Clause 7.5 of ISO27001:2013 says "The extent of Documented Information can differ from one organization to another due to:

1. The size of organization and its type of activities, processes, products, and services;
2. The complexity of processes and their interactions; and
3. The competence of persons."

As was the case with the 2005 version, the best advice is not to make life complicated for yourself and your organization by generating too many documents or going for the 'fine-grained' detail – no matter how appealing this task may at first appear to those who underestimate the time it takes! Identify first what Documented Information is required by the Standard.

4.1 Which documents and records are required by ISO27001:2013?

The requirements for documented information are spread throughout the standard. Here is a document checklist with the relevant clause numbers.

Required Documents | ISO 27001:2013 clause number
Scope of the ISMS | 4.3
Information security policy | 5.2
(Information on the) Information security risk assessment process | 6.1.2
(Information on the) Information security risk treatment process | 6.1.3
Statement of Applicability | 6.1.3 d)
Information security objectives (and planning to achieve them) | 6.2
Evidence of competence | 7.2 d)
Documented information determined by the organization as being necessary for the effectiveness of the ISMS | 7.5.1 b)
Documented information of external origin (necessary for the planning and operation of the ISMS) | 7.5.3
Operation planning and control (information necessary to have confidence that processes are being carried out as planned) | 8.1
Results of the information security risk assessments | 8.2
Results of information security risk treatment plan | 8.3
Evidence of the monitoring and measuring of results | 9.1
Evidence of the audit programme(s) and the audit results | 9.2 g)
Evidence of the results of the management reviews | 9.3
Evidence of the nature of non-conformities | 10.1 f)
Evidence of the results of corrective action | 10.1 g)

Annex A Control Objectives and Controls - Document Requirements

In addition to the Requirements, there are a number of Controls listed in Annex A that require documented information; see the table below.

Required Documents | Annex A control (2013 numbering)
Inventory of assets | A.8.1.1 (formerly A.7.1.1)
Acceptable use of assets | A.8.1.3 (formerly A.7.1.3)
Access control policy | A.9.1.1 (formerly A.11.1.1)
Documented operating procedures | A.12.1.1
Confidentiality or non-disclosure agreements | A.13.2.4 (formerly A.6.1.5)
Secure systems engineering principles | A.14.2.5
Information security policy for supplier relationships | A.15.1.1
Response to information security incidents | A.16.1.5
Implementing information security continuity | A.17.1.2 (formerly A.14.1.3)
Relevant legislative, statutory, and contractual requirements | A.18.1.1 (formerly A.15.1.1)

Table 1: Required Documents Checklist

Cautionary note: the standard allows other documents to be added to improve the level of information security; therefore, what you see above is by no means a definitive list of the documents and records that can be used during the ISO 27001 implementation. For example, organizations often include in their information security management system non-mandatory policy, procedure and control documents such as the ones shown below:

Documents | ISO 27001:2013 clause number
Procedure for document control | 7.5
Controls for managing records | 7.5
Procedure for internal audit | 9.2
Procedure for corrective action | 10.1
Bring your own device (BYOD) policy | A.6.2.1
Mobile device and teleworking policy | A.6.2.1
Information classification policy | A.8.2.1, A.8.2.2, A.8.2.3
Password policy | A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
Disposal and destruction policy | A.8.3.2, A.11.2.7
Procedures for working in secure areas | A.11.1.5
Clear desk and clear screen policy | A.11.2.9
Change management policy | A.12.1.2, A.14.2.4
Backup policy | A.12.3.1
Information transfer policy | A.13.2.1, A.13.2.2, A.13.2.3
Business impact analysis | A.17.1.1
Exercising and testing plan | A.17.1.3
Maintenance and review plan | A.17.1.3
Business continuity strategy | A.17.2.1

Table 2: Common policy, procedure and control documents

After you have determined the boundaries and applicability of the ISMS to establish its scope, it is then necessary to make the scope available, both within the organization and to interested parties. The 2013 wording says "the scope shall be made available as documented information" (4.3), and this term is used in other clauses; for example, from Clause 5.2 Policy: the information security policy shall e) be available as documented information; f) be communicated within the organization; and g) be available to interested parties, as appropriate.

4.2 Documentation of Risk Assessment

Documented Information in ISO27001:2013 includes the definition of the risk assessment process that establishes and maintains risk acceptance criteria and criteria for performing risk assessments. The documented results of the risk assessment should identify security risks associated with loss of Confidentiality, Integrity, and Availability, and the Risk Owners. These risks are then analyzed in terms of their potential consequences, the realistic likelihood of occurrence is determined, and the levels of risk evaluated. It is necessary to define and apply an information security risk treatment process to:

- Select treatment options
- Determine controls "from any source"
- Compare controls with Annex A
- Produce a Statement of Applicability
- Formulate a treatment plan
- Obtain owners' approval of treatments and residual risks

And...

- Retain documented information.

It is worth a moment to reflect that ISO27001:2013 aligns with the principles and generic guidelines provided by ISO31000, a family of standards in which risk management principles, policy, framework and process documentation, the risk culture of the organization, and the risk recording and sharing system, are all touched upon in the documentation.

5 Conclusions

The 2013 changes to ISO27001 have far-reaching practical impacts on information security. I suggest that these changes will prove to be significant in modernizing ISO 27001 ISMS - more so than is believed by many, who think that they are "subtle, not dramatic" - we shall, of course, see later! As I have outlined above, the most far-reaching updates are (1) the use of the broader concept of risk in the context of the management system. There is also (2) emphasis on preventive action as a broader concept than simply preventing an incident from recurring - see my thoughts on this further down.

A list of the changes made would, I suggest, contain the following items - starting with Annex SL:

1. ISO 27001:2013 has been written using the new high-level structure, which is common to all new management systems standards. Known as ISO's Directive Annex SL, the new structure will mean that implementing multiple ISO management standards will be far easier in the future.

2. The PDCA (plan–do–check–act) cycle is not expressly displayed in the introduction of the standard (which has caused many people to assume that it has gone altogether - a mistaken belief). This is because Annex SL requires all ISO standards to structure their main clauses around the PDCA cycle:
   - Clauses 4 Context of the organization, 5 Leadership, 6 Planning, and 7 Support are nothing but the Plan phase
   - Clause 8 Operations speaks about the Do phase
   - Clause 9 Performance evaluation is, of course, the Check phase, and
   - Clause 10 Improvement is the Act phase

3. Changes have been made to terminology. Some definitions have been removed or relocated.

4. Management commitment requirements focus on "leadership" (Clause 5) - specifically: top management (that is, C-Suite managers) must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities, and authorities.

5. Statement of Applicability (SOA) requirements are similar to ISO 27001:2005; however, there is more clarity on the need to determine the appropriate controls for your organization through the risk treatment process. The risk assessment requirements have been aligned with BS ISO 31000 and, importantly, an asset-based risk assessment process is no longer a requirement of the standard.

6. Preventive action is replaced with "actions to address risks and opportunities" - see below.

7. Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships. See the Table below for the Annex A Control groups.

8. There is a greater emphasis on setting management objectives, monitoring performance, and metrics.


Regarding the above, consider the growing importance of management system integration. It is a fact that ISO Management System Standards (MSSs) were written in a language that was difficult to understand, contained elements that suggested the systems were bureaucratic, and intended only for large organizations - the ones that had the necessary staff and could afford them. ISO 27001:2013 fits seamlessly into an integrated management system alongside other standards such as ISO 9001 (the new '2015' version), ISO 14001, ISO 22301 and ISO 20000. Integration will be achieved in this way because, to quote ISO News on Integrated Management Systems (February 13, 2013), ISO MSSs are based on the same fundamental concepts; which can be summed up as follows: 1. Process management and control: ensure that processes deliver the intended results and that applicable requirements are complied with. 2. Plan-Do-Check-Act approach to management and process control: establish objectives, define the processes needed, monitor progress and compliance, take action where necessary, and consider improvement opportunities. 3. Risk management: identify the risks that provide threats and opportunities, and implement controls to minimize negative effects on performance and maximize potential benefits. Annex SL certainly assists not only SMEs but also all organizations in applying multiple MSSs to their business processes. The use of the same structure as well as commonly used terms and definitions make it far simpler, less time consuming and so cheaper to implement, integrate and maintain standards. If your organization plans to implement ISO 9001:2015 in the coming months, the fact that ISO 27001:2013 also uses Annex SL could be the incentive you need to do this? In the end, it pays to demonstrate that your organization has robust management systems in place especially if you plan to win contracts from larger enterprises, government and the public sector. 
The change to risk assessment is valuable - it is not 'business as usual' for the asset-based approach

There are, as I have described in this paper, major changes to the ISO27001 risk assessment clauses. In my view, these represent a chance to make the standard more appealing to business audiences and much more affordable in terms of the workload involved. By removing details on how the risk assessment phase should be conducted, the requirements to identify assets, threats, and vulnerabilities, et al, have also gone. At the same time, the new ISO 27001:2013 approach to risk management has been aligned with ISO 31000 definitions, such as those used for 'control' and 'risk treatment'. This was principally because the 2005 requirements were considered too prescriptive: they described how organizations should manage their information security risks rather than what the goals are. The 2013 version defines an ISO27001-compliant ISMS ... and not how to do your job!

ISO 27001:2013 is relevant to today's outsourced IT services and cloud software applications

The wording of Clause 4.3 (and in particular 4.3 c)) is intended to make it clear that the scope of the ISMS (as distinct from the scope of certification) includes everything that is of interest to the ISMS. Therefore, the scope includes external risk sources, such as hackers and internet outages, as well as any functions like IT services that are outsourced. An "outsourcing" section has been added, along with a new control (A.15.1.3) that addresses information security in supplier relationships; specifically, the risks associated with suppliers outsourcing some or all of the provided IT services. Clause 8.1 deals with the execution of the actions determined in Clause 6.1, that is, the achievement of the information security objectives and outsourced processes. In this way, ISO27001:2013 addresses the increasing reliance of today's organizations on various forms of IT outsourcing and internet-based applications.

The Controls in Annex A are fit for purpose given changes in technology

Annex A reference control objectives and controls have been revised. They are aligned with the 2013 revision of the ISO/IEC 27002 standard, which is used by organizations that intend to:

- Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
- Implement commonly accepted information security controls;
- Develop their own information security management guidelines.

Once again, the strength of ISO27001:2013 is in its ability to fit the many different requirements of real organizations. The standard allows you to select the controls that are appropriate to your needs. There are too many changes to the Annex A controls to list them all. It suffices to say here that new requirements have been added, some existing references from the 2005 version have been modified and regrouped, and other references have been deleted. The total number of controls in the 2013 version has reduced from 133 controls in 11 groups to 114 in 14 groups. New groups have been included, shown marked in red in the Table below.

Finally, preventive action requirements are gone from ISO 27001:2013. These were often a source of confusion since the concept itself was unclear and overlapped with risk management. The core text in two places now covers the intent of preventive action at the organizational level:

4.1 > a requirement to assess external/internal issues
6.1 > a requirement to determine risks and opportunities

These two sets of requirements (4.1 and 6.1) are considered to cover the concept of "preventive action" and to take a wider view that looks at risks and opportunities in the way that business works.
The purpose of these and other improvements made to the wording of ISO 27001 can be summed up as giving you the ability to "assure the [information security] management system can achieve its intended outcomes; prevent, or reduce, undesired effects; [and] achieve continual improvement".

Where to start?

The most sensible place to start is with a gap analysis between the existing ISMS and the new version of the standard. This then forms the basis for the tasks required in the transition "project". Knowing how your current ISMS conforms to the previous standard may also be of assistance, as it helps to identify existing documented information that requires changing. For further advice and guidance on implementing ISO27001:2013, see my CogniBlog posts.

A.5   Information security policies (2 controls) [note: 'policies' replaces 'policy']
A.6   Organization of information security (7 controls)
A.7   Human resource security (6 controls, applied before, during, or after employment)
A.8   Asset management (10 controls)
A.9   Access control (14 controls)
A.10  Cryptography (2 controls)
A.11  Physical and environmental security (15 controls)
A.12  Operations security (14 controls)
A.13  Communications security (7 controls)
A.14  System acquisition, development, and maintenance (13 controls)
A.15  Supplier relationships (5 controls)
A.16  Information security incident management (7 controls)
A.17  Information security aspects of business continuity management (4 controls)
A.18  Compliance; with internal requirements, such as policies, and with laws (8 controls)

Table 3: Annex 'A' Control Groups for ISO27001:2013 (114 Controls in 14 Groups, A.5 to A.18)


Company Information

Registered Office:
Cognidox Limited
St John's Innovation Centre
Cowley Road
Cambridge CB4 0WS
UK

Registered in England and Wales No. 06506232
Email: [email protected]
Telephone: +44 (0) 1223 911080

Smart Document Management

CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to capture, share and publish product and design documentation. This easy-to-use tool helps break down the barriers to finding information, share solutions and enjoy a faster, more productive development workflow inside your company. In addition, CogniDox helps you manage and publish documents and other content to licensed customers. It reduces technical support load and accelerates your customers' time to market.

www.cognidox.com
