Saturday, 16 November 2013

New ISO27001:2013

The new version of ISO27001 has been available since the last quarter of 2013. The 2013 version introduces many changes, and the purpose of this post is to take a high-level look at them.
First, the new version follows ISO Annex SL. This means that the structure of the standard's clauses and phases will be very similar to that of the other ISO management-system standards that are also adopting this Annex. In practice, the aim is for organizations to have a single common management framework into which the different ISO standards they have implemented are integrated. Other significant changes introduced by the new version are listed below:
  • The definition of context becomes a key element, as the starting point of ISMS planning.
  • A new, specific clause deals with leadership in the ISMS; this concept will therefore be particularly important in transitions to the 2013 version.
  • The concept of "preventive actions" is replaced by the Annex SL concept of "actions to address risks and opportunities" (clause 6.1).
  • ISO31000 is referenced as the risk management framework. In line with Annex SL, the intent is for risk management to become homogeneous at the corporate level, so that organizations can compare risks of different types (information, people, financial, etc.).
  • Adopting ISO31000 as the risk analysis framework makes the risk analysis requirements more generic and less detailed than those defined in ISO27001:2005 and ISO27005. The purpose is to make it easier to carry out risk analysis in other management systems that have not incorporated it (such as environmental management, quality or IT services). In particular, the 2013 version no longer prescribes the asset/threat/vulnerability identification method of the 2005 version, although it still requires defined risk acceptance criteria and a process that produces consistent, valid and comparable results (clause 6.1.2).
  • Security objectives must be approved by the business, which must allocate the resources necessary to achieve them. Special emphasis is placed on this aspect, so the allocation of resources should be appropriately evidenced.
  • A new concept of great importance appears: communication with interested parties.
  • Another important change is that the concept of asset owner is replaced by that of risk owner. Asset ownership still appears as an Annex A control (A.8.1.2), but the main body of the standard now refers to risk owners, who approve the risk treatment plan and accept the residual risks (clause 6.1.3).
  • Annex A goes from 133 controls to 114, grouped into 14 domains instead of 11. Few controls are actually removed; most of the reduction comes from rearranging, merging and reformulating them.
Although PDCA is no longer mandatory in the new version, the clauses can easily be mapped onto the PDCA scheme (note that the structure is identical for all standards adopting ISO Annex SL):
  • Clause 4 Context: In the new version it becomes of paramount importance to properly define the context, both internal and external to the organization, that is, to keep in mind the ecosystem in which the organization operates when taking all other decisions in the ISMS. Furthermore, the concept of context is fully aligned with the context definition that ISO31000 requires as part of risk analysis.
  • Clause 5 Leadership: As mentioned earlier, this is an entirely new clause. In this version the definition of leadership and responsibilities is central, with the aim of ensuring that the resources necessary to achieve the security objectives are allocated.
  • Clause 6 Planning: This clause defines the risk analysis requirements, using ISO31000 as a framework, and the requirements to be met for objective setting and planning. The Statement of Applicability remains almost unchanged.
  • Clause 7 Support: This clause defines the requirements for training, resource allocation, awareness, communication and document management. As mentioned before, great importance is given to managing communication with interested parties: it must be established what is to be communicated, to whom, and how.
  • Clause 8 Operation: This is the Annex SL clause that varies most from one ISO standard to another, since the "Do" of 27001 is completely different from the "Do" of environmental management, quality or any other ISO standard. This is the clause under which the relevant controls must be implemented, based on the Statement of Applicability.
  • Clause 9 Performance evaluation: This clause defines the requirements for ISMS metrics and indicators, alongside internal audit and management review. The new version reinforces the requirement to define and implement metrics.
  • Clause 10 Improvement: The last clause focuses on continual improvement. In this respect, the changes from ISO27001:2005 are minimal.

Finally, I must say that after my experience working on the transition from an ISMS based on ISO27001:2005 to the new version, ISO27001:2013, I am convinced that the changes are very positive and will result in improved efficiency for those ISMSs that use this standard as a basis for implementation.
I hope you've enjoyed this post and have found it useful.
twitter: @omarbenjumea
linkedin: http://www.linkedin.com/in/omarbenjumea

