{"id":4682,"date":"2013-01-28T18:49:10","date_gmt":"2013-01-28T18:49:10","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/013\/01\/28\/a-first-look-at-the-new-iso-27001-2013-draft-version\/"},"modified":"2024-12-21T16:11:15","modified_gmt":"2024-12-21T16:11:15","slug":"a-first-look-at-the-new-iso-27001-2013-draft-version","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/01\/28\/a-first-look-at-the-new-iso-27001-2013-draft-version\/","title":{"rendered":"A first look at the new ISO 27001"},"content":{"rendered":"<p><em>Update 2013-09-25<\/em>: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013.<\/p>\n<p>When I heard the news that the DIS (draft) version of ISO 27001:2013 is available, I was very impatient to read it. When compared to the old ISO\/IEC 27001 from 2005, the changes are actually not too drastic \u2013 here are the main differences I found:<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">The structure<\/h2>\n<p>As expected, the new <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> is compliant with Annex SL of ISO\/IEC Directives, in order to be aligned with all the other management standards \u2013 this is already evident in <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a>, the new business continuity management standard. 
So, here are the main clauses that you will see in all the management standards:<\/p>\n<p style=\"padding-left: 30px;\">0 Introduction<br \/>\n1 Scope<br \/>\n2 Normative references<br \/>\n3 Terms and definitions<br \/>\n4 Context of the organization<br \/>\n5 Leadership<br \/>\n6 Planning<br \/>\n7 Support<br \/>\n8 Operation<br \/>\n9 Performance evaluation<br \/>\n10 Improvement<\/p>\n<p>Naturally, Annex A is still here in the new ISO 27001 \u2013 this is where all the controls are listed (<a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2013\/02\/11\/main-changes-in-the-new-iso-27002-2013-draft-version\/\">click here to see new controls<\/a>). The quite useless Annex B from the old standard is gone, while there is no need for Annex C anymore.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Interested parties<\/h2>\n<p>The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 \u2013 there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.<\/p>\n<p>This is definitely an excellent way of defining key inputs into the ISMS.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Documented information<\/h2>\n<p>The concepts of &#8220;documents&#8221; and &#8220;records&#8221; are merged together; so, now it is &#8220;documented information.&#8221; Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven&#8217;t changed much from the old ISO 27001.<\/p>\n<p>The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective 
action, Preventive action) is gone \u2013 however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don&#8217;t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.<\/p>\n<p>Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone \u2013 there is no central list of required documents.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Risk assessment and treatment<\/h2>\n<p>Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability \u2013 although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified; however, I assume that the assets-vulnerabilities-threats methodology will remain as a best practice for a long time.<\/p>\n<p>The concept of determining the level of risk based on consequences and likelihood remains the same.<\/p>\n<p>The concept of asset owner is gone \u2013 a new term is used: &#8220;risk owners&#8221; \u2013 so the responsibility is pushed to a higher level.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Objectives, monitoring and measurement<\/h2>\n<p>A big change here: these are not mentioned within some other requirements, but now there are separate clauses with very concrete rules. The rules are that you need to set clear objectives, you need to define who will measure them and when, and you need to define who should analyze and evaluate those results. Further, comprehensive plans need to be developed that will describe how the objectives will be achieved.<\/p>\n<p>This is definitely something that will bring ISMS closer to other management processes in a company. 
Hopefully, it will push information security onto the management agenda because \u2013 once you have very clear figures as to how your security performs \u2013 you cannot turn your head away from it.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Corrective &amp; preventive actions<\/h2>\n<p>The biggest change is there are no preventive actions anymore, at least not at first sight \u2013 they are basically merged in risk assessment and treatment, where they naturally belong.<\/p>\n<p>Further, a distinction is made between corrections that are made as a direct response to a nonconformity, as opposed to corrective actions that are made to eliminate the cause of a nonconformity. This way another ambiguity from the old standard is resolved.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Communication<\/h2>\n<p>This is also a new clause where all the requirements are summarized \u2013 what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an &#8220;IT thing&#8221; or &#8220;security thing&#8221; \u2013 the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What will this mean for the implementation?<\/h2>\n<p>I must admit I like all these changes \u2013 not only will the new ISO 27001 be easier to integrate with other management standards like <a href=\"https:\/\/staging.advisera.com\/9001academy\/what-is-iso-9001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 9001<\/a>, ISO 22301, <a href=\"https:\/\/staging.advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a> and others, but it also allows more freedom for companies (especially smaller ones) to scale the ISMS to their real needs and thereby avoid unnecessary overhead. 
But this may also turn out to be the greatest weakness of this new standard \u2013 because of its loose definitions, some companies may try to focus on satisfying the minimum instead of focusing on increasing security.<\/p>\n<p>In other words, companies that mean well and really want to increase their level of security will find it easier to comply with this standard; however, the companies that are not so positive and are looking for loopholes to implement it only for the sake of certification will see this standard as an opportunity.<\/p>\n<p><span class=\"notion-enable-hover\" data-token-index=\"0\"><em>To get step-by-step guidance and templates for all ISO 27001 required documents, try out<\/em>\u00a0<\/span><a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/staging.advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"1\"><span class=\"link-annotation-unknown-block-id-1092142182\">Conformio<\/span><\/a><em><span class=\"notion-enable-hover\" data-token-index=\"2\">, ISO 27001 compliance software, for free.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 2013-09-25: This blog post was updated according to the final version of ISO 27001:2013 that was published on September 25, 2013. When I heard the news that the DIS (draft) version of ISO 27001:2013 is available, I was very impatient to read it. 
When compared to the old ISO\/IEC 27001 from 2005, the changes &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[235,277,381,402,504,528,597,600],"class_list":["post-4682","post","type-post","status-publish","format-standard","hentry","category-blog","tag-measurement","tag-risk-assessment","tag-iso-27001","tag-iso-27002","tag-document-management","tag-corrective-and-preventive-actions","tag-iso27001-2013-revision","tag-security-objectives"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4682"}],"version-history":[{"count":2,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4682\/revisions"}],"predecessor-version":[{"id":104297,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4682\/revisions\/104297"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}