The internationally recognised Information Security Management System (ISMS) standard ISO/IEC 27001 was formally revised in September 2013. The structure of the new standard is very different from that of the older ISO/IEC 27001:2005, but the changes are good news for organisations implementing an integrated management system covering one or more standards. The new standard aligns with ISO 31000 for risk management, which allows companies to apply the same risk assessment methodology across several standards.
So what are the main changes?
- The revised standard has been written using the new high-level structure, which is common to all new management system standards. This will allow easy integration when implementing more than one management system
- Risk assessment requirements have been aligned with ISO 31000
- Preventive action has been replaced with “actions to address risks and opportunities”
- SOA (Statement of Applicability) requirements are similar, with more clarity on the need to determine controls through the risk treatment process
- Controls in Annex A have been modified to reflect changing threats and have a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships
- Greater emphasis is on setting objectives, monitoring performance and metrics
Almir Business has helped many clients with their implementation and certification to ISO/IEC 27001. If you have any queries on ISO/IEC 27001:2013 or on the transition to the new standard, we would be happy to assist you. Please contact us at firstname.lastname@example.org