In November 2013, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) will formally release long-anticipated updates to ISO/IEC 27001 and 27002. The last time these standards were updated was in 2005.
WHAT ARE ISO AND IEC?
Founded in 1947, ISO is the world’s largest developer of voluntary international standards. ISO has published more than 19,500 standards, which are used in government, businesses and industries. Representing more than 160 countries and attracting over 30,000 experts a year, ISO gathers their opinions to form consensus around an international standard.
Developed in collaboration with the IEC (an international standards organization dealing with electrical, electronic and related technologies), ISO has supported long-recognized standards for information security called ISO/IEC 27001 and ISO/IEC 27002. The effective use of these standards can help companies achieve best practices in information security; avoid reinventing security controls; optimize the use of scarce resources; and reduce the occurrence of major risks such as project failures, wasted investments, security breaches, system crashes, data compromises, and failures of service providers to understand and meet customer requirements.
WHY SHOULD COMPANIES CARE?
Tens of thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for information security programs and controls. Together, they are the de facto standards for many governance, risk & compliance (GRC) frameworks and provide the requirements and code of practice for security regulations, assessments, insurance premiums and frameworks. They provide a baseline for initiating, implementing, maintaining and improving an information security management system in any size organization.
There have been significant changes made to these two standards. Since many organizations use these standards as a framework/baseline/target, there may be ramifications for their policies, standards and processes that warrant careful consideration. Many of the changes represent the standards’ catching up with ever-changing technology. Other changes are restructuring and clarifying the existing controls. Therefore, the changes reflected in the new security standards will need to be incorporated into most companies’ information security policies, standards and processes.
Companies currently certified with the old ISO standards (around 7,940 in total) will need to update to the new standards and recertify using the new standards after September 2015, but many companies may want to use the new standards to recertify before the deadline.
Companies that use ISO/IEC as a baseline or framework for their security programs can update when they are comfortable with the changes because it is their choice to use these standards. However, one of the justifications for using ISO/IEC as standards is to take advantage of updates and current thinking, so many companies may choose to adopt the new standards sooner rather than later.
WHAT HAS CHANGED?
The following changes are divided into two categories: (1) changes to the information security management system (ISMS) and (2) changes to controls. The ISMS remains the cornerstone of the ISO/IEC 27001 and 27002 standards. Changes made to the ISMS include:
- The familiar Plan-Do-Check-Act (PDCA) process framework has been removed.
- The interested parties and their requirements need to be listed in the ISMS and may include legal, regulatory and contractual obligations.
The concepts of “documents” and “records” are merged. They are now called “documented information.” The requirement in the old standard for documented procedures (document control, internal audit, corrective action and preventive) has been removed. However, documenting the results of processes is required. As a result, procedures are not required, but the documented information related to managing documents, performing internal audits and executing corrective actions is required. The required documents listed in the old standard (reference 4.3.1) have been removed.
The risk assessment using an asset’s value, vulnerabilities and threats has been removed in the new standard. Risks are now associated with the confidentiality, integrity and availability of information, and risks are assessed using the level of risk based on their consequences and the likelihood they will materialize. Risk ownership is also required.
The objectives for information security need to be defined, measurable and account for requirements. Risks and results need to be communicated, updated and documented. Also, the plans to achieve the objectives should include what will be done, required resources, responsibility, time frame and how results will be evaluated.
Many GRC frameworks use ISO/IEC and will need to be updated at some point to reflect the changes made in the new standards. The following differences to note include:
- There were 11 control domains; now there are 14, including three additional sections. The three new sections are not new since these were included in the previous ISO/IEC 27001.
- Cryptography was part of the systems acquisition, development and maintenance domain (old control 12.3).
- Supplier relationships were part of communications and operations management (old control 6.2).
- Communications security was part of the communications and operations management (old control 10.6).
- There are 19 fewer controls. (The old version had 133 controls and the new one has 114.) There are six new controls, and 25 controls were eliminated because they were too specific or outdated.
The following is a list of the new controls:
- 14.2.1: Secure development policy: Standards for the development of software and systems should be established.
- 14.2.5: System development procedures: Principles for developing secure systems should be established, documented, maintained and applied to any information system.
- 14.2.6: Secure development environment: Organizations should establish and appropriately protect secure development environments for system development and integration.
- 14.2.8: System security testing: Security functionality testing should be carried out during development.
- 16.1.4: Assessment and classification of information security events: Information security events should be assessed, and decided on if they should be classified as information security incidents.
- 17.2.1: Availability of information processing facilities: Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.
IN CLOSING
While many will say that these changes to ISO/IEC 27001 and 27002 are long overdue and perhaps more changes are required, the revised standards provide a package of security techniques that is practical in assisting an organization when identifying its security requirements and risks and selecting controls to address those requirements and mitigate those risks. Two areas that will require attention are realigning policies, standards and awareness training to align with the new standard and assigning risk owners and having them approve risk treatment plans and residual risks. The updated standards will better align ISO/IEC with other frameworks and evolving management and governance practices. Companies using ISO/IEC as a framework or those that are ISO/IEC certified should consider adopting the new ISO/IEC standards as time and resources permit. Many of the changes will better align security objectives with business goals and objectives and that alignment will help everyone better appreciate the importance of information security to the company’s sustainability, viability and reputation across the whole organization.
Learn more about governance, risk & compliance by exploring these related tools on KnowledgeLeader:
Risk Management Policy
Record Disposal and Retention Policy
Business Self-Assessment Methodology
