KnowledgeLeader Blog

ISO/IEC 27001 and 27002: What Are the Significant Changes?

Posted by Sharise Cruz on Wed, Oct 30, 2013 @ 12:27 PM

itflashreportIn November 2013, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) will formally release long-anticipated updates to ISO/IEC 27001 and 27002. The last time these standards were updated was in 2005. 

What are ISO and IEC?

Founded in 1947, ISO is the world’s largest developer of voluntary international standards. ISO has published more than 19,500 standards, which are used in government, business and industry. Representing more than 160 countries and attracting over 30,000 experts a year, ISO gathers their opinions to form consensus around an international standard.

Developed in collaboration with the IEC (an international standards organization dealing with electrical, electronic and related technologies), ISO has supported long-recognized standards for information security called ISO/IEC 27001 and ISO/IEC 27002. The effective use of these standards can help companies achieve best practices in information security, avoid re-inventing security controls, optimize the use of scarce resources, and reduce the occurrence of major risks such as project failures, wasted investments, security breaches, system crashes, data compromise, and failures of service providers to understand and meet customer requirements.

Why should companies care?

Tens of thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for information security programs and controls. Together, they are the de facto standards for many governance, risk and compliance (GRC) frameworks and provide the requirements and code of practice for security regulations, assessments, insurance premiums and frameworks. They provide a baseline for initiating, implementing, maintaining and improving an information security management system in any size organization.

There have been significant changes made to these two standards. Since many organizations use these standards as a framework/baseline/target, there may be ramifications for their policies, standards and processes that warrant careful consideration. Many of the changes represent the standards’ catching up with ever-changing technology. Other changes are restructuring and clarification of the existing controls. Therefore, the changes reflected in the new security standards will need to be incorporated into most companies’ information security policies, standards and processes.

Companies currently certified with the old ISO standards (around 7,940 in total) will need to update to the new standards and recertify using the new standards after September 2015, but many companies may want to use the new standards to recertify before the deadline.

Companies that use ISO/IEC as a baseline or framework for their own security programs can update when they are comfortable with the changes because it is their choice to use these standards. However, one of the justifications for using ISO/IEC as standards is to take advantage of updates and current thinking, so many companies may choose to adopt the new standards sooner rather than later.

This Flash Report will help companies anticipate the requirements of the new standards and the possible ramifications for the organization.

What has changed?

As summarized below, the changes are divided into two categories – (1) changes to the information security management system (ISMS), and (2) changes to controls.

Changes to ISMS: The ISMS remains the cornerstone of the ISO/IEC 27001 and 27002 standards. Changes made to the ISMS include:

  • The familiar Plan-Do-Check-Act (PDCA) process framework has been removed.

  • Interested parties and their requirements need to be listed in the ISMS and may include legal, regulatory and contractual obligations.

  • The concepts of “documents” and “records” are merged together; they now are called “documented information.” The requirement in the old standard for documented procedures (document control, internal audit, corrective action and preventive) has been removed. However, documenting the results of processes is required. As a result, procedures are not required, but the documented information related to managing documents, performing internal audits and executing corrective actions is required.

    • Required documents listed in the old standard (reference 4.3.1) have been removed.

  • Risk assessment using an asset’s value, vulnerabilities and threats has been removed in the new standard. Risks are now associated with the confidentiality, integrity and availability of information, and risks are assessed using the level of risk based on their consequences and the likelihood they will materialize. Risk ownership is also required.

  • Objectives for information security need to be defined, measureable and account for requirements, and risks and results communicated, updated and documented. Further, plans to achieve the objectives should include what will be done, resources required, responsibility, time frame and how results will be evaluated.

Changes to controls: Many GRC frameworks use ISO/IEC and will need to be updated at some point to reflect the changes made in the new standards. Differences to note include:

  • There were 11 control domains; now there are 14, including three additional sections. The three new sections are not really new since these were included in the previous ISO/IEC 27001:

  1. Cryptography was part of the systems acquisition, development and maintenance domain (old control 12.3).

  2. Supplier relationships were part of communications and operations management (old control 6.2).

  3. Communications security was part of the communications and operations management (old control 10.6).

  • There are 19 fewer controls. (The old version had 133 controls and the new one has 114.) There are six new controls, and 25 controls were eliminated because they were too specific or outdated.

  • The following is a list of the new controls:

    • 14.2.1: Secure development policy – Standards for the development of software and systems shall be established.

    • 14.2.5: System development procedures – Principles for developing secure systems shall be established, documented, maintained and applied to any information system.

    • 14.2.6: Secure development environment – Organizations shall establish and appropriately protect secure development environments for system development and integration.

    • 14.2.8: System security testing – Testing of security functionality shall be carried out during development.

    • 16.1.4: Assessment and classification of information security events – Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents.

    • 17.2.1: Availability of information processing facilities – Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

In Closing

While many will say that these changes to ISO/IEC 27001 and 27002 are long overdue and perhaps more changes are required, the revised standards provide a package of security techniques that is practical in assisting an organization in identifying its security requirements and risks and selecting controls to address those requirements and mitigate those risks. Two areas that will require attention are realignment of policies, standards and awareness training to align with the new standard, and assigning risk owners and having them approve risk treatment plans and residual risks. The updated standards will better align ISO/IEC with other frameworks and evolving management and governance practices. Companies using ISO/IEC as a framework or those that are ISO/IEC certified should consider adopting the new ISO/IEC standards as time and resources permit. Many of the changes will better align security objectives with business goals and objectives and that alignment will help everyone across the whole organization to better appreciate the importance of information security to the company’s sustainability, viability and reputation. 

 

Download this flash report:

Topics: Protiviti, information technology risk, IT audit, IT governance, IT infrastructure, security, flash report

Add a Comment:

Subscribe to Our Blog

About KnowledgeLeader

KnowledgeLeader, provided by Protiviti, is the premier resource for internal audit and risk management professionals.

With over 1,400 customizable tools and 1,300 articles by industry experts, we offer the most comprehensive service on the market.

For more information:

 Tour the Site

Recent Posts

Posts by Topic

see all