
Tuesday, 19 April 2016

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 - Part 2


Clause 4: Context of the organization 

This is a new clause that in part addresses the deprecated concept of preventive action and in part establishes the context for the ISMS. It meets these objectives by drawing together relevant external and internal issues (i.e. those that affect the organization’s ability to achieve the intended outcome(s) of its ISMS) with the requirements of interested parties to determine the scope of the ISMS.

It should be noted that the term ‘issue’ covers not only problems, which would have been the subject of preventive action in the previous standard, but also important topics for the ISMS to address, such as any market assurance and governance goals that the organization might set for the ISMS. Further guidance is given in Clause 5.3 of ISO 31000:2009.

Note that the term ‘requirement’ is a ‘need or expectation that is stated, generally implied or obligatory’. Combined with Clause 4.2, this in itself can be thought of as a governance requirement, as strictly speaking an ISMS that did not conform to generally-accepted public expectations could now be ruled nonconforming with the standard.

The final requirement (Clause 4.4) is to establish, implement, maintain and continually improve the ISMS in accordance with the requirements of the standard.

Clause 5: Leadership 

This clause places requirements on ‘top management’ which is the person or group of people who directs and controls the organization at the highest level. Note that if the organization that is the subject of the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller organization. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. 

A particular responsibility of top management is to establish the information security policy, and the standard defines the characteristics and properties that the policy is to include. This is important for software development companies.

Finally, the clause places requirements on top management to assign information security relevant responsibilities and authorities, highlighting two particular roles concerning ISMS conformance to ISO/IEC 27001 and reporting on ISMS performance.

Clause 6: Planning 

Clause 6.1.1, General: This clause works with Clauses 4.1 and 4.2 to complete the new way of dealing with preventive actions. The first part of this clause (i.e. down to and including 6.1.1 c)) concerns risk assessment, whilst Clause 6.1.1 d) concerns risk treatment. As the assessment and treatment of information security risk is dealt with in Clauses 6.1.2 and 6.1.3, organizations could use this clause to consider ISMS risks and opportunities.

Clause 6.1.2, Information security risk assessment: This clause specifically concerns the assessment of information security risk. In aligning with the principles and guidance given in ISO 31000, this clause removes the identification of assets, threats and vulnerabilities as a prerequisite to risk identification. This widens the choice of risk assessment methods that an organization may use while still conforming to the standard. The clause also refers to ‘risk assessment acceptance criteria’, which allows criteria other than just a single level of risk. Risk acceptance criteria can now be expressed in terms other than levels, for example, the types of control used to treat risk.

The clause refers to ‘risk owners’ rather than ‘asset owners’ and later (in Clause 6.1.3 f)) requires their approval of the risk treatment plan and residual risks.

In other ways the clause closely resembles its counterpart in ISO/IEC 27001:2005 by requiring organizations to assess consequence, likelihood and levels of risk. Assessment of consequences, likelihood and levels of risk is essential for software development companies.

Clause 6.1.3, Information security risk treatment: This clause concerns the treatment of information security risk. It is similar to its counterpart in ISO/IEC 27001:2005; however, it refers to the ‘determination’ of necessary controls rather than selecting controls from Annex A. Nevertheless, the standard retains the use of Annex A as a cross-check to make sure that no necessary control has been overlooked, and organizations are still required to produce a Statement of Applicability (SOA). The formulation and approval of the risk treatment plan is now part of this clause.

Clause 6.2, Information security objectives and planning to achieve them: This clause concerns information security objectives. It uses the phrase “relevant functions and levels”, where the term ‘function’ refers to the functions of the organization, and the term ‘level’ to its levels of management, of which ‘top management’ is the highest. The clause defines the properties that an organization’s information security objectives must possess. This lets software application development companies move from ISO 27001:2005 to ISO 27001:2013.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 - Part 1


ISO/IEC 27001:2013 is the first revision of ISO/IEC 27001. First and foremost, the revision has taken account of practical experience of using the standard: there are now over 17,000 registrations worldwide. However, there have been two other major influences on the revision. The first is an ISO requirement that all new and revised management system standards must conform to the high level structure and identical core text defined in Annex SL to Part 1 of the ISO/IEC Directives. Conformance to these requirements will have a tendency to make all management system standards look the same, with the intention that management system requirements that are not discipline-specific are identically worded in all management system standards. This is good news for software application development companies that operate integrated management systems, i.e. management systems that conform to several standards, such as ISO 9001 (quality), ISO 22301 (business continuity) as well as ISO/IEC 27001. The second influence was a decision to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). Again, this is good news for integrated management systems as now an organization may apply the same risk assessment methodology across several disciplines.

The result is that structurally ISO/IEC 27001:2013 looks very different to ISO/IEC 27001:2005. In addition, there are no duplicate requirements, and the requirements are phrased in a way that allows greater freedom of choice on how to implement them. A good example of this is that the identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clearer that controls are not to be selected from Annex A, but are determined through the process of risk treatment. Nevertheless, Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.

Clause 0: Introduction 

This is a much shorter clause than its predecessor. In particular the section on the PDCA model has been removed. The reason for this is that the requirement is for continual improvement (see Clause 10) and PDCA is just one approach to meeting that requirement. There are other approaches, and organizations are now free to use them if they wish. Many software application development companies are adopting such approaches.

The introduction also draws attention to the order in which requirements are presented, stating that the order does not reflect their importance or imply the order in which they are to be implemented. 

Clause 1: Scope 

This, too, is a much shorter clause. In particular there is no reference to the exclusion of controls in Annex A.

Clause 2: Normative references 

The only normative reference is to ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Clause 3: Terms and definitions 

There are no longer any terms or definitions in ISO/IEC 27001:2013. Instead, readers are referred to ISO/IEC 27000. However, please ensure that you use a version of ISO/IEC 27000 that was published after ISO/IEC 27001:2013 otherwise it will not contain the correct terms or definitions. This is an important document to read. Many definitions, for example ‘management system’ and ‘control’ have been changed and now conform to the definitions given in the new ISO directives and ISO 31000. If a term is not defined in ISO/IEC 27000, please use the definition given in the Oxford English Dictionary. This is important, otherwise confusion and misunderstanding may be the result.


Author Signature: Shreyans Agrawal (ifour.shreyans.agrawal@gmail.com)