Governance, Risk Management, and Compliance blog

Six questions about the ISO 27001 revision (with answers)

Tuesday, 30 April 2013 / by Jakob Holm Hansen

How does the ISO 27001 revision impact your risk management?

1. What else is new in ISO 27001? Is it only about risk?

No, there are plenty of other changes. For example, management will have increased responsibility for IT risk management. There will also be more flexibility in your choice of risk method.

The revision is still only a draft, so changes can still occur.


2. Will it take a great amount of effort to shift to the new ISO 27001?

No, quite the contrary. ISO 27001 is not filled with technical demands on your security, internal audit, or other areas. The 2013 draft has the same main content as the 2005 version; the purpose and many of the activities are the same.

The main difference is in how the standard is presented: the formulations are sharper, and some areas are given more flexibility.

A transition would therefore not require a lot of extra effort on your part.

Further, you have absolutely nothing to fear if your company is already ISO 27001 certified.


3. Are there any consequences for the management (risk owner) if you do not meet the compliance requirements?

There will only be consequences for the risk owner if your company has decided that such consequences should exist. It can, however, have consequences for your ISO 27001 certification and may result in a reprimand at an audit visit.


4. Is there a good mapping between NIST SP 800-53 controls and ISO 27001?

Yes, the National Institute of Standards and Technology has even released a paper on the subject. You can find it here.


5. When will the platform reflect the new ISO 27001 standard?

Shortly after the new ISO 27001 changes are finalised and made public.

6. Is there already a paper about risk management in the new ISO 27001?

There are currently, to my knowledge, no specific papers available on this topic.

However, we will publish a paper on the topic. Once it is finished, it will be available on our website, and everyone on our mailing list will be informed.


If you have any questions not listed here, feel free to contact me and I'll do my best to answer them.

Topics: ISO 27001, NIST SP 800-53, Information risk management, BrightTalk, Risk management
