Governance, Risk Management, and Compliance blog

Three ways the ISO 27001 revision will affect your company

[fa icon="calendar"] Monday, 15 April 2013 / by Jakob Holm Hansen

It has been eight years since the ISO 27001 standard was last revised but now changes are coming.


When 2013 nears its end we will see a new version of the information security standard ISO 27001. If you belong to those who must comply with the standard, or just consider it good practice, then you will experience a transitional period where your company must change its processes. It can be a time consuming process but luckily a draft of the revision has already been made publicly available.


Below you'll find the three most important changes in the ISO 27001 update so you can begin to prepare yourself immediately.


1. Increased flexibility in your choice of risk method

In the current ISO 27001 version it is a requirement that an active owner is identified and that a threat based vulnerability assessment is implemented. In the new draft the term risk owner is used instead and it is only a requirement to identify risks in relation to confidentiality, integrity and availability. Thereby, there is an attempt to adapt the risk process to the risk management standard ISO 31000.


It will, however, still be the ISO 27005 standard most people will use as a starting point for the risk process as it deals specifically with IT risks unlike ISO 31000 which provides a framework for analysis of all risk types in a business.


2. Sharpened demands to the Information Security Management System context

In the current draft the section about the establishing of the ISMS and the scope is brief and imprecise. The requirements for organisations ISMS context has been highlighted with the requirement that all relevant external stakeholder demands should be described as a part of the ISMS.


3. Demands to surveilance and measurements get their own section

Where they are currently spread among other requirements, the requirements for surveillance and measurement of efficiency have now been given their own section. There is an increased focus on ensuring that companies identifiy, describe and can document the efficiency of the implemented IT controls. Companies must draw up Key Performance Indicators for the evaluation of all implemented security measures and can document the KPI's output.


The ISO 27001 update is still open to changes but these three points should give you a headstart so you can have a smoother transition.

Emner: ISO 27001, KPI, ISMS, ISO 27001 revision, ISO 27005, ISO 31000

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts