It has been eight years since the ISO 27001 standard was last revised, but now changes are coming.
Towards the end of 2013 we will see a new version of the information security standard ISO 27001. If you are among those who must comply with the standard, or who regard it as good practice, you will go through a transitional period in which your company must change its processes. That can be time-consuming, but luckily a draft of the revision has already been made publicly available.
Below are the three most important changes in the ISO 27001 update, so you can begin preparing immediately.
In the current ISO 27001 version, you are required to identify an asset owner and carry out a threat-based vulnerability assessment. The new draft uses the term risk owner instead, and only requires you to identify risks to confidentiality, integrity, and availability. This is an attempt to align the risk process with the risk management standard ISO 31000.
Most people will, however, still use ISO 27005 as the starting point for the risk process, as it explicitly addresses IT risks, unlike ISO 31000, which provides a framework for analysing all types of risk in a business.
In the current version, the section about establishing the ISMS and its scope is brief and imprecise. The draft highlights the requirements for the organisation's ISMS context, including the need to describe all relevant external stakeholder demands as part of the ISMS.
The requirements for monitoring and effectiveness measurement, previously spread among other requirements, have now been given their own section. There is an increased focus on ensuring that companies identify, describe, and document the effectiveness of the implemented IT controls. Companies must draw up Key Performance Indicators to evaluate all implemented security measures and document the outputs of those KPIs.
The ISO 27001 update is still open to changes, but these three points should give you a head start towards a smoother transition.