Since its initial publication in 2005, the International Organization for Standardization's ISO 27001 framework has served as the information security industry's gold standard for the design of information security programs. ISO 27001 defines the high-level requirements that all information security programs should address and provides a structure for evaluating the completeness of an organization's program. While relatively few organizations pursue formal ISO 27001 certification, many use the standard as both a blueprint for designing a comprehensive set of security controls and a yardstick for measuring existing security programs.
Last September, ISO 27001 received its first major update with the release of ISO 27001:2013. The 2013 ISO 27001 update accomplishes two main objectives: updates to the content of the standard to reflect developments in the security world over the past decade, and a reorganization of ISO 27001 to better align with other international security standards.
The good news is that most of the ISO 27001 updates are cosmetic: they rearrange many of the principles from the 2005 standard into the consistent format used by other ISO standards. Organizations won't need to worry much about those, other than reorganizing compliance plans to align with the new standard. However, a few new areas in ISO 27001 need careful review.
Flexibility in risk assessments
The cornerstone of any information security program is a sound risk assessment that identifies, evaluates and appropriately manages the many risks facing an organization's information assets. Under the 2005 version of ISO 27001, organizations had to follow a very specific risk assessment technique. The old process was quite prescriptive, describing four specific steps that organizations must follow to identify assets, threats, vulnerabilities and the impact of confidentiality, integrity and availability losses on those assets. The revised standard relaxes those requirements and, while still requiring a formal risk assessment that identifies, analyzes and evaluates risks, does not dictate the specific process that an organization must follow when performing that assessment.
Meeting the needs of interested parties
The 2013 version of ISO 27001 also introduces the new concept of "interested parties," which is an acknowledgement of the fact that outside entities may have an interest in an organization's information security program. Interested parties may include government regulators and other entities that assert contractual compliance obligations on an organization, such as the Payment Card Industry Security Standards Council.
Organizations seeking certification under ISO 27001:2013 must obtain a thorough understanding of the needs and expectations of these interested parties. The standard specifically requires that organizations "determine interested parties that are relevant to the information security management system" and also identify "the requirements of these interested parties relevant to information security." If an organization has been following a standard process for documenting its compliance with IT regulations, it's probably already in good shape for this new requirement.
Monitoring security performance
Section 9.1 of the updated standard requires that organizations evaluate "information security performance and the effectiveness of the information security management system." It goes on to outline the general structure of such a monitoring program, including requirements to identify monitoring techniques, assign timelines and responsibilities for monitoring, and define formal analysis procedures.
As with all of the ISO 27001 requirements, the standard does not delve into the specifics of how an organization should monitor its information security program. It merely outlines the general requirements of a monitoring program, and then allows management to decide the best way to fulfill those requirements within each organization's unique technical and business environment.
How will changes to ISO 27001 affect me?
The extent to which the updated standard will affect an organization depends upon its approach to ISO 27001. If a company simply uses ISO 27001 as an advisory standard, it can choose whether or not to adopt the new requirements and do so on its own schedule.
If a company is already formally certified or is currently pursuing certification, it is not required to conform to the new requirements straightaway. Though the new standard was published on Sept. 25, 2013, organizations seeking initial certification between now and Oct. 1, 2014, may choose to use either the 2005 or 2013 version of the standard. Organizations seeking recertification have one additional year, until Oct. 1, 2015, to become fully compliant with the 2013 standard.
The changes to ISO 27001 are reasonable adaptations to the changing reality of information security. Fortunately, organizations seeking formal certification under the standard have a generous amount of time to update security controls, revise any required documentation and seek certification under the updated program.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.