ISO27001:2013 – The new information security standard published

Add to: Digg Add to: Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Tuesday October 29, 2013 at 9:00am

At last the new information security standard - ISO27001: 2013 has been published in the UK by British Standards. This was a much awaited Standard, as the previous version, the 2005 model, was starting to show its age.

So what has changed? The new Standard now has ten headings, with some more business focused issues such as; ‘Organizational Context and Stakeholders’, ‘Leadership’, ‘Resources’, ‘Communication and Awareness’ and ‘Objective Setting’.

If we juxtapose the new ISO27001: 2013 against ISO9001: 2008 we can see there is some similarity. Clear responsibilities, communications, resources, objectives and targets and effective implementation and measurement to verify effectiveness, all feature heavily.

In my view this Standard allows for easier integration with other business models, which is indeed the idea of PAS99, the integrated management certificate. Any organisation that holds registration to other Standards, will see how the higher level processes may be mutually congruent.

In addition to the changes at the higher level there are the addition of eleven new controls which are transferred to Annex A again of the Standard.

Some interesting new elements are:

  • Information security in project management
  • Secure development policy
  • Information security policy for supplier relationship
  • Information & communication technology supply chain issues

The number of overall controls has reduced down to 114 and they are now grouped around 14 headings. The old ISO27001: 2005 having 133 controls in total.

Researching other scholarly articles on the subject, various authors confirm that the new Standard is designed to be aligned with other Standards in force. Indeed it is anticipated that ISO9001: 2015 will be more ‘risk focused’ not to the same degree of ISO27001: 2013 but promoting ‘risk / threat’ issues.

BSI has announced its transition programme for organizations holding existing registrations. All others will follow suit aligning with UKAS guidance on transfer periods.

In all a much more rounded standard I think, less fragmented in its lexicon and easier for non IT practitioners to digest. Hopefully it will stir business managers to embrace the wise concepts of information security to safeguard their biggest asset: data!

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here