There have been a number of influences on the revision. The primary one is the practical experience gained from using the standard, of which there are now over 17,000 registrations worldwide. A further influence is an ISO requirement that all new and revised management system standards conform to a common high-level structure and identical core text, so that all management system standards increasingly look the same. Finally, a decision was made to align ISO/IEC 27001 with the principles and guidance given in ISO 31000 (risk management). There are over fifteen alterations in the revised document, covering concepts, updates and annexes, which makes it a major revision of the 2005 standard.
The main changes from the previous version include the following:
- Change of content/layout to conform with the structure now defined for all future management system standards (Annex SL of the ISO/IEC Directives) – see ISO 22301 for an example. This change introduces a clause on Organisational Context and on understanding the needs and expectations of interested parties.
- Preventive action is replaced by “Actions to address risks and opportunities”.
- Document and Records Control amalgamated into one clause.
- Specific inclusion of outsourcing – very important where the maintenance of IT services is contracted out, or where data is stored remotely by a third-party data centre (cloud storage).
- Emphasis increased regarding setting objectives and monitoring and measuring performance.
In addition, the content of Annex A – the extensive section on control objectives and controls – has changed, with more sections but amalgamation of some controls (the 2013 edition has 14 control sections and 114 controls, against 11 sections and 133 controls in 2005). This will certainly require reviewing and updating any Statement of Applicability, as it covers these controls (or justifies any exclusions).
So although many of the changes are structural, there are also some significant differences in intent, emphasis and content. These will require revision of existing ISO/IEC 27001 Information Security Management Systems (ISMS) and a change of outlook for those intending to implement the standard in the future.
You can purchase a copy of the new Standard from us at a £15 discount by following this link www.penarth.co.uk/bsi-standards-shop.html