8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013
A new version of ISO 27001 has been issued and you have been tasked with updating your company’s ISO 27001 program from 2005 to 2013… What does that mean and how should you get started? We have broken down the steps necessary to bring your current Information Security Management System (“ISMS”) that utilizes ISO 27001:2005 to the newest version. The timeline for transition depends on the current state of the ISMS, so here is a breakdown of deadlines for transition:
New Implementations
- Can be performed using the ISO/IEC 27001:2005 until October 1, 2014
Transition
- Can be performed (2005 to the 2013 standard) until October 1, 2015
Complete Transition
- After October 1, 2015 all new certifications are required to use the 2013 standard
There is no better time than the present to get started!
Why was the standard revised?
- There have been over 17,000 certificates issued around the world generating relevant experience and knowledge
- To address new organizations and technology (i.e. outsourcing, cloud computing, etc.)
- To comply with the ISO/IEC directive to align with a structure of management system standards
- To simplify compliance for organizations that are certified with more than one management system (i.e. ISO 9001, etc.)
Highlights and key differences:
- Realignment of the management system requirements
- Internal and external issues, requirements, needs and expectations
- Risk owners
- Documentation requirements
- Effectiveness measurement requirements
- Statement of Applicability (SoA) framework
- Controls Annex A realignment
Main 7 clauses include:
- 4: Context of the organization
- 5: Leadership
- 6: Planning
- 7: Support
- 8: Operation
- 9: Performance evaluation
- 10: Improvement
Step 1 – Context of the organization
- Understanding the organization and its context:
- The key is determining what the intended outcome of the ISMS is to the organization.
- Determine the mission of the organization (if it has not already been determined).
- How does the mission relate to information security and governance and compliance?
- Understanding the needs and expectations of interested parties:
- Determine what is relevant to the ISMS, such as:
- Contracts
- Laws or regulations
- Internal interests
- Any additional external interests
- Determining the scope of the ISMS:
- The scoping is required to be much more detailed in the latest version. The standard provides requirements to include for the context of the organization and interested parties:
- Include any vendors or contracts that reduce the scope.
- Include any areas that are under the primary business requirements.
- Include interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
- Additionally, the scoping requires very defined boundaries to be laid out. Items to consider:
- Firewalls and network diagrams
- Physical facilities
- Network segments
- Descriptions of how data is received / processed, the systems used for data entry, how data output is produced and the systems used
Step 2 – Leadership
- Leadership (“top management”) is what drives the implementation / administration / maintenance / improvement process of the ISMS
- Maintain accountability of the ISMS
- Ensure that the ISMS achieves its intended outcome(s)
- Direct and support persons to contribute to the effectiveness of the ISMS
- Communicate the importance of conforming to the ISMS requirements
- The ISMS Policy is no longer required.
- There does need to be an overarching information security policy, as this is a requirement in clause 5.2
- Include the objectives of the framework
- Allow for the dissemination to all interested parties, including:
- Contract holders
- Vendors
- Contractors/third parties
- All internal personnel
- Show commitment to the ISMS
- Show commitment to the improvement of the ISMS
Step 3 – Planning
- The 2013 standard no longer calls out all the necessary requirements in performing risk assessments (i.e. identify assets, threats, vulnerabilities, etc.), but now gives the owner(s) of the ISMS more control to determine the best approach when performing its information security risk assessment.
- Risks should be tied to loss of confidentiality, integrity, or availability of information within the scope of the ISMS.
- Utilizing risks associated with assets is still an acceptable method.
- Identification of assets, vulnerabilities, and threats is no longer called out.
- You should identify risks to the organization with a means to quantify (numeric, color scheme, etc.) them.
- Finally, you need to analyze all third party vendors, contractors, and outsourced resources as part of the risk assessment approach.
- Determining the risk associated with these parties is critical.
- Breaches resulting from lack of due care and due diligence on third parties and vendors should always be a consideration.
- Risk Treatment
- Determine all controls necessary to implement risk treatment options (can design as required or identify from any source)
- Compare controls identified to those in Controls Annex A and produce the SoA (update is necessary when conforming to the Controls Annex A for 2013)
- Must justify why controls are included or not included
- Need to justify with an explanation
- Formulate risk treatment plan and obtain risk owner approval
Step 4 – Support
- Resources
- Required to be determined and provided
- Competence
- Determine necessary competence
- Ensure that persons are competent based on education, training, or experience
- Take actions to acquire the competence level needed
- Awareness
- Required to be aware of the information security policy, their contribution to the effectiveness of the ISMS, and implications of not conforming with the ISMS requirements.
- Communication
- The ability to successfully communicate, internally and externally, the requirements related to the internal audit, risk assessment, review of documentation, and metrics monitoring is vital to the success of the ISMS
- Internal and external communication relevant to the ISMS:
- What to communicate
- When to communicate
- With whom to communicate
- Who will communicate
- The processes by which communications will be effected
- Documented information
- Definition, availability and maintenance
Step 5 – Operation
- Operation planning and control
- Processes needed to meet information security requirements
- Actions necessary to address information security risk
- Plans to achieve the information security objectives
- Information security risk assessment (described in Step 3)
- Perform at planned intervals or when significant changes are proposed or occur
- Allow for upper management to continue to review the risk assessment and be the risk owners
- Information security risk treatment (described in Step 3)
- Implement the information security risk treatment plan
Step 6 – Performance Evaluation
- Internal audits and management reviews need to be conducted at least annually and, as in the 2005 standard, management reviews need to capture internal audit results, prior nonconformities, etc. so that the effectiveness of the ISMS is measured
- Monitoring, measurement, analysis, and evaluation
- Information security performance and effectiveness should include:
- What needs to be monitored and measured
- The methods for monitoring, measurement, analysis and evaluation
- When the monitoring and measurement are performed
- Who will perform the monitoring and measurement activities
- When the results will be analyzed and evaluated
- Who will perform the evaluation and analysis
- Internal audit
- Plan, establish, implement and maintain an audit program
- Define audit criteria and scope
- Select auditors and conduct audits in a way that ensures objectivity (some degree of independence from the area being audited)
- Report the audit results to relevant management
- Management review
- Top management performs at planned intervals (at least annually)
- Similar required inputs and outputs
Step 7 – Improvement
- The 2013 standard has changed to no longer separate preventive and corrective actions; each is treated as an action necessary to ensure continual improvement of the ISMS
- Nonconformity and corrective action
- React to the nonconformity
- Evaluate the need for action and implement needed action
- Review the effectiveness of corrective action and make changes to the ISMS as necessary
- Continual improvement
- Continually improve the suitability, adequacy, and effectiveness of the ISMS
Step 8 – Controls annex
- There are minor changes to the Annex A controls relative to the documentation in the ISMS.
- Number of domains grew from 11 to 14
- Number of controls dropped from 133 to 114
- These changes, removals, and additions will mainly affect the SoA.
- Changes include the following:
# / Version 2005 / Version 2013
A5 / Security policy / Information security policies
A6 / Security organization / How information security is organized
A7 / Asset management / Human resources security
A8 / Human resources security / Asset management
A9 / Physical and environmental security / Access control and managing user access
A10 / Communications and operations management / Cryptographic techniques
A11 / Access control / Physical security of the organization’s sites and equipment
A12 / Information systems acquisition, development, and maintenance / Operational security
A13 / Information security incident management / Secure communications and data transfer
A14 / Business continuity management / Secure acquisition, development and support for information systems
A15 / Compliance / Security for suppliers and third parties
A16 / N/A / Information security incident management
A17 / N/A / Information aspects of business continuity
A18 / N/A / Compliance
- Controls that have been removed include:
- A.6.1.1 Management commitment to information security
- A.6.1.2 Information security coordination
- A.6.1.4 Authorization process for information processing facilities
- A.6.2.1 Identification of risks related to external parties
- A.6.2.2 Addressing security when dealing with customers
- A.10.2.1 Service delivery
- A.10.7.4 Security of system documentation
- A.10.10.2 Monitoring system use
- A.10.10.5 Fault logging
- A.11.4.2 User authentication for external connections
- A.11.4.3 Equipment identification
- A.11.4.4 Remote diagnostic and configuration port protection
- A.11.4.6 Network connection control
- A.11.4.7 Network routing control
- A.10.8.5 Business information systems
- A.11.6.2 Sensitive system isolation
- A.12.2.1 Input data validation
- A.12.2.2 Control of internal processing
- A.12.2.3 Message integrity
- A.12.2.4 Output data validation
- A.12.5.4 Information leakage
- A.15.1.5 Prevention of misuse of information processing facilities
- A.15.3.2 Protection of information systems audit tools
- Added controls include:
- A.6.1.5 Information security in project management
- A.12.6.2 Restrictions on software installation
- A.14.2.1 Secure development policy
- A.14.2.5 Secure system engineering principles
- A.14.2.6 Secure development environment
- A.14.2.8 System security testing
- A.15.1.1 Information security policy for supplier relationships
- A.15.1.3 Information and communication technology supply chain
- A.16.1.4 Assessment of and decision on information security events
- A.16.1.5 Response to information security incidents
- A.17.2.1 Availability of information processing facilities
Overall, there are some significant changes to ISO 27001 in the newest 2013 edition. However, there is nothing that is a great stretch for an organization that has a successful ISMS already operating. The changes in 2013 provide better clarity with existing requirements in the standard and include some additional requirements around our evolving world of technology.
Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the information security program in your organization.
©2014 A-lign. All Rights Reserved.