8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013

8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013

A new version of ISO 27001 has been issued and you have been tasked with updating your company’sISO 27001 program from 2005 to 2013… What does that mean and how should you get started? We have broken down the steps necessary to bring your current Information Security Management System (“ISMS”) that utilizes ISO 27001:2005 to the newest version. The timeline for transition depends on the current state of the ISMS, so here is a breakdown of deadlines for transition:

New Implementations

Can be performed using the ISO/IEC 27001:2005 until October 1, 2014

Transition

Can be performed (2005 to the 2013 standard) until October 1, 2015

Complete Transition

After October 1, 2015 all new certifications are required to use the 2013 standard

There is no better time than the present to get started!

Why was the standard revised?

There have been over 17,000 certificates issued around the world generating relevant experience and knowledge
To address new organizations and technology (i.e. outsourcing, cloud computing, etc.)
To comply with the ISO/IEC directive to align with a structure of management system standards
To simplify compliance for organization that are certified with more than one management system (i.e. ISO 9001, etc.)

Highlights and key differences:

Realignment of the management system requirements
Internal and external issues, requirements, needs and expectations
Risk owners
Documentation requirements
Effectiveness measurement requirements
Statement of Applicability (SoA) framework
Controls Annex A realignment

Main 7 clauses include:

4: Context of the organization
5: Leadership
6: Planning
7: Support
8: Operation
9: Performance evaluation
10: Improvement

Step 1 – Context of the organization

Understanding the organization and its context:
The key is determining what the intended outcome of the ISMS is to the organization.
Determine the mission of the organization (if it has not already been determined).
How does the mission relate to information security and governance and compliance?
Understanding the needs and expectations of interested parties:
Determine what is relevant to the ISMS, such as:
Contracts
Laws or regulations
Internally interests
Any additional external interests
Determining the scope of the ISMS:
The scoping is required to be much more detailed in the latest version.The standardprovides requirements to include for the context of the organization and interested parties:
Include any vendors or contracts that reduce the scope.
Include any areas that are under the primary business requirements.
Include interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
Additionally, the scoping requires very defined boundaries to be laid out. Items to consider:
Firewalls and network diagrams
Physical facilities
Network segments
Descriptions of how data is received / processed, the systems used for data entry, how data output is produced and the systems used

Step 2 – Leadership

Leadership (“top management”) is what drives the implementation / administration / maintenance / improvement process of the ISMS
Maintain accountability of the ISMS
Ensure that the ISMS achieves its intended outcome(s)
Direct and support persons to contribute to the effectiveness of the ISMS
Communicate the importance of conforming to the ISMS requirements
The ISMS Policy is no longer required.
There does need to be an overarching information security policy,as this is a requirement in clause 5.2
Include the objectives of the framework
Allow for the dissemination to all interested parties, including:
Contract holders
Vendors
Contractors/third parties
All internal personnel
Show commitment to the ISMS
Show commitment to the improvement of the ISMS

Step 3 – Planning

The 2013 standard no longer calls out all the necessary requirements in performing risk assessments (i.e. identify assets, threats, vulnerabilities, etc.), but now gives more control with the owner(s) of the ISMS to determine the best approach when performing its information security risk assessment.
Risks should be tied to loss of confidentiality, integrity, or availability of information within the scope of the ISMS.
Utilizing risks associated with assets is still an acceptable method.
Identification of assets, vulnerability, and threats are no longer called out.
You should identify risks to the organization with a means to quantify (numeric, color scheme, etc.) them.
Finally, you need to analyze all third party vendors, contractors, and outsourced resources as part of the risk assessment approach.
Determining the risk associated with these parties is critical.
Breaches resulting from lack of due care and due diligence on third parties and vendors should always be a consideration.
Risk Treatment
Determine all controls necessary to implement risk treatment options (can design as required or identify from any source)
Compare controls identified to those in Controls Annex A and produce the SoA (update is necessary when conforming to the Controls Annex A for 2013)
Must justify why controls are included or not included
Need to justify with an explanation
Formulate risk treatment plan and obtain risk owner approval

Step 4 – Support

Resources
Required to be determined and provided
Competence
Determine necessary competence
Ensure that persons are competent based on education, training, or experience
Take actions to acquire the competence level needed
Awareness
Required to be aware of the information security policy, their contribution to the effectiveness of the ISMS, and implications of not conforming with the ISMS requirements.
Communication
The ability to successfully communicate internally and externally requirements related to the internal audit, risk assessment, review of documentation, and metrics monitoring is vital to the success or failure of the ISMS
Internal and external communication relevant to the ISMS:
What to communicate
When to communicate
With whom to communicate
Who will communicate
The processes by which communications will be effected
Documented information
Definition, availability and maintenance

Step 5 –Operation

Operation planning and control
Processes needed to meet information security requirements
Actions necessary to address information security risk
Plans to achieve the information security objectives
Information security risk assessment (described in Step 3)
Perform at planned intervals or when significant changes are proposed or occur
Allow for upper management to continue to review the risk assessment and be the risk owners
Information security risk treatment (described in Step 3)
Implement the information security risk treatment plan

Step 6– Performance Evaluation

Internal audits and management reviews need to be conducted at least annually and, as in the 2005 standard, management reviews need to capture internal audit results, prior nonconformities, etc. to ensure ISMS effectiveness measurement
Monitoring, measurement, analysis, and evaluation
Information security performance and effectiveness, should include:
What needs to be monitored and measured
The methods for monitoring, measurement, analysis and evaluation
When the monitoring and measurement are performed
Who will perform the monitoring and measurement activities
When the results will be analyzed and evaluated
Who will perform the evaluation and analysis
Internal audit
Plan, establish, implement and maintain an audit program
Define audit criteria and scope
Select auditors and conduct audits to ensure objectivity (some type of independence)
Report the audit results to relevant management
Management review
Top management performs at planned intervals (at least annually)
Similar required inputs and outputs

Step 7–Improvement

The 2013 standard has changed to no longer separate preventative and corrective actions; each are treated as action necessary to ensure continual improvement of the ISMS
Nonconformity and corrective action
React to the nonconformity
Evaluate the need for action and implement needed action
Review the effectiveness of corrective action and make changes to the ISMS as necessary
Continual improvement
Continually improve the suitability, adequacy, and effectiveness of the ISMS

Step 8 – Controls annex

There are minor changes between the documentation in the ISMS and Annex Controls.
Number of domains grew from 11 to 14
Number of controls dropped from 133 to 114

These changes, removals, and additions will mainly affect the SoA.
Changes include the following:

# / Version 2005 / Version 2013
A5 /

Security policy

Information security policies

A6 /

Security organization

How information security is organized

A7 /

Asset management

Human resources security

A8 /

Human resources security

Asset management

A8 /

Physical and environmental security

Access control and managing user access

A10 /

Communications and operations management

Cryptographic techniques

A11 /

Access control

Physical security of the organization’s sites and equipment

A12 /

Information systems acquisition, development, and maintenance

Operational security

A13 /

Information security incident management

Secure communications and data transfer

A14 /

Business continuity management

Secure acquisition, development and support for information systems

A15 /

Compliance

Security for suppliers and third parties

A16 / N/A /

Incident security incident management

A17 / N/A /

Information aspects of business continuity

A18 / N/A /

Compliance

Controls that have been removed include:
A.6.1.1 Management commitment to information security
A.6.1.2 Information security coordination
A.6.1.4 Authorization process for information processing facilities
A.6.2.1 Identification of risks related to external parties
A.6.2.2 Addressing security when dealing with customers
A.10.2.1 Service delivery
A.10.7.4 Security of system documentation
A.10.10.2 Monitoring system use
A.10.10.5 Fault logging
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.6 Network connection control
A.11.4.7 Network routing control
A.10.8.5 Business information systems
A.11.6.2 Sensitive system isolation
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.5.4 Information leakage
A.15.1.5 Prevention of misuse of information processing facilities
A.15.3.2 Protection of information systems audit tools
Added controls include:
A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities

Overall, there are some significant changes to ISO 27001 in the newest 2013 edition. However, there is nothing that is a great stretch for an organization that has a successful ISMS already operating. The changes in 2013 provide better clarity with existing requirements in the standard and include some additional requirements around our evolving world of technology.

Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the information security program in your organization.