The New ISO 27001 Standard: Some FAQs – From IT Governance
Some useful information on the new standard from IT Governance. Other “green papers” are also available at http://www.itgovernance.co.uk/green-papers.aspx
What are the timescales to re-certify from 2005 to 2013 for ISO27001?
The transition of certification from the 2005 to 2013 version of the standard will be determined by each Certification Body separately once they are clear on when they are likely to transition themselves.
Would you advise an organisation to go directly for the 2013 certification even if it is ready to be certified to the 2005 version, or is it advisable to go for 2005 certification and then transition to 2013?
We recommend you proceed to certification based on the 2005 version, as this is the fastest route to accredited certification. Given the uncertainty about when accredited certification to the 2013 version will be available, the 2005 version remains the quickest route.
Is an Information Security Management System (ISMS) Policy still required or is it just the Information Security Policy which is required?
The specification only requires an Information Security Policy, not an ISMS policy. Some ISO27001:2005-compliant scope statements may need addressing in order to provide reassurance that they meet the requirements of the new version. The policy statement will also need reviewing to align with any revisions to the scope statement.
What are the new mandated documents?
• Scope (4.3)
• Information security policy (5.2 e)
• Information security risk assessment process (6.1.2)
• Information security risk treatment process (6.1.3)
• Information security objectives (6.2)
• Evidence of competence (7.2)
• The organization’s information security management system shall include: documented information determined by the organization as being necessary for the effectiveness of the information security management system (7.5.1 b)
• The extent necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
• The results of information security risk assessments (8.2)
• The results of information security risk treatment (8.3)
• Evidence of the information security performance monitoring and measurement results (9.1)
• Internal audit programme(s) and the audit results (9.2 g)
• Evidence of the results of management reviews (9.3)
• Evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective actions (10.1)
Does ISO/IEC 27001:2013 allow you to use your own risk treatment methodology?
Yes; however, you will need to compare the controls you have selected against those in Annex A to ensure that none have been missed. The risk assessment no longer has to be asset based. The risk assessment and risk treatment plan are aligned to ISO31000, and the risk owner determines how to treat the risk.
Is it mandatory to update the qualification for lead implementer?
All implementers will need to refresh their knowledge of the new, revised requirements of the ISO27001:2013 version; whether this is done by updating ISO 27001 qualifications is a matter for the individual and their employer. Auditors will want to be able to demonstrate their competence in relation to the 2013 version, so an updated qualification would be advisable for them.