ISO 27001 2013 Changes. An ISO Consultant Advises on How They Affect Your Business
ISO standards are all reviewed and updated every few years and ISO 27001 is no exception.
Changes affecting many of the Management System Standards over the next few years fall into two categories:
1) Format, Integrated Systems, and Annex SL. The layout, or configuration, of the standards is changing to bring them into line with Annex SL, previously known as ISO Guide 83. ISO committees follow this when preparing standards, and it now encourages all Management System Standards to follow a common, simplified configuration, making integrated systems easier to produce. So, if you want to stay out of trouble with your certification body, it’s best to amend the structure of your own documents to reflect this configuration. If you don’t, then at every certification visit you are probably going to have to explain why. ISO 27001 has already been changed in this way, but ISO 9001, ISO 14001 and OHSAS 18001 are all going to be affected in the next couple of years, so you might as well get used to the restructuring!
2) Content and Requirements. These are also changing, and will need to be addressed if you want to stay compliant. For ISO 27001:2013 these changes are:
a. Context of the Organisation (4) – Paragraphs 4.1 and 4.2, which cover defining your organisation and its context, and the needs and expectations of interested parties, have been amended. The changes are a little cryptic, and personally I can’t see many major non-compliances arising from them.
b. Leadership (5) – The Leadership and Commitment section has been amended. Again, I think compliance with the newly worded section requires simple rewording, rather than changing any of the implemented processes.
c. Planning (6) – The paragraphs referring to risk assessment and treatment, and to security objectives and how you plan to meet them, have been amended. Such changes will need to be reflected in the risk assessment process you use; a significant change is that the standard no longer mandates that risk assessments be based on asset, threat and vulnerability.
d. Communication (7) – A communication section has been added. This is similar to the communication section of ISO 14001 and similar standards, and although it is a new requirement, most companies will probably have already addressed many of its requirements.
e. Operations (8) – The need to repeat risk assessments when necessary has been clarified, but this isn’t really a new requirement, as repeating them following significant change was already essential under the 2005 version of the standard.
f. Performance Evaluation (9) – The monitoring, measurement, analysis and evaluation requirements have been amended, and now introduce measurement of the “effectiveness” of the implemented security controls. I can see this being a change which will cause much debate and controversy during surveillance visits!
g. Annex A – The number of sections has increased from 11 to 14, although the number of controls has decreased from 133 to 114. The 114 includes 11 new controls. Responding to the individual controls will be a fairly tedious job, but at least the overall number is moving downwards!
As ever, if you need clarification or advice, please get in touch. I have significant experience in the telecoms/IT industries, especially in relation to ISO 27001, so you’re more than welcome to drop me a line.
Written by Colin Brown of ISO Consultants