8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013
A new version of ISO 27001 has been issued and you have been tasked with updating your company’s
ISO 27001 program from 2005 to 2013… What does that mean and how should you get started? We
have broken down the steps necessary to bring your current Information Security Management System
(“ISMS”) that utilizes ISO 27001:2005 to the newest version. The timeline for transition depends on the
current state of the ISMS, so here is a breakdown of deadlines for transition:
• New Implementations
  o Can be performed using ISO/IEC 27001:2005 until October 1, 2014
• Transition
  o Can be performed (2005 to the 2013 standard) until October 1, 2015
• Complete Transition
  o After October 1, 2015 all new certifications are required to use the 2013 standard
There is no better time than the present to get started!
Why was the standard revised?
  o There have been over 17,000 certificates issued around the world, generating relevant
    experience and knowledge
  o To address new organizations and technology (e.g. outsourcing, cloud computing, etc.)
  o To comply with the ISO/IEC directive to align with a common structure for management system
    standards
  o To simplify compliance for organizations that are certified with more than one
    management system (e.g. ISO 9001, etc.)
Highlights and key differences:
  o Realignment of the management system requirements
  o Internal and external issues, requirements, needs and expectations
  o Risk owners
  o Documentation requirements
  o Effectiveness measurement requirements
  o Statement of Applicability (SoA) framework
  o Controls Annex A realignment
©2014 A-lign. All Rights Reserved.
Main 7 clauses include:
  o 4: Context of the organization
  o 5: Leadership
  o 6: Planning
  o 7: Support
  o 8: Operation
  o 9: Performance evaluation
  o 10: Improvement
Step 1 – Context of the organization
• Understanding the organization and its context:
  o The key is determining what the intended outcome of the ISMS is to the organization.
  o Determine the mission of the organization (if it has not already been determined).
  o How does the mission relate to information security, governance and compliance?
• Understanding the needs and expectations of interested parties:
  o Determine what is relevant to the ISMS, such as:
     Contracts
     Laws or regulations
     Internal interests
     Any additional external interests
• Determining the scope of the ISMS:
  o The scoping is required to be much more detailed in the latest version. The standard
    provides requirements to include for the context of the organization and interested
    parties:
     Include any vendors or contracts that reduce the scope.
     Include any areas that are under the primary business requirements.
     Include interfaces and dependencies between activities performed by the
      organization and those that are performed by other organizations.
  o Additionally, the scoping requires very defined boundaries to be laid out. Items to
    consider:
     Firewalls and network diagrams
     Physical facilities
     Network segments
     Descriptions of how data is received / processed, the systems used for data
      entry, how data output is produced and the systems used
Step 2 – Leadership
• Leadership (“top management”) is what drives the implementation / administration /
  maintenance / improvement process of the ISMS.
  o Maintain accountability of the ISMS
  o Ensure that the ISMS achieves its intended outcome(s)
  o Direct and support persons to contribute to the effectiveness of the ISMS
  o Communicate the importance of conforming to the ISMS requirements
• The ISMS Policy is no longer required.
  o There does need to be an overarching information security policy, as this is a
    requirement in clause 5.2
  o Include the objectives of the framework
  o Allow for the dissemination to all interested parties, including:
     Contract holders
     Vendors
     Contractors/third parties
     All internal personnel
  o Show commitment to the ISMS
  o Show commitment to the improvement of the ISMS
Step 3 – Planning
• The 2013 standard no longer calls out all the necessary requirements for performing risk
  assessments (i.e. identify assets, threats, vulnerabilities, etc.), but instead gives the
  owner(s) of the ISMS more control to determine the best approach when performing the
  information security risk assessment.
  o Risks should be tied to loss of confidentiality, integrity, or availability of information
    within the scope of the ISMS.
  o Utilizing risks associated with assets is still an acceptable method.
  o Identification of assets, vulnerabilities, and threats is no longer called out.
  o You should identify risks to the organization with a means to quantify (numeric, color
    scheme, etc.) them.
  o Finally, you need to analyze all third party vendors, contractors, and outsourced
    resources as part of the risk assessment approach.
     Determining the risk associated with these parties is critical.
     Breaches resulting from lack of due care and due diligence on third parties and
      vendors should always be a consideration.
• Risk Treatment
  o Determine all controls necessary to implement risk treatment options (they can be designed as
    required or identified from any source)
  o Compare the controls identified to those in Controls Annex A and produce the SoA (an update
    is necessary when conforming to the Controls Annex A for 2013)
     Must justify why controls are included or not included
     Need to justify with an explanation
  o Formulate the risk treatment plan and obtain risk owner approval
Step 4 – Support
• Resources
  o Required to be determined and provided
• Competence
  o Determine necessary competence
  o Ensure that persons are competent based on education, training, or experience
  o Take actions to acquire the competence level needed
• Awareness
  o Persons are required to be aware of the information security policy, their contribution to
    the effectiveness of the ISMS, and the implications of not conforming with the ISMS
    requirements.
• Communication
  o The ability to communicate, internally and externally, the requirements related
    to the internal audit, risk assessment, review of documentation, and metrics monitoring
    is vital to the success of the ISMS
  o Internal and external communication relevant to the ISMS:
     What to communicate
     When to communicate
     With whom to communicate
     Who will communicate
     The processes by which communications will be effected
• Documented information
  o Definition, availability and maintenance
Step 5 – Operation
• Operation planning and control
  o Processes needed to meet information security requirements
  o Actions necessary to address information security risk
  o Plans to achieve the information security objectives
• Information security risk assessment (described in Step 3)
  o Perform at planned intervals or when significant changes are proposed or occur
  o Allow for upper management to continue to review the risk assessment and be the risk
    owners
• Information security risk treatment (described in Step 3)
  o Implement the information security risk treatment plan
Step 6 – Performance Evaluation
• Internal audits and management reviews need to be conducted at least annually and, as in the
  2005 standard, management reviews need to capture internal audit results, prior
  nonconformities, etc. to ensure ISMS effectiveness measurement
• Monitoring, measurement, analysis, and evaluation
  o Information security performance and effectiveness should include:
     What needs to be monitored and measured
     The methods for monitoring, measurement, analysis and evaluation
     When the monitoring and measurement are performed
     Who will perform the monitoring and measurement activities
     When the results will be analyzed and evaluated
     Who will perform the evaluation and analysis
• Internal audit
  o Plan, establish, implement and maintain an audit program
  o Define audit criteria and scope
  o Select auditors and conduct audits to ensure objectivity (some type of independence)
  o Report the audit results to relevant management
• Management review
  o Top management performs at planned intervals (at least annually)
  o Similar required inputs and outputs
Step 7 – Improvement
• The 2013 standard has changed to no longer separate preventive and corrective actions; each
  is treated as action necessary to ensure continual improvement of the ISMS
  o Nonconformity and corrective action
     React to the nonconformity
     Evaluate the need for action and implement needed action
     Review the effectiveness of corrective action and make changes to the ISMS as
      necessary
• Continual improvement
  o Continually improve the suitability, adequacy, and effectiveness of the ISMS
Step 8 – Controls annex
• There are minor changes between the documentation in the ISMS and Annex A Controls.
  o Number of domains grew from 11 to 14
  o Number of controls dropped from 133 to 114
• These changes, removals, and additions will mainly affect the SoA.
  o Changes include the following:

    #    | Version 2005                                                  | Version 2013
    A5   | Security policy                                               | Information security policies
    A6   | Security organization                                         | How information security is organized
    A7   | Asset management                                              | Human resources security
    A8   | Human resources security                                      | Asset management
    A9   | Physical and environmental security                           | Access control and managing user access
    A10  | Communications and operations management                      | Cryptographic techniques
    A11  | Access control                                                | Physical security of the organization’s sites and equipment
    A12  | Information systems acquisition, development, and maintenance | Operational security
    A13  | Information security incident management                      | Secure communications and data transfer
    A14  | Business continuity management                                | Secure acquisition, development and support for information systems
    A15  | Compliance                                                    | Security for suppliers and third parties
    A16  | N/A                                                           | Information security incident management
    A17  | N/A                                                           | Information aspects of business continuity
    A18  | N/A                                                           | Compliance

  o Controls that have been removed include:
 A.6.1.1 Management commitment to information security
 A.6.1.2 Information security coordination
 A.6.1.4 Authorization process for information processing facilities
 A.6.2.1 Identification of risks related to external parties
 A.6.2.2 Addressing security when dealing with customers
 A.10.2.1 Service delivery
 A.10.7.4 Security of system documentation
 A.10.10.2 Monitoring system use
 A.10.10.5 Fault logging
 A.11.4.2 User authentication for external connections
 A.11.4.3 Equipment identification
 A.11.4.4 Remote diagnostic and configuration port protection
 A.11.4.6 Network connection control
 A.11.4.7 Network routing control
 A.10.8.5 Business information systems
 A.11.6.2 Sensitive system isolation
 A.12.2.1 Input data validation
 A.12.2.2 Control of internal processing
 A.12.2.3 Message integrity
 A.12.2.4 Output data validation
 A.12.5.4 Information leakage
 A.15.1.5 Prevention of misuse of information processing facilities
 A.15.3.2 Protection of information systems audit tools
  o Added controls include:
 A.6.1.5 Information security in project management
 A.12.6.2 Restrictions on software installation
 A.14.2.1 Secure development policy
 A.14.2.5 Secure system engineering principles
 A.14.2.6 Secure development environment
 A.14.2.8 System security testing
 A.15.1.1 Information security policy for supplier relationships
 A.15.1.3 Information and communication technology supply chain
 A.16.1.4 Assessment of and decision on information security events
 A.16.1.5 Response to information security incidents
 A.17.2.1 Availability of information processing facilities
Overall, there are some significant changes to ISO 27001 in the newest 2013 edition. However, there is
nothing that is a great stretch for an organization that has a successful ISMS already operating. The
changes in 2013 provide better clarity with existing requirements in the standard and include some
additional requirements around our evolving world of technology.
Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the
information security program in your organization.