A new version of the ISO/IEC 27001 information security management standard has been released. According to a cyber-security consultancy, it will speed and simplify the process for organisations to protect their information assets through international best practice.
IT Governance says that it has helped hundreds of organisations with ISO 27001 since the standard’s launch in 2005. The company says the 2013 version, released in the UK by the British Standards Institute (BSI, www.bsigroup.co.uk), eliminates several hurdles that have dissuaded some, including small firms, from adopting the standard.
Alan Calder, Founder and Executive Chairman of IT Governance, says: “ISO 27001 is simply the best protection available for organisations wanting to secure their information assets within a best practice framework. Well over 17,500 organisations around the world have discovered the benefits of being certified, including peace of mind for management and reassurance for customers. The 2013 update will make it much simpler and more attractive for a wider range of organisations to sign up, which is not only good business sense but also supports the government’s cyber security strategy.”
The IT firm says that the 2013 update increases the attractiveness of the standard. ISO 27001:2013 ihas greater focus upon the individual needs and context of an organisation. Many organisations considering ISO 27001 may already have various risk controls in place, which are dictated by particular functional, contractual and regulatory demands. Through the 2013 update, the standard now accepts these existing controls as the ‘baseline’ to which any required controls can simply be added.
Calder says: “One argument some boards have heard is that ISO 27001 is too costly to adopt because a separate, dedicated structure of ISO 27001 risk controls would need to operate in parallel with the organisation’s existing controls. While this argument has seldom been convincing, the updated standard eliminates this objection at a stroke by explicitly making your existing controls the foundation for your ISO 27001 compliance programme. Furthermore, the standard no longer requires that you use the Plan, Do, Check, Act, or ‘PDCA’, methodology when implementing ISO 27001. If your organisation instead prefers using, for example, ITIL for process implementations, that’s now absolutely fine. The key thing is to demonstrate what you have done – how you do it is your concern, which should be widely welcomed, especially in larger organisations.”
Calder points to ISO 27001:2013’s a clearer delineation between the role of the board and management.
Calder says: “The standard now more clearly recognises that the board’s role is governance: giving direction to management on requirements, monitoring how those requirements are met but not becoming involved in the minutiae of programme implementation. This clarification is part of the maturing of the standard.”
The third area welcomed by IT Governance concerns the standard’s risk assessment process, which SMEs may now find more intuitive and quicker to accomplish.
Calder says: “Organisations will now have the option to jump straight to detailing the risks they face, and how these risks should be controlled, without first needing to break down threats, vulnerabilities and impact by individual asset. While an asset-based approach is still permitted and can achieve more rigorous protection, organisations that may have been deterred by this workload are now accommodated within the standard.
“Well beyond a general tightening up of the standard, this update makes ISO 27001 more flexible, company-friendly and readily implemented. The high level of uptake for ISO 27001:2005 proves the world needs this sort of best practice guidance on information security management. Now the scope of the standard has been widened to encourage many more organisations to get on board and derive the benefits of compliance.”
Organisations already compliant with ISO 27001:2005 may have a transition period of 12 to 18 months to meet requirements for the updated standard. Visit www.itgovernance.co.uk
Alan Calder, a founder director of IT Governance, is author of The Case for ISO 27001 (2013) second edition (120 pages). And Steve G Watkins who leads the consultancy and training services of IT Governance is author of An Introduction to Information Security and ISO 27001 (2013) A Pocket Guide, second edition (56 pages). You can buy both paperback at the IT Governance website.
