ISO 27001:2013
The 2013 version of ISO 27001 was published at the end of September 2013,
replacing the 2005 version. In the intervening 8 years, the use of IT,
threats to information security, tools, methods etc. have changed
enormously, and the Standard therefore needed to be brought up to date.
The changes themselves are relatively minor, which is a tribute to the farsightedness and expertise of those who wrote the 2005 standard.
Like the 2005 version, ISO 27001:2013 comprises a set of mandatory
requirements and an Annex defining a set of ‘controls’
(reduced to 114 from 133), some of which organisations
can designate as ‘not applicable’.
ISO 27002:2013 is the ‘Code of Practice’ which provides detailed guidance on each control listed in the Annex.
The Standard and Code of Practice are available from BSI and ISO as well as other sources.
The BSI website also includes additional guidance on the changes.
The main changes are as follows:
- The mandatory clauses now follow a structure (defined in ISO ‘Annex SL’) which will become common to all international standards for management systems.
- The Plan-Do-Check-Act model is no longer mandatory although a method for continual improvement is still fundamental (and required).
- There is more flexibility on how to conduct the risk assessment although the importance of the risk assessment now has more emphasis.
- The requirements for objectives and measurement are more detailed.
Organisations that already have a 2005 certificate have until 1 October to
transition to the 2013 standard. Most Certification Bodies are proposing
that transition should be accomplished as part of a periodic assessment
visit (i.e. at no additional cost to the organisation). For those organisations
that have used ISM’s Guide to achieving ISO 27001 certification and/or
followed Pondergrove’s principles of management systems, the transition is
very straightforward. The Statement of Applicability simply needs to be
reorganised to conform to the structure of the 2013 standard. A template is
available from our website.
If you need a username and password, just email us or complete the form below.