Updating 27001:2005 to the 27001:2013 revision

By now nearly everyone in the industry knows about the ISO/IEC 27001:2013 Standard and the supporting Code of Practice document ISO/IEC 27002:2013. Both were developed through consensus of the international community with a membership of over 47 national standards bodies. ISO/IEC 27001 is one of the fastest growing management system standards used around the globe.

According to the International Organization for Standardization’s ISO Survey 2012, at the end of 2012 the ISO/IEC 27001:2005 accredited certificates issued worldwide nearly reached 20,000 in total in 100 countries. Since 2006 the number of certificates issued has increase by double digits each year, with the 2009 jump of 40% over 2008 being the largest year over year increase.

The transition period has begun and many organizations haven’t started to think and plan about the new standard, as the existing certification is still valid. If your existing certificate expires after September 25th, 2015, you will be verified for compliance against the revision. If your certificate expires prior to September 25th, 2015, then you must upgrade to the revised certificate and comply for certification. We have put together a top 5 summary of the changes in the revision:

1. The new standard has been revised based on experience and feedback from user over the last 8 years. In comparison, the new one is more flexible, easier to use, up to date with technology trends and efficient to apply.
2. The new standard takes into account new technologies, such as cloud based services, that are not addressed in the old standard and references to obsolete technology have been removed.
3. The new standard is more in line with other standards in particular ISO 9001, making the deployment and compliance with additional standards easier and more congruent.
4. The time period for organizations to transition to the revised standard is reasonable, but there is a due date.
5. The GAP analysis and/or risk assessment and risk treatment should be performed as new for the revised standard, even though the old standard‘s analysis and treatment is still applicable. By performing new assessments, you will get a fresh perspective on the whole of your risk management strategy for the information security management system.

One important improvement is that the revised standard is much easier to comply with for small organizations. The changes also take into account for the landscape of a small organizations to utilize third party vendors in order to operate on a larger scale. One thing small to medium organizations often lack is the resources to hire outside consultants to aid in the ISMS procedures updates the revised standard requires to re-certify. Here are a few simple best practices we have been prescribing to our clients as we begin assisting the process to update ISMS risk management procedures and documents:

• Outline the process in advance before beginning to take the steps for the certification.
• Provide a clear direction by establishing a road map with a timeline for all team members to follow.
• A ‘no brainer’ is to understand the changes made and how each change pertains to your organizations everyday operations.
• Clearly identify the items that will take more time to update or create, in order to allow the appropriate people enough time to complete the required implementations.
• Define specific dates for completion of the tasks involved for the entire team and the follow up dates to double check the work completed. Allow enough time prior to the audit for any modifications or remedies necessary to ensure compliance is met by the deadline.

We are interested in your comments and best practices to share with others beginning the process of re-certification against the ISO/IEC 27001:2013 revision. You can reach us at info@riskmanagementstudio.com or post your comments below. RM Studio has been assisting SMEs on a global scale to certify and maintain compliance to the ISO 27001 since 2005.