New version of ISO/IEC 27001 to better tackle IT security risks
We spoke to Edward Humphreys, Convener of the working group responsible for the development and maintenance of ISO/IEC 27001, to find out how the revision is going to affect you, the standard user.
What are the major benefits of the new edition?
We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005. The idea is to provide a more flexible, streamlined approach, which should lead to more effective risk management.
We have also made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today’s risks, namely identity theft, risks related to mobile devices and other online vulnerabilities.
Finally, the new ISO/IEC 27001 has been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easy option.
What are the benefits of modifying the new ISO/IEC 27001 to fit the new high level structure for management system standards?
Aligning ISO/IEC 27001 to the new structure will help organizations wanting to implement more than one management system at a time. The similarity in structure between the standards will save organizations money and time as they can adopt integrated policies and procedures.
For example, an organization might want to integrate its information security management system (ISO/IEC 27001) with other management systems such as business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).
What is the next step in the revision process?
The revision of the 2005 edition is now at the FDIS (Final Draft International Standard) stage. This will be completed in early September after which any typographical edits will be made ready for the expected launch in October. At this point the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.
I am certified to ISO 27001:2005. What will this revision mean for me?
Organizations certified to the 2005 edition of the standard will need to upgrade their information security management system to comply with the requirements of the new edition of the standard. The transition period for upgrading has not yet been decided but it is likely to be two years from when the new edition is published.
How much effort will it take to go from the old version to the new version?
Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps as it means the effort required can be part of a staged work program and integrated into continual improvement activities and planned surveillance audits.
Article Credits: ISOorg