The New ISO/IEC 27001 for the Modern Enterprise Information Environment
Industrial espionage, identity theft, customer data exposure, theft of company data, network attacks, malware, and more are all risks that a company's information security policy and management system must address. Security breaches are more common than most people realise, and because of the connectivity gained through the Internet, every company that uses the Internet, email, or any form of electronic storage or communication is exposed to the risk of a data security breach.
ISO 27001 was first published as ISO/IEC 27001:2005 specifically to address the above issues. Implementing and complying with the standard helps companies to improve productivity, as fewer disruptions of information flow (whether from internal or external threats) are experienced. At the same time, the cost of coordinating data security and the risk of data breaches are significantly reduced. Customers gain confidence in sharing their personal data with the company because they know that it takes the necessary steps to prevent accidental or intentional unauthorised access to, deletion of, or sharing of their information. Shareholders and business partners enjoy the same benefits of data protection.
Compliance with ISO/IEC 27001 enables the enterprise to improve its information security throughout the organisation on an ongoing basis. The risks are identified and addressed and where breaches occur, controls are in place to minimise impact on the organisation and its customers. In addition, the leadership role requirement ensures that top-level management becomes involved in the policy settings. Accountability is increased throughout the organisation.
Due to changes in information technology over the last decade, it became necessary to rewrite the original ISO 27001. The new version was published in 2013, and "revision" is perhaps not the correct term for the changes. The standard underwent a complete revamp and now follows the common high-level structure (Annex SL) shared by the other revised ISO management system standards. This makes implementation and management easier, as managers already familiar with the other updated ISO standards recognise similar principles such as document control, requirements for management reviews, and more.
Who is the Publisher?
You will have noticed that the standard is not called ISO 27001, but rather ISO/IEC 27001. The reason is that the ISO and the IEC (International Electrotechnical Commission) co-publish the standard. They formed a joint technical subcommittee for its development and publication, ISO/IEC JTC 1/SC 27. The standard specifies the requirements for an information security management system (ISMS) that can be operated alongside other ISO management system standards.
The standard consists of a number of clauses and an annex. The clauses cover the scope, normative references, terms and definitions, the context of the organisation, leadership (top-level support for the information security policy), planning of the ISMS, support, operation, performance evaluation, and improvement. The annex (Annex A) consists of a comprehensive list of controls. Note that the 2005 version had three annexes whereas the new version has only one. More focus is placed on measurement and evaluation of the system's performance, with explicit consideration for outsourced processes. This is in line with modern practice, where many companies outsource part or all of their IT function.
Whereas the 2005 version was built explicitly around the Plan-Do-Check-Act cycle, the new version does not mandate a particular model and instead accepts any approach that supports continual improvement. The context within which the enterprise operates is now also a formal requirement, since the information environment has changed considerably over the past few years. New controls have been introduced, such as information security in project management, system security testing, assessment of and response to information security incidents, and a secure development policy, to name but a few. The number of controls has been reduced from 133 to 114, grouped under 35 control objectives. Access control, communications security, asset management, information security policies, human resource security, cryptography, and supplier relationships are among the groups of controls.
The top-down approach of ISO 27001 helps to ensure executive management involvement in the implementation and management of the compliant ISMS. The enterprise must clearly define its information security policy and the scope of the ISMS, after which a thorough risk assessment must be completed to identify and evaluate risks. The relevant control objectives and controls must then be selected and applied, and a Statement of Applicability prepared that records which Annex A controls are included or excluded, and why.
Where to Get Help
WWISE helps organisations to implement the new ISO 27001, prepare for certification, and implement a maintenance plan that includes regular management reviews. We also provide extensive training in the standard and in internal and external auditing, in addition to our consultancy services, auditing expertise, and gap analyses.