IRCA Technical Review Briefing Note ISO 27001 PDF
Page 1 of 16
Contents
Introduction
Summary of the changes within ISO/IEC 27001:2013
Overview
Detailed review
0. Introduction
1. Scope
2. Normative References
3. Terms and Definitions
4. Context of the Organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Annex A
ISO/IEC 27002
Summary
Auditor Guidance
Introduction
The International Register of Certificated Auditors (IRCA) has prepared this technical review
to communicate to IRCA Certificated Auditors, IRCA Approved Training Organisations and
other interested parties our understanding of ISO/IEC 27001:2013.
This document should be read in conjunction with the IRCA Inform article on the summary of
changes to ISO/IEC 27001 and ISO/IEC 27002 published in July 2013, in which an initial
review of the proposed standards was provided. The purpose of this follow-on document is to
support a deeper appreciation of the standard and of the differences from the first edition,
ISO/IEC 27001:2005, as well as to support the CPD requirements of IRCA certificated ISMS
auditors.
The content of this technical review is provided in good faith and is IRCA's opinion. It should
not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA
Approved Training Organisations are advised to familiarise themselves with ISO/IEC
27001:2013 and ISO/IEC 27002:2013 when they are published.
Overview
ISO/IEC 27001:2013 has adopted the recently restyled wording and format for
management system standards (refer to Annex SL). The aim is to enhance the
consistency and alignment, and therefore the compatibility, of ISO Management System
Standards (MSS). It will encourage uniformity of management system terminology and
assist organisations seeking to implement multiple management system programmes.
This new structure (referred to in Annex SL as the high level structure, or HLS) specifies 10
clauses (compared with the previous 8). In addition, a substantial body of text (the identical
core text, or ICT) will be common across all ISO management system standards. On top of
this sit the information security specific requirements, both carried over and new. One point
to note is the total absence of any requirement for documented procedures in the body of
the standard.
As expected, ISO/IEC 27002 has been updated to reflect the changes made to
ISO/IEC 27001:2013.
Detailed Review
Introduction
The Introduction no longer refers to a model, just to requirements, and it now states explicitly
that the objective of an information security management system (ISMS) is to preserve the
confidentiality, integrity and availability of information by applying a risk management
process, and to give confidence to interested parties that risks are adequately managed. It
also emphasises that the ISMS is part of, and integrated with, the organisation's processes
and overall management structure; this reinforces a key message: the ISMS is not a bolt-on
to the business. It reinforces this by stating that information security is considered in the
design of processes, information systems and controls.
The contents of an ISMS continue to be made up of the usual components, i.e. policy,
resources, management processes, information security risk assessment and treatment,
Statement of Applicability, documented information and the ISM processes deemed relevant
to the organisation.
The Plan-Do-Check-Act (PDCA) cycle applied to ISMS processes and mapped to the ISM
lifecycle in clause 0.2 Process approach of the 2005 edition has been discontinued for the
purposes of this standard.
There is one small but significant difference: previously the standard could be used to
assess conformance; now it is used to assess the organisation's ability to meet its own
information security requirements.
The compatibility clause remains and is tangibly demonstrated and reinforced by the
adoption of Annex SL.
1. Scope
The purpose of this clause is to state the applicability of the standard through the
requirements to establish, implement and continually improve an ISMS within the context of
the organisation (more of this later). It goes on to require the assessment and treatment of
information security risks tailored to the needs of the organisation. This compares with the
implementation of security controls in the 2005 edition.
Clause 1.2 Application (and exclusion) has been deleted. This is a significant change:
excluding any of the requirements in clauses 4 to 10 is no longer acceptable when an
organisation claims conformity to the standard.
2. Normative references
There is only one normative reference: ISO/IEC 27000, Information technology - Security
techniques - Information security management systems - Overview and vocabulary. It
should be noted that this is currently being revised (from the 2012 edition).
5. Leadership
Clause 5 requires an organisation to consider and establish the roles of top management in
terms of the ISMS, and how the information security policy is used as a tool to express its
expectations of the leadership of the organisation.
Note: The text of clause 5 is taken almost unchanged from the Annex SL HLS and ICT.
6. Planning
Clause 6 requires an organisation to establish its strategic objectives and to identify risks
and opportunities and relate them to the scope of the ISMS.
Note: The text of clause 6 is taken almost unchanged from the Annex SL HLS and ICT, but does have
significant information security specific additions.
Once again, there is a note referencing ISO 31000, Risk management - Principles and
guidelines.
7. Support
Clause 7 addresses the need for an organisation to determine what resource and
competency requirements it has to support the ISMS, how internal and external
communications will be arranged, and how ISMS documentation will be managed.
Note: The text of clause 7 is taken almost unchanged from the Annex SL HLS and ICT.
7.1 Resources
As before, the organisation must determine what resources it requires for the ISMS.
Some explicit resource requirements have been deleted (considered unnecessary
because they fall within the general requirement); examples are the resources needed to
ensure that information security procedures support the business requirements, and to
maintain adequate security by correct application of all implemented controls.
7.2 Competence
The requirement to determine suitable competencies, and for people to be competent based
on education, training and experience, remains. There is a (new) note which clarifies what
actions may be taken to achieve competence (the training, mentoring or reassignment of
current employees, or the contracting of competent persons) and what documented
information may be required to evidence it.
7.3 Awareness
This clause reaffirms the need for persons under the control of the organisation to be aware
of their contribution to the effectiveness of the ISMS and of the implications of not conforming
with the ISMS. It now goes further by stating that they shall also be aware of the information
security policy.
7.4 Communication
This clause is (almost entirely) new for ISO/IEC 27001:2013. It requires that the organisation
determine what ISMS communications will be made to both internal and external parties,
and how they will be managed: the what, the who and the when. Additionally, there is a
requirement for communication processes: the how. Previously there was only a need to
communicate actions and improvements to interested parties; now the requirement is generic
and broader.
8. Operation
Clause 8 covers the information security requirements of the ISMS and how to address
them.
Note: The text of clause 8 is taken almost unchanged from the Annex SL HLS and ICT, but does have
significant information security specific additions.
9. Performance evaluation
Clause 9 requires an organisation to measure the performance of its ISMS against the
standard and to review its performance and effectiveness, involving top management in this
activity.
Note: The text of clause 9 is taken almost unchanged from the Annex SL HLS and ICT.
10. Improvement
The aim of clause 10 is for the organisation to identify and act on ISMS nonconformity through
corrective action. The first thing to note is that there is no longer any reference to preventive
action. This area is now dealt with in the planning elements of the standard (clause 6.1 etc.).
Note: The text of clause 10 is taken almost unchanged from the Annex SL HLS and ICT.
10.1 Nonconformity and corrective action
There are no significant changes to the intent of this requirement (previously clause 8.2).
Focus is now placed on identifying and reacting to nonconformities including their
containment. This will require an organisation to identify if and where similar
nonconformities may have arisen elsewhere in the business and to implement corrective
action ensuring this does not occur or if it has, that it is corrected.
It should be noted that the language here has changed; it is more user-friendly. The
organisation must react to the nonconformity and, as applicable, take action to control and
correct it, and deal with the consequences.
No documented procedure is required explaining how the corrective action process operates
but an organisation shall retain documented information to evidence that the nature of
nonconformities and subsequent actions have been captured along with the results of
corrective actions.
10.2 Continual improvement
Again, there are no significant changes to the intent of this brief (but far-reaching)
requirement (previously clause 8.1). However, continual improvement is now required of the
suitability and adequacy of the ISMS as well as of its effectiveness.
Deleted requirements
A number of miscellaneous requirements from the 2005 edition that have not already been
mentioned above have been deleted. For example:
- procedures; there is no requirement for procedures in the body of the ISMS standard,
however the requirement still exists in the reference control objectives and controls of
Annex A.
- obtaining management authorisation to implement and operate the ISMS.
ISO/IEC 27002:2013
ISO/IEC 27002:2005 has been revised to reflect the changes made in ISO/IEC 27001:2013.
Summary
It is evident that there have been changes (and improvements) made in ISO/IEC
27001:2013 compared with the 2005 edition. The purpose of this second edition of the
standard is not to reinvent a well-established practice but to direct and support organisations
in their desire to preserve the confidentiality, integrity and availability of information, and all
that can mean to their on-going success. Encouraging greater planning and preparedness,
as well as consideration of the performance and effectiveness of the ISMS, will no doubt
support this goal.
The shift to more generic management system standard terminology should be viewed as a
positive step forward by all organisations seeking to integrate their systems, as well as by the
auditors auditing them. What it will require is possibly greater planning, forethought and
commitment by the organisation's management, and interaction with perhaps more
interested parties than before.
Auditor Guidance
Auditors must familiarise themselves with the standard and in particular with its intent and its
shift in emphasis across the management system components.
Elements that are new or more pronounced in ISO/IEC 27001:2013, and that therefore give
auditors the opportunity to refocus their audits, include:
- more stringent requirements for organisational planning of the ISMS
- greater (and more visible) top management commitment and leadership requirements
- proactive communication policies and programmes
- a solid partnership approach with interested parties
- individual ownership of and responsibilities for the ISMS
- ISMS performance evaluation