Halkyn Security Blog
Specialist Security & Risk Management Consultants

ISMS: New version of ISO/IEC 27001 – Time to update?

An ISMS is fundamental to how you make sure your business is properly protected.


As you may be aware, the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) was updated and the 2013 version became the “official” version at the start of October 2013. The previous version for ISMS requirements was ISO/IEC 27001:2005, and for eight years now, organisations have been working towards, and achieving, certification to that standard.

ISMS Requirements – Changes?

The change between the 2005 version and the current 2013 standard is more than just cosmetic, and there are many improvements for your ISMS. Some controls have been regrouped within Annex A, but there are also new controls for project management, outsourcing, design & engineering and information security events. Additionally, the risk management approach has been brought more in line with ISO 31000.

What should you do?

Overall, the main impact is that a lot of existing ISMS documents will need to be reviewed (and possibly have their references changed), and anyone working towards certification needs to decide which path they will go down.

  • If you are close to completing your implementation and will be able to get through all the required visits by the assessors no later than the end of September 2014, then you can opt to certify your ISMS against ISO/IEC 27001:2005.
  • Alternatively, you can make the changes required to realign your ISMS to ISO/IEC 27001:2013 now and work towards certification that way. If you are more than 12 months away from full implementation of your ISMS, this is your only option.

Unless you really are very, very close to finishing your ISMS certification against the 2005 standard, we would strongly recommend you use the new 2013 version.

If your ISMS is currently certified to the 2005 version of the standard, your certification will remain valid until the end of your 3 year renewal cycle. However, once you come up for re-certification you will need to work against the 2013 standard.

As far as we are aware, it is not possible to recertify against the 2005 version during the twelve month “grace period” that has been offered for new certifications.

Supply chain ISMS certification

When it comes to your supply chain, one of the benefits of ISO/IEC 27001 certification is that it allows you to develop a level of trust. If your supplier has managed to achieve and maintain certification, then you have a reasonable level of assurance that they have implemented a working ISMS and will protect your data to at least some degree.

It is of critical importance that, as part of this assurance, you get access to copies of the documentation sets provided for certification, evidence that the ISMS is properly implemented, and a good understanding of the scope submitted for the certification audit. If you can tick these three boxes, you can have quite a good level of assurance around your supplier.

Now that the 2013 standard is official, you should also make sure that your supply chain moves to meet the new requirements in a timely fashion. As mentioned above, any certifications currently valid will remain so, but it will help to engage your suppliers and find out what their plans for the transition are. By October 2016 all your suppliers should have had to recertify, and it is unlikely that any ISO/IEC 27001:2005 certifications will still be valid.

Coming Soon

To assist you with moving towards the 2013 standard, we will be providing a free downloadable checklist document that you can use to self-assess your ISMS compliance. Hopefully this will be ready before 25 October 2013.

Following on from that, we will also look to update our Security Policy Framework (SPF) mapping to assist suppliers to the Government / MOD. That is likely to be ready by the end of the year.
