As you may be aware, the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) was updated and the 2013 version became the “official” version at the start of October 2013. The previous version for ISMS requirements was ISO/IEC 27001:2005, and for eight years now, organisations have been working towards, and achieving, certification to that standard.
ISMS Requirements – Changes?
The change between the 2005 version and the current 2013 standard is more than just cosmetic, and there are a lot of improvements for your ISMS. There are some areas where controls have been regrouped within Annex A, but there are also new controls for project management, outsourcing, design & engineering and information security events. Additionally, the risk management approach has been brought more in line with ISO 31000.
What should you do?
Overall, the main impact is that a lot of existing ISMS documents will need to be reviewed (and possibly their references changed), and anyone working towards certification needs to decide which path they will go down.
- If you are close to completing your implementation and will be able to get through all the required visits by the assessors no later than the end of September 2014, then you can opt to certify your ISMS against ISO/IEC 27001:2005.
- Alternatively, you can make the changes required to realign your ISMS to ISO/IEC 27001:2013 now and work towards certification that way. If you are more than 12 months away from full implementation of your ISMS, this is your only option.
Unless you really are very, very close to finishing your ISMS certification against the 2005 standard, we would strongly recommend you use the new 2013 version.
If your ISMS is currently certified to the 2005 version of the standard, your certification will remain valid until the end of your 3 year renewal cycle. However, once you come up for re-certification you will need to work against the 2013 standard.
As far as we are aware, it is not possible to recertify against the 2005 version during the twelve month “grace period” that has been offered for new certifications.
Supply chain ISMS certification
When it comes to your supply chain, one of the benefits of ISO/IEC 27001 certification is that it allows you to develop a level of trust. If your supplier has managed to achieve and maintain certification, then you have a reasonable level of assurance that they have implemented a working ISMS and will protect your data to at least some degree.
It is of critical importance that as part of this assurance you get access to copies of the documentation sets provided for certification, evidence that the ISMS is properly implemented and a good understanding of the scope submitted for certification audit. If you can tick these three boxes, you can have quite a good level of assurance around your supplier.
Now that the 2013 standard is official, you should also make sure that your supply chain moves to meet the new requirements in a timely fashion. As mentioned above, any certifications currently valid will remain so, but it will help for you to engage your suppliers and find out what their plans for the transition are. By October 2016 all your suppliers should have had to recertify, and it is unlikely that any ISO/IEC 27001:2005 certifications will still be valid.
To assist you with moving towards the 2013 standard, we will be providing a free downloadable checklist document that you can use to self-assess your ISMS compliance. Hopefully this will be ready before 25 October 2013.
Following on from that, we will also look to update our Security Policy Framework (SPF) mapping to assist suppliers to the Government / MOD. That is likely to be ready by the end of the year.