We spoke to Edward Humphreys, Convener of the working group responsible for the development and maintenance of ISO/IEC 27001, to find out how the revision is going to affect you, the standard user.
What are the major benefits of the new edition?
We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005. The idea is to provide a more flexible, streamlined approach, which should lead to more effective risk management.
We have also made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today’s risks, namely identity theft, risks related to mobile devices and other online vulnerabilities.
Finally, the new ISO/IEC 27001 has been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easy option.
What are the benefits of modifying the new ISO/IEC 27001 to fit the new high-level structure for management system standards?
Aligning ISO/IEC 27001 to the new structure will help organizations wanting to implement more than one management system at a time. The similarity in structure between the standards will save organizations money and time as they can adopt integrated policies and procedures.
For example, an organization might want to integrate their information security management system (ISO/IEC 27001) with other management systems such as business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).
What is the next step in the revision process?
The revision of the 2005 edition is now at the FDIS (Final Draft International Standard) stage. This will be completed in early September, after which any typographical edits will be made, ready for the expected launch in October. At this point the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.
I am certified to ISO/IEC 27001:2005. What will this revision mean for me?
Organizations certified to the 2005 edition of the standard will need to upgrade their information security management system to comply with the requirements of the new edition. The transition period for upgrading has not yet been decided, but typically this is two to three years from when the new edition is published. In addition, accredited certifying bodies should also use the transition period to update their activities to fit the requirements of the new edition.
At the end of this transition period, the only valid certificates will be those that state conformity to the new requirements of ISO/IEC 27001:2013.
How much effort will it take to go from the old version to the new version?
Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps, as it means the effort required can be part of a staged work programme and integrated into continual improvement activities and planned surveillance audits.