In September 2013 the ISO/IEC 27001:2005 standard was replaced by the new version, ISO/IEC 27001:2013.
A customer poll recently conducted by IT Governance found that the majority of nearly 200 respondents planned to transition to ISO27001:2013 in early 2014. If you are already certified to ISO27001:2005, what does this mean for your organisation?
First, it’s important to know that achieving accredited certification through a Certification Body will be dependent on that Certification Body itself having achieved accreditation against the requirements of the new standard. Until your Certification Body has transitioned to the 2013 standard, your surveillance visits will continue to be against the 2005 version. .
Organisations certified to ISO27001:2005 will be required to transition to ISO27001:2013 over an estimated period of 12 months once their Certification Body has successfully transitioned. As the ISO27001:2013 standard has now been published you are, however, able to start preparations for obtaining ISO27001:2013 certification.
With significant structural changes including flexible risk assessment methodologies and the restructuring of security controls, you may find the transition process challenging.
ISO27001:2013 Transitioning and Implementation Resources
Whether you are transitioning to ISO27001:2013 or implementing it from scratch, documentation is one of the biggest and probably most daunting challenges you will face. ISO27001:2013 requires you to produce a comprehensive set of ISMS documents and records which you will use to conduct your information security processes. Fortunately, there are tools available that are designed to reduce the time and cost (e.g. man hours) associated with producing or updating existing documents. Here are some of them:
Documentation Toolkit
ISO 27001:2013 requires you to produce a comprehensive set of ISMS documents and records. Importantly, you need to conduct your information security practices according to these documents. Pre-written documents such as those included in the ISO27001:2013 ISMS Standalone Documentation Toolkit can help address the challenge of producing extensive documentation from scratch. The toolkit contains fully customisable and editable templates including seven Policies, 55 Procedures, 23 Work Instructions, 25 Records, guidance documents as well as Blank Templates that will enable you to bring in your existing documentation in-line with a consistent management system. (Full contents are available here.)
Conversion Tool
The ISO27001:2005 to ISO27001:2013 Conversion Tool maps the controls of ISO 27001:2005 to ISO27001:2013, identifying where controls have been deleted, relocated, adjusted and added to the new standard. It provides commentary on the controls and how they have changed, why they’ve changed, and how organisations will benefit from the new ISO27001:2013. It helps certified organisations make the transition from their existing ISO 27001:2005 ISMS to an ISO27001:2013 ISMS.
Gap Analysis Tool
ISO27001:2005 to 2013 Gap Analysis Tool has been created to help organisations who have implemented ISO27001:2005, to assess the current status of their compliance to ISO27001:2013. This tool will enable such organisations to identify where they need to make changes, implement new procedures, or phase out previous controls. It helps organisations to tackle the upgrade of their ISMS to ISO27001:2013 by identifying to project managers where to start. The outcome of this tool and the analysis that it provides is the base for organisations to then conduct a detailed, granular approach to assessing their current information security control structure.
By Neil Ford, Copywriter at IT Governance
IT Governance is the one-stop-shop for information, advice, guidance, books, tools, training and consultancy in the field of information security, IT governance, risk management and compliance. IT Governance has been involved in designing, and successfully implementing, cost-effective ISO 27001 information security management systems since the standard was first introduced in 1995.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.