What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?
The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.
What are the new security controls and how does the 2013 revision deal with new risks?
First of all, the number of suggested controls in the 2013 revision has actually decreased from 133 to 114 – therefore, it is easier now to find the controls that are really needed for a particular risk. The new controls are these: A.6.1.5 Information security in project management, A.14.2.1 Secure development policy, A.14.2.5 Secure system engineering principles, A.14.2.6 Secure development environment, A.14.2.8 System security testing, A.16.1.4 Assessment of and decision on information security events, and A.17.2.1 Availability of information processing facilities.
How much new mandatory documentation is there, and for certified companies, is there a lot of work involved in implementing it?
As I mentioned previously, there is actually less documentation required. If a company is already certified against the old 2005 revision of ISO 27001, only about 10-20% of the existing documents will need to be changed, and some of the documents may now be deleted. Therefore, the effort to make this transition to the 2013 revision won’t be too big.
What advice would you give to those who want to transition from ISO 27001:2005 to 2013?
This transition should be planned carefully – if done without a plan, one could spend double the time that would normally be needed. In my blog post, How to make a transition from ISO 27001 2005 revision to 2013 revision, I’ve explained what, in my opinion, are the optimal 12 steps to make this transition.