ISO Updates Information Security Management Standard

Organizations certified to ISO 27001:2005 will need to upgrade their information security management system to comply with the requirements of the new edition

“We have brought the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005,” wrote Edward Humphreys, convener of the working group responsible for the development and maintenance of ISO/IEC 27001, in a post on the ISO website. “The idea is to provide a more flexible, streamlined approach, which should lead to a more effective risk management.”

As for the specific benefits of the new edition, ISO has looked at the modern threat landscape and made a number of improvements to the security controls listed in Annex A to better address identity theft, risks related to mobile devices and other online vulnerabilities.

The new ISO/IEC 27001 has also been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easier option. Aligning ISO/IEC 27001 to the new structure should help organizations if they want to implement more than one management system at a time. For example, an organization might want to integrate their information security system (ISO/IEC 27001) with other management systems such as the business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).

The similarity in structure between the standards will save organizations money and time, since businesses can adopt integrated policies and procedures rather than maintaining a separate set for each standard.

As for timing, the revision of the 2005 edition is now at the Final Draft International Standard (FDIS) stage. This stage will be completed in early September, after which any typographical edits will be made ahead of an expected launch in October. At that point the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.

Organizations certified to ISO 27001:2005 will need to upgrade their information security management system to comply with the requirements of the new edition.

“The transition period for upgrading has not yet been decided but it is likely to be two years from when the new edition is published,” Humphreys noted. “Upgrading to the new edition of ISO/IEC 27001 should not prove particularly problematic. The transition period helps as it means the effort required can be part of a staged work program and integrated into continual improvement activities and planned surveillance audits.”