
A Look at the New ISO27001:2013 Revision

Recently the 2013 revisions of ISO27001, the internationally acclaimed standard for information security management, and of its companion ISO27002, ‘Code of practice for information security management controls’, were released. Whether you’re new to this or are looking for a smooth transition, it’s important to reflect on the changes made.

Being compliant with the latest information security standards is becoming more and more important these days. Shareholders, business partners, clients and even the government demand a clear overview of your policies as well as the right certifications. But the certification process can be an administratively demanding task, especially when standards are changing.

The changes made were necessary to keep up with the fairly new digital age we now live in. In general, there is a focus on communication standards. From now on, you are asked to set as well as measure clear objectives for information security and identify the risk owner within your organization. This should create a transparent communication flow between you and any third party involved. In my view, without such transparency your information security plans won’t stand a chance. The new standard will ultimately help align business and IT within your organization as well as with third party stakeholders.

Let me walk you through the major changes in more detail.

ISMS

There’s a new clause that requires you to list all interested parties, such as shareholders, authorities, legal and regulatory requirements, business partners and clients—because these are important inputs for your ISMS. The new standard has a lot more focus on interfaces and dependencies between activities performed within and outside of your organization.

Since most IT ecosystems are complex and filled with services delivered by third parties, it is only logical to list them in your information security plans. Besides, this transparency should enhance cooperation as well as trust between you and your business partners and/or clients.

Clauses vanished

Clauses regarding preventive actions have altogether vanished from the standard. These have now been made part of the risk assessment process, which in itself has also dramatically changed. You are now required to actually perform a risk assessment, determining the level of risk (for confidentiality, integrity and availability) using business impact and likelihood. On top of that, the old requirement to have a documented risk assessment methodology is now gone.

I firmly believe in identifying and recording assets that need safeguarding and performing an analysis of threats and vulnerabilities as an industry best practice. The new standard now forces you to define risk owners who are responsible for managing the risk to a proper level. You are free in choosing your own risk assessment approach, best suitable to your policies, risk owners and organization. This new concept gives more flexibility in forming your security standards.

Objectives

Another big game changer is that some new clauses have been added that require you to set as well as measure clear objectives for information security. You will be asked to specify when and how the achievement of these objectives will be measured, as well as by whom.

These objectives will ultimately become one of the main pillars for cascading these metrics to your customers and stakeholders. I applaud this move as in my humble opinion it will be a true driver for transparency. As I mentioned earlier, I find transparency the key in this modern day and age.

Alignment

Some of the changes have been made to align ISO27001 with a number of other more or less related “Management System” standards, such as ISO14001 Environmental Management, ISO9001 Quality Management, ISO22301 Business Continuity Management and ISO20000 IT Service Management.

To conclude, these changes were necessary and should fit in well within any modern organization. They all make perfect sense but are not very controversial or new and therefore should not have a major impact on your certification process.

By Temme Sikkema, Founding Partner at CumulusTrust
