Monday, 15 April 2013

Three ways the ISO 27001 revision will affect your company

It has been eight years since the ISO 27001 standard was last revised but now changes are coming.

When 2013 nears its end we will see a new version of the information security standard ISO 27001. If you belong to those who must comply with the standard, or just consider it good practice, then you will experience a transitional period where your company must change its processes. It can be a time consuming process but luckily a draft of the revision has already been made publicly available.

Below you'll find the three most important changes in the ISO 27001 update so you can begin to prepare yourself immediately.

1. Increased flexibility in your choice of risk method
In the current ISO 27001 version it is a requirement that an active owner is identified and that a threat based vulnerability assessment is implemented. In the new draft the term risk owner is used instead and it is only a requirement to identify risks in relation to confidentiality, integrity and availability. Thereby, there is an attempt to adapt the risk process to the risk management standard ISO 31000.

It will, however, still be the ISO 27005 standard most people will use as a starting point for the risk process as it deals specifically with IT risks unlike ISO 31000 which provides a framework for analysis of all risk types in a business.

2. Sharpened demands to the Information Security Management System context
In the current draft the section about the establishing of the ISMS and the scope is brief and imprecise. The requirements for organisations ISMS context has been highlighted with the requirement that all relevant external stakeholder demands should be described as a part of the ISMS.

3. Demands to surveilance and measurements get their own section
Where they are currently spread among other requirements, the requirements for surveillance and measurement of efficiency have now been given their own section. There is an increased focus on ensuring that companies identifiy, describe and can document the efficiency of the implemented IT controls. Companies must draw up Key Performance Indicators for the evaluation of all implemented security measures and can document the KPI's output.

The ISO 27001 update is still open to changes but these three points should give you a headstart so you can have a smoother transition.

See also Six questions about the ISO 27001 revision (with answers)

For a more in-depth look you might be interested in this free on-demand webinar:

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.


  1. ISO 27001 Audit
    The ISO 27001 Lead Auditor training course will give you the ability to successfully audit an existing information security management system against iso27001. You will be taught the techniques to use when auditing a management system. During the course you will go through the standard, clause by clause, to ensure that you understand what questions you should be asking, who you should be asking those questions to and what evidence you should be seeking during an audit.

  2. Wonderful blog..!Thanks for providing such great information abot ISO 27001. I have also suggest you e-learning course such as ISO 27001 internal auditor training e-learning course now available that helps to implement Information Security management system.