I recently held a presentation on this very topic in an attempt to address some of the questions and if you haven't already I strongly recommend you go watch it! You can watch it here.
I have since received a lot of feedback and more questions. Since many of these are relatively basic questions I thought it would be a good idea to share them and the answers here.
If you are looking for the presentation slides you can find them here.
Now on to the questions:
1. What else is new in ISO 27001, is it only about risk?
No, there are plenty of other changes. For example, management will have increased responsibility for IT risk management. There will also be increased flexibility in your choice of risk method.
The revision is still only a draft, so changes can still occur.
You can see a few of the possible changes here:
2. Will it take a great amount of effort to shift to the new ISO 27001?
No, quite the contrary. ISO 27001 is not filled with technical demands on your security, internal audit or other areas. The 2013 draft has the same main content as the 2005 version; the purpose and many of the activities are the same.
The main difference is that the way it is presented has been altered, creating sharper formulations, and some areas are given more flexibility.
A transition would therefore not require a lot of extra effort on your part.
Further, you have absolutely nothing to fear if your company is already ISO 27001 certified.
3. Are there any consequences for the management (risk owner) if you do not live up to the compliance?
There will only be consequences for the risk owner if your company has decided that such consequences should exist. It can, however, have consequences for your ISO 27001 certification and may result in a reprimand during an audit visit.
4. Is there a good mapping between NIST SP 800-53 controls and ISO 27001?
Yes, the National Institute of Standards and Technology has even released a paper regarding the issue. You can find it here.
5. When will SecureAware reflect the new ISO 27001 standard?
Shortly after the new ISO 27001 changes are finalised and made public.
6. Is there already a paper about risk management in the new ISO 27001?
There are currently, to my knowledge, no specific papers available on this topic.
However, Neupart will publish a paper on the topic. Once it is finished it will be available on our website and everyone on our mailing list will be informed.
If you have any questions not listed here then feel free to contact me and I'll do my best to answer them.
You might also be interested in some of Neupart's other webinars. We offer you a learning experience with hands-on approaches. Check them out here: http://www.neupart.com/events
About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.
Comments:
ISO 27001 Audit
The ISO 27001 Implementation training course is a two-day course designed to equip you with the skills and knowledge necessary for implementing an information security management system within your own organisation. The course is an excellent starting point if you are planning on implementing ISO 27001 Certification within your organisation.
This information is really helpful to me. Thanks for the upload. ISO 27001 lead auditor
Thanks for sharing this. ISO 27001 Lead Auditor Course Oman
It is really very helpful for us and I have gathered some important information from this blog. ISO 27001 Certification