ISO released a new version of its information security management standard, ISO/IEC 27001, in September 2013. The supporting guideline, ISO/IEC 27002, has also been updated. All organizations already certified under ISO/IEC 27001:2005 have to transition to the new version by October 2015.
The effective use of these standards can help companies achieve best practices in information security, avoid re-inventing security controls, optimize the use of scarce resources, and reduce major security risks such as loss of proprietary information, network intrusions, spread of malware, data compromise, and failures of service providers to understand and meet customer requirements.
Thousands of companies have adopted ISO/IEC 27001 and 27002 as the standards for their information security programs and controls. Together they are the de facto standards: 27001 states the requirements for an information security management system (ISMS), and 27002 provides the code of practice for the controls that support it. ISO/IEC 27001 also gives organizations a framework that supports compliance with regulations such as FISMA, HIPAA and GLBA. The two standards provide a baseline for initiating, implementing, maintaining and improving an information security management system in an organization of any size.
Among the major changes in the 2013 edition, the scope of the risk assessment has been broadened to align with enterprise risk assessment. This allows organizations to use the standard within their Governance, Risk and Compliance (GRC) program, which is a major step in the right direction. The new edition has also simplified documentation requirements to a great extent by replacing the term "documented procedure" with "documented information".
The new standard has also simplified the list of controls in Annex A, reducing the number of controls from 133 to 114 (now grouped into 14 control domains, A.5 through A.18, instead of 11). However, the scope of application of the controls has significantly expanded.
Some of the major changes in the controls are:
- Inclusion of systems engineering and project management: new controls address information security in project management (A.6.1.5), a secure development policy (A.14.2.1), and secure system engineering principles (A.14.2.5).
- Mobile device policy (A.6.2.1): addresses the increasing use of mobile devices for information processing, including the use of personal devices to access organizational information assets.
- System security testing (A.14.2.8): information processing systems should be tested for compliance with their security requirements during development. This testing is in addition to the regular system acceptance testing conducted after system changes (A.14.2.9).
Many of the changes better align security objectives with business goals, and that alignment will help everyone across the whole organization to better appreciate the importance of information security to the company's sustainability, viability and reputation.
Interested in discussing the establishment of security controls in your organization? Developing a testing protocol to ensure a self-sustaining system? A one-day security system review? Considering ISO 27001:2013 certification?
Please contact your local UL DQS Inc. Sales Executive:
Ernie Cumming – WA, OR, ID, MT, WY, UT, CO, AL, HI, Northern CA
Paul Mullenhoff – NV, AZ, Southern CA
Steve Pinter – ND, SD, NE, KS, MO, IA, MN, WI, IL
Randy Spivey – NM, TX, OK, AR, LA
Scott Adams – MI, IN, OH, KY, TN, WV
Morgan Blue – MS, AL, GA, SC, NC, VA, DC, PR, Caribbean Islands
Larry Dorf – FL
Jeff Spizuco – NY, VT, NH, ME, RI, MA, PA, NJ, DE, MD, CT