ISO 27001:2013 transition webinar
Steve Watkins
Director, Training & Consultancy
IT Governance Ltd
Steve who?
• Author of ‘IT Governance: A Manager’s Guide to Information Security and ISO 27001/2’ (with A. Calder)
• Chair of UK ISO 27001 User Group
• Member of IST33 & IST33/Panel 1
• UKAS ISMS Technical Assessor and advising on ISO 27001 transition
• Twitter: @swatty70
• http://uk.linkedin.com/pub/steve-watkins/1/226/22b/
2 © IT Governance Ltd 2013
ISO 27001:2013 transition webinar
• The changes and what they mean for your business
– Continuous improvement processes
– Integration with your management framework
– Roles and responsibilities
– Risk assessment
– Mapping information security controls
• A less onerous and more integrated approach
• What it means for accredited certification
• Embarking on transition
Accredited Certification
[Diagram: National Accreditation Bodies accredit Certification Bodies; Certification Bodies issue the Certificate]
ISO 27001:2013 “transition”
[Diagram: Certificated Organisation, Accredited Certification Body, Qualified personnel (Auditors + Implementers)]
ISO 27001:2013: The changes
• Structure and implementation process
• Scope and risk
• Roles and responsibilities
• Resources
• Annex A security controls
ISO 27001: From 2005 to 2013

ISO 27001:2013 (structure common to all management system standards, MSS):
0. Introduction
1. Scope
2. Normative references
3. Terms & definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

ISO 27001:2005:
0. Introduction
1. Scope
2. Normative references
3. Terms & definitions
4. ISMS
5. Management responsibility
6. Internal ISMS audits
7. Management review
8. ISMS improvement
Annex A - Control objectives and controls
ISO 27001: From 2005 to 2013 (mapping of the main clauses)

ISO 27001:2013:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

ISO 27001:2005:
4. Establish ISMS
• Scope
• Policy
• Risk assessment
• Document control
5. Management responsibility
6. Internal audit
7. Management review
8. Continual improvement
ISO 27001:2013: Implementation
“The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.” ISO/IEC 27001:2013
• No longer specifies Plan-Do-Check-Act (PDCA) to develop and establish the ISMS: the organisation is to determine and adopt a continual improvement model that suits it
• Terms and definitions section removed: the standard now references ISO 27000 for its terms
ISO 27001:2013: Scope
[Diagram: Scope, Integrate, Requirements]
Scope: the organisation is to identify ‘interested parties’, the information security requirements of these parties, and ‘external and internal issues’
ISO 27001:2013: Risk Assessment
“Risk: effect of uncertainty on objectives” ISO 27000:2012
[Diagram: Risk derived from Threats, Vulnerabilities, Likelihood, Assets and Impacts]
ISO 27001:2013: Risk Treatment
ISO 27001:2013: Integration
Adoption of an ISMS: a “strategic decision” for the organisation
“Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.” ISO 27000:2012, sect 2.34
ISO 27001:2013: Roles and responsibilities
• Management involvement: strengthened in leadership and review
– Significant increase in performance-related requirements:
• setting information security objectives
• evaluation of information security performance
• measuring effectiveness of the ISMS (as well as of controls)
• using these to inform improvement
• Risk owner
• Resources, competence, awareness, communication
ISO 27001:2013: Other notable changes
• The requirement that internal auditors shall not audit their own work is absent; ensuring objectivity and impartiality remains a requirement
• Preventive action is no longer mandated as a separate requirement
• A number of requirements for communication have been introduced where this was not explicitly identified in the 2005 version of the standard
ISO 27001:2013: Resources
• ISO/IEC 27001:2013
http://www.itgovernance.co.uk/shop/p-1443-isoiec-27001-2013-iso27001-iso-27001-isms-requirements.aspx
• ISO/IEC 27002:2013
http://www.itgovernance.co.uk/shop/p-1444-isoiec-27002-2013-iso27002-iso-27002-code-of-practice-for-infosec-controls.aspx
• ISO 27001 & 27002:2013
http://www.itgovernance.co.uk/shop/p-1445-iso-iec-27001-2013-and-iso-iec-27002-2013.aspx
• ISO 27000:2012
http://www.itgovernance.co.uk/shop/p-707-iso27000-iso-27000-isms-overview-and-vocabulary.aspx
ISO 27001:2013: Resources
• http://www.itgovernance.co.uk/shop/p-357-an-introduction-to-information-security-and-iso-27001-2013-a-pocket-guide-second-edition.aspx
• http://www.itgovernance.co.uk/shop/p-720-iso27001iso27002-a-pocket-guide-second-edition.aspx
ISO 27001:2013: Annex A
114 controls in 14 categories:
5 Information security policies
6 Organisation of information security
7 Human resources security
8 Asset management
9 Access control
10 Cryptography (new)
11 Physical & environmental security
12 Operations security (split)
13 Communications security (split)
14 System acquisition, development & maintenance
15 Supplier relationships (new)
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
ISO 27001:2013 Summary
• Management system + flexibility
• Aligns to internal and external drivers
• Worldwide accepted accredited certification
ISO 27001:2013 transition webinar
• The changes and what they mean for your business
– Continuous improvement processes
– Integration with your management framework
– Roles and responsibilities
– Risk assessment
– Mapping information security controls
• A less onerous and more integrated approach
• What it means for accredited certification
• Embarking on transition
Accredited certification: transition
[Diagram: Certificated Organisation, Accredited Certification Body, Competent auditors, Competent implementers]
Accredited certification: transition
Timeline, 2013 to 2016:
• 2013: ISO 27001:2013 published
• 1st January 2014: Transition assessments of Certification Bodies (CBs) begin as part of the normal surveillance cycle
• 30th September 2015: No new ISO 27001:2005 certificates to be issued
• 30th September 2016: All ISO 27001:2005 certificates to have transitioned to ISO 27001:2013
Organisations “with ISO 27001”:
– Surveillance audit to ISO 27001:2005 available
– Transition to ISO 27001:2013 may be mandated by the CB
Organisations “seeking ISO 27001”:
– Initial audit to ISO 27001:2005 available (until 30th September 2015)
– Initial audit to ISO 27001:2013 available
When to start your transition? Personnel
• Competent auditors
• Competent implementers
http://www.itgovernance.co.uk/shop/p-1454-iso27001-2013-certified-isms-transition-training-course.aspx
When to start your transition? ISMS
• Familiarity with the 2013 version and what is required
http://www.itgovernance.co.uk/shop/p-963-nine-steps-to-success-an-iso-270012013-implementation-overview-second-edition.aspx
• Health check and action plan?
http://www.itgovernance.co.uk/iso27001_2013_healthcheck.aspx
Think ISO 27001:2013 may be for you?
• Strategic decision: the case is best laid out in the well-respected and widely recognised ‘Case for …’, now updated for ISO 27001:2013
http://www.itgovernance.co.uk/shop/p-1158-the-case-for-iso-27001-2013-second-edition.aspx
New to ISO 27001:2013? Don’t delay
• http://www.itgovernance.co.uk/shop/p-710-iso27001-certified-isms-foundation-training-course.aspx
• http://www.itgovernance.co.uk/shop/p-713-iso27001-certified-isms-lead-implementer-masterclass.aspx
• http://www.itgovernance.co.uk/shop/p-712-iso27001-certified-isms-lead-auditor-training-course.aspx
New to ISO 27001:2013? Don’t delay
• http://www.itgovernance.co.uk/shop/p-1462-iso-27001-2013-isms-standalone-documentation-toolkit.aspx
• http://www.itgovernance.co.uk/iso27001_consultancy.aspx
Summary: ISO 27001:2005 to 2013
Summary: ISO 27001:2005 to 2013
• Accredited certification: timescales not yet confirmed, however probably …
– To 2005: available now through to 30 Sept 2015
– To 2013: could be available in the first 3 months of 2014
– Move from a 2005 to a 2013 certificate within a year of the Certification Body achieving accreditation to the 2013 standard
Further information and reading
• http://www.itgovernance.co.uk/download/27001-update.pdf
4 pages introducing the 2013 version
• http://www.itgovernance.co.uk/download/27001-update-reference-sheet.pdf
5 pages comparing 2005 to 2013
• http://www.itgovernance.co.uk/download/27001-2013-technical-guidance.pdf
11 pages of technical guidance for making the transition from ISO 27001:2005
Questions?
• Call us: +44 (0)845 070 1750
• Email us: [email protected]
• Twitter: @ITGovernance, @swatty70
• Facebook: www.facebook.com/ITGovernanceLtd
• LinkedIn: www.linkedin.com/company/IT-Governance
• UK: www.itgovernance.co.uk
• USA: www.itgovernanceusa.com
• EU: www.itgovernance.eu
• India: www.itgovernance.in
• Asia Pacific: www.itgovernance.asia