ISO/IEC 27001:2013 - IT Governance


ISO/IEC 27001:2013
Technical guidance for transitioning from ISO/IEC 27001:2005
January 2015
IT Governance Ltd 2015
Technical Guidance for ISO 27001:2013 v2

Introduction

ISO/IEC 27001:2005 has been superseded by ISO/IEC 27001:2013. The International Accreditation Forum (IAF) has announced that, as of 1 October 2014, no more accredited certificates to ISO 27001:2005 will be issued. From that date, certification bodies may only issue certificates to the new version of the Standard, ISO 27001:2013.

The deadline for certification bodies (CBs) to transition from ISO 27001:2005 to ISO 27001:2013 has been set as 1 October 2015. Once transitioned, CBs will look to transition their clients promptly, and will carry out transition audits at their next scheduled surveillance visits.

If your ISMS is currently certified to the 2005 version of ISO27001, then you need to act now to comply with the requirements of the 2013 version of the Standard.

This green paper explains the differences between the two versions of the Standard and outlines the changes you will need to make to your ISMS to maintain its compliance with – and certification to – ISO27001.

ISO27001 sets out the requirements of an ISMS, which is defined as ‘a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives’ [1]. An ISMS focuses on protecting three key aspects of information:

- Confidentiality: the information is not available or disclosed to unauthorised people, entities or processes.
- Integrity: the information is complete and accurate, and protected from corruption.
- Availability: the information is accessible and usable by authorised users.

ISO/IEC 27000, which provides the standard definitions used in ISO 27001:2013, states that information security can also involve other properties, such as authenticity, accountability, non-repudiation and reliability.

[1] ISO/IEC 27000:2014, section 3.2.1.

Overview of notable changes to ISO27001

The 2013 version of ISO27001 is substantially different from the 2005 iteration. This section lists the notable changes to the Standard. See Summary of changes to management system clauses, below, for detailed information about specific changes.

The information security management system (ISMS)

- The Standard no longer formally adopts the Plan-Do-Check-Act (PDCA) process model, leaving it to the organisation to determine and adopt a continual improvement model that suits its own environment.
- The Standard states that the order in which requirements are presented does not reflect their importance or the order in which they should be implemented.
- Management involvement is strengthened in leadership and review.
- The Terms and definitions clause has been removed, and reference is instead made to the current version of ISO27000, which provides terms and definitions for all ISO27000-series standards. While this change at first appears purely cosmetic, it does result in a change of definition for such key terms as ‘risk’ (now the ‘effect of uncertainty on objectives’ rather than the ‘combination of the probability of an event and its consequence’). It also means that when ISO27000 is updated, the terms and definitions for ISO27001 are automatically updated.
- Documentation is no longer addressed through ‘control of documents’ and ‘control of records’. The Documented information subclause now describes ‘documented information required by this International Standard’ and ‘documented information determined by the organisation as being necessary for the effectiveness of the information security management system’. This allows the organisation greater latitude in determining the necessity of specific records and documents. It also simplifies the security procedures for the handling of documents and information.
- The scope now requires that organisations consider ‘external and internal issues’, ‘interested parties’, and the information security requirements of those interested parties. This is intended to ensure that the ISMS is relevant to the organisation’s activity, and to provide assurance to its stakeholders that it is appropriate.
- There is a significant expansion of the requirements relating to setting information security objectives, evaluating information security performance, and measuring the effectiveness of the ISMS.
- The requirement that internal auditors shall not audit their own work is absent in the 2013 version of ISO27001, but the need to ensure objectivity and impartiality remains.
- The ISO 27001:2013 information security risk assessment requirements are less prescriptive than those of ISO 27001:2005, and are aligned with ISO 31000:2009, the international standard for risk management:
  - Threats and vulnerabilities are no longer referred to in the management system requirements.
  - The risk assessment does not have to be asset-based.
  - Risk treatment is to be achieved through the selection of controls determined necessary by a risk assessment. These controls are then compared with the Annex A controls to ensure that no essential controls have been omitted.
  - Risks are treated and residual risk is accepted by ‘risk owners’ rather than ‘asset owners’.
- Preventive action is no longer a separate requirement.
- Finally, a number of requirements for communication have been introduced.

The new structure of ISO27001

ISO 27001:2013 adopts Annex SL [2], the harmonised structure now used for all ISO management system standards. This new structure provides a clearer view of the requirements of the ISMS than before, as there are now more top-level clauses into which the requirements have been divided:

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

[2] Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013.

Annex A has also been restructured into fewer controls (114), which have been divided into a larger number of categories:

A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography
A.11. Physical and environmental security
A.12. Operations security
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships
A.16. Information security incident management
A.17. Information security aspects of business continuity management
A.18. Compliance

Structure of ISO 27001:2005
The ISMS requirements are spread across five clauses, which approach the ISMS from a managerial perspective:
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

Structure of ISO 27001:2013
The ISMS requirements are spread across seven clauses, which do not have to be followed in the order they are listed:
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Implications for transition

The most obvious feature of the new structure is the addition of clause 4, Context of the organisation. The 2013 version of the Standard now ensures that the ISMS is aligned with the organisation’s business objectives and processes, as well as ensuring that it fulfils business, regulatory and contractual obligations from the very beginning.

The new Standard also provides greater focus on communication, spreading the responsibility for information security further across the enterprise and business partners.

Summary of changes to management system clauses

0. Introduction

The Plan-Do-Check-Act (PDCA) process approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS has been removed, as have all references to it. (The 2005 version of the Standard referenced it in clause 4, General requirements.)

It is worth acknowledging that the ISO Directive for management system standards [3] says: “An effective management system is usually based on managing the organisation’s processes using a ‘Plan-Do-Check-Act’ approach in order to achieve the intended outcomes”.

[3] ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013.

1. Scope

Subclauses 1.1 and 1.2 have been condensed into one paragraph, removing any overlap with the requirements in clauses 4 to 10.

2. Normative references

ISO27000 is quoted as a normative reference and is described as ‘indispensable’ for the application of ISO 27001:2013.

The code of practice ISO 27002 is no longer defined as a normative reference.

3. Terms and definitions

The list of terms and definitions has been replaced by a reference to the current version of ISO 27000, which standardises terms and definitions for the entire ISO27000 family of standards. (At the time of writing, the current version is ISO 27000:2014.)

This change means risk is now defined as the:

effect of uncertainty on objectives

[SOURCE: ISO Guide 73:2009]

NOTE 1 to entry: An effect is a deviation from the expected — positive or negative.

NOTE 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event (2.25), its consequence (2.14), or likelihood (2.45).

Note 3 to entry: Risk is often characterised by reference to potential events (2.25) and consequences (2.14), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences (2.14) of an event (including changes in circumstances) and the associated likelihood (2.45) of occurrence.

Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.

Note 6 to entry: Information security risk is associated with the potential that threats (2.83) will exploit vulnerabilities (2.89) of an information asset or group of information assets and thereby cause harm to an organisation.

Please see ISO 27000:2014 for other definitions.

4. Context of organisation

4.1 Understanding the organisation and its context

This subclause requires the organisation to ‘determine external and internal issues that are relevant to its purpose and affect its ability to achieve the intended outcome(s)’ of the ISMS.

It references subclause 5.3 of ISO 31000:2009 (Risk management – Principles and guidelines), which considers establishing the external and internal context of the organisation, and the context of the risk management process. This includes ensuring ‘that the objectives and concerns of external stakeholders are considered when developing risk criteria’ and should align the organisation’s security stance with its stakeholders’ expectations. (See comments on subclause 5.2 Policy, below.)

4.2 Understanding the needs and expectations of interested parties

This subclause requires the organisation to determine the interested parties that are relevant to its ISMS and the requirements they have relevant to information security. These requirements may include ‘legal and regulatory requirements and contractual obligations’.

4.3 Determining the scope of the information security management system

This subclause introduces the requirement for the organisation to determine the ‘applicability’ of its ISMS to establish its scope, and states that, in doing so, the organisation should consider the aspects identified in clause 4. There is an explicit requirement for ‘interfaces and dependencies’ to be considered as well.

4.4 Information security management system

This is a slight variation on subclause 4.1 of ISO 27001:2005, with the addition of a requirement to continually improve the ISMS. (As described above, the reference to the PDCA model has been removed.)

5. Leadership

The term ‘leadership’ has been introduced, as have requirements specifically relating to the ‘top management’ of the organisation subject to the ISMS.

5.1 Leadership and commitment

These requirements are more holistic than those in the 2005 version of the Standard. They also include the first reference to information security objectives, in subclause 5.1 a). Objectives are also referenced in subclauses 5.2 b) Policy, 6.2 Objectives and plans to achieve them, 8.1 Operational planning and control and 9.3 Management review.

There is a new requirement to integrate the ISMS requirements into the organisation’s processes and the requirement for communication (subclause 4.2.4 c) in the 2005 version) is enhanced.

5.2 Policy

Throughout the Standard, the top-level policy requirement is consistently referred to as the ‘information security policy’. (The 2005 version referenced the ‘information security policy’ and ‘ISMS policy’ as two different items, but acknowledged that one was a subset of the other and that they could both be described in a single document.)

Subclause 5.2 c) requires the information security policy to include a commitment to satisfy the applicable requirements of the ISMS.

5.3 Organisational roles, responsibilities and authorities

ISO 27001:2013 introduces the requirement that top management assigns (rather than determines) and communicates the responsibility and authority both for ensuring the ISMS conforms to the Standard and for reporting the ISMS’s performance.

6. Planning

6.1 Actions to address risks and opportunities

6.1.1 General

Organisations should consider the external and internal issues and requirements of third parties and determine the risks and opportunities that need to be addressed in order to achieve their intended outcomes.

6.1.2 Information security risk assessment

The information security risk assessment process must include risk acceptance criteria as well as criteria for performing information risk assessments that consistently produce ‘valid and comparable results’. (In ISO 27001:2005 the requirement was for ‘comparable and reproducible results’.)

The risk assessment process should identify, analyse and evaluate the risks associated with the confidentiality, integrity and availability of information within the scope of the ISMS. Risk analysis should include an assessment of the consequences of the risk materialising, the realistic likelihood of the risk occurring, and the levels of risk. Evaluating the risks will compare the analysed levels of risk to the risk criteria and prioritise them for treatment.

As well as risks being identified, ‘risk owners’ must also be identified. (The 2005 version of the Standard required ‘asset owners’ to be identified.) ‘Risk owner’ is defined as a ‘person or entity with the accountability and authority to manage a risk’ [ISO 27000:2014].

6.1.3 Information security risk treatment

Taking into account the results of the risk assessment, an information security risk treatment process should be defined and applied in order to select the appropriate risk treatment options and design or identify required controls from any source. These controls should be compared to those provided in Annex A to ensure that no necessary controls have been omitted. The Standard states that the controls in Annex A are not exhaustive.

A Statement of Applicability containing the necessary controls should be produced. Subclause 6.1.3 d) strengthens the requirement that the inclusion of controls in the Statement of Applicability – as well as the exclusion of those from Annex A – is justified.

The requirement for a risk treatment plan remains. ‘Risk owners’ must approve it and accept the residual information security risks. (6.1.2 a) requires risk acceptance criteria to be defined.)

6.2 Information security objectives and planning to achieve them

This subclause builds on some of the requirements of subclause 5.1 of the 2005 version of the Standard, and requires information security objectives to be established, communicated and updated. They should take applicable information security requirements and risk assessment and treatment results into account, and should be consistent with the information security policy. ‘If practicable’, the objectives should be measured.

The plans for achieving information security objectives should include what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated. This is a more specific set of requirements than found in ISO 27001:2005 (subclauses 4.2.2 a) and, to an extent, 4.2.2 b)).

7. Support

Training, awareness and competence (ISO 27001:2005 subclause 5.2.2) is now split into Competence (7.2) and Awareness (7.3).

7.1 Resources

What was covered in six subclauses in the 2005 version of the Standard (5.2.1 a) to f)) is now provided for in one sentence, with the remaining aspects covered elsewhere in the Standard.

7.2 Competence

Where ISO 27001:2005 required organisations to ensure the competence of responsible personnel by providing relevant training, ISO 27001:2013 goes further, requiring that organisations ensure all personnel are competent to do any work affecting information security ‘on the basis of appropriate education, training, or experience’.

Where its employees are not deemed competent, an organisation should provide training or mentoring, reassign them, or hire/contract competent persons. [4]

[4] ISO 27000:2014 defines competence as the ‘ability to apply knowledge and skills to achieve intended results’.

7.3 Awareness

The requirements for awareness have been enhanced and some specific requirements have been added. All persons working under the organisation’s control are to be aware of the information security policy and their contribution to the ISMS – including the benefits of improved information security performance, and the implications of not conforming with the ISMS requirements.

7.4 Communication

The organisation shall determine the need for internal and external communications, including who should communicate, what they should communicate on, when and with whom they should communicate it, and the processes to be used. This is in addition to the other new requirements for communication found throughout the Standard.

7.5 Documented information

ISO27001 now acknowledges that an organisation’s documentation requirements are dependent on its size and ‘type of activities, processes, products and services’, on ‘the complexity of processes and interactions’, and – new in ISO 27001:2013 – on ‘the competence of persons’. (See 7.2 Competence, above.)

Where subclause 4.3 of ISO 27001:2005 (Documentation requirements) listed the specific documents required for an ISMS, ISO 27001:2013 recognises that each ISMS is specific to the organisation that implements it and that ISMS documentation will therefore vary from organisation to organisation. Subclause 7.5 Documented information states only that the ISMS should include the documented information ‘required’ by the Standard, and relies on the organisation to identify for itself the actual documents it needs.

The Standard requires the organisation to consider the format (‘e.g. language, software version, graphics’) and media (‘e.g. paper, electronic’) for documented information.

The requirements for the creation, updating and control of documented information are largely similar to the 2005 version of the Standard, except for explicit reference to retention and disposal, and the control of documented information of external origin.

For convenience, all the documentation requirements of ISO 27001:2013 – not all of which are relevant to all organisations – are listed below. (The relevant subclause numbers are shown in parenthesis.)

- The scope (4.3).
- The information security policy (5.2 e)).
- The information security risk assessment process (6.1.2).
- The information security risk treatment process (6.1.3).
- Statement of Applicability (6.1.3 d)).
- The information security objectives (6.2).
- Evidence of competence (7.2).
- Documentation necessary for the effectiveness o

8. Operation

8.1 Operational planning and control
