The international standard ISO/IEC 27001 specifies a set of requirements for establishing, implementing, deploying, monitoring, reviewing, maintaining, updating and improving a documented ISMS with respect to an organisation’s overall business risks and opportunities.
It belongs to a class of standards referred to as the Management System
Standards (MSS), which includes standards such as ISO 9001 (Quality
Management System), ISO 14001 (Environmental Management System),
ISO 22000 (Food Safety Management System), ISO/IEC 20000-1 (Service
Management System) and ISO 22301 (Business Continuity Management System).
In 2012, ISO published a common approach (ISO Directives Annex SL,
Appendix 3) for both the development of new MSS and for the revision of
existing MSS. The reason for this was to enable an organisation to operate an integrated MSS that complies with the requirements of two or more MSS. For example, an organisation could decide to operate with both ISO/IEC 27001 and ISO 22301, which would mean integrating its ISMS with its BCMS. Using this common integrated approach provides many business benefits and increases the value of using MSS. ISO/IEC 27001 and ISO 22301 are two standards from the MSS family that have been revised to take on this common approach, which involves using a high-level structure, identical core text and common terms and core definitions.
The second edition of ISO/IEC 27001 was published in 2013 after a three-and-a-half year revision cycle. This new version takes account of the new MSS approach. This means that the high-level structure of the chapters, clauses and sections looks different from that of the 2005 edition. In addition to changing the high-level structure, changes were made to the requirements specified in the standard. These changes reflected the feedback received from member bodies of SC 27 and their cooperating organisations. An ISO/IEC guide provides transition maps showing the high-level changes that have been made between the 2005 and the 2013 editions of both ISO/IEC 27001 and ISO/IEC 27002. This is very useful for those wanting to know in more detail where the changes have been made.
This section of Chapter 2 provides some of the highlights of the second edition of ISO/IEC 27001. More specific discussion of the second edition can be found in later chapters, which cover the changes in more detail.
The organisational target audience of ISO/IEC 27001 has not changed in the 2013 edition: it is suitable for all types and sizes of organisation. It can be applied to any type of business activity and across all business markets, since its subject matter is the protection of information, irrespective of what systems, processes or IT the organisation deploys.
The functional target audience in the 2013 edition has also not changed.
The second edition of ISO/IEC 27001 places more emphasis on the role of management and on the leadership and commitment of management in supporting the ISMS. There is more emphasis on the need to align the development of the ISMS with the needs and expectations of stakeholders and all relevant interested parties, and to make sure all internal and external business issues and requirements are covered.
The second edition of ISO/IEC 27001 still uses the word “shall” in specifying the requirements, and in ISO terminology any requirement that includes this word is mandatory to implement if an organisation wishes to claim conformance with the standard. This means that the standard can be used for formal third-party certification, as is the case with ISO 9001 for quality management systems.
ISO/IEC 27001:2005 was based on a Plan-Do-Check-Act process model. In the 2013 edition of ISO/IEC 27001 this model has been excluded, although its continual improvement philosophy is certainly still firmly in place. The process-based approach, however, is still very much a part of the new edition of ISO/IEC 27001, as was the case with the old edition. For example, the organisation needs to implement processes such as a risk assessment process or an internal audit process. ISMS processes are the systematic operations and activities that are a central feature of ISO/IEC 27001.
The ISMS stages are establishing, implementing, deploying, monitoring, reviewing, maintaining, updating and improving, and the organisation needs to go through a number of staged activities. These stages include a number of “shall” requirements (mandatory requirements) where things need to be done, activities need to be carried out and processes need to be implemented.
These requirements fall under the following clause headings:
- The context of the organisation (Clause 4);
- Leadership (Clause 5);
- Planning (Clause 6);
- Support (Clause 7);
- Operation (Clause 8);
- Performance evaluation (Clause 9);
- Improvement (Clause 10).
The purpose of the risk-based approach is to take care of the information
security aspects of the organisation’s business activities. The ISMS risk management process needs to take into account the requirements and expectations of all interested parties, including customers, consumers and business partners. It needs to take into account any issues that might be relevant to information security risks, be they related to corporate governance, legal, regulatory and contractual obligations, business objectives and strategy, business operations and processes or the use and application of information and communications technology (ICT) systems.
The overall risk philosophy in the new edition is based on the concepts and terminology defined in the generic risk standard ISO 31000. The clauses in this chapter are only an overview of the more detailed discussion of ISMS risk management found in Chapter 4.
Both in ISO/IEC 27001: 2005 and ISO/IEC 27001: 2013, risk management
is a central theme; however, the 2013 edition includes a number of important changes to the risk management process.
One of the significant changes in requirements between the 2005 and 2013 editions concerns the need to identify assets, threats and vulnerabilities: this is no longer a requirement in the second edition. The asset-based approach of 2005 has been replaced with an approach based on the model defined in ISO 31000. The current risk assessment approach is discussed in Chapter 4.
Another change to be found in the second edition is related to the treatment of risk. In the 2005 edition Annex A was used to select an appropriate set of controls to reduce identified risks. In the 2013 edition the user determines a set of controls in accordance with the risk treatment options that the organisation has decided to implement. The organisation then needs to compare this set of controls with the Annex A controls to benchmark whether any important controls have been excluded.
The standard ISO/IEC 27005 provides guidance on information security risk management in support of ISO/IEC 27001.
In the 2005 version of ISO/IEC 27001, performance evaluation was considered and implemented through the use of several processes, including taking measurements, monitoring, internal audits and management reviews. In the 2013 edition these same processes are specified and invoked; however, they have been brought together in a single chapter and the wording of the content has undergone some improvements. The standard ISO/IEC 27004 provides guidance on the requirements for information security measurements given in ISO/IEC 27001.