ISO/IEC 27001 Control Changes Key Findings

The revised Information Security standard will be available tomorrow. We will be publishing our Control Mapping document to help understand the changes to the standard from the 2005 version. So check back here or go to our website www.advent-im.co.uk tomorrow Until then our key findings on the changes based upon the most recent draft are below.

PDCA as a main driver is now gone with placed greater setting importance objectives placed being and on

monitoring performance.

More

importance

interested parties and their role within the organisations ISMS.

Document control, internal audit and CAPA requirements as we would recognise them have gone, at least in their requirement to be

documented procedures although the requirement for them as an output still remains i.e. you dont need written procedures but you still need records maintained of what you have done with regard to them.

Documents and records are now as one (which makes sense as you always essentially treated them in the same way anyway). The number of sections is increased from 11 to 14 however the number of controls has been reduced from 133 to 113. CAPA There are no preventative actions anymore replaced by actions to address risks these are merged into the RA and RT areas. There is also a distinction between corrections that are carried out in direct response to a non-conformity against corrective actions that are implemented to eliminate the cause of a non-conformity.

Risk

assessment

The

identification

of

assets,

threats

and

vulnerabilities is no longer a prerequisite for the identification of information security risks. It is only required for the identification of C-IAdvent IM Ltd 2013 any republishing in part or full with express permission of Advent IM

A.

Not sure how this will and I assume that the current methodology

will continue for some time. Dont forget to come back to get the link to our full mapping document.

www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
Our blogs www.adventim.wordpress.com www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com www.adventimschoolsecurity.wordpress.com

Advent IM Ltd 2013 any republishing in part or full with express permission of Advent IM