INFORMATION TECHNOLOGY FLASH REPORT

Security Standards ISO/IEC 27001 and 27002 Have Been

Revised: What Are the Significant Changes?
October 17, 2013
What happened?
In November 2013, the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) will formally release long-anticipated updates to
ISO/IEC 27001 and 27002. The last time these standards were updated was in 2005.
ISO/IEC
Standard

Title Information Technology Security Techniques

27001: 2013

Information security management systems Requirements

27002: 2013

Code of practice for information security controls

What are ISO and IEC?

Founded in 1947, ISO is the worlds largest developer of voluntary international standards. ISO
has published more than 19,500 standards, which are used in government, business and
industry. Representing more than 160 countries and attracting over 30,000 experts a year, ISO
gathers their opinions to form consensus around an international standard.
Developed in collaboration with the IEC (an international standards organization dealing with
electrical, electronic and related technologies), ISO has supported long-recognized standards
for information security called ISO/IEC 27001 and ISO/IEC 27002. The effective use of these
standards can help companies achieve best practices in information security, avoid re-inventing
security controls, optimize the use of scarce resources, and reduce the occurrence of major
risks such as project failures, wasted investments, security breaches, system crashes, data
compromise, and failures of service providers to understand and meet customer requirements.

Why should companies care?

Tens of thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for
information security programs and controls. Together, they are the de facto standards for many
governance, risk and compliance (GRC) frameworks and provide the requirements and code of
practice for security regulations, assessments, insurance premiums and frameworks. They
provide a baseline for initiating, implementing, maintaining and improving an information
security management system in any size organization.

There have been significant changes made to these two standards. Since many organizations
use these standards as a framework/baseline/target, there may be ramifications for their
policies, standards and processes that warrant careful consideration. Many of the changes
represent the standards catching up with ever-changing technology. Other changes are
restructuring and clarification of the existing controls. Therefore, the changes reflected in the
new security standards will need to be incorporated into most companies information security
policies, standards and processes.
Companies currently certified with the old ISO standards (around 7,940 in total) will need to
update to the new standards and recertify using the new standards after September 2015, but
many companies may want to use the new standards to recertify before the deadline.
Companies that use ISO/IEC as a baseline or framework for their own security programs can
update when they are comfortable with the changes because it is their choice to use these
standards. However, one of the justifications for using ISO/IEC as standards is to take
advantage of updates and current thinking, so many companies may choose to adopt the new
standards sooner rather than later.
This Flash Report will help companies anticipate the requirements of the new standards and the
possible ramifications for the organization.

What has changed?

As summarized below, the changes are divided into two categories (1) changes to the
information security management system (ISMS), and (2) changes to controls.
Changes to ISMS: The ISMS remains the cornerstone of the ISO/IEC 27001 and 27002
standards. Changes made to the ISMS include:

The familiar Plan-Do-Check-Act (PDCA) process framework has been removed.

Interested parties and their requirements need to be listed in the ISMS and may include
legal, regulatory and contractual obligations.

The concepts of documents and records are merged together; they now are called
documented information. The requirement in the old standard for documented
procedures (document control, internal audit, corrective action and preventive) has been
removed. However, documenting the results of processes is required. As a result,
procedures are not required, but the documented information related to managing
documents, performing internal audits and executing corrective actions is required.

Required documents listed in the old standard (reference 4.3.1) have been removed.

Risk assessment using an assets value, vulnerabilities and threats has been removed in
the new standard. Risks are now associated with the confidentiality, integrity and
availability of information, and risks are assessed using the level of risk based on their
consequences and the likelihood they will materialize. Risk ownership is also required.

Objectives for information security need to be defined, measureable and account for
requirements, and risks and results communicated, updated and documented. Further,
plans to achieve the objectives should include what will be done, resources required,
responsibility, time frame and how results will be evaluated.

Changes to controls: Many GRC frameworks use ISO/IEC and will need to be updated at
some point to reflect the changes made in the new standards. The table on the following page
shows the structural changes between the 2005 and 2013 versions of the ISO/IEC 27001 and
27002 standards. Differences to note include:
Protiviti | 2

There were 11 control domains; now there are 14, including three additional sections.
The three new sections are not really new since these were included in the previous
ISO/IEC 27001:
1. Cryptography was part of the systems acquisition, development and
maintenance domain (old control 12.3).
2. Supplier relationships were part of communications and operations management
(old control 6.2).
3. Communications security was part of the communications and operations
management (old control 10.6).

There are 19 fewer controls. (The old version had 133 controls and the new one has
114.) There are six new controls, and 25 controls were eliminated because they were
too specific or outdated.

The following is a list of the new controls:

14.2.1: Secure development policy Standards for the development of

software and systems shall be established.

14.2.5: System development procedures Principles for developing secure

systems shall be established, documented, maintained and applied to any
information system.

14.2.6: Secure development environment Organizations shall establish and

appropriately protect secure development environments for system development
and integration.

14.2.8: System security testing Testing of security functionality shall be

carried out during development.

16.1.4: Assessment and classification of information security events

Information security events shall be assessed, and it shall be decided if they are
to be classified as information security incidents.

17.2.1: Availability of information processing facilities Information

processing facilities shall be implemented with redundancy sufficient to meet
availability requirements.

The following table breaks down the number of controls by section:

ISO
Domain
Count

Section
Description

New ISO
2013

Old ISO
2005

Section
Ref 2013

Controls
Count

Section
Ref 2005

Controls
Count

Security policies

Organization of information security

11

Human resource security

Asset management

10

Access control

14

11

25

Cryptography

10

N/A

N/A

Physical and environmental security

11

15

13

Operations security

12

14

10

32

Protiviti | 3

ISO
Domain
Count
9
10
11
12
13
14

Section
Description

New ISO
2013
Section
Ref 2013

Controls
Count

Section
Ref 2005

Controls
Count

13

N/A

N/A

14

13

12

16

15

N/A

N/A

16

13

17

14

18

15

10

Communication security
System acquisition, development
and maintenance
Supplier relationships
Information security incident
management
Information security aspects of
business continuity
Compliance
Total

Old ISO
2005

114

133

The following is a list of the controls that were eliminated:

6.2.2: Addressing security when dealing with
customers
10.4.2: Controls against mobile code
10.7.3: Information-handling procedures
10.7.4: Security of system documentation
10.8.5: Business information systems
10.9.3: Publicly available information
11.4.2: User authentication for external
connections
11.4.3: Equipment identification in networks
11.4.4: Remote diagnostic and configuration
port protection
11.4.6: Network connection control
11.4.7: Network routing control
11.5.5: Session time out
11.5.6: Limitation of connection time

11.6.2: Sensitive system isolation

12.2.1: Input data validation
12.2.2: Control of internal processing
12.2.3: Message integrity
12.2.4: Output data validation
12.5.4: Information leakage
14.1.2: Business continuity and risk
assessment
14.1.3: Developing and implementing
business continuity plans
14.1.4: Business continuity planning
framework
15.1.5: Prevention of misuse of information
processing facilities
15.3.2: Protection of information systems
audit tools

In Closing
While many will say that these changes to ISO/IEC 27001 and 27002 are long overdue and
perhaps more changes are required, the revised standards provide a package of security
techniques that is practical in assisting an organization in identifying its security requirements
and risks and selecting controls to address those requirements and mitigate those risks. Two
areas that will require attention are realignment of policies, standards and awareness training to
align with the new standard, and assigning risk owners and having them approve risk treatment
plans and residual risks. The updated standards will better align ISO/IEC with other frameworks
and evolving management and governance practices. Companies using ISO/IEC as a
framework or those that are ISO/IEC certified should consider adopting the new ISO/IEC
standards as time and resources permit. Many of the changes will better align security
objectives with business goals and objectives and that alignment will help everyone across the
whole organization to better appreciate the importance of information security to the companys
sustainability, viability and reputation.

Protiviti | 4

About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in
finance, technology, operations, governance, risk and internal audit. Through our network of
more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE
1000 and FORTUNE Global 500 companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half
is a member of the S&P 500 index.
About Our IT Security and Privacy Solutions
As technology becomes more and more integral to the business, it is critical to view information
security and privacy as a part of the business, not just IT. Critical intellectual property and
regulated personal information need to be protected from security threats, vulnerabilities and
privacy exposures that challenge every organization today. Risks must be understood and
managed. Often organizations do not know the information risks in their environment or how
these risks can be reduced. Equally important, good security and privacy practices can permit
companies to take advantage of new technologies to provide revenue growth and cost
containment opportunities.
Protiviti provides a wide variety of security and privacy assessment, architecture, transformation
and management services to help organizations identify and address security and privacy risks
and potential exposures (e.g., loss of customer data, loss of revenue, or reputation impairment
to a customer) so they can be reduced before they become problems.
We have a demonstrated track record of helping companies prevent and respond to security
incidents, establish security programs, implement identity and access management, and reduce
industry-specific risks by providing enhanced data security and privacy. Protiviti can also help
organizations comply with regulations and standards including ISO/IEC 27001-2, PCI, privacy
and disclosure laws, HIPAA, GLBA and many more. We invite you to explore the various IT
security and privacy services that we offer:

Security Strategy & Program Management Services (frameworks including ISO/IEC

27001-2, NIST, CoBit)

Program and Compliance Assessments (including ISO/IEC 27001/2, PCI, HIPAA, Safe
Harbor, Incident & Breach Response, FFIEC, SOX, etc.)

Identity & Access Management Services

Data Security & Privacy Management Services

Vulnerability Assessment & Penetration Testing

Security Operations & Implementation Services

Incident Response & Forensic Services

2013 Protiviti Inc. An Equal Opportunity Employer.

Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services.