ISO/IEC 27001:2013 and ISO/IEC 27002:2013
There have been significant changes to these two standards. Because many organizations use
them as a framework, baseline or target, there may be ramifications for their policies, standards
and processes that warrant careful consideration. Many of the changes represent the standards
catching up with ever-changing technology; others restructure and clarify the existing controls.
The changes reflected in the new security standards will therefore need to be incorporated into
most companies' information security policies, standards and processes.
Companies currently certified against the old ISO standards (around 7,940 in total) will need to
update to the new standards and recertify against them after September 2015, but many may
want to use the new standards to recertify before the deadline.
Companies that use ISO/IEC as a baseline or framework for their own security programs can
update when they are comfortable with the changes, because using these standards is their
choice. However, one justification for using ISO/IEC as a standard is to take advantage of
updates and current thinking, so many companies may choose to adopt the new standards
sooner rather than later.
This Flash Report will help companies anticipate the requirements of the new standards and the
possible ramifications for the organization.
Changes to ISMS requirements (ISO/IEC 27001):

Interested parties and their requirements need to be listed in the ISMS; these may include
legal, regulatory and contractual obligations.

The concepts of documents and records are merged and are now called "documented
information." The old standard's requirement for documented procedures (document control,
internal audit, corrective action and preventive action) has been removed, but documenting the
results of processes is still required. As a result, written procedures are not required, but the
documented information related to managing documents, performing internal audits and
executing corrective actions is. The list of required documents in the old standard (reference
4.3.1) has been removed.

Risk assessment based on an asset's value, vulnerabilities and threats has been removed from
the new standard. Risks are now associated with the confidentiality, integrity and availability of
information, and the level of risk is determined from the consequences of the risk and the
likelihood that it will materialize. Risk ownership is also required.

Objectives for information security need to be defined, measurable and consistent with the
requirements and risks identified, and they must be communicated, updated and documented.
Plans to achieve the objectives should state what will be done, the resources required, who is
responsible, the time frame and how results will be evaluated.
Changes to controls: Many GRC frameworks use ISO/IEC and will need to be updated at
some point to reflect the changes made in the new standards. The table below shows the
structural changes between the 2005 and 2013 versions of the ISO/IEC 27001 and 27002
standards. Differences to note include:
There were 11 control domains; now there are 14, including three additional sections.
The three new sections are not really new, since their controls were already included in the
previous version of the standards:
1. Cryptography was part of the systems acquisition, development and maintenance
domain (old control 12.3, cryptographic controls).
2. Supplier relationships were part of organization of information security (old control 6.2,
external parties) and of communications and operations management (old control 10.2,
third party service delivery management).
3. Communications security was part of communications and operations management
(old control 10.6, network security management).
There are 19 fewer controls (the old version had 133 controls and the new one has 114):
six controls are new, and 25 controls were eliminated because they were too specific or
outdated.
ISO domain count | Section description                                  | New ISO 2013: section ref | New ISO 2013: controls count | Old ISO 2005: section ref | Old ISO 2005: controls count
-----------------|------------------------------------------------------|---------------------------|------------------------------|---------------------------|-----------------------------
1                | Security policies                                    | 5                         | 2                            | 5                         | 2
2                | Organization of information security                 | 6                         | 7                            | 6                         | 11
3                | Human resource security                              | 7                         | 6                            | 8                         | 9
4                | Asset management                                     | 8                         | 10                           | 7                         | 5
5                | Access control                                       | 9                         | 14                           | 11                        | 25
6                | Cryptography                                         | 10                        | 2                            | N/A                       | N/A
7                | Physical and environmental security                  | 11                        | 15                           | 9                         | 13
8                | Operations security                                  | 12                        | 14                           | 10                        | 32
9                | Communication security                               | 13                        | 7                            | N/A                       | N/A
10               | System acquisition, development and maintenance      | 14                        | 13                           | 12                        | 16
11               | Supplier relationships                               | 15                        | 5                            | N/A                       | N/A
12               | Information security incident management             | 16                        | 7                            | 13                        | 5
13               | Information security aspects of business continuity  | 17                        | 4                            | 14                        | 5
14               | Compliance                                           | 18                        | 8                            | 15                        | 10
Total            |                                                      |                           | 114                          |                           | 133
In Closing
While many will say that these changes to ISO/IEC 27001 and 27002 are long overdue, and
perhaps that more changes are required, the revised standards provide a practical package of
security techniques for identifying an organization's security requirements and risks and
selecting controls to address those requirements and mitigate those risks. Two areas that will
require attention are realigning policies, standards and awareness training with the new
standard, and assigning risk owners and having them approve risk treatment plans and residual
risks. The updated standards will better align ISO/IEC with other frameworks and with evolving
management and governance practices. Companies using ISO/IEC as a framework, and those
that are ISO/IEC certified, should consider adopting the new standards as time and resources
permit. Many of the changes will better align security objectives with business goals, and that
alignment will help everyone across the organization better appreciate the importance of
information security to the company's sustainability, viability and reputation.
About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in
finance, technology, operations, governance, risk and internal audit. Through our network of
more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE
1000 and FORTUNE Global 500 companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half
is a member of the S&P 500 index.
About Our IT Security and Privacy Solutions
As technology becomes more and more integral to the business, it is critical to view information
security and privacy as a part of the business, not just IT. Critical intellectual property and
regulated personal information need to be protected from security threats, vulnerabilities and
privacy exposures that challenge every organization today. Risks must be understood and
managed. Often organizations do not know the information risks in their environment or how
these risks can be reduced. Equally important, good security and privacy practices can permit
companies to take advantage of new technologies to provide revenue growth and cost
containment opportunities.
Protiviti provides a wide variety of security and privacy assessment, architecture, transformation
and management services to help organizations identify and address security and privacy risks
and potential exposures (e.g., loss of customer data, loss of revenue, or reputation impairment
to a customer) so they can be reduced before they become problems.
We have a demonstrated track record of helping companies prevent and respond to security
incidents, establish security programs, implement identity and access management, and reduce
industry-specific risks by providing enhanced data security and privacy. Protiviti can also help
organizations comply with regulations and standards including ISO/IEC 27001-2, PCI, privacy
and disclosure laws, HIPAA, GLBA and many more. We invite you to explore the various IT
security and privacy services that we offer:
Program and Compliance Assessments (including ISO/IEC 27001/2, PCI, HIPAA, Safe
Harbor, Incident & Breach Response, FFIEC, SOX, etc.)