ISO/IEC 27001:2013

Information Security Management System

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

What are the main changes in ISO 27001:2013?

  • The revised standard has been written using the new high level structure, which is common to all new management system standards. This makes integration straightforward when implementing more than one management system.
  • Terminology changes have been made, and some definitions have been removed or relocated.
  • Risk assessment requirements have been aligned with BS ISO 31000.
  • Management commitment requirements now focus on “leadership”.
  • Preventive action has been replaced with “actions to address risks and opportunities”.
  • SOA (Statement of Applicability) requirements are similar, with more clarity on the need to determine controls through the risk treatment process.
  • Controls in Annex A have been modified to reflect changing threats, remove duplication and provide a more logical grouping. Specific controls have also been added around cryptography and security in supplier relationships.
  • Greater emphasis is placed on setting objectives, monitoring performance and metrics.

What are the benefits of ISO/IEC 27001 Information Security Management?

  • Identify risks and put controls in place to manage or eliminate them
  • Flexibility to adapt controls to all or selected areas of your business
  • Gain stakeholder and customer trust that their data is protected
  • Demonstrate compliance and gain status as preferred supplier

Consultancy Services Road Map:

  • Gap Analysis
  • Designing, Documentation and Implementation (System Development)
  • Internal Auditing
  • Management Review
  • Certification Process Guidance