As the UK government announces a new cyber defence reserve force, IT Governance welcomes the new version of the ISO/IEC 27001 information security standard, which will speed and simplify the process for organisations to protect their information assets through international best practice.
IT Governance has helped hundreds of organisations implement ISO 27001 since the standard’s launch in 2005. The company says the 2013 version, released today in the UK by the British Standards Institution (BSI), eliminates several hurdles that have dissuaded some organisations, including SMEs, from adopting the standard.
Alan Calder, Founder and Executive Chairman of IT Governance, says: “ISO 27001 is simply the best protection available for organisations wanting to secure their information assets within a best practice framework. Well over 17,500 organisations around the world have discovered the benefits of being certified, including peace of mind for management and reassurance for customers. The 2013 update will make it much simpler and more attractive for a wider range of organisations to sign up, which is not only good business sense but also supports the government’s cyber security strategy.”
Beyond responding to today’s technology and vulnerabilities, the 2013 update introduces several measures that make the standard more attractive to adopt.
A key feature of ISO 27001:2013 is its greater focus on the individual needs and context of an organisation. Many organisations considering ISO 27001 already have various risk controls in place, dictated by particular functional, contractual and regulatory demands. The 2013 update accepts these existing controls as the ‘baseline’ to which any additional required controls are added.
Calder comments: “One argument some boards have heard is that ISO 27001 is too costly to adopt because a separate, dedicated structure of ISO 27001 risk controls would need to operate in parallel with the organisation’s existing controls. While this argument has seldom been convincing, the updated standard eliminates this objection at a stroke by explicitly making your existing controls the foundation for your ISO 27001 compliance programme.
“Furthermore, the standard no longer requires that you use the Plan, Do, Check, Act, or ‘PDCA’, methodology when implementing ISO 27001. If your organisation instead prefers using, for example, ITIL for process implementations, that’s now absolutely fine. The key thing is to demonstrate what you have done – how you do it is your concern, which should be widely welcomed, especially in larger organisations.”
Another improvement in ISO 27001:2013 is a clearer delineation between the roles of the board and of management.
Calder explains: “The standard now more clearly recognises that the board’s role is governance: giving direction to management on requirements, monitoring how those requirements are met but not becoming involved in the minutiae of programme implementation. This clarification is part of the maturing of the standard.”
The third area of improvement welcomed by IT Governance concerns the standard’s risk assessment process, which SMEs may now find more intuitive and quicker to accomplish.
Calder says: “Organisations will now have the option to jump straight to detailing the risks they face, and how these risks should be controlled, without first needing to break down threats, vulnerabilities and impact by individual asset. While an asset-based approach is still permitted and can achieve more rigorous protection, organisations that may have been deterred by this workload are now accommodated within the standard.
“Well beyond a general tightening up of the standard, this update makes ISO 27001 more flexible, company-friendly and readily implemented. The high level of uptake for ISO 27001:2005 proves the world needs this sort of best practice guidance on information security management. Now the scope of the standard has been widened to encourage many more organisations to get on board and derive the benefits of compliance.”
It is anticipated that, following the launch of ISO 27001:2013, organisations already certified to ISO 27001:2005 will have a transition period of 12-18 months in which to meet the additional requirements of the updated standard. IT Governance is able to advise both existing certificate holders and new adopters on the steps necessary to achieve compliance in a timely and cost-effective manner.