Changes to ISO/IEC 27001 Controls – Key Findings

The revised Information Security standard will be available tomorrow.

We will be publishing our Control Mapping document to help understand the changes to the standard from the 2005 version.

So check back here or go to our website tomorrow…

Until then our key findings on the changes based upon the most recent draft are below.

  • PDCA as the main driver is now gone, with greater importance placed on setting objectives and monitoring performance.
  • More importance is placed on interested parties and their role within the organisation's ISMS.
  • Document control, internal audit and CAPA requirements as we would recognise them have gone, at least as a requirement for documented procedures. The requirement for them as an output still remains, i.e. you don't need written procedures, but you still need to maintain records of what you have done with regard to them.
  • Documents and records are now treated as one (which makes sense, as you always essentially treated them in the same way anyway).
  • The number of sections has increased from 11 to 14; however, the number of controls has been reduced from 133 to 114.
  • CAPA – There are no preventative actions anymore; they are replaced by 'actions to address risks', which are merged into the risk assessment (RA) and risk treatment (RT) areas. There is also a distinction between corrections, which are carried out in direct response to a non-conformity, and corrective actions, which are implemented to eliminate the cause of a non-conformity.
  • Risk assessment – The identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. It is only required for the identification of C-I-A (confidentiality, integrity and availability) impacts. It is not yet clear how this will work in practice, and I assume that the current methodology will continue for some time.

For those who have already certified, or are going through the process, with ISO/IEC 27001:2005, we are currently investigating the official position. It would seem logical to continue with this version until official notification otherwise, as we currently understand there is no formal certification process for the new standard.

Don’t forget to come back to get the link to our full mapping document.

