October 17, 2013
In November 2013, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) will formally release long-anticipated updates to ISO/IEC 27001 and 27002. The last time these standards were updated was in 2005.
What are ISO and IEC?
Founded in 1947, ISO is the world’s largest developer of voluntary international standards. ISO has published more than 19,500 standards, which are used in government, business and industry. Representing more than 160 countries and attracting over 30,000 experts a year, ISO gathers their opinions to form consensus around an international standard.
Developed in collaboration with the IEC (an international standards organization dealing with electrical, electronic and related technologies), ISO has supported long-recognized standards for information security called ISO/IEC 27001 and ISO/IEC 27002. The effective use of these standards can help companies achieve best practices in information security, avoid re-inventing security controls, optimize the use of scarce resources, and reduce the occurrence of major risks such as project failures, wasted investments, security breaches, system crashes, data compromise, and failures of service providers to understand and meet customer requirements.
Why should companies care?
Tens of thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for information security programs and controls. Together, they are the de facto standards for many governance, risk and compliance (GRC) frameworks and provide the requirements and code of practice for security regulations, assessments, insurance premiums and frameworks. They provide a baseline for initiating, implementing, maintaining and improving an information security management system in any size organization.
There have been significant changes made to these two standards. Since many organizations use these standards as a framework/baseline/target, there may be ramifications for their policies, standards and processes that warrant careful consideration. Many of the changes represent the standards’ catching up with ever-changing technology. Other changes are restructuring and clarification of the existing controls. Therefore, the changes reflected in the new security standards will need to be incorporated into most companies’ information security policies, standards and processes.
Companies currently certified with the old ISO standards (around 7,940 in total) will need to update to the new standards and recertify using the new standards after September 2015, but many companies may want to use the new standards to recertify before the deadline.
Companies that use ISO/IEC as a baseline or framework for their own security programs can update when they are comfortable with the changes because it is their choice to use these standards. However, one of the justifications for using ISO/IEC as standards is to take advantage of updates and current thinking, so many companies may choose to adopt the new standards sooner rather than later.
This Flash Report will help companies anticipate the requirements of the new standards and the possible ramifications for the organization.
What has changed?
As summarized below, the changes are divided into two categories – (1) changes to the information security management system (ISMS), and (2) changes to controls.
Changes to ISMS : The ISMS remains the cornerstone of the ISO/IEC 27001 and 27002 standards. Changes made to the ISMS include:
- The familiar Plan-Do-Check-Act (PDCA) process framework has been removed.
- Interested parties and their requirements need to be listed in the ISMS and may include legal, regulatory and contractual obligations.
- The concepts of “documents” and “records” are merged together; they now are called “documented information.” The requirement in the old standard for documented procedures (document control, internal audit, corrective action and preventive) has been removed. However, documenting the results of processes is required. As a result, procedures are not required, but the documented information related to managing documents, performing internal audits and executing corrective actions is required.
- Required documents listed in the old standard (reference 4.3.1) have been removed.
- Risk assessment using an asset’s value, vulnerabilities and threats has been removed in the new standard. Risks are now associated with the confidentiality, integrity and availability of information, and risks are assessed using the level of risk based on their consequences and the likelihood they will materialize. Risk ownership is also required.
- Objectives for information security need to be defined, measureable and account for requirements, and risks and results communicated, updated and documented. Further, plans to achieve the objectives should include what will be done, resources required, responsibility, time frame and how results will be evaluated.
Changes to controls: Many GRC frameworks use ISO/IEC and will need to be updated at some point to reflect the changes made in the new standards. The table on the following page shows the structural changes between the 2005 and 2013 versions of the ISO/IEC 27001 and 27002 standards. Differences to note include:
There were 11 control domains; now there are 14, including three additional sections. The three new sections are not really new since these were included in the previous ISO/IEC 27001:
- Cryptography was part of the systems acquisition, development and maintenance domain (old control 12.3).
- Supplier relationships were part of communications and operations management (old control 6.2).
- Communications security was part of the communications and operations management (old control 10.6).
- There are 19 fewer controls. (The old version had 133 controls and the new one has 114.) There are six new controls, and 25 controls were eliminated because they were too specific or outdated.
- The following is a list of the new controls:
- 14.2.1: Secure development policy – Standards for the development of software and systems shall be established.
- 14.2.5: System development procedures – Principles for developing secure systems shall be established, documented, maintained and applied to any information system.
- 14.2.6: Secure development environment – Organizations shall establish and appropriately protect secure development environments for system development and integration.
- 14.2.8: System security testing – Testing of security functionality shall be carried out during development.
- 16.1.4: Assessment and classification of information security events – Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents.
- 17.2.1: Availability of information processing facilities – Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
- The following table breaks down the number of controls by section:
The following is a list of the controls that were eliminated:
- 6.2.2: Addressing security when dealing with customers
- 10.4.2: Controls against mobile code
- 10.7.3: Information-handling procedures
- 10.7.4: Security of system documentation
- 10.8.5: Business information systems
- 10.9.3: Publicly available information
- 11.4.2: User authentication for external connections
- 11.4.3: Equipment identification in networks
- 11.4.4: Remote diagnostic and configuration port protection
- 11.4.6: Network connection control
- 11.4.7: Network routing control
- 11.5.5: Session time out
- 11.5.6: Limitation of connection time
- 11.6.2: Sensitive system isolation
- 12.2.1: Input data validation
- 12.2.2: Control of internal processing
- 12.2.3: Message integrity
- 12.2.4: Output data validation
- 12.5.4: Information leakage
- 14.1.2: Business continuity and risk assessment
- 14.1.3: Developing and implementing business continuity plans
- 14.1.4: Business continuity planning framework
- 15.1.5: Prevention of misuse of information processing facilities
- 15.3.2: Protection of information systems audit tools
While many will say that these changes to ISO/IEC 27001 and 27002 are long overdue and perhaps more changes are required, the revised standards provide a package of security techniques that is practical in assisting an organization in identifying its security requirements and risks and selecting controls to address those requirements and mitigate those risks. Two areas that will require attention are realignment of policies, standards and awareness training to align with the new standard, and assigning risk owners and having them approve risk treatment plans and residual risks. The updated standards will better align ISO/IEC with other frameworks and evolving management and governance practices. Companies using ISO/IEC as a framework or those that are ISO/IEC certified should consider adopting the new ISO/IEC standards as time and resources permit. Many of the changes will better align security objectives with business goals and objectives and that alignment will help everyone across the whole organization to better appreciate the importance of information security to the company’s sustainability, viability and reputation.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
About Our IT Security and Privacy Solutions
As technology becomes more and more integral to the business, it is critical to view information security and privacy as a part of the business, not just IT. Critical intellectual property and regulated personal information need to be protected from security threats, vulnerabilities and privacy exposures that challenge every organization today. Risks must be understood and managed. Often organizations do not know the information risks in their environment or how these risks can be reduced. Equally important, good security and privacy practices can permit companies to take advantage of new technologies to provide revenue growth and cost containment opportunities.
Protiviti provides a wide variety of security and privacy assessment, architecture, transformation and management services to help organizations identify and address security and privacy risks and potential exposures (e.g., loss of customer data, loss of revenue, or reputation impairment to a customer) so they can be reduced before they become problems.
We have a demonstrated track record of helping companies prevent and respond to security incidents, establish security programs, implement identity and access management, and reduce industry-specific risks by providing enhanced data security and privacy. Protiviti can also help organizations comply with regulations and standards including ISO/IEC 27001-2, PCI, privacy and disclosure laws, HIPAA, GLBA and many more. We invite you to explore the various IT security and privacy services that we offer:
- Security Strategy & Program Management Services (frameworks including ISO/IEC 27001-2, NIST, CoBit)
- Program and Compliance Assessments (including ISO/IEC 27001/2, PCI, HIPAA, Safe Harbor, Incident & Breach Response, FFIEC, SOX, etc.)
- Identity & Access Management Services
- Data Security & Privacy Management Services
- Vulnerability Assessment & Penetration Testing
- Security Operations & Implementation Services • Incident Response & Forensic Services