Steve Watkins dispels the myths of transitioning to ISO27001:2013

Steve-Watkins-1-280x150Ahead of his Live Twitter chat on November 21, #ISO27001chatSteve Watkins, director of IT Governance and all-round information security expert, dispels the myths of transitioning to ISO 27001:2013.

Myth – I’ve got until October 1 2015 to transition

Fact – The International Accreditation Forum (IAF) has called for global conformity with ISO 27001:2013 by October 1 2015. Your registration body will already be working towards transitioning to ISO 27001:2013 if it has not done so already.  All accredited registration bodies are expected to transition their own clients within the following 12 months.

If you currently hold registration to the 2005 version of the Standard, you will need to make amendments to your information security management system (ISMS) now in order to meet your compliance requirements by the time of the next visit from your certification body.

Myth – I don’t need to make any changes as ISO 27001:2013 has only had a few minor updates

Fact – Although ISO 27001:2013 isn’t too different from its 2005 predecessor, there is still quite a bit of legwork that needs to be done before a successful transition can take place.

A quick recap of some of the major changes:

  • There is a heightened emphasis on leadership, interested parties, competence, performance metrics, and reporting.
  • There are changes to the requirements relating to scope, the risk assessment methodology, and continual improvement.
  • New concepts have been introduced (consult ISO 27000 for terms and definitions).
  • There are changes to the structure of the Standard and the sections contained therein.
  • There are changes to the requirements for record keeping and documentation.
  • The Standard states that information security controls should be determined through the process of risk treatment (and do not have to be selected from Annex A).
  • There are changes to the requirements for reporting inclusions and exclusions in the Statement of Applicability (SOA).
  • A ‘harmonized management system standard’ structure (to form the basis of all future ISO management system structures and referred to as Annex SL/the common text) has been adopted. This will ease the integration of ISO management system standard requirements and may assist with the efficiency of auditing.
  • Annex A has been restructured into fewer information security controls spread across a larger number of categories.

Conducting a gap analysis is a useful way of assessing whether or not you meet the requirements set out in ISO 27001:2013.

Myth – My clients won’t mind if I don’t update to the new version of the Standard

Fact – Manybusiness agreements and partnerships are formed on the basis of mutual trust and respect for the other party. In fact, ISO 27001 is a prerequisite for many companies entering partnerships in the first place, particularly in the chemical, manufacturing, and IT sectors. Failing to transition to ISO 27001:2013 by your registration body’s next surveillance visit will mean your ISO 27001 certificate will become invalid and you may well lose clients.

Myth – Transitioning is going to be labor-intensive and costly

Fact – With most of the changes to the new Standard being “backward compatible”, organizations will be able to successfully transition without incurring major costs or utilizing many resources, as long as they are fully aware of the changes and where their ISMS currently is in relation to them.

A number of useful documents have been published that offer detailed guidance on what should be done in order to align your systems, processes, documents, and policies with the requirements of ISO 27001:2013.  The IT Governance green paper on transitioning to ISO 27001:2013 is a good starting point. By purchasing the Standard and attending a one-day online transitioning training course, you will be able to make the most of your preparation, if you plan to undertake the transition yourself.

Alternatively, ISO 27001:2013 transition consultancy can be a cost-effective option that uses expert guidance and support from an ISO 27001 specialist implementation team.

For further information on transitioning to ISO 27001:2013, watch Steve Watkins in action in the ISO 27001:2013 transition webinar. This one-hour webinar recording will take you through the various changes introduced by the newly released version of ISO 27001 and what they mean for you, your business, and your certification process.

(Please note that the transition deadline cited in this video has changed. The correct transition deadline can be found at the top of this page.)

For an overview to the Standard, download our free green paper:



About Steve Watkins

Steve Watkins_M_12Steve is director at IT Governance Ltd, the leading information security specialists. Together with Alan Calder, he led the world’s first certification to ISO 27001 (then BS 7799) in 1996 and has since helped hundreds of organizations around the world to register their own information security management systems (ISMSs) to the Standard.

As well as being a key figure in the UK for advising and supporting information security projects, Steve has worked on a number of international assignments, guiding many organizations in implementing a cyber secure framework while supporting their adherence to multiple local cybersecurity laws.