What you need to know about transitioning to ISO 27001:2013

Information SecurityISO 27001 – the internationally recognized information security standard – is one of the most widely implemented ISO standards. It provides a level of assurance to clients and other stakeholders that you take information security seriously. In a world which is increasing its focus on privacy, ISO 27001 is becoming of paramount importance to businesses worldwide.

The newest version of the Standard, ISO 27001:2013, was published in September 2013 and supersedes ISO/IEC 27001:2005. Below details what you need to know in order to successfully transition to the new version of the standard.

Transition deadline

The International Accreditation Forum (IAF) has called for global conformity with ISO 27001:2013 by October 1 2015. Your certification body will already be working towards transitioning to ISO 27001:2013 if it has not done so already.  All accredited certification bodies are expected to transition their own clients within the following 12 months.

If you are currently certified to the 2005 version of the Standard, you will need to make amendments to your information security management system (ISMS) now in order to meet your compliance requirements by the time of the next visit from your certification body.

Are you prepared to meet the requirements of ISO 27001:2013 at your next surveillance visit?

What has changed?

The most prominent changes include:

  • The Plan-Do-Check-Act (PDCA) model is no longer a requirement for ISO 27001:2013 and organisations can apply any form of continual improvement method.
  • Organisations required to use specific process models (e.g. COBIT®, ITIL® etc.) have reduced barriers to entry.
  • There are changes to the structure of the Standard.
  • ISO 27001:2013 is designed to integrate better with other ISO/IEC standards.
  • Terms and definitions are standardized across the ISO 27000 family.
  • The Standard is more flexible in general.
  • The ISO 31000 risk assessment link ties information security risk management into corporate risk management approaches.
  • The roles of board and management/leadership are clearly delineated.
  • The clauses and controls in Annex A have been restructured.

 Next actions

Transitioning to the new version of the Standard needn’t be painful. There is a range of helpful resources out there to give you all the knowledge, guidance, and support you need. Below, we’ve listed some resources you may find useful as you transition.

  • Gap analysis tool

ISO 27001:2013 ISMS Gap Analysis Tool – This tool quickly and clearly identifies the controls and control areas in which an organization does not conform to the requirements of the Standard. This provides a base for organizations to then develop a detailed, granular approach to assessing their current information security control structure.

  •  Training

ISO 27001:2013 Certified ISMS Transition Live Online Training Course – This one-day training course is designed to provide an essential ISO 27001:2013 knowledge update for information security management system (ISMS) implementers and auditors.

  • Consultancy

ISO 27001:2013 Transition Consultancy – This consultancy service provides you with all the necessary support, guidance, and advice you need to successfully transition to ISO 27001:2013.

IT Governance is a specialist in the field of information security and IT governance, and has led more than 140 successful certifications to ISO 27001 around the world. For further information on ISO 27001 and what you need to do to transition to the new version of the Standard, contact IT Governance today toll-free on 1-877-317-3454 or email servicecenter@itgovernanceusa.com.

Additionally, download our free green paper which provides an introduction to the Standard.