Since its introduction in 2005, ISO27001 has become the de facto standard for information security, with wide adoption throughout the industry. It has received some criticism, however, mostly related to a lack of flexibility.
Partly in response to these criticisms and partly to align the standard with other standards, a new version was created and officially launched on 25 September 2013: ISO27001:2013. Where the old version of the standard focused on the risks per domain, the new version emphasises the organisational aspect of information security. This shift in focus can be seen, for instance, in the risk treatment.
ISO27001 as a standard consists of two main areas: an information security management system controlling the information security process, and a set of information security controls mitigating the individual risks.
The new standard, ISO27001:2013, still contains these two main parts, but allows more freedom in implementation. With the old standard, for instance, the set of controls (known as Annex A) was mandatory; the new standard merely states that a set of controls is required and strongly recommends the standard's own controls.
This change allows organisations to reuse controls already in place, which aids both smaller and larger companies. Larger companies may already have implemented a control set from a different methodology, and smaller companies usually have a few controls in place for the specific risks they face; these can be kept and supplemented with controls from the standard.
Flexible risk analysis
Further improvements can be found in the risk assessment process: the new standard allows organisations to recognise known risks and control them straight away, without first having to go through a time-consuming risk analysis process that breaks down the risks, vulnerabilities and impact per asset.
This change makes the standard much more usable and intuitive for smaller organisations, which usually have a good feel for the risks they face but lack the resources or expertise to run a full analysis process.
Annex A, the section containing all controls, has been improved as well. Where the old version featured 133 controls in 11 groups, the new version has 114 controls in 14 groups. This reduction in the number of controls does not imply a reduction in control itself, but rather a shift in focus. The focal point of the controls now lies with guarding the chain of security: security is now part of the design instead of a feature to be implemented later on. This can be seen in the way security is now an integral part of the software design or acquisition process, as well as in the way the standard treats third parties and third-party services.
Business continuity moved to its own standard
The last large change is the way the standard handles business continuity. The old standard implemented a number of controls to guarantee a baseline; the new standard only requires organisations to define and implement a business continuity framework, without prescribing which framework to use. This change benefits the adoption of ISO22301, Business Continuity Management, with which ISO27001 now aligns properly.
Moving to ISO27001:2013
Organisations already certified against ISO27001:2005 have a transition period of 2 years to move to ISO27001:2013. In practice this means that from 25 September 2015 organisations must adhere to ISO27001:2013.
As the new standard requires a business continuity framework, it is advisable to adopt ISO22301 during the transition. This standard for Business Continuity Management is expected to become a default requirement in requests for proposal.