Prinya Hom-anek, President and Founder of ACIS, Thailand asks Prof Edward Humphreys to share some thoughts on the New Edition of ISO/IEC 27001
– What’s new and improved in the new edition of ISO/IEC 27001?
We have made the new edition up to date, taking into account the experiences of users who have implemented, or sought certification to, ISO/IEC 27001:2005. The idea is to provide a more flexible, streamlined approach, which should lead to more effective risk management.
We have also made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today’s risks, namely identity theft, risks related to mobile devices and other online vulnerabilities.
Finally, the new ISO/IEC 27001 has been modified to fit the new high-level structure used in all management system standards, making its integration with other management systems an easy option.
– What are the major benefits of the new edition?
Aligning ISO/IEC 27001 to the new structure will help organizations wanting to implement more than one management system at a time. The similarity in structure between the standards will save organizations money and time as they can adopt integrated policies and procedures.
For example, an organization might want to integrate their information security system (ISO/IEC 27001) with other management systems such as the business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).
– What is the next step in the revision process?
The revision of the 2005 edition is now at the FDIS (Final Draft International Standard) stage. This will be completed in early September after which any typographical edits will be made ready for the expected launch in October. At this point the new edition of ISO/IEC 27001 will be available for purchase and the 2005 version withdrawn.
– For the organizations which are already certified to ISO 27001:2005, what will this revision mean for them?
There are over 15000 organizations certified to the 2005 edition of the standard. These organisations will now need to upgrade their information security management system to comply with the requirements of the new edition of the standard. The transition period for upgrading has not yet been decided but it is likely to be two years from when the new edition is published.
– For the organisations which are already certified to the existing ISO 27001, do they need to change their practices for surveillance audits?
The surveillance audits of existing users will need to show that they are updating their ISMS to meet the requirements of the new edition.
– Do the main requirements have any major changes?
The general intent and focus of the new edition of ISO/IEC 27001:2013 remains the same, addressing the information security risks that organisations face. The new edition has however been enhanced to be more business focused, highlighting the need to place greater emphasis on organizational context and to align with internal and external business needs. There has however been a major restructuring of the standard to bring it in line with the specification of the next generation of management system standards. The new edition has also been aligned with the risk terminology and principles outlined in ISO 31000, the risk management standard.
– Do the control requirements in Annex A have any major changes?
In addition to the release of a new edition of ISO/IEC 27001, there will be a new edition of ISO/IEC 27002. Annex A of ISO/IEC 27001 has adopted the changes that have been made to ISO/IEC 27002. These changes include several new controls, several modified controls and some controls have been deleted. The changes are aimed at addressing today’s threat environment.
– About the new requirement section “Top Management Leadership”, could you explain more about this interesting topic?
The new section on Leadership is concerned with management demonstrating its commitment and proactive leadership for the processes and activities that are involved in the establishment, implementation, operation, monitoring and review, maintenance and improvement of the ISMS in accordance with the requirements of ISO/IEC 27001:2013.
– How can the new version of ISO/IEC 27001 do better at tackling IT security risks and cybersecurity risks?
The new edition of ISO/IEC 27001:2013 has been improved to be more effective in providing a management framework for addressing information security risks from a business perspective. This includes addressing the wide range of threats that modern business is faced with including cyber risks, attacks on mobile systems and identity theft.
– Why did the professor choose Thailand to be the first country in Asia for a special 3-day intensive training programme?
Thailand is an energetic, dynamic IT society, highly motivated to implement new ideas – so Thailand seems a good place to give the first 3-day seminar.