Transition from ISO 27001:2005 to 2013 version - Key Learnings

By Isaac Prince Jeffrey, Head - Risk & Compliance at Williams Lea India

After eight years, the globally recognized standard for Information Security Management Systems (ISMS), ISO/IEC 27001:2005, has been superseded by ISO/IEC 27001:2013. The 2013 revision was published on 25 September 2013, and organizations certified to the 2005 version have a two-year transition window (until September 2015) to upgrade their certification. The thought process behind each revision is easier to appreciate if you have followed the standard since the BS 7799 days. Because ISO 27001:2013 is not prescriptive, implementers are free to demonstrate conformance with the controls and requirements in their own way.

Implementers generally try to retrofit existing documentation and processes, creating new ones only where a requirement is genuinely new. This lets teams migrate to the revised processes without much re-training. Create a mapping document of the standard's requirements against the implementation details (or include the mapping in the ISMS manual); it is handy both during implementation and when facing the certification auditors.

1. Robust Program Management

Given the varied stakeholders involved (senior management, operations, HR, IT, facilities, finance, legal, the risk management office, etc.), a strong program manager is needed to ensure that a proper project plan is agreed and that resources and logistics are managed efficiently. Close follow-up on deadlines, with escalation when delays occur, is key to a smooth transition project.

2. Communication is key

The communication plan should address the internal and external communications relevant to the ISMS at each phase of the transition. Senior management can set the tone for the initiative by sending an email in support of the project team.

3. Training – Implementer vs. Auditor

Get the implementation team trained on the ISO 27001:2013 implementer course and the audit team on the lead auditor course. Implementation requirements are not covered in detail in the auditor course because of IRCA syllabus requirements: if you enrol in an auditor course, the instructor does not spend time explaining how to transition the risk assessment process, only how to audit it.

4. Identification of new controls and preparing relevant documentation

Careful, in-depth reading of the standard will identify the new controls (e.g. secure system engineering principles, A.14.2.5; information security policy for supplier relationships, A.15.1.1) so that the relevant process or procedure can be created and implemented.

5. Interested parties

“Interested parties” is a new term in the 2013 version. Interested parties are stakeholders, i.e. any entity or individual that can influence your information security or be influenced by it. Listing all statutory, regulatory and contractual requirements helps identify the relevant interested parties. In our case, workshops with senior management and enablers helped us identify the interested parties and their requirements.

6. Organisational Context

The ISMS objectives and purpose should be aligned with the strategic direction set by management. Gather input by talking to members of the management team and use it to establish that alignment.

7. Risk Owners & Risk Assessment

The risk owner is a new addition in the 2013 standard. The risk owner and the asset owner need not be the same person: the risk owner is someone with sufficient authority to manage the risk. This distinction should be clearly understood when performing the risk assessment. The 2013 standard no longer mandates identifying assets, threats and vulnerabilities; a controls-based risk assessment supplemented with adequate risk workshops and monitoring can be sufficient. An asset/threat/vulnerability (A/T/V) based risk assessment can still be used, but some retrofitting is required.

Legend:

ISO/IEC 27001:2005/2013

ISO = International Organization for Standardization (although the initials would suggest IOS, the short name ISO was chosen from the Greek word “isos”, meaning equal)

IEC = International Electrotechnical Commission

27001 = the 27000 series is the family of information security standards; 27001 is the certifiable standard for an ISMS (Information Security Management System)

2005/2013 = year of publication of the respective edition of the standard

8. Risk Treatment Approval

The risk owners (or senior management) must approve the risk treatment plan and accept the residual risks. Evidence of these approvals must be available during the certification audit.

9. Preventive Actions (PA)

We are used to referring to CAPA (Corrective Action / Preventive Action) during remediation. In the 2013 version the term “preventive action” has been removed; only “correction” and “corrective action” remain, with prevention now handled through the risk-based planning requirements (actions to address risks and opportunities).

10. Measurement and reporting

Use the SMART criteria (Specific, Measurable, Assignable, Realistic, Time-related) when defining and reporting on ISMS objectives; this makes effectiveness measurable. Responsibilities for monitoring, measurement and reporting should be defined and reviewed periodically.

Overall, the “tone from the top”, i.e. visible support from senior management, remains the key driver of the transition and of the success of any management framework implementation.
