Latest ISO/27001 standard removes some problems

Security standards are usually a bit of a ‘pain’, but here is praise from IT Governance for the improvements introduced with the latest, 2013 version of the well-entrenched best practices standard

Posted 11 years ago

It is one of the given facts about standards and security that everyone can understand the need for them in combination, but many end up resenting the impositions and problems they can generate in everyday life. So the arrival of a standard designed to speed and simplify the process of establishing good security, particularly in cloud services environments, is bound to be greeted with at least cautious optimism.

The standard in question is ISO/IEC 27001:2013, the latest version of the well-established standard for implementing security-oriented best practices.

According to IT Governance, the cyber security services provider with a track record of implementing ISO 27001 since the standard’s launch in 2005, the 2013 version just released in the UK by the British Standards Institute (BSI), eliminates several hurdles that have dissuaded some organisations, including SMEs, from adopting the standard.

“ISO 27001 is simply the best protection available for organisations wanting to secure their information assets within a best practice framework,” said Alan Calder, Founder and Executive Chairman of IT Governance. “The 2013 update will make it much simpler and more attractive for a wider range of organisations to sign up, which is not only good business sense but also supports the government’s cyber security strategy.”

In addition to responding to today’s technology and vulnerabilities, the 2013 update increases the attractiveness of the standard through several new measures.

A key new feature is its greater focus upon the individual needs and context of an organisation. Many organisations considering ISO 27001 may already have various risk controls in place, which are dictated by particular functional, contractual and regulatory demands. Through the 2013 update, the standard now accepts these existing controls as the ‘baseline’ to which any additional required controls can simply be added.

An issue with ISO 27001 is that some feel it is too costly to adopt because a separate, dedicated structure of ISO 27001 risk controls needs to operate in parallel with an organisation’s existing controls. The updated standard eliminates this objection by explicitly making existing controls the foundation for an organisation’s ISO 27001 compliance programme.

“Furthermore, the standard no longer requires that you use the ‘Plan, Do, Check, Act’ (PDCA) methodology when implementing ISO 27001,” Calder said. “If your organisation instead prefers using, for example, ITIL for process implementations, that’s now absolutely fine. The key thing is to demonstrate what you have done – how you do it is your concern, which should be widely welcomed, especially in larger organisations.”

Another improvement in ISO 27001:2013 is a clearer delineation between the role of the board and management. The standard now more clearly recognises that the organisation board’s role is governance: giving direction to management on requirements and monitoring how those requirements are met. They no longer get involved in the details of programme implementation.

The third area of improvement welcomed by Calder concerns the risk assessment process used in the standard, which SMEs may now find more intuitive and quicker to accomplish.

“Organisations will now have the option to jump straight to detailing the risks they face and how these risks should be controlled,” he said, “without first needing to break down threats, vulnerabilities and impact by individual asset. While an asset-based approach is still permitted and can achieve more rigorous protection, organisations that may have been deterred by this workload are now accommodated within the standard.”

It is anticipated that following the launch of ISO 27001:2013, organisations already compliant with ISO 27001:2005 will have a transition period of 12-18 months in which to meet additional requirements for the updated standard.

IT Governance is able to advise both existing certificate holders and new adopters on the steps necessary to ensure compliance is achieved in a timely and cost-effective manner.
