ISO 27001
THE ISO 27001 is an international standard published by International Standardization Organization (ISO) and describes how to manage information security in an organization.
The latest version of this standard was published in 2013 and its full title is now ISO / IEC 27001: 2013.
The first version of this standard was published in 2005, and was developed based on British Standard BS 7799-2.
THE ISO 27001 can be implemented in any type of organization, whether for profit or not, private or public, small or large. It is written by the world's leading experts in the field of information security and provides methodology for implementing information security management in an organization. It also enables organizations to obtain certification, which means that an independent certifying body has confirmed that an organization has implemented information security in accordance with the ISO 27001.
With over 16,000+ certified organizations in more than 100 countries in October 2013, the standard revision is launched, which seeks alignment with the new Management Systems format.
The new version of the standard follows the standards of Annex SL of the ISO Directives, seeking to align with other management systems. We find this standard in standards such as 9001, 14001, 20000, and 22301. The standards that follow this standard have the following
Main clauses:
00. Introduction
01. Scope
02. Normative References
03. Terms and Definitions
04. Context of the Organization
05. Leadership
06. Planning
07. Support
08. Operation
09. Performance Evaluation
10. Improvement
Comparing to ISO / IEC 27001: 2005 with the ISO / IEC 27001: 2013, there was an increase in mandatory controls: from 102 (2005) to 148 (2013). For organizations that have made the appropriate investment in their Information Security Management System and devoted the necessary efforts to deploying and maturing it within the organization, migration will not have much difficulty.
The new version of the standard has a greater emphasis on the mandatory controls required during the certification audit. If a control is not deployed or inefficiently deployed, it is considered a nonconformity, the organization is not recommended for certification, or is decertified. The change makes clear the growing importance of Management Systems and the need for greater attention to Information Security Management.
TRANSITION
Following the release of the new version of the standard, organizations will have a period to adapt to changes. Companies in the certification process for ISO / IEC 27001: 2005, may continue the process and apply for certification until September 25, 2014.
Companies already certified must upgrade their certification to the ISO / IEC 27001: 2013 until 25 September 2015. Other companies may apply for ISO / IEC 27001: 2013 from 25 September 2013.
[SAFEWAY] has expertise in clients seeking certification or recertification of ISO / IEC 27001: 2013.
Want to know more about ISO27001 changes? [SAFEWAY] can help you.
Request a Security Assesment: [email protected]
