*** Welcome to piglix ***

ISO 27001


ISO/IEC 27001:2013 is an information security standard that was published in September 2013 It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security management system (ISMS). Organizations which meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.

The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements".

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

This structure mirrors other management standards such as ISO 22301 (business continuity management); this helps organizations comply with multiple management systems standards if they wish. Annexes B and C of 27001:2005 have been removed.

The 2013 standard puts more emphasis on measuring and evaluating how well an organization's ISMS is performing, and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. It does not emphasize the Plan-Do-Check-Act cycle that 27001:2005 did. Other continuous improvement processes like Six Sigma's DMAIC method can be implemented. More attention is paid to the organizational context of information security, and risk assessment has changed. Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9000 and ISO/IEC 20000, and it has more in common with them.

New controls:

Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important but little understood change in the new version of ISO 27001 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted ("shall") that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.


...
Wikipedia

...