Q&A: The New, Updated ISO 27001 Standard

BY reno ON 1st February 2015.


Q) To start with: what is ISO 27001?

A) ISO 27001 is an internationally recognised Standard for Information Security Management published by the International Standards Organisation and the International Electrotechnical Commission. Its objective is to “provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”.

Q) When did the ISO 27001 Standard become updated?

A) Very recently, last year in fact. What was ISO 27001:2005 is now called ISO 27001:2013.

Q) What changes does the update entail?

A) Though designed with the same overall goal – information security – in mind, ISO 27001:2013 is different from its predecessor in several key ways.

Firstly, it has been extended to contain additional controls, such as restrictions on software installation, system security testing, and response procedures to information security incidents. It also contains a new section on outsourcing.

Secondly, it shifts focus away from the Plan-Do-Check-Act cycle heavily emphasised in ISO 27001:2005. Instead, it focuses on measuring and evaluating the performance of a company’s ISMS and on the particular organisational context of information security.

Thirdly, it is designed to be more compatible with other ISO Standards, such as ISO 9000 and ISO 20000.

Q) How does ISO 27001:2013 work?

A) Essentially, ISO 27001:2013 sets out requirements for 11 domains falling under information security management. These include:

  • The organisation of information security: policies for how information should be governed within an organisation
  • Human resources security: policies for how employees joining, moving around in, and leaving an organisation should be governed
  • Physical and environmental security: policies for the protection of physical computer facilities
  • Access control: policies for deciding who has the right to access networks, systems and data

Q) What are the benefits of obtaining the ISO 27001:2013 certification?

A) ISO 27001:2013 is specifically designed to make information security control more organised and consistent.

The ISO 27001:2013 certification:

  • Provides an opportunity to identify and manage risks to key information and systems assets;
  • Acts as a marketing tool, ensuring confidence through international recognition, to trading partners and clients;
  • Allows for an independent review, which in turn provides quality assurances on information security practices;
  • Limits threats to information security;
  • Enables companies to adopt an approach to information security that meets the organisation’s information security needs on an ongoing basis.