Latest ISO/27001 standard removes some problems

Security standards are usually a bit of a `pain’, but here is praise from IT Governance for the improvements introduced with the latest, 2013 version of the well-entrenched best practices standard

  • 11 years ago Posted in

It is one of the given facts about standards and security that everyone can understand the need for them in combination, but many end up resenting the impositions and problems they can generate in everyday life. So the arrival of a standard designed to speed and simplify the process of establishing good security, particularly in cloud services environments, is bound to be greeted with at least cautious optimism.

The standard in question is ISO/IEC 27001:2013, the latest version of the well-established standard for implementing security-oriented best practices.  

According to IT Governance, the cyber security services provider with a track record of implementing ISO 27001 since the standard’s launch in 2005, the 2013 version just released in the UK by the British Standards Institute (BSI), eliminates several hurdles that have dissuaded some organisations, including SMEs, from adopting the standard.

“ISO 27001 is simply the best protection available for organisations wanting to secure their information assets within a best practice framework,” said Alan Calder, Founder and Executive Chairman of IT Governance. “The 2013 update will make it much simpler and more attractive for a wider range of organisations to sign up, which is not only good business sense but also supports the government’s cyber security strategy.”

In addition to responding to today’s technology and vulnerabilities, the 2013 update increases the attractiveness of the standard through several new measures.

A key new feature is its greater focus upon the individual needs and context of an organisation. Many organisations considering ISO 27001 may already have various risk controls in place, which are dictated by particular functional, contractual and regulatory demands. Through the 2013 update, the standard now accepts these existing controls as the ‘baseline’ to which any additional required controls can simply be added.

And issue with ISO 27001 is that some feel it is too costly to adopt because a separate, dedicated structure of ISO 27001 risk controls need to operate in parallel with and organisation’s existing controls. The updated standard eliminates this objection by explicitly making existing controls the foundation for an organisation’s ISO 27001 compliance programme.

“Furthermore, the standard no longer requires that you use the `Plan, Do, Check, Act’ (PDCA)  methodology when implementing ISO 27001,” Calder said. “If your organisation instead prefers using, for example, ITIL for process implementations, that’s now absolutely fine. The key thing is to demonstrate what you have done – how you do it is your concern, which should be widely welcomed, especially in larger organisations.”

Another improvement in ISO 27001:2013 is a clearer delineation between the role of the board and management. The standard now more clearly recognises that the organisation board’s role is governance: giving direction to management on requirements and monitoring how those requirements are met. They no longer get involved in the details of programme implementation.  

The third area of improvement welcomed by Calder concerns the risk assessment process used in the standard, which SMEs may now find more intuitive and quicker to accomplish.

“Organisations will now have the option to jump straight to detailing the risks they face and how these risks should be controlled,” he said, “without first needing to break down threats, vulnerabilities and impact by individual asset. While an asset-based approach is still permitted and can achieve more rigorous protection, organisations that may have been deterred by this workload are now accommodated within the standard.

It is anticipated that following the launch of ISO 27001:2013, organisations already compliant with ISO 27001:2005 will have a transition period of 12-18 months in which to meet additional requirements for the updated standard.

IT Governance is able to advise both existing certificate holders and new adopters on the steps necessary to ensure compliance is achieved in a timely and cost-effective manner.

New state-of-the-art data centre features Vultr’s first AMD GPU supercompute cluster.
Only a quarter (25%) think their approach to the cloud is carefully considered and successful.
Moving to AWS Cloud will enable The Co-operative Bank to adopt cutting edge IT Infrastructure.
The global airline group will upgrade the value of its data and get its AI & generative AI ready...
Barracuda Networks’s award-winning Email Protection and Cloud Backup security solutions will be...
Leading company in renewables to leverage HPE’s unique turnkey AI infrastructure solution to...
The four-year project extension focuses on cloud transformation and enhanced operational efficiency...
Businesses in the UK are risking slower development as they fail to fully embrace technologies that...