A lot of noise on the shore, a lot of material to read, and a lot more people talking about the newer version, ISO ISMS 27001:2013, right? Here I am going to state the top 5 changes, the top reasons why you need to adopt the newer version.
The question boggling everyone certified to 27001:2015 is: why? What is the need? How do we get trained? I am here to answer all the questions raised by this newcomer.
Top 5 reasons to adopt the new standard ISMS 27001:2013
The high-level structure
The previous version, 27001:2005, was released 8 years ago, and information technology has changed significantly in those years. This revision, ISMS 27001:2013, uses a new high-level structure that aligns with all the new management standards, allowing easy flexibility and integration when implementing any new management standard alongside it.
Risk Assessment and mitigation
The central change in the new standard is the risk management process, which gives the risk owner far more flexibility. You identify the risk, analyze it, track and document it, and handle the risk mitigation plan in terms of integrity and confidentiality, thereby aligning the risk process with the risk management standard ISO 31000. The risk assessment plan is clearer, more comprehensive and more objective, which is a requisite for IT security management. So there is good enough IT risk management in the process, and people will be better able to achieve the information security objectives.
Controls in Annexure A
Supply chain management security has been inserted into Annexure A. The controls have been revised in a way that helps secure supplier relationships. Redundancy among the controls has also been removed, and the grouping is more logical. Specific controls have also been added.
Changes in domains, control objectives and feature controls
The number of domains has increased, while the total number of controls has decreased. There are 14 domains, 35 control objectives and 112 detailed controls. One of the great clauses added is the assessment of and decision on IT security events, which focuses on the incident response program.
Performance evaluation essentials
With ISMS 27001:2013, performance will be managed on a defined scale. This includes monitoring, measurement and analysis; internal audit; and management review. Monitoring defines what you need to monitor, internal audit focuses on the specified measurements and clauses, and management review is based on the audit results that fall under this category. This will give an uplift to the implementation of your IT security management process.
Knowing that IT security is a necessary requirement of any organization, and reviewing all the changes laid out here, I am sure your organization will gain huge benefits from an ISO 27001:2013 implementation that is indispensable to organization-level requirements.