Is Your Organization Ready for the 2013 Version of ISO 27001?

Your company’s certification status could be in jeopardy if you implement the changes incorrectly.

John B. Weaver shares his thoughts ...

The 2013 versions of ISO 27001 and ISO 27002 were released by the International Organization for Standardization (ISO) on October 1, 2013 and are now available. There are some interesting differences in the way the general requirements (Clauses 4-10) are organized and described. There are fewer controls in Annex A (114) but more control areas (14), reflecting a better logical aggregation. ISO 27001:2013 is also the second ISO standard to conform to Annex SL of the ISO/IEC Directives (Part 1), which provides guidance on standardizing management system frameworks. Taken in total, these changes will have a significant impact on organizations that are currently certified to ISO 27001:2005 as well as organizations pursuing initial certification.

With regard to certification, the release of ISO 27001:2013 and withdrawal of ISO 27001:2005 means that there will be a transition period dictated by the accreditation bodies and adapted by the registrars. In practical terms, a transition period of 12 to 18 months (specified by the registrars) starting on October 1, 2013 is anticipated, depending on whether your organization is pursuing an initial certification or is already certified and migrating to the 2013 version. All Information Security Management System (ISMS) certifications must be registered under the new version after October 1, 2015.

If your organization is looking for assistance with the implementation of ISO 27001:2013, be careful to select a competent and qualified advisor. There are consultants disseminating incorrect information that, if implemented, could jeopardize your company’s certification status. The first step in assuring a successful transition is to read the standard. ISO 27001:2013 and ISO 27002:2013 (and 13 other 27000-series standards) are available online for download at the ANSI Store and elsewhere.

John B. Weaver is president and CEO of JBW Group International with 25 years’ experience in reading coma-inducing information security standards and killing the buzz at cocktail parties by talking about them.