BSI certificate for information security: Certificate No. IS 85916
BSI certificate for quality: Certificate No. FS 30710


Overview

ISO/IEC 27001 is being revised and, as members of BSI's team of experts, Gamma is making substantial contributions to the revision process.

The major influences are:

  • ISO Guide 83 (High level structure and identical text for management system standards), which has caused ISO to adopt a new structure for ISO/IEC 27001
  • ISO 31000 (Risk management - principles and guidelines), which has caused ISO to rethink its approach to risk assessment
  • Practical experience in applying ISO/IEC 27001: 2005.

The revision process

ISO JTC 1 SC 27 WG 1, the committee responsible for ISO/IEC 27001, meets twice per year, in April/May and in October. Having decided to revise the standard, co-editors are assigned. Each National Body (e.g. BSI in the UK), of which there are about 42, comments on the standard. Comments must precisely identify the subject, explain why the comment is being made and propose changes. These are then collated by the co-editors, who guide us through them in the international meetings and moderate the discussion amongst the assembled national experts in order to achieve a consensus resolution of each one. Afterwards they produce a new draft and, most importantly, a disposition of comments so that each National Body knows whether its comments have been accepted or not, and if not, why not. This is tough work: as ISO/IEC 27001 is a popular and important standard, there can be hundreds of comments. At our meeting in Nairobi, for example, there were over 470 comments, which gave rise to a 137-page Disposition of Comments.

The current version of the standard is called a Committee Draft (CD) and, as we are working on the second such draft, it is called CD2. Prior to the CDs there were four Working Drafts (WDs). The meetings at which these documents were discussed, together with their significant outcomes, were:

Location         | Date         | Version | Significant outcomes
Beijing, China   | April 2009   | 2005    | Decision to revise ISO/IEC 27001:2005; call to dump Annex A
Redmond, USA     | October 2009 | WD1     | Call to retain Annex A; agreement to align with ISO 31000
Melaka, Malaysia | April 2010   | WD2     | Agreement to adopt Guide 83; decision on Annex A deferred to Berlin; first consensus thoughts on alignment with ISO 31000
Berlin, Germany  | October 2010 | WD3     | Decision taken to retain Annex A as a cross-checking mechanism; first consensus thoughts on alignment with Guide 83; existing risk assessment requirements challenged
Singapore        | April 2011   | WD4     | Decision to lose the detailed risk assessment requirements; agreement on how to align with ISO Guide 83
Nairobi          | October 2011 | CD1     | Removal of duplicate requirements and further work on the revised risk assessment requirements
Stockholm        | May 2012     | CD2     |

CD2 will be voted on in February 2012 and comments upon it resolved at the May meeting, which will be held in Stockholm, Sweden. In Gamma's estimation the revised standard will be published in 2013.

ISO Guide 83

Annex C to ISO/IEC 27001:2005 compares its requirements with those of ISO 9001 and ISO 14001. The fact that there are many similarities is quite intentional, and was one of the original objectives in creating BS 7799-2:2002 as it eases an organisation's ability to construct and operate integrated management systems. However, there are subtle differences which have reputedly made it difficult for some organisations.

Accordingly, ISO's Technical Management Board (TMB) commissioned the Joint Technical Coordination Group (JTCG) to establish a new standard for developing management system standards. The result is Guide 83. It is currently in draft and will be voted upon by National Bodies this September.

It specifies a common structure for all management system standards, and where requirements are deemed to be identical there is identical text. There are rules for the integration of discipline-specific requirements.

The figure shows the mapping between the current version of ISO/IEC 27001 and the first CD, which conforms to that specified by Guide 83.

Much of sections 4-7 and 9-10 consists of the Guide 83 identical text with very little additional information security specific text. The bulk of the information security specific text has been put into Section 8 - Operations.

Figure: The mapping between ISO/IEC 27001:2005 and the structure specified by Guide 83.

ISO 31000

ISO 31000:2009 is a new standard on risk management. It is generally applicable to all disciplines.

The standard contains some familiar terms, such as event, impact and likelihood; but also some unfamiliar ones, such as consequence and source of risk. Most noticeable, however, is the absence of the familiar information security terms: assets, threats and vulnerabilities. Another difference is that ISO 31000 lists seven ways to treat risk, as opposed to the four ways in ISO/IEC 27001:2005. It also uses the ISO Guide 73 definition of control, namely a measure that modifies risk.

Perhaps unsurprisingly, we found that it was possible to recast the Brewer-List method without using assets, threats and vulnerabilities, and drew the conclusion that it is possible to conduct a risk assessment without using assets, threats and vulnerabilities. This is now generally accepted, and since CD1 there has been no mention of assets, threats or vulnerabilities in the standard.

Making sure it will work

As part of our ISO work, we are planning to build a CD2-conformant ISMS and to study the particular challenges that organisations will face when converting an existing ISMS to the new standard.

Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2008 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 2011
Page last updated: 28 July, 2011