Transitioning to ISO/IEC 27001:2013

You already have an ISMS certified to ISO/IEC 27001:2005 and you want to transition to the new standard efficiently, without unnecessary costs or disruption. However, you also want to realise the full benefits arising from the philosophical and practical changes within the new standard.

Your response - ask Gamma to help

Gamma can help you plan your transition now and implement the transition when it is time.

There are essentially two ways to transition:

  • You take a minimalistic approach, making the least possible changes
  • You take advantage of the new standard to sweep away old practices and start afresh.

The first option makes great sense if you know that your ISMS is working efficiently and effectively, and you may gauge that from your performance in certification audits. If you have lots of nonconformities and observations, maybe you should opt for the alternative approach. You might also take advantage of our health check and tune up service to help you decide. If you do that, we will conduct our review with the new version of the standard in mind.

As explained in our page on the new standard, there is a good mapping between the ISO/IEC 27001:2013 requirements and the ISO/IEC 27001:2005 requirements. This means that in electing for the minimalistic approach we would simply need to identify how you meet particular ISO/IEC 27001:2005 requirements (these are identified in our mapping tables) and use this information to generate a new conformance matrix for you.

However, there are some new requirements, and we will determine the best way for you to implement these so that they blend well with your existing (or proposed) ISMS practices. Some requirements have also changed or have been deleted. A particular example is the generalisation of the risk assessment requirements, which may make risk assessment easier for you. Annex A has also changed, to align with the new version of ISO/IEC 27002.

There is also likely to be a requirement to retrain those of your staff who are involved in the operation of your ISMS. We will therefore perform a training needs analysis and propose a retraining programme.

At the conclusion of our work we will present to you a report explaining what you need to do, step by step, to undertake the transition, including retraining, together with estimates for the effort and costs involved.

You may elect to commission us to perform the training as part of this transition service, or later, when you decide to implement your new transition plan. We would be pleased to assist you with that implementation as well.

Your next move

... simply email us, or telephone +44(0)1276 702 505. Why not do it now!