Deming Certification Services Pvt Ltd

ISO 20957-1:2013 Certification

Courtesy: ISO 20957-1:2013 Certification

Structure of the standard

The official title of the standard is “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action

Annex A: List of controls and their objectives

This structure mirrors other management standards such as ISO 22301 (business continuity management), which helps organizations comply with multiple management system standards if they wish. Annexes B and C of ISO/IEC 27001:2005 have been removed.

Clause 6.1.3 describes how an organization can respond to risks with a risk treatment plan; an important part of this is choosing appropriate controls. A very important change in ISO/IEC 27001:2013 is that there is now no requirement to use the Annex A controls to manage the information security risks. The previous version insisted (“shall”) that controls identified in the risk assessment to manage the risks must have been selected from Annex A. Thus almost every risk assessment ever completed under the old version of ISO/IEC 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls. This is the main reason for this change in the new version.

There are 114 controls in 14 groups and 35 control categories:

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls that are applied before, during, or after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

The controls reflect changes to technology affecting many organizations—for instance, cloud computing—but as stated above it is possible to use and be certified to ISO/IEC 27001:2013 and not use any of these controls.
