BSI Group Australia and New Zealand announces the publication of the revised BS ISO/IEC 27001:2013 and BS ISO/IEC 27002:2013 standards governing information security.
First conceived at business standards company BSI in the form of BS 7799, the standards help businesses manage information security. The 2013 revision of the international standard will enable businesses of all sizes and sectors to accommodate the rapid evolution and increased complexity of managing information and the continual challenge posed by cyber security.
The revisions reflect the transformation in the way business is conducted today compared to 1995 when the BS 7799 standard was first used; the revised standards also factor in the changed information security needs thanks to technological advances over the years.
The revisions will help further change perceptions amongst businesses that information security is limited to IT, and includes wider elements such as people. It also takes into account the interactions that can occur between other management system standards and issues such as Risk Management and Business Continuity Management.
One of the fastest growing management system standards used around the globe, the ISO/IEC 27001 standard is used for third-party accredited certifications with at least 17,500 certificates having been issued in 100 countries with a continual trend of double digit growth year-on-year. Its use is supported by Code of Practice document ISO/IEC 27002. Both were developed through consensus of the international community with a membership of over 47 national standards bodies.
According to Anne Hayes, Head of Market Development for Risk at BSI, businesses need to avoid complacency with regard to Information Security and ensure that their practices are in line with today’s business environment. Given the rapid growth and pervasiveness of IT within the workplace, and the rising awareness of the importance of cyber security, extra vigilance is needed and can now be better provided.
ISO/IEC 27001 standard
ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system.
Key changes to the ISO/IEC 27001 standard include modification to fit the new high-level structure used in all management system standards, simplifying its integration with other management systems; and incorporation of feedback from users of the 2005 version, generically taking into account the changing technological landscape of the last eight years.
How businesses can benefit from ISO/IEC 27001
Businesses can enhance their reputation by including themselves in the large percentage of recognised global businesses that have implemented the standard. The ISO/IEC 27001 protects the business by identifying risks and putting in controls to manage or reduce them, helping them gain stakeholder and customer trust that their data is protected. Businesses can also increase tender opportunities by demonstrating compliance and gaining status as a preferred supplier.
ISO/IEC 27002 standard
ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security controls gives guidelines on how to use ISO/IEC 27001 for organisational information security standards and information security management.
Key changes to the ISO/IEC 27002 standard include removal of duplication with ISO/IEC 27001 for ease of use; and revised and simplified guidance to address new/existing Information Security needs.
How businesses can benefit from ISO/IEC 27002
The ISO/IEC 27002 offers businesses a flexible set of controls to be used in the way an organisation wants to protect itself; and will also reflect the new threats faced by an organisation.
For organisations that are already certified to ISO 27001:2005, BSI has a range of tools including training courses, transition guides, webinars and events to help them transition to the new standard.