Is your organization currently ISO 27001:2005 certified and looking for direction on upgrading to ISO 27001:2013?

Look no further! Here are some of the key steps you need to take to migrate to the new standard:

In a previous blog post we covered the key differences between the ISO 27001:2005 and 2013 versions.

Step 1 – You need an information security context register (or a similarly named document) that lists the organization’s key strategic issues, risks, and external and internal requirements for information security. This document is an input to the selection of your scope. In practice, if you are the security manager, this means ensuring that information security is aligned with the business objectives and that this alignment leads to the selection of the right scope for ISO 27001 certification.

Step 2 – Perform a gap analysis against the 114 controls of ISO 27001:2013. This will identify the additional security controls that apply to your business and need to be implemented. Controls such as information security in project management are new in the 2013 standard; there are nearly 15 such new controls that require implementation, and your gap analysis will show which of them apply to you.

Step 3 – Close the identified gaps. This involves policy writing, training, and collecting records from the teams that are responsible for the implementation.

Step 4 – The new standard requires ‘risk ownership’, ‘communication’ and ‘accountability’. Establish processes for these based on how you understand the terms. One approach is to divide the Statement of Applicability (SoA) controls among organisational teams and designate those teams as control/risk owners.

Step 5 – A security performance dashboard is an additional requirement that needs to be implemented. This reporting enforces a higher degree of ownership among the teams protecting the organization.

Step 6 – Complete the key procedural documentation in line with the ISO 27001:2013 requirements, for example by writing the ISMS Manual in line with the requirements of the new standard.

Step 7 – Internal audit. This verifies that both the existing and the new policies have been implemented successfully.

Step 8 – Management review. If the internal audit raises no major findings, go ahead and apply for the upgrade.

This is an attempt to keep the ISO 27001:2013 migration simple.

Organizational complexities, such as the number of locations, the technology in use, vendor relationships, security compliance responsibilities and a lack of policy writing skills, may delay the migration.

Hope this helps!

Author: Probal C