As forward-thinking as the 2005 version of the ISO 27001 was, it had one unavoidable drawback: time. Digital environments have changed so much over the past eight years that some degree of obsolescence was inevitable. The iPhone didn’t debut until 2007, the Android in 2008, the iPad in 2010. These devices are so prevalent today that many people forget that they are relatively recent innovations. Cloud computing was still in its relative infancy as well. Furthermore, in 2005, Wi-Fi was almost a novelty; today, you can connect wirelessly in almost every coffee shop, commuter train, school campus, and airport. The proliferation of portable technology, coupled with the ability to wire in just about any place, has given rise to the bring-your-own-device (BYOD) phenomenon, in which employees more frequently are using personal devices to perform company business.
Another development in the past eight years is how companies collect data and who has access to that information. Websites increasingly require some sort of registration to view content or make a purchase; employee and customer information is now widely and securely available online. Furthermore, organizations are turning to third parties to collect, store, and manage this data.
Not surprisingly, these technological advances and information-gathering practices have resulted in new, more elaborate threats designed to steal this data. Cyberattacks have grown more sophisticated in order to keep up with continually changing digital environments. Take the previously mentioned example of the retail giant’s data breach. Eight years ago, the mere fact that a company could store 110 million customer records, much less that those records could be stolen, seemed unthinkable. Yet incidents of this magnitude are not only possible, but are also resulting in disastrous consequences. The information security threats that these advances produced have moved the risk management and security control context beyond that captured by the original ISO 27001, hence its need for revision.
ISO 27001:2013 provides an updated management system blueprint with a substantially revised and updated set of security controls (in its Annex A) that enable organizations to comprehensively compare how they select controls for, operate, and maintain an ISMS in the current digital and organizational universe.
ISO 27001:2013 actually streamlines these controls, with only 113 as compared with 133 in the previous ISO (though the number of control groups has increased from 11 to 14, and some controls are now located in different control groups). These updates include changes to:
Project management
Secure development policy
Secure system engineering principles
Development environment security
System security testing
Assessment of and decision on information security events
Availability of information processing facilities
Integrated Management Systems
ISO 27001:2013 is written so it also can be adapted to the high-level structure used in other ISO management standards, including ISO 9000, ISO 14000 and ISO/IEC 20000-1. This modification will permit easier integration of ISMS into existing (and multiple) management systems. As a result, though the principles embodied in the new ISO 27001 are similar to those in the old, the structure is substantially different, and someone familiar with the previous version will not feel immediately “at home” with the new.
Outsourcing
The trend of outsourcing information gathering, storage, and security was already picking up steam when the first iteration of ISO 27001 was introduced in 2005. This contracting of IT to third parties is now even more prevalent than it was a decade ago, and today’s organizations are understandably concerned with how their data is being managed and protected outside of their own systems. ISO 27001:2013 recognizes this and added a section devoted to outsourcing, thus providing additional guidance to companies that entrust their IT to third-party vendors.
Simplified Process Model
The original 27001 emphasized Plan-Do-Check-Act (PDCA), a four-step method for managing processes—in this application, information security management processes. ISO 27001:2013 no longer makes reference to the PDCA model, largely because it implies too much rigidity in the ordering of steps. The update does not demand that steps be conducted in the order they are defined, instead requiring that all of its requirements be in place. The removal of PDCA also allows organizations greater flexibility in how they design and operate their ISMS and select controls—so long as they are meeting all the requirements of the standard.
Risk Ownership
The term “asset owner” was an integral part of ISO 27001:2005. This term referenced the assets, threats, and vulnerabilities that needed to be identified to adhere to the standard. In the new iteration of ISO 27001, asset ownership is replaced with “risk ownership”; this term implies a greater level of responsibility in addressing and mitigating risks. The terminology change also provides companies more flexibility to create their own risk management processes, but calls for added leadership to ensure those goals are achieved and maintained.
Interested Parties
Another language change with the new 27001 is that “stakeholders” are now referred to as “interested parties.” Though on the surface this may seem semantic, the revision does carry vendor risk implications. With this change, organizations must now determine and ensure that relevant third-party entities are addressing information security risks associated with information and communications technology services. Though this might be standard operating procedure for some 27001-compliant companies, for others it will require a greater focus on vendor risk management.
Don’t wait:
Your company may have until as late as September 2015 to achieve compliance with the new version. That’s a long timeframe, and putting off the update might be tempting. But for this endeavor, procrastination isn’t wise. First, you don’t want to be scrambling at the last minute to achieve certification if that is your ultimate goal (which it should be). Second, while you wait, the threats that the new 27001 is meant to address are still out there, poised to become a problem. The upgrade doesn’t need to occur all at once, and a gradual process will make it all the less stressful. And if a company is taking its time, risk management staffs can always be proactive with vendors so that they are on board once the parent organization is compliant.
Delegate responsibilities:
The new ISO 27001, much like the old one, has many moving parts. Several different individuals across multiple departments may be charged with helping to achieve compliance. The inclusion of all these components underscores the importance of delegating who is responsible for what, especially as companies and their vendors transition to the updated 27001. Automated screenings already do a good job of delegation by ensuring that the correct people are answering the parts of assessments most applicable to their responsibilities. Risk staffs and IT departments can go a step further by assigning a specialist or a team of specialists to handle the transition to the update, as well as encouraging vendors to take similar steps.
Evantix Risk Manager streamlines the vendor risk assessment process, eliminates the spreadsheets that bog down your compliance efforts, and frees you and your staff to do what you do best—analyze and manage risk with the third parties that require the most guidance.
Advanced auditing: Our solution delegates and tracks who at a vendor is responding to the assessment. Suppliers appreciate this approach because it doesn’t expose details of one department to another department that doesn’t need to know that information. You will appreciate this approach because assessments are completed quicker and with more accuracy.
On-demand risk reports: When a vendor risk assessment is completed with the Evantix platform, it is saved and aggregated in our database. If your company needs a risk report quickly without the benefit of a thorough assessment, we can provide that within hours of your request.
Evantix is a pioneer in the automated vendor risk management field. Clients such as eBay, McGraw Hill, PayPal, Aclara, and Adobe have turned to our solutions to improve their risk relationship with their vendors. We not only provide the platform for your vendor risk management needs, but also the support, tools, and training to make your risk efforts a success. For more information and to request a free demo, visit www.evantix.com or call 949-614-7076.