ISACA Journal
Volume 2, 2014

Features 

Aligning Information Security With Enterprise Risk Management Using ISO/IEC 27001:2013 

Vimal Mani, CISA, CICA 

In November 2013, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) formally released the long-anticipated updates to ISO/IEC 27001 and 27002. The last time these standards were updated was in 2005.

The revised version of ISO/IEC 27001:2013[1] introduces significant structural changes to the standard's individual sections, along with a number of new information security controls. Much of the text and requirements from the previous version of the standard is still there, but it has been adapted to fit new and expanding topics.

Key Changes to the Revised Standard

The following are the key changes in the newly revised standard:

  • Changes introduced in risk assessment (clause 6.1.2)—Assets, vulnerabilities and threats are no longer the required basis of risk assessment. The new requirements identify risk associated with confidentiality, integrity and availability (CIA) factors, based on the organizational context. Organizations now have the option of outlining the risk they face and how it should be controlled without first breaking down threats, vulnerabilities and impact by individual asset. An asset-based approach is still permitted and can achieve more rigorous protection, but organizations that were deterred by that workload now have an alternative under the revised standard. This gives organizations greater flexibility in choosing how to assess their information security risk. It also provides opportunities for identifying strategic risk related to information security, beyond the technical risk found around IT assets.
  • Introduction of risk ownership (clauses 6.1.2 and 6.2)—The concept of asset owner is replaced with a new term, “risk owners,” which makes management at a higher level responsible and accountable for various identified risk. By focusing on the risk-owners approach, organizations will no longer be bound by the old asset ownership, allowing them the flexibility to choose and implement any risk management method that better suits the organization. Also, this will help better align information security risk management activities with the enterprise risk management activities of an organization.
  • More importance given to interested parties (clause 4.2)—The importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients and partners, is recognized in ISO/IEC 27001:2013. In the revised standard, a separate clause has been added that specifies that all interested parties must be listed together with all their requirements. This is helpful in getting key inputs into the information security management system (ISMS) from various interested parties who will have a stake in an organization’s ISMS implementation.
  • Addressing strategic risk—ISO/IEC 27001:2013 also includes upside risk (strategic risk) instead of focusing only on downside risk (technical risk). As part of the risk management process, organizations are now required to identify opportunities and make sure these are realized. These are opportunities for the ISMS to support the business, enabling it to operate better than it did previously.
  • Changes in the number of control sections and controls—This change has resulted in the removal of some controls, the addition of other controls, the requirement of some new documents and the omission of some unnecessary documents. The number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14 (figure 1 and figure 2). The structure of some of the sections has been changed to allow for better arrangement of controls for implementation.
Figure 1 and Figure 2 (images not reproduced in this text version)
  • Improved communication on information security (clause 7.4)—In the previous version of the standard, not much emphasis was given to communication of information security implementation in an organization. There is a new clause added in the revised standard where all the communication requirements (e.g., what needs to be communicated, when, by whom, through which means) are summarized. This is meant to help overcome the problem of information security being viewed as only an “IT thing” or a “security thing.”
  • Improved management oversight through monitoring of controls (clause 5.1)—ISO/IEC 27001:2005 broadly talked about monitoring the ISMS implementation and the effectiveness of information security controls through management oversight. The revised standard takes a much more focused approach and calls out the importance of having a documented plan or rationale for monitoring specific processes and controls through exclusive clauses introduced with very concrete rules. These rules explain how to set clear objectives, who will measure them and when, and who should analyze and evaluate those results. This is intended to bring ISMS closer to other management processes in an organization.

Value Addition Aligned With Other Management System Standards

Figure 3 (image not reproduced in this text version)

The revised standard is aligned with most of the management system standards practiced in the industry globally (figure 3). It is also important to note that the revised standard has a strong focus on aligning information security management with enterprise risk management (ERM) practices.

Business Case for ISO/IEC 27001:2013 Implementation

The updated standard can be implemented for the following purposes:

  • Fighting cybercrime—Introducing the ISO/IEC 27001 ISMS will help protect businesses from the threat of organized crime.
  • Recovering from accidents—Organizations can minimize the risk that information will be lost or corrupted as a result of human error.
  • Improving corporate governance—Reducing the organization’s financial exposure to the risk of losses resulting from IT system failure is now a corporate governance requirement. ISO/IEC 27001 can help companies comply.
  • Aligning with ERM—The newer version aligns information security risk management (ISRM) with ERM activities.

Conclusion

The improved management oversight and flexible context-based risk assessment practices of ISO/IEC 27001:2013 will help organizations align their ISRM practices fully with their ERM practices. It is advisable that organizations plan to implement, as well as transition into, the newer version of ISO/IEC 27001:2013 from the current version (ISO/IEC 27001:2005).

Endnote

1 International Organization for Standardization (ISO), ISO 27001:2013 Information technology—Security techniques—Information security management systems—Requirements, 2013

Vimal Mani, CISA, CICA, is senior manager of IT consulting at Protiviti (Middle East), based in Kuwait. Mani handles risk and business consulting; internal audit engagements focused on identifying and mitigating information risk, technology risk, software and ICT supply chain risk; and more. He also handles management consultancy engagements focused on developing, implementing and bringing improvements into the practices of corporate governance, business governance, IT governance, and business transformation and turnaround initiatives for clients. Mani is an active member of the ISACA Kuwait Chapter. He can be reached at vimal.mani@protivitiglobal.me.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.