In a conversation with Edward Humphreys, the Convener of the working group responsible for the development and maintenance of ISO/IEC 27001, we asked about some of the ways the revision process will affect users of the standard. Here are some of the responses from the discussion:

What are the major benefits of the new edition?

The new edition is updated with the experiences of people who have sought and implemented ISO/IEC 27001:2005 in mind. Our dream is to make the approach more flexible, with greater potential for more effective risk management.

Also, there are a sizeable number of improvements made to the security controls listed in Annex A, which are meant to ensure that the standard remains relevant in dealing with today’s risks, in areas such as identity theft, risks related to mobile devices, and other online threats.

Lastly, we’ve modified the new ISO/IEC 27001 to fit the new high-level structure now used in all management system standards. The goal is to make the new ISO/IEC 27001 integrate easily with other management systems.

What are the benefits of modifying the new edition to fit the new high level structure for management system standards?

The integration of ISO/IEC 27001 with the new structure makes it easy for organizations to implement more than one management system at the same time. This alignment between the standards will help organizations to save money and time, as it is easier to adopt the integrated policies and procedures.

For instance, it is now possible for an organization to integrate their information security system (ISO/IEC 27001) with other management systems like the business continuity management (ISO/IEC 22301), IT service management (ISO/IEC 20000-1) or quality management (ISO 9001).

What is the next step in the revision process?

At the moment, the revision of the 2005 edition is at the stage of FDIS (Final Draft International Standard). It should be completed by early September, and thorough typographical editing will be conducted afterward in readiness for the October launch. Upon the launch, the new edition of ISO/IEC 27001 will be made available for purchase, while the older version will be withdrawn from the public.

If I’m certified to ISO 27001:2005, what will this update mean for me?

If your organization is certified to the 2005 edition of the standard, you will be required to upgrade your information security management system so it can comply with the requirements of the new version. Although the transition period for the upgrade has not been decided yet, it should not be more than two to three years after the publication of the new edition. Therefore, all accredited certifying establishments should take the transition period as a grace period to ensure their activities conform to the requirements of the new version. Only those who comply with the new requirements will have valid certificates at the end of the transition period.

What does it take to transition from the old version to the new one?

The process of upgrading to the new edition of ISO/IEC 27001 should not be problematic. Of course, the transition period provides the opportunity to perfect the upgrading process through continual improvement activities and planned surveillance audits.