e-Security | Vol: 36-12014 © CyberSecurity Malaysia 2014 - All Rights Reserved 19

v. What are the documents and records that need to be produced

for the new 2013 revision? Many organisations used to complain about the amount of documents they had to produce for the 2005 version; however the new 2013 revision omits quite a number of those documents. For example, there is no requirement to develop an “ISMS Policy” but an “Information Security Policy” will sufice. See Table 1 for the minimum set of documents and records required by the new 2013 revision. This is by no means a deinitive list of documents and records – any other documents are to be added to improve the level of information security. vi. I am currently implementing the 2005 version and will go through certification audits in the near future. What about my current implementation? If you are at the early stages of implementing the 2005 version, and unlikely to go through the certiication audits before 1st October 2014, it is better to pursue the new standard ISOIEC 27001:2013. vii. What are the other changes in the new 2013 revision? • The new version of ISMS emphasises on business requirements and expectations of interested parties. It aims to add greater economic opportunities to the business community. To allow this to happen, the PDCA model has been removed. • The revised version has 113 controls, as opposed to the original 133 controls in the 2005 version. There is now 14 control domains in the current version; compared to the previous 11 Statement of Applicability 6.1.3 d Documents Risk treatment plan 6.1.3 e, 6.2 Risk assessment report 8.2 Deinition of security roles and responsibilities A.7.1.2, A.13.2.4 Inventory of assets A.8.1.1 Acceptable use of assets A.8.1.3 Access control policy A.9.1.1 Operating procedures for IT management A.12.1.1 Secure system engineering principles A.14.2.5 Supplier security policy A.15.1.1 Incident management procedure A.16.1.5 Business continuity procedures A.17.1.2 Legal, regulatory, and contractual requirements A.18.1.1 Records Records of training, skills, experience and qualiications 7.2 Monitoring and measurement results 9.1 Internal audit program 9.2 Results of internal audits 9.2 Results of the management review 9.3 Results of corrective actions 10.1 Logs of user activities, exceptions, and security events A.12.4.1, A.12.4.3 Table 1 : Minimum set of documents and records required by the new 2013 revision e-Security | Vol: 36-12014 © CyberSecurity Malaysia 2014 - All Rights Reserved 20 control domains Figure 1. • The risk has been aligned with ISO 31000:2009 Risk Management— Principles and Guidelines, making the risk assessment requirement more general. It is no longer necessary to identify assets, threats and vulnerabilities . However, if the risk methodology uses an approach based on assets, threats and vulnerabilities, it is acceptable too. • When implementing ISMS, the controls must irst be determined in the risk treatment process, before comparison is made with Annex A. Figure 1 : The New Controls Added to ISO 27001:2013 Annex A as opposed to the old version Controls from Annex A can be excluded if the organisation concludes there are no risks or other requirements which would demand the implementation of a control. In the new 2013 version, controls must irst be determined in the risk treatment process before comparison is made with Annex A. These controls can come from other best practices or sector speciic standards. There would be three different situation where the controls from Annex A can be utilised as depicted in Figure 2. In the irst situation, the there is a 100 percent overlap between the selected controls and Annex A. In the second situation, there is a partial overlap between the selected controls and Annex A. Finally, in the third situation, there is a 100 percent segregation between the selected controls and Annex A. As such, we look forward to see the new 2013 implementation. Figure 2 : Different situations in utilizing controls from Annex A viii. What happens after the transition period ends? On the 1st of October 2015, two years after publication of the new version, all certiied organisations are expected to be in full compliance with ISOIEC 27001:2013 and have new certiicates issued. On the 2nd of October 2015, all certiicates referring to ISO IEC 27001:2005 or MS ISOIEC 27001:2007 will become invalid and withdrawn. Conclusion Meeting the requirements of the new standard has never been easier. However, this new version has been revised through practical experiences from the older version, making it more lexible and giving more freedom on how to implement it. For further details, kindly contact csm27001cybersecurity.my. ￭ Reference: 1. The All New ISO 27001:2013 – Nothing Much to Worry, http:www.cyberintelligence.myblog 2. Checklist of Mandatory Documentation Required by ISOIEC 27001 2013 Revision, Information Security Business Continuity Academy 3. Certified Organisation Register - http: csm27001.cybersecurity.myorg-cert.html 4. QMS Certification - http:www.malaysian- certified.my A.5. Security policy A.6. Organisation of information security A.7. Asset management A.8. Human resource security A.9. Physical and environmental security access control A.10. Communications and operations management A.11. Access control A.12. System acquisition, development and maintenance A.13. Information security incident management A.14. Business continuity management A.15. Compliance A.5. Security policy A.6. Organisation of information security A.7. Human resource security A.8. Asset management A.9. Access control A.10. Cryptography A.11. Physical and environmental security A.12. Operations security A.13. Communication security A.14. System acquisition, development and maintenance A.15. Supplier relationships A.16. Information security incident management A.17. Information security aspects of business continuity management A.18. Compliance 2013 New chapters introduced 2005