CyberSecurity Malaysia | An Agency Under MOSTI

1. Introduction

e-Security | Vol: 36-1/2014 © CyberSecurity Malaysia 2014 - All Rights Reserved

ISO/IEC 27001 was revised and only recently published on 1st October 2013. The revised version, known as ISO/IEC 27001:2013 Information Security Management System (ISMS) - Requirements, replaces the old ISO/IEC 27001:2005 ISMS - Requirements, which has been the main reference since 2005. To ensure continuous compliance with ISO/IEC 27001, organisations with an existing ISO/IEC 27001:2005 certification need to migrate to the revised ISO/IEC 27001:2013. This article provides an overview of the changes in ISO/IEC 27001 since 2005, and guidance for organisations migrating to ISO/IEC 27001:2013.

2. What's new in ISO/IEC 27001:2013?

The first major change is structural. It aligns the standard with the other management system standards published by ISO: the new structure of ISO/IEC 27001:2013 mirrors the high-level structure shared by those standards. Thus, the four mandatory clauses in ISO/IEC 27001:2005 have now been increased to eight clauses (refer to Table 2). The new structure will make it easier for organisations that have achieved ISO/IEC 27001 certification to achieve certification against other management system standards such as ISO 9001, ISO 14001, etc.

Table 2: Mandatory clauses in ISO/IEC 27001

Mandatory clauses in ISO/IEC 27001:2005 | Mandatory clauses in ISO/IEC 27001:2013
Clause 4 Information Security Management System | Clause 4 Context of the organisation
Clause 5 Management responsibility | Clause 5 Leadership
Clause 6 Internal ISMS audits | Clause 6 Planning
Clause 7 Management review of ISMS | Clause 7 Support
Clause 8 ISMS improvement | Clause 8 Operation
- | Clause 9 Performance evaluation
- | Clause 10 Improvement

In addition, the risk assessment approach in this standard is more flexible than in the previous version. The risk assessment requirement in ISO/IEC 27001:2013 does not require that assets, threats and vulnerabilities be identified.
Thus, organisations are free to select whichever risk assessment methodology suits them. As organisations may already have an enterprise risk management approach, this allows them to use a common risk assessment methodology for information security risk assessment as well.

The other significant change in ISO/IEC 27001:2013 is in Annex A. Annex A defines the information security controls and the control objectives. This annex remains in ISO/IEC 27001, but the number of controls is reduced from 133 to 114 because several controls have been combined. The number of control areas is now 14. They are:

A.5 Information security policies
A.6 Organisation of information security
A.7 Human resources security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity
A.18 Compliance

Refer to Figure 1 for the overall view of the new ISMS requirements and information security controls in ISO/IEC 27001:2013.

Figure 1: Requirements and information security controls in ISO/IEC 27001:2013

Lastly, the contents of the standard have been revised and improved overall, in the hope that it is better understood by organisations. For example, in the ISO/IEC 27001:2005 version the topics for conducting ISMS review were scattered across various clauses, but in the new standard they are grouped together under Clause 9 Performance Evaluation.

3. How to migrate to the new ISO/IEC 27001:2013?

Firstly, organisations are recommended to send their relevant personnel for training sessions.
Personnel in charge of the ISMS should attend relevant training sessions to gain a better understanding of the new requirements in ISO/IEC 27001:2013. Examples of relevant training programmes are Introduction to ISO/IEC 27001:2013 and Migration to ISO/IEC 27001:2013.

Next, organisations that have implemented ISO/IEC 27001:2005 are advised to conduct a thorough gap analysis, because several requirements and controls have been added, revised or deleted in the revised ISO/IEC 27002:2013. By conducting a thorough gap analysis, the organisation will be able to assess the gap between its currently implemented ISMS and the new ISO/IEC 27001, and to understand the additional actions needed to comply with the new ISO/IEC 27001. It will also be able to develop a detailed plan, with a timeline, for the ISO/IEC 27001:2013 migration.

Furthermore, organisations should review their current documents, as they will most probably need to change and update them to suit ISO/IEC 27001:2013. One document that must be updated is the Statement of Applicability (SOA). An SOA is a document describing the control objectives and controls that are relevant and applicable to the organisation's ISMS. The SOA lists all information security controls that the organisation has implemented and should be implementing. If there are new information security controls from ISO/IEC 27002:2013 that should be implemented, the SOA should be updated to reflect this change. Furthermore, there is also a possibility for organisations to develop new policy