Amended version of ISO 27001: New requirements for IT Security

08.05.2014: ISO 27001 already makes an effective contribution to the protection of information. Now this IT security standard has been amended for the first time. Its new structure focuses on good risk management and makes it easier for smaller companies to participate.

ISO 27001:2013 has now been harmonised with the High Level Structure, and large sections of the Standard are identical to those found in other management system requirements, such as ISO 9001. The High Level Structure means that a much clearer definition of responsibilities for individual actions is required than has hitherto been the case, and the top management of companies and organisations is also involved to a greater extent. The points of emphasis have been weighted differently; for example, instead of being a specific ISMS core requirement, documentation is now considered to have more of a support function. “We welcome this step, as it means that the core business of the organisation is under the spotlight rather than the documents. After all, what is needed is an information management system, and not a document management system”, says Claudia Käsehagen, Head of Quality & Safety at TÜV NORD.

The requirements for control of risks are also new. They have been harmonised with Risk Management Standard ISO 31000 and are therefore considerably stricter. Seen as a whole, certified organisations enjoy more flexibility than before – but receive less specific guidance from the Standard.

Certifications based on the new ISO 27001:2013 are possible with immediate effect. However, certification processes that have already been started may be continued as planned and the changeover made at each surveillance audit. The transitional period for existing certificates based on the previous Standard ends on 1 October 2015. As from October 2014, certificates for first or re-certification can only be issued on the basis of the new Standard. “The changeover is based on an audit within the respective organisation” says Claudia Käsehagen.

More information is also available at: www.dakks.de/en and www.tuv-nord.com

About TÜV NORD GROUP

With over 10,000 employees, TÜV NORD GROUP is one of the largest technical service providers, offering its advisory, service and inspection expertise in over 70 countries throughout the world. Areas of activity include Industrial Services, Mobility, IT and Training. TÜV NORD GROUP occupies a unique position in the sector based on its work in the fields of natural resources and aerospace and is firmly committed to its guiding principle and watchword: “Excellence for your business”.
