The requirements of ISO 27001 changed considerably in the 2013 revision compared to the first version from 2005. Not only was the general structure of the standard altered, its requirements were also tightened substantially.
The ISO 27001 standard follows a process-oriented approach in the implementation of an information security management system (ISMS). While an explicit reference to the PDCA model was included in the earlier version, this is no longer mandatory. The requirements apply to all sizes and types of organization.
ISO 27001 stipulates that companies must define and consider all external and internal topics that affect their ability to successfully implement an ISMS. These primarily include the corporate culture, environmental conditions, regulatory requirements, contractual and legal obligations, as well as governance guidelines. ISO 27001 expects the top management of an organization to define the information security policy as well as the responsibility and competencies for implementing the requirements. Moreover, the company must commit to raising awareness for information security throughout the entire organization.
Planning also plays a key role in ISO 27001 certification. For instance, the requirements include assessing specific information security risks for the organization as well as developing an action plan. The responsibility for determining the risks and their prevention lies solely with the organization. What’s more, the standard stipulates that the company must make resources available to safeguard continuous improvement as well as maintenance and realization of the ISMS. The ISMS also needs to be carefully documented. Performance assessments must likewise be prepared at defined intervals. Companies need to review, measure and analyze the effectiveness of their ISMS – likewise at set intervals.
A catalog of the most important information, together with an annex listing the most relevant changes since 2013, can be found on the Dekra website. As soon as the ISMS is set up, the company's assets are classified. This classification follows the three principles of confidentiality, integrity, and availability and is divided into three levels.
Level 1 covers, for example, public documents whose falsification would cause relatively insignificant damage to the company of up to 500 dollars. This level applies to documents for which even a violation of the ISO standards that continues for over a week would scarcely result in significant damage to the organization.
Level 2 encompasses internal company documents, such as bills and payroll files. Here, violations of the ISO information security standard would result in moderate financial damage of up to 5,000 dollars. Such an incident must not be allowed to last longer than 24 hours.
Finally, Level 3 covers highly sensitive internal company documents. Falsification of these documents would result in damage above the 5,000-dollar threshold. This type of incident must not be allowed to last longer than three hours.