
Chapter:1 Overview of ISO 27001:2013 System

1.0 Background of the new standards


The International Organization for Standardization (ISO) requires that every standard is
reviewed at least every five years to ensure that it still reflects best practice in its subject and
takes into account lessons learnt while the standard has been applied. The outcome of such a
review is that the standard is confirmed, revised or withdrawn.
Accordingly, ISO/IEC 27001:2013, the second edition of the standard, introduced a much more
fundamental set of changes, covering both the style and the content of the standard. Its official
title is "Information technology — Security techniques — Information security management
systems — Requirements". The controls and control objectives are listed in Annex A, although an
organization may in principle also select additional controls from elsewhere (other standards or
its own practice). There are now 114 controls in 14 groups.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining
and continually improving an information security management system (ISMS) within the
context of the organization. It also includes requirements for the assessment and treatment of
information security risks, tailored to the needs of the organization. The requirements set out
in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations,
regardless of type, size or nature. The 2013 edition also adopts the common high-level structure
(Annex SL) shared with other management system standards such as ISO 9001 and ISO/IEC
20000-1, which makes an integrated management system easier to build. The new standard puts
more emphasis on measuring and evaluating how well an organization's ISMS is performing, and
it addresses outsourcing explicitly (clause 8.1 requires outsourced processes to be determined
and controlled), reflecting the fact that many organizations rely on third parties to provide
some aspects of IT.

ISO 27000 series of standards


ISO/IEC 27000 is a family of information security management system standards, of which
ISO/IEC 27001 is the certifiable requirements standard. The core members of the series are:
 ISO/IEC 27001:2013 – Information security management systems – Requirements
 ISO/IEC 27000 – Information technology — Security techniques — Information
security management systems — Overview and vocabulary
 ISO/IEC 27002:2013 – Code of practice for information security controls (guidance on
implementing the Annex A controls).
2.0 Why ISO 27001?
ISO 27001 is a useful tool because it brings:
 Systematic approach
 Improved communication
 Improved compliance
 Improved profitability
 Reduction in liability and risk
 Improved internal management
 Confidence with stakeholders
 Improved employees’ confidence / faith
 Market credibility / image
 Facilitation of trading in a trusted environment.

Copyright 2020 @ Punyam Academy | sales@punyamacademy.com | +91-98250 31523 Page 1 of 10


Chapter:1 Overview of ISO 27001:2013 System

3.0 Why not ISO 27001? (For whom ISO 27001 is not a useful tool)
ISO 27001 is not useful for those who:
1. Do not want to spend money.
2. Operate as a monopoly supplier.
3. Do not care about customers.
4. Have unlimited resources.
5. Do not believe in involving people.
6. Do not want to train employees.
7. Enjoy fire fighting and quick fixes.
8. Believe that quality does not pay.
9. Do not want to commit anything to paper.
10. Expect miracles to overcome challenges.
11. Have other sources of income and do not want to grow.

4.0 Benefits of ISO 27001

Organizations certified to ISO 27001 gain a significant competitive edge over other
organizations engaged in similar activities, products and services, because certification
shows that the organization protects information security proactively, through preventive
mechanisms rather than corrective ones.
A well-functioning ISMS provides confidence to the organization and its various
stakeholders and delivers the benefits listed below:
1. Enables information security to be addressed in a practical, cost-effective,
realistic and comprehensive manner;
2. Establishes mutual trust between networked sites;
3. Complements quality assurance frameworks such as ISO 9000 and SEI CMMI;
4. Demonstrates a high and appropriate standard of security;
5. Increases the ability to manage and survive a disaster;
6. Gives better control over information security, which means more satisfied
customers, leading to increased business prospects and a better market image;
7. Improves motivation, co-operation, workmanship and information security
awareness.


5.0 Overview of ISO 27001: 2013 standard


There are ten clauses in ISO 27001:2013, listed below. The letter after each of clauses 4 to 10
shows the Plan-Do-Check-Act (PDCA) phase to which it corresponds; clauses 1 to 3 contain no
requirements:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization (P)
5. Leadership (P, D, C, A)
6. Planning (P)
7. Support (D)
8. Operation (D)
9. Performance evaluation (C)
10. Improvement (A)

5.1 Re-organized structure of ISO 27001:2013 ISMS standard


The following parts have been reorganized in ISO 27001:2013:

1. Context of the organization – addresses the needs and expectations of interested
parties and the scope of the information security management system.
2. Leadership – addresses management commitment, the information security policy, and
organizational roles, responsibilities and authorities.
3. Planning – includes actions to address risks and opportunities, the information security
risk assessment and risk treatment processes, and information security objectives and
the plans to achieve them.
4. Support – includes resources, competence, awareness, communication and
documented information.
5. Operation – includes operational planning and control, performing the information
security risk assessment, and implementing the information security risk treatment plan.
6. Performance evaluation – includes monitoring, measurement, analysis and
evaluation, internal audit, and management review.
7. Improvement – addresses nonconformity and corrective action, and continual improvement.


5.2 Structure of ISO 27001:2013 Standard

5.3 The main elements of ISO 27001:2013


I. ISMS Policy
II. Planning
    1. Planning for risk assessment and treatment
    2. Legal and other requirements
    3. Objectives and targets
III. Implementation and Operation
    1. Structure and responsibility
    2. Training, awareness and competence
    3. Consultation and communication
    4. ISMS documentation
    5. Document control
    6. Operational control
    7. Risk assessment and treatment
IV. Checking and Corrective Action
    1. Performance measurement and monitoring
    2. Nonconformance and corrective action
    3. Records
    4. ISMS management system audit
V. Management Review


The ISO 27001 specification envisages five core elements for ISMS, for the purpose of
certification by third parties. These are:
1. Commitments and Policy
An organization should define its ISMS policy and focus on what needs to be
done for ensuring continual ISMS performance. It should also ensure
commitment to the policy.
2. Planning
An organization should formulate a plan to fulfill its ISMS policy.
3. Implementation
For effective implementation an organization should develop the capabilities
and support mechanisms necessary to achieve its ISMS policy, objectives
and targets.
4. Measurements and Evaluation
An organization should measure, monitor and evaluate its ISMS
performance.
5. Reviews and Improvement
An organization should review and continually improve its ISMS, with the objective
of improving its overall ISMS performance.
5.4 Objectives of revisions in ISO standards
 Enhance an organization's ability to satisfy customers and other interested parties.
 Maintain relevance, provide an integrated approach to organizational management,
and integrate with other management system standards.
 Reflect the needs of all user groups and increasingly complex operating environments.
 Increase confidence in an organization's ability to provide conforming goods and/or
services.
 Enhance customer confidence in information security management systems based
on ISO 27001.
 Set a consistent foundation for the next 10 years.

5.5 What was considered for revising the ISO standard?


International experts nominated by ISO member bodies looked at a number of items to
help guide revision activities:
 An extensive web-based user survey
 New quality and information security concepts and ideas for inclusion in ISO 27001
 Formal interpretations of old ISO 27001 standard
 Support and guidance notes
 Common terminology with other standards

5.6 What prompted revisions?


 Business and industry has changed.
 Greater diversity of ISO 27001 users and broader interests of users.
 Knowledge and technology developments.
Reasons for the changes:

 Decrease the emphasis on documentation.


 Increase the emphasis on achieving value for the organization and its customers.
 Increase the emphasis on risk management to achieve the objectives.

6.0 Steps for implementation of ISO 27001:2013 information security management system

The global objectives of the implementation of ISO 27001:2013 are: “Say what
you do” and “Justify what you do”

Most progressive IT-sector organizations in India already operate some arrangement for
protecting their data. In practice, however, these arrangements usually have many gaps and
weaknesses. Experience in India and abroad shows that extensive effort on the part of every
person in the organization is needed to upgrade an existing arrangement to meet the
requirements of an ISO 27001 ISMS. The revised ISO 27001:2013 standard requires a risk-based
approach: risks to information must be identified, assessed and treated, and the necessary
actions planned and carried out.

The time required to implement the system in a given company varies with its present
status and work culture. The total cost includes consultancy, certification body fees,
internal resource requirements and so on, depending on the infrastructure already available,
the company's established system and the complexity of the work involved.

The steps for implementation of this system are:


1. Conduct awareness programmes (top, middle and bottom level).
2. Form a task force for documentation.
3. Prepare the documents of the information security system.
4. Implement the system and train all personnel in the use of procedures and formats.
5. Train internal auditors.
6. Assess the system through an internal audit.
7. Take corrective actions for non-compliances.
8. Apply for certification.
9. Assess the system through a second round of internal audit.
10. Undergo the pre-certification audit of the certifying body.
11. Act on the suggestions given by the certifying body.
12. Maintain and improve the system through a third round of internal audit.
13. Final audit by the certifying body.

Annexure - 1


Clarification of New Structure, Terminology and Concepts


1 Structure and terminology
The clause structure and some of the terminologies of this International Standard, in
comparison with old standard, have been changed to improve alignment with other
management systems standards.

The consequent changes in the structure and terminology do not need to be reflected in the
documentation of an organization’s information security management system.

The structure of clauses is intended to provide a coherent presentation of requirements rather


than a model for documenting an organization’s policies, objectives and processes. There is no
requirement for the structure of an organization's information security management system
documentation to mirror that of this International Standard.

2 Context of the organization


There are two new clauses relating to the context of the organization: 4.1 Understanding the
organization and its context and 4.2 Understanding the needs and expectations of
interested parties. Together, these clauses require the organization to determine the issues
and requirements that can impact on the planning of the information security management
system.

The scope of the standard (clause 1) states that it specifies requirements for establishing,
implementing, maintaining and continually improving an information security management
system within the context of the organization, including requirements for the assessment and
treatment of information security risks tailored to the organization's needs, and that these
requirements are generic and applicable to all organizations regardless of type, size or nature.
Excluding any of the requirements in clauses 4 to 10 is not acceptable when an organization
claims conformity to the standard.

3 Risk- based thinking


This International Standard requires the organization to understand its context (see clause
4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1).

One of the key purposes of an information security management system is to act as a preventive
tool. Consequently, this International Standard does not have a separate clause or sub-clause
titled 'Preventive action'. The concept of preventive action is expressed through a risk-based
approach to formulating information security management system requirements.

The risk-based approach to drafting this International Standard has facilitated some
reduction in prescriptive requirements and their replacement by performance-based
requirements.

4 Applicability
ISO 27001:2013 does not allow an organization to exclude any of the requirements in clauses 4
to 10 when it claims conformity. The flexibility lies in the Annex A controls instead: as part of
risk treatment (clause 6.1.3) the organization compares the controls it has determined with
those in Annex A, produces a Statement of Applicability listing the necessary controls, and
records a justification for every inclusion and every exclusion. An Annex A control may be
declared not applicable only where the risk assessment shows it is not needed or where the
relevant activity is not carried out (for example, a teleworking control where no teleworking
takes place); it cannot be excluded merely for convenience, and the justification must be
consistent with the risk assessment results.

5 Documented information

As part of the alignment with other management system standards, a common clause on
'Documented information' has been adopted without significant change or addition (see
7.5). Where appropriate, text elsewhere in this International Standard has been aligned with its
requirements. Consequently, the terms "documented procedure" and "record" have both been
replaced throughout the requirements text by "documented information". The 2013 edition thus
reduces the prescribed documentation: documented information is explicitly required in only a
limited number of places (for example the ISMS scope, the information security policy, the risk
assessment and risk treatment processes, the Statement of Applicability, and the results of risk
assessments, monitoring, internal audits and management reviews), and the organization itself
determines what further documented information is necessary for the effectiveness of its ISMS
(see 7.5.1 b).

Annexure - 2


Some facts about ISO and messages from ISO 27001:2013

 ISO = International Organization for Standardization


 The short name ISO is not an acronym; it is derived from the Greek word isos, meaning
"equal", and is used as the universal short form of the name in every language.
 ISO is an independent non-governmental organization headquartered in
Geneva, Switzerland.
 ISO is made up of more than 160 national standards bodies (NSBs).
 All standards are based on international consensus.
 ISO 27001 is a standard for information security management systems.
 ISO 27001 focuses on information security management (ISMS) principles, risk-based
thinking and alignment with other management system standards.
 ISO standards are usually developed by its technical committees (TCs) and sub-
committees (SCs).
 ISO/IEC 27001 is developed and maintained by ISO/IEC JTC 1/SC 27, a joint
sub-committee of ISO and the International Electrotechnical Commission (IEC).
Certification against the standard is carried out by accredited certification bodies, not
by ISO itself.
 ISO 27001:2013 was published on 1st October 2013

Messages from ISO 27001:2013 Standard

MESSAGE IN 4 LINES (ISO 27001:2013 latest standard)

 Plan what you do. (Planning is important for any activity; you have to plan the
resources, objectives, activities, controls, procedures, etc. for the ISMS.)
 Do what you say. (Implement your plan: deploy the resources and carry out the activities as
planned.)
 Check what you do. (Measure and monitor your activities and results for conformity and the
effectiveness of the system.)
 Act. (Analyze, review, decide, change and improve effectiveness.)

Annexure - 3


Basic Process Model of ISO 27001:2013


Any activity or set of activities that uses resources to transform inputs to outputs can be
considered as a process. Outputs from one process are typically inputs for other processes.

Overall aim of ISO 27001:2013 standard is to add value by planning and controlling
processes.

Schematic Representation of Process Approach

• Top management processes include, for example, planning, allocation of resources,
management review, etc.
• Realization processes include, for example, customer related processes, design and
development, product realization, etc.
• Support processes include, for example, training, maintenance, etc.

