Consultants Review | November 2016 | 19

ISMS at various phases of the transition. The senior management could set the tone for the transition initiative by sending an email in support of the project team.

3. Training - Implementer vs. Auditor
Get the implementation team trained on the ISO 27001:2013 implementer course and the audit team on the lead auditor course, since implementation requirements are not covered in detail during the auditor course owing to IRCA requirements. E.g. if you enroll in an auditor course, the instructor does not spend time explaining how to transition the risk assessment process but explains how to audit it.

4. Identification of new controls and preparing relevant documentation
In-depth critical reading of the standard will help identify new controls (e.g. secure system engineering principles - A.14.2.5, supplier security policy - A.15.1.1) so that the relevant process/procedure can be created and implemented.

5. Interested parties
The term "interested parties" is a new reference in the 2013 version. Interested parties are stakeholders (i.e. any entity or individual that can influence your information security or can be influenced by it). Listing all the statutory, regulatory and contractual requirements will help in identifying the relevant interested parties. Workshops held with senior management and enablers helped us to identify interested parties and their requirements.

6. Organisational Context
The ISMS objectives/purpose should be tuned to the strategic direction of the management's vision. Inputs can be acquired by talking to management team members and using them for strategic alignment.

7. Risk Owners & Risk Assessment
The risk owner is a new addition in the 2013 standard. The risk owner and the asset owner need not be the same person. A risk owner is a person who has sufficient authority to manage the risk. Hence, while performing the risk assessment, this distinction should be clearly understood.
The 2013 standard does not mandate identifying assets, threats and vulnerabilities. E.g. a controls-based risk assessment supplemented with adequate risk workshops and monitoring could be sufficient. An A/T/V (Asset/Threat/Vulnerability) based risk assessment can also be used, but some retrofits are required.

8. Risk Treatment Approval
The risk owners or senior management need to approve the risk treatment plan. The approvals need to be demonstrated during the certification audit.

9. Preventive Actions (PA)
We are so used to referring to CAPA (Corrective Action Preventive Action) during remediation. In the 2013 version, the term "Preventive Action" has been removed. Only "Correction" and "Corrective Action" are considered.

10. Measurement and reporting
Use the SMART (Specific-Measurable-Assignable-Realistic-Time related) methodology for measurement and reporting of ISMS objectives. This will help in effectiveness measurements. Responsibilities for monitoring and measurement/reporting should be defined and reviewed periodically.

Overall, the "Tone from the Top", i.e. the voice of support from senior management, will remain a key driver of the transition and the key to the success of any management framework implementation.

Legend: ISO/IEC 27001:2005/2013
ISO = International Organization for Standardization (although the acronym would read IOS, it is referred to as ISO since the Greek word "iso" means equal/consistent)
IEC = International Electrotechnical Commission
27001 = 27000 is the family of information security standards; 27001 is the certifiable standard for ISMS (Information Security Management System)
2005/2013 = Launch year of the standard