ISO27001 certification revision: ISO27001:2013 certification
Time: 2022-03-24

The ISO27001:2013 version of the information security management system standard was issued by the ISO organization on October 19, 2013. Publication of the new version is followed by a transition buffer period of 18 to 24 months; that is, enterprises that had already obtained the certificate are required to transition to the new version of the standard by October 19, 2015 at the latest.


There are three main differences between this revision and the old version:


1. The management system is easier to integrate;


2. It incorporates the new challenges faced by enterprises;


3. It offers more guidelines for extended reference.


These differences are described as follows:


(1) Easy integration: In the past, the various management system standards described their management system requirements inconsistently and arranged them in different chapters. For example, requirements such as PDCA (Plan, Do, Check, Act), policy, and high-level support for the management system were each expressed differently. The new version adopts Annex SL as its structural requirement, so that different management systems can be easily integrated. The high-level structure of Annex SL is an important basis for the formulation of all future management systems in the ISO organization. Currently, ISO22301 (former BS 25999 Operational Continuity Management System) and this new version of ISO27001 have both been adjusted to this structure. It is expected that future revisions of promulgated standards such as ISO9000/ISO20000 will be adjusted in the same way.


(2) New requirements: ISO27001:2005 originally had 11 domains and 133 control measures. The new version, in its DIS form, is currently adjusted to 14 domains (A.5-A.18) and 113 control measures (this may still change in the future). Some of the new domains were created by raising the level of control objectives that were originally scattered across various domains; encryption and supply chain management, for example, have been separated into new domains because of their importance. Others were created by splitting an original domain; communication and operation management, for example, are separated into two independent domains to reflect the current development trend of information security. The reduction in the number of controls comes from merging duplicate items, such as change management, which was duplicated across different domains. There are also new control items, such as the management of smart devices, outsourcing management to strengthen the ICT supply chain, and information security requirements for system development project management.


(3) More reference: With this revision, ISO also adds many new guidelines for enterprises to refer to. Organizations can use them to strengthen their controls in depth according to different aspects and risks. Passing ISO27001 verification is only a basic requirement. At present, the numbering of guidance documents in the ISO27000 series has passed No. 44 (001-044), covering topics such as financial services, digital forensics, supply chain management (4 documents), software development and testing, etc. Competent authorities can refer to these guidelines when raising their requirements.