In October 2013, ISO released the long-awaited new version of the ISO/IEC 27001 and ISO/IEC 27002 standards. While at first sight the changes did not seem that dramatic, there is more to them after all, starting with the new roles in ISO/IEC 27001:2013.
One of the changes, for the better I might add, is the standard’s increased emphasis on roles and responsibilities within the Information Security Management System (ISMS). Two roles in particular, Top Management and Risk Owner, are now spelled out explicitly.
The 2005 version of the standard referenced the management role. Most of this role’s responsibilities have been shifted to the Top Management role in the 2013 version.
The Top Management role has been assigned a range of responsibilities. It needs to:
1. Demonstrate leadership and commitment regarding the ISMS
2. Establish an Information Security Policy
3. Ensure that roles, responsibilities and authorities are assigned and communicated
4. Review the ISMS at planned intervals
Unlike ISO/IEC 20000, the new version of the ISO/IEC 27001 standard does not require Top Management to delegate some of these responsibilities to a Management Representative. In practice, organizations will most likely end up appointing, for example, a Chief Information Security Officer (CISO) who is responsible for establishing the Information Security Policy.
A management responsibility that did not move to the Top Management role is the approval of the risk treatment plan and the acceptance of residual information security risks. These responsibilities ended up in the lap of the new Risk Owner role. What we will most likely see in practice is that Top Management ends up taking on this role as well, given the financial business impact associated with both the plan and the risk acceptance.
While on the surface these changes may not seem dramatic, the contributors to the new version of the standard do want to see a C-level person take on the role of Top Management. Anything less will not suffice. One of the reasons for making this more explicit must have been the growing importance of information security in today’s business environments.