Small businesses also a target
It isn't just the large companies that are under threat. Research conducted by PricewaterhouseCoopers (PwC) on behalf of the UK Department for Business, Innovation and Skills highlighted that small businesses were experiencing incident levels previously seen only in larger organizations, with 87% of small organizations reporting a security breach in the last year.
In addition, the report suggested that we are seeing the effects of our increasing use of new technologies, with more and more organizations sustaining security or data breaches related to social networking sites, smartphones and tablets.
The revised standard (ISO/IEC 27001:2013) must also reflect these changes. As Edward Humphreys, Convener of the working group responsible for developing and maintaining the standard, explained: "We have made a number of improvements to the security controls listed in Annex A to ensure that the standard remains current and is able to deal with today's risks, namely identity theft, risks related to mobile devices and other online vulnerabilities."
Easier integration with other management systems
Another major change is that the standard now follows the common high-level structure used in all new management system standards. This has been put in place to help organizations that are implementing more than one management system standard at a time, and it will also benefit auditors who certify organizations using more than one such standard.
ISO/IEC 27001:2013 is available from the ISO Store in paper, PDF and ePub versions.
For more information about the "2013 Information security breaches survey" conducted by PwC, see the full study.
- Security, cybersecurity and privacy protection
- Information technology – Security techniques – Information security management systems – Requirements
- Information technology – Security techniques – Code of practice for information security controls
- ISO/IEC 27003:2010 [Withdrawn] – Information technology – Security techniques – Information security management system implementation guidance
- ISO/IEC 27004:2009 [Withdrawn] – Information technology – Security techniques – Information security management – Measurement