Earlier today, Compliance Managed Service Provider Opt-Sec used their Pervade Software Compliance Tracker to generate a full Gap Analysis between ISO27001:2005 and the updated ISO27001:2013 at the push of a single button!
ISO/IEC 27001:2005 is an information security management system (ISMS) standard published in October 2005. Eight years on, the first revision of ISO27001 was released, but rather than a simple update it has proved to be a major overhaul. For example:
- The number of Sections has increased from 11 to 14
- Companies can now write their own Controls (not just use Annex A)
- The senior management responsibility has been re-written
- It is more closely aligned with other management system standards (ISO9001, ISO14001, ISO22301 and ISO31000)
Pervade Software's ISO27001 Policy, one of a wide range of pre-configured policies for the Pervade Compliance Tracker, breaks down the ISO Controls into easy-to-answer questions, which simplifies the task of getting compliant and staying compliant for the compliance manager and other contributors. The 2005 version of the policy in the Pervade system breaks down into 250 questions.
Opt-Sec, who use the Pervade platform to offer managed compliance services, had answered all of the questions in the software in preparation for an ISO27001 audit. The 2013 version of the policy (which has 305 questions) was loaded into the software and, at the touch of a button, all of the questions that were common to both policies were instantly auto-answered in the new policy.
John Barry of Opt-Sec said: "We have done a lot of work getting our systems and processes to a compliant state, but we were working to the 2005 Controls and we were keen to see how this work translated to the new Controls."
- 178 of the 250 questions also appear in the 2013 policy and were immediately answered (so only about 70% of their previous work was still valid).
- 72 of the questions they had already answered are not required in the 2013 policy (so almost 30% of their previous work was now useless in the context of compliance).
- 127 new questions are asked in the 2013 policy that are not in the 2005 policy (so the work required to complete the 2013 policy is half as much again as the work they had already done to complete the 2005 policy).
These figures clearly show how much work is needed to complete the ISO27001:2013 policy, even for companies that already hold ISO27001:2005 certification. "The real magic was in seeing the 2013 policy fill up with answers before our very eyes," said John Barry. "We got a comprehensive gap analysis, with tasks allocated to appropriate team members, in a matter of seconds, and there wasn't a consultant with a clipboard anywhere to be seen."