CertiKit is delighted to announce a new version of our ever-popular ISO27001 Toolkit. With fifteen new documents, forms and examples (bringing the total number of resources in the toolkit to over two hundred), Version 13 represents a helpful boost to organizations implementing or maintaining an ISMS.
We’ve listened carefully to the customer feedback shared as part of support questions, from our feedback survey and from the work of our own consultants in helping clients reach certification. Common threads included a need to include content about recent developments such as artificial intelligence, a desire for simplification in some areas, and changes to a number of key processes to make them clearer and more coordinated.
Let’s explain more about the main areas in which enhancements have been made.
Recent events have transformed AI from a slow-burn background technology into a cutting-edge resource that most organizations are now scrambling to exploit. This brings its own specific security challenges, introducing new controls and changing the way in which existing ones are applied. To start to address this, we have added an AI Security Policy to the toolkit which covers relevant areas such as data security and privacy protection, intellectual property protection and compliance and ethics. We have also updated many of our policies and guidelines to do with software development to consider AI-related issues. As the use of AI and the legal framework develops we are sure this will be an area for further attention in future releases of the toolkit.
There are a few areas of the toolkit that have generated support questions and some discussion, so we have taken the time to make the relevant documents clearer. These include:
It’s always been the case that the risks and opportunities to the ISMS need to be assessed, and previously this has been achieved within the toolkit, albeit in a basic way. With this update we have emphasised this aspect of risk assessment more, with its own process and tool, and a set of relevant examples.
For information security risk assessment we have added a column to the “Reference Controls” tab of the risk assessment tools to allow for the noting of which risks make use of each of the Annex A controls. This is useful when creating the Statement of Applicability to justify why a control is applicable or not applicable.
Within the Statement of Applicability itself we have also allowed for the implementation status of a control to be “Partial” rather than simply yes or no.
For risk assessments the term “scenario-based” has been replaced with “event-based” to align with the terminology used in the ISO27005 guidance standard.
Supplier management is covered by a number of Annex A controls and documents have been available within the toolkit to cover most of them individually. However, we have recognised the need to bring these documents together into a coordinated process, resulting in the following new documents:
Together with existing toolkit documents, these take a lifecycle approach to the management of information security within the supply chain.
We now have more than forty policies in the toolkit, most of them topic-specific to address requirements in a particular area of the standard. In this release we have ensured that they all consistently contain the same key items of information such as scope, audience and definitions of terms used. We have also reduced the level of background information given in some policies to make them shorter and more focused. In a few cases content that is relevant to users has been separated out into a new policy, with a defined audience. An Incident Management Policy has also been added.
Those controls concerned with privacy have previously been largely written around the requirements of the EU GDPR (General Data Protection Regulation). In this release we have made them more generally applicable, given the range of country and state specific privacy legislation that now exists.
Of course, we have also corrected any typos and erroneous references to the 2013 version of the ISO27001 standard, as well as updating those documents, such as the Toolkit Index and Documentation Log, that refer to all documents in the toolkit.
Many other documents have been updated to keep them current and to mesh with changes to documents in other areas.
The purpose of this update to the ISO27001 Toolkit was to keep the essence of the way it works whilst fine-tuning a number of areas to make it more user friendly, more consistent and up to date with developments such as AI.
We hope the changes will be helpful to existing and new customers alike, and as always we wish you well in your work to exploit the benefits of the ISO27001 standard and to protect your organizations.
You can learn more about what’s included, and view the toolkit’s documents, here.