Free for PREMIUM members
Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium
Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.
However, there are other documented information requirements in
ISO/IEC 27001:2013 that an organization may consider to be matters
of policy, and therefore should be included in its ‘ISMS’ policy. These
1 The criteria for performing information security risk assessments
(see Clause 6.1.2 a) 2));
2 The organization’s policy towards releasing its information
security policy to interested parties (see Clause 5.2 g)); and
3 The organization’s policy regarding external communications (see
a) Documented information
‘Documented information’ is a new term that applies to what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the term 'documented information’.
b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).
A change may be required to accommodate the requirements of Clause 7.4 as the process of creating awareness may be regarded as a form of communication
e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)) and organizations are required to produce a SOA. The format of
an ISO/IEC 27002:2013 conformant SOA doesn’t need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control
implementation strictly conforms to the wording given in Annex A.
f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.
g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper
Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.