27001-2013 ISOGeek

Transition to ISO/IEC 27001:2013
Varinder Kumar
Principal Consultant
CEH,CISA,MEPTM, ITIL V3, LA27001, LA9001
Questions
What has changed?
What you need to know?
Transition timeline?
Any other questions?
What has changed?

Structural change

ISO/IEC 27001:2005:
• Management Responsibility
• Establish ISMS
• Implement ISMS
• Monitor ISMS
• Improve ISMS
• Documentation Requirements
• Internal Audit
• Management Review

ISO/IEC 27001:2013:
• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement

Structure simplified.
Highlights of Changes
• Structure change is part of the harmonization effort from ISO
• Annex SL – 10 mandatory clauses introduced – no exclusions from Cl 4 to 10
• Better alignment with business objectives
• More emphasis on:
  – Risk management
  – Planning
  – Measurement
  – Communication
• The term “documented procedure” is replaced with “documented information” in the body of the standard
Summary of Changes

ISO/IEC 27001:2005:
• 132 “shall” statements (sections 4-8)
• Annex A
  – 11 clauses
  – 39 categories
  – 133 controls

ISO/IEC 27001:2013:
• 125 “shall” statements (sections 4-10)
• Annex A
  – 14 clauses
  – 35 categories
  – 114 controls

Number of requirements reduced.
What you need to know?

4.0 Context of the organization

4.1 Understanding the organization and its context
• Determine external and internal issues relevant to its purpose and to the ISMS
• May refer to ISO 31000
• Input: business risks and opportunities

4.2 Understanding the needs and expectations of interested parties
• Interested parties relevant to the ISMS (e.g. customers, shareholders, regulatory agencies)
• Requirements relevant to the ISMS
• Regulatory requirements

4.3 Determine scope of the ISMS
• Internal and external issues
• Requirements of interested parties
• Interfaces between organizations

4.4 ISMS
• Built on the ISMS requirements identified in 4.1 to 4.3
5.0 Leadership

5.1 Leadership and commitment
• Top management has to provide evidence of:
  – Directing and supporting personnel
  – Supporting next-level management to demonstrate leadership

5.2 Policy
• Policy should include a statement of continual improvement
• Policy should be communicated

5.3 Organizational roles, responsibilities and authorities
• More explicit requirements for defining lines of reporting and authorities
6.0 Planning

6.1 Actions to address risks and opportunities
• ISMS planning to address business risks and opportunities
• Establish a method for information security risk assessment
• Identify risk owners
• Risk owners' approval of residual risks

6.2 ISMS objectives and planning to achieve them
• ISMS objectives for different functions and levels
• Objectives should be measurable
• Consistent with the risk treatment plan
• Develop a plan to achieve the objectives
7.0 Support

7.1 Resource
• No change

7.2 Competency
• No change

7.3 Awareness
• It is now an explicit requirement

7.4 Communication
• Need to define a procedure for internal and external communication

7.5 Documented information
• Need to define a process for document creation, approval and release
8.0 Operation

8.1 Operational planning and control
• Implement the plan identified in 6.2
• Determine the operational controls required to operate the ISMS
• Identify controls required for outsourced processes

8.2 Information security risk assessment
• No change

8.3 Information security risk treatment
• No change
9.0 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
• The organization shall determine:
  – What needs to be monitored and measured
  – The methods of monitoring, measurement, analysis and evaluation
  – When monitoring and measuring are to be performed, and who will perform them
  – When the results of monitoring are to be analyzed and evaluated, and who will perform that

9.2 Internal audit
• No change

9.3 Management review
• No change
10.0 Improvement

10.1 Non-conformity and corrective action
• Similar to corrective action
• The section on preventive action has been deleted

10.2 Continual improvement
• No change
Controls – Annex A

Grouping of controls (clauses):
• A.5 Information security policies
• A.6 Organization of information security
• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance
New and changed controls

A.6 Organization of information security

A.6.1 Internal organization (objective expanded)
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.5 Information security in project management – New
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy – Changed (old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
New and changed controls

A.9 Access control

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration – Changed (old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning – New
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights – Changed (old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
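As an added example (not part of the original slides) of how the A.9.2.2 provisioning and A.9.2.6 removal/adjustment controls can be checked rather than just stated, the following Python reconciles an HR roster against the accounts on one system and reports what must be revoked (leavers, orphaned accounts, owners unknown to HR) or adjusted (movers still holding roles their new job does not entitle them to). The roster, the account list, the entitlement matrix and the names are all constructed assumptions; a leaver whose last working day is still in the future is deliberately left in place so the report can schedule the removal instead of cutting access early.

```python
"""Access-rights reconciliation (added example for A.9.2.2 / A.9.2.6).

Compares the HR roster, treated here as the authoritative record of joiners,
movers and leavers, with the accounts present on one system, and lists what
the provisioning process must revoke or adjust. Roster, accounts and the
entitlement matrix are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed entitlement matrix: which system roles each job role may hold.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "finance-analyst": frozenset({"finance-analyst"}),
    "developer": frozenset({"developer"}),
    "helpdesk": frozenset({"helpdesk"}),
    "sysadmin": frozenset({"sysadmin", "backup-operator"}),
}


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                      # "active" or "terminated"
    job_role: str
    end_date: Optional[date] = None  # last working day for leavers


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]          # None when no owner is recorded
    roles: FrozenSet[str]


def reconcile(roster: Iterable[Person], accounts: Iterable[Account], today: date):
    """Return {"revoke": [(username, reason)], "adjust": [(username, roles_to_remove)]}."""
    people = {p.person_id: p for p in roster}
    revoke: List[Tuple[str, str]] = []
    adjust: List[Tuple[str, List[str]]] = []
    for acct in accounts:
        if acct.owner_id is None:
            revoke.append((acct.username, "no owner recorded"))
            continue
        person = people.get(acct.owner_id)
        if person is None:
            revoke.append((acct.username, f"owner {acct.owner_id} not in HR roster"))
            continue
        # Leavers lose access once their last working day has passed.
        if person.status == "terminated" and (person.end_date is None or person.end_date <= today):
            revoke.append((acct.username, f"owner left on {person.end_date}"))
            continue
        # Movers: anything beyond what the current job role entitles must be removed.
        excess = acct.roles - ENTITLEMENTS.get(person.job_role, frozenset())
        if excess:
            adjust.append((acct.username, sorted(excess)))
    return {"revoke": revoke, "adjust": adjust}


def sample_findings():
    """Run the check over constructed data (all names and dates are made up)."""
    today = date(2024, 6, 15)
    roster = [
        Person("p001", "active", "finance-analyst"),
        Person("p002", "terminated", "sysadmin", date(2024, 3, 31)),
        Person("p003", "active", "developer"),                          # moved from helpdesk
        Person("p004", "active", "sysadmin"),
        Person("p005", "terminated", "developer", date(2024, 6, 30)),   # leaving, still employed today
    ]
    accounts = [
        Account("alice", "p001", frozenset({"finance-analyst"})),
        Account("bob", "p002", frozenset({"sysadmin"})),
        Account("carol", "p003", frozenset({"helpdesk", "developer"})),
        Account("svc_backup", None, frozenset({"backup-operator"})),
        Account("erin", "p999", frozenset({"developer"})),
        Account("frank", "p005", frozenset({"developer"})),
    ]
    return reconcile(roster, accounts, today)


if __name__ == "__main__":
    for kind, items in sample_findings().items():
        for item in items:
            print(kind, item)
```

Running it lists bob (leaver), svc_backup (no owner) and erin (owner unknown to HR) under revoke and carol's leftover helpdesk role under adjust, while frank, whose last day has not yet arrived, is untouched. In practice the roster and account list would come from the HR system and the target system's own user store; the reconciliation logic stays the same.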
New and changed controls

A.12 Operations security

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems – New
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.2 Restrictions on software installation – New
Control: Rules governing the installation of software by users shall be established and implemented.
New and changed controls

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems (objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks – Changed (old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions – Changed (old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
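To make the A.14.1.3 failure modes concrete, here is an added example (not from the slides) of a transaction envelope check between two application services. Each message carries sender, recipient, a per-sender sequence number and the payload, all covered by an HMAC-SHA256 tag under a shared key; the receiver rejects messages that are incomplete, altered, addressed to someone else (mis-routed) or carry an already-seen sequence number (duplicate or replay). The service names, key and payloads are constructed assumptions.

```python
"""Transaction envelope verification (added example for A.14.1.3).

Detects incomplete transmission, unauthorized alteration, mis-routing and
duplication/replay of application service transactions. The shared key,
service names and payloads are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

FIELDS = ("from", "to", "seq", "payload")


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, recipient: str, seq: int, payload: Any) -> Dict[str, Any]:
    """Build a message whose routing fields and payload are bound together by an HMAC tag."""
    body = {"from": sender, "to": recipient, "seq": seq, "payload": payload}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class Receiver:
    """Receiving service: verifies each message and remembers the highest
    sequence number accepted from each sender."""

    def __init__(self, key: bytes, me: str):
        self.key = key
        self.me = me
        self.last_seq: Dict[str, int] = {}

    def accept(self, msg: Dict[str, Any]) -> Tuple[bool, str]:
        # 1. Incomplete transmission: every field must be present.
        missing = [f for f in FIELDS + ("mac",) if f not in msg]
        if missing:
            return False, f"incomplete: missing {','.join(missing)}"
        # 2. Alteration / forgery: recompute the tag over the received fields.
        body = {f: msg[f] for f in FIELDS}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["mac"])):
            return False, "mac mismatch: message altered or not from a key holder"
        # 3. Mis-routing: the authenticated recipient field must name this service.
        if msg["to"] != self.me:
            return False, f"mis-routed: addressed to {msg['to']}"
        # 4. Duplication / replay: sequence numbers per sender must strictly increase.
        last = self.last_seq.get(msg["from"], 0)
        if msg["seq"] <= last:
            return False, f"replay or duplicate: seq {msg['seq']} <= {last}"
        self.last_seq[msg["from"]] = msg["seq"]
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; would be provisioned per service pair
    rx = Receiver(key, "payments-service")
    m1 = seal(key, "web-frontend", "payments-service", 1, {"amount": 100})
    print(rx.accept(m1))                    # accepted
    print(rx.accept(m1))                    # rejected: duplicate/replay
    m2 = seal(key, "web-frontend", "payments-service", 2, {"amount": 100})
    print(rx.accept(dict(m2, payload={"amount": 100000})))   # rejected: altered
    print(rx.accept(seal(key, "web-frontend", "ledger-service", 3, {})))  # rejected: mis-routed
```

The check covers integrity, routing and replay only; the remaining item in the control, unauthorized disclosure, needs confidentiality on the channel (for example TLS between the services) on top of this envelope, and the sequence state must be persisted if the receiver can restart.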
New and changed controls

A.14 System acquisition, development and maintenance

A.14.2 Security in development and support processes (objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy – New
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles – New
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment – New
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
New and changed controls

A.14 System acquisition, development and maintenance

A.14.2.8 System security testing – New
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing – Changed (old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
New and changed controls

A.15 Supplier relationships

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships – New
Control: Information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain – New
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
New and changed controls

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements (combined A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events – New
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents – New
Control: Information security incidents shall be responded to in accordance with the documented procedures.
New and changed controls

A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities – New
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Helpful guidelines
• ISO/IEC 27002:2013 – Code of practice for information security controls
• ISO/IEC 27000:2014 – Information security management system overview and vocabulary
• ISO 31000:2009 – Risk management principles and guidelines
Transition timeline?

Transition Timeline
• 1-10-2013: ISO/IEC 27001:2013 released
• 01-01-2014: Scope extension for 27001:2005 not permitted
• 01-05-2015: ISO/IEC 27001:2005 sunset – no new applications accepted
• 30-09-15: Completion of migration to ISO/IEC 27001:2013
Audit Days required for transition
• A Stage 1 review is required to review readiness.
• The audit days required for a re-certification audit (per ISO 27006) shall be used.
• Organizations can upgrade to the new standard during their surveillance audit cycle.
• Organizations must plan for their transition audit before August 2015.
Any Questions ?