8 Step Guide to Bring Your Current ISMS from ISO 27001:2005 to ISO 27001:2013

A new version of ISO 27001 has been issued and you have been tasked with updating your company's ISO 27001 program from 2005 to 2013. What does that mean and how should you get started? We have broken down the steps necessary to bring your current Information Security Management System ("ISMS") that utilizes ISO 27001:2005 to the newest version.

The timeline for transition depends on the current state of the ISMS, so here is a breakdown of the deadlines for transition:

o New implementations: can be performed using ISO/IEC 27001:2005 until October 1, 2014
o Transition (2005 to the 2013 standard): can be performed until October 1, 2015
o Complete transition: after October 1, 2015 all new certifications are required to use the 2013 standard

There is no better time than the present to get started!

Why was the standard revised?

o There have been over 17,000 certificates issued around the world, generating relevant experience and knowledge
o To address new organizations and technology (i.e. outsourcing, cloud computing, etc.)
o To comply with the ISO/IEC directive to align with a common structure for management system standards
o To simplify compliance for organizations that are certified against more than one management system standard (i.e. ISO 9001, etc.)

Highlights and key differences:

o Realignment of the management system requirements
o Internal and external issues, requirements, needs and expectations
o Risk owners
o Documentation requirements
o Effectiveness measurement requirements
o Statement of Applicability (SoA) framework
o Controls Annex A realignment

©2014 A-lign. All Rights Reserved.
The 7 main clauses are:

o 4: Context of the organization
o 5: Leadership
o 6: Planning
o 7: Support
o 8: Operation
o 9: Performance evaluation
o 10: Improvement

Step 1 – Context of the organization

Understanding the organization and its context:
o The key is determining what the intended outcome of the ISMS is for the organization.
o Determine the mission of the organization (if it has not already been determined).
o How does the mission relate to information security, governance and compliance?

Understanding the needs and expectations of interested parties:
o Determine what is relevant to the ISMS, such as:
  - Contracts
  - Laws or regulations
  - Internal interests
  - Any additional external interests

Determining the scope of the ISMS:
o The scoping is required to be much more detailed in the latest version. The standard provides requirements to include for the context of the organization and interested parties:
  - Include any vendors or contracts that reduce the scope.
  - Include any areas that are under the primary business requirements.
  - Include interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
o Additionally, the scoping requires very clearly defined boundaries to be laid out. Items to consider:
  - Firewalls and network diagrams
  - Physical facilities
  - Network segments
  - Descriptions of how data is received / processed, the systems used for data entry, how data output is produced and the systems used

Step 2 – Leadership

Leadership ("top management") is what drives the implementation / administration / maintenance / improvement process of the ISMS:
o Maintain accountability of the ISMS
o Ensure that the ISMS achieves its intended outcome(s)
o Direct and support persons to contribute to the effectiveness of the ISMS
o Communicate the importance of conforming to the ISMS requirements

The ISMS Policy is no longer required.
o There does need to be an overarching information security policy, as this is a requirement in clause 5.2
o Include the objectives of the framework
o Allow for dissemination to all interested parties, including:
  - Contract holders
  - Vendors
  - Contractors/third parties
  - All internal personnel
o Show commitment to the ISMS
o Show commitment to the improvement of the ISMS

Step 3 – Planning

The 2013 standard no longer calls out all the necessary requirements for performing risk assessments (i.e. identify assets, threats, vulnerabilities, etc.), but now gives the owner(s) of the ISMS more control to determine the best approach when performing the information security risk assessment.
o Risks should be tied to loss of confidentiality, integrity, or availability of information within the scope of the ISMS.
o Utilizing risks associated with assets is still an acceptable method.
o Identification of assets, vulnerabilities, and threats is no longer called out.
o You should identify risks to the organization with a means to quantify them (numeric, color scheme, etc.).
o Finally, you need to analyze all third party vendors, contractors, and outsourced resources as part of the risk assessment approach. Determining the risk associated with these parties is critical. Breaches resulting from a lack of due care and due diligence on third parties and vendors should always be a consideration.

Risk Treatment
o Determine all controls necessary to implement the risk treatment options (can be designed as required or identified from any source)
o Compare the controls identified to those in Controls Annex A and produce the SoA (an update is necessary when conforming to the Controls Annex A for 2013)
  - Must justify why controls are included or not included
  - Need to justify with an explanation
o Formulate the risk treatment plan and obtain risk owner approval

Step 4 – Support

Resources
o Required to be determined and provided

Competence
o Determine the necessary competence
o Ensure that persons are competent based on education, training, or experience
o Take actions to acquire the competence level needed

Awareness
o Persons are required to be aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming with the ISMS requirements.

Communication
o The ability to successfully communicate, internally and externally, the requirements related to the internal audit, risk assessment, review of documentation, and metrics monitoring is vital to the success or failure of the ISMS
o Internal and external communication relevant to the ISMS:
  - What to communicate
  - When to communicate
  - With whom to communicate
  - Who will communicate
  - The processes by which communications will be effected

Documented information
o Definition, availability and maintenance

Step 5 – Operation

Operation planning and control
o Processes needed to meet information security requirements
o Actions necessary to address information security risk
o Plans to achieve the information security objectives

Information security risk assessment (described in Step 3)
o Perform at planned intervals or when significant changes are proposed or occur
o Allow for upper management to continue to review the risk assessment and be the risk owners

Information security risk treatment (described in Step 3)
o Implement the information security risk treatment plan

Step 6 – Performance Evaluation

Internal audits and management reviews need to be conducted at least annually and, as in the 2005 standard, management reviews need to capture internal audit results, prior nonconformities, etc. to ensure ISMS effectiveness measurement.

Monitoring, measurement, analysis, and evaluation
o Evaluation of information security performance and ISMS effectiveness should include:
  - What needs to be monitored and measured
  - The methods for monitoring, measurement, analysis and evaluation
  - When the monitoring and measurement are performed
  - Who will perform the monitoring and measurement activities
  - When the results will be analyzed and evaluated
  - Who will perform the evaluation and analysis

Internal audit
o Plan, establish, implement and maintain an audit program
o Define audit criteria and scope
o Select auditors and conduct audits to ensure objectivity (some type of independence)
o Report the audit results to relevant management

Management review
o Top management performs it at planned intervals (at least annually)
o Similar required inputs and outputs

Step 7 – Improvement

The 2013 standard has changed to no longer separate preventive and corrective actions; each is treated as action necessary to ensure continual improvement of the ISMS.
o Nonconformity and corrective action
  - React to the nonconformity
  - Evaluate the need for action and implement the needed action
  - Review the effectiveness of the corrective action and make changes to the ISMS as necessary
o Continual improvement
  - Continually improve the suitability, adequacy, and effectiveness of the ISMS

Step 8 – Controls annex

There are minor changes between the documentation in the ISMS and the Annex A controls.
o Number of domains grew from 11 to 14
o Number of controls dropped from 133 to 114

These changes, removals, and additions will mainly affect the SoA.

o Changes include the following:

| #   | Version 2005                                                  | Version 2013                                                        |
| --- | ------------------------------------------------------------- | ------------------------------------------------------------------- |
| A5  | Security policy                                               | Information security policies                                       |
| A6  | Security organization                                         | How information security is organized                               |
| A7  | Asset management                                              | Human resources security                                            |
| A8  | Human resources security                                      | Asset management                                                    |
| A9  | Physical and environmental security                           | Access control and managing user access                             |
| A10 | Communications and operations management                      | Cryptographic techniques                                            |
| A11 | Access control                                                | Physical security of the organization's sites and equipment         |
| A12 | Information systems acquisition, development, and maintenance | Operational security                                                |
| A13 | Information security incident management                      | Secure communications and data transfer                             |
| A14 | Business continuity management                                | Secure acquisition, development and support for information systems |
| A15 | Compliance                                                    | Security for suppliers and third parties                            |
| A16 | N/A                                                           | Information security incident management                            |
| A17 | N/A                                                           | Information aspects of business continuity                          |
| A18 | N/A                                                           | Compliance                                                          |

o Controls that have been removed include:
  - A.6.1.1 Management commitment to information security
  - A.6.1.2 Information security coordination
  - A.6.1.4 Authorization process for information processing facilities
  - A.6.2.1 Identification of risks related to external parties
  - A.6.2.2 Addressing security when dealing with customers
  - A.10.2.1 Service delivery
  - A.10.7.4 Security of system documentation
  - A.10.10.2 Monitoring system use
  - A.10.10.5 Fault logging
  - A.11.4.2 User authentication for external connections
  - A.11.4.3 Equipment identification
  - A.11.4.4 Remote diagnostic and configuration port protection
  - A.11.4.6 Network connection control
  - A.11.4.7 Network routing control
  - A.10.8.5 Business information systems
  - A.11.6.2 Sensitive system isolation
  - A.12.2.1 Input data validation
  - A.12.2.2 Control of internal processing
  - A.12.2.3 Message integrity
  - A.12.2.4 Output data validation
  - A.12.5.4 Information leakage
  - A.15.1.5 Prevention of misuse of information processing facilities
  - A.15.3.2 Protection of information systems audit tools

o Added controls include:
  - A.6.1.5 Information security in project management
  - A.12.6.2 Restrictions on software installation
  - A.14.2.1 Secure development policy
  - A.14.2.5 Secure system engineering principles
  - A.14.2.6 Secure development environment
  - A.14.2.8 System security testing
  - A.15.1.1 Information security policy for supplier relationships
  - A.15.1.3 Information and communication technology supply chain
  - A.16.1.4 Assessment of and decision on information security events
  - A.16.1.5 Response to information security incidents
  - A.17.2.1 Availability of information processing facilities

Overall, there are some significant changes to ISO 27001 in the newest 2013 edition. However, none of them is a great stretch for an organization that already has a successful ISMS operating. The changes in 2013 provide better clarity on existing requirements in the standard and include some additional requirements around our evolving world of technology. Utilizing the guidelines in ISO 27001:2013 will improve the standardization and operations of the information security program in your organization.