Posted: 08-Jul-2016 | Uploaded by: steve-alain-onana-dang
© DNV Business Assurance. All rights reserved.
ISO 27001:2013
27 September 2013
An Overview of the Changes
In this presentation
(Agenda slide: 09:30, 09:35, 10:45, 11:00)
Today’s presenter
Paul Breslin, ICT Sector Lead, DNV Business Assurance UK
- Global rollout of ICT certification schemes in DNV
- Practicing Information Security Lead Auditor
- Active in the ICT Sector for 20 years in development and assessment roles.
Your questions answered
- You can ask a question by typing in the ‘Questions’ area of the panel
- Please ask questions throughout the presentation
- The microphone of all attendees will be muted throughout the webinar
- Open forum for questions continues after the presentation
Technical issues
Having trouble hearing? Check Audio settings > Microphone/Speakers Setup.
Dial in on the telephone number and access code sent to you in your registration email sent by [email protected]. For any other issues please go to http://support.citrixonline.com/en_US/GoToWebinar
STOP PRESS
ISO/IEC 27001:2013 WAS PUBLISHED ON WED 25 SEP !!
www.iso.org
ISO and Management System standards
ISO decided in early 2012 that all Management System standards should use a common framework containing consistent high level structure, common text and terminology
- Applicable for new standards and upcoming revisions of existing standards
The common framework is defined in Appendix 3 of ISO/IEC Directives, Part 1 Annex SL (pp 143-152)
Key objectives for the common framework:
1. Standardization and effectiveness in standards development (for ISO Technical Committees)
2. Enhanced alignment and compatibility of standards, which is especially beneficial for organizations implementing an integrated Management System
Key objectives of the common structure
Enhance the consistency and alignment of ISO management system ‘requirements’ standards by providing
- a unifying and agreed high level structure
- identical core text and common terms and core definitions
All such standards are aligned and the compatibility of these standards is enhanced. Individual management system standards will add additional “discipline-specific” requirements as required.
This common approach to new management system standards and future revisions of existing standards will increase the value of such standards to users. It will be particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more management system standards simultaneously.
ISO Management System standards - Examples
(Slide figure: standards grouped under two headings, “Already published with new common structure” and “Under revision based on new common structure”. Standards shown: ISO 9001, ISO 14001, ISO 27001, ISO 20000 IT Service Mgt., ISO 50001, ISO 20121 Sustainable event mgt., ISO 22000, ISO 39001 Road Safety management, ISO 22301 Business Continuity, etc.)
Common framework
All such standards will include the following elements:
- High level structure, containing 10 main clauses with sub-clauses (numbers & titles)
- Identical core text for these common clauses
- Common terms and core definitions
Individual management system standards will add additional “discipline-specific” requirements as required; however, there are limiting “rules”:
- Discipline specific text can be added, such as new bullets or discipline specific new paragraphs, etc.
- High level structure, incl. major clauses and common terms, cannot be changed, i.e. there are certain limitations on how discipline specific amendments can be included.
High Level Structure – Main clauses
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Identical core text
For clauses 4-10 there are also sub-clauses, and identical core text (requirements) is provided (refer Appendix 3 in Annex SL).
High Level Structure – Sub clauses
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the XXX management system
- 4.4 XXX management system
5. Leadership
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Organization roles, responsibilities and authorities
6. Planning
- 6.1 Actions to address risks and opportunities
- 6.2 XXX objectives and planning to achieve them
7. Support
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
  - 7.5.1 General
  - 7.5.2 Creating and updating
  - 7.5.3 Control of documented information
8. Operation
- 8.1 Operational planning and control
9. Performance evaluation
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
10. Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
Common and specific terms and definitions
audit
competence
conformity
continual improvement
control
correction
corrective action
documented information
effectiveness
interested party (preferred term)
management system
measurement
monitoring
nonconformity
objective
organization
outsource (verb)
performance
policy
process
risk
risk treatment
stakeholder (admitted term)
top management
Definitions (1)
Definitions (2)
The 27000 family of standards
27000 – Overview and vocabulary
27001 – Requirements
27002 – Code of Practice
27003 – Implementation guidance
27004 – Measurement
27005 – Risk management
27006 – Requirements on certification bodies
27007 – Guide for information security auditing
27010 – Guide for inter-sector and inter-organizational communications
27011 – Guide for telecomms based organisations
27019 – Guide for process control systems in the energy utility industry
27799 – Healthcare informatics – Information security in healthcare organisations
Revision of ISO/IEC 27001 ISMS
• Governing committee: JTC1 / SC27 – Information technology – Security techniques
• Every three years the committee decides to either
  • Keep the standard as is
  • Withdraw the standard
  • Revise the standard
• Project phases:
  • NWIP > WD1…n > CD1…n > FCD > DIS > FDIS
  • Can take 1-5 yrs depending upon scope of the change.
• ISO 27001 and ISO 27002 being revised but as separate projects
• 27001 revision project was proposed in 2008
• Work has been carried out from 2009 to review and revise the standard with the aim to:
  • Align the standard with the new ISO Common framework
  • Incorporate feedback from interested parties
Timeline of ISO/IEC 27001:2013
- April 2013: DIS ballot
- Jul/Aug 2013: FDIS ballot
- Oct 2013: IS (publication)
Transition period – No transition period has been decided upon yet. Based on typical transitions, it could be within 18-24 months of publication.
Revision of ISO/IEC 27001 ISMS
27001:2005 (old)
- Introduction
- Scope
- Normative references
- Terms and definitions
- Information security management system
- Management responsibility
- Internal ISMS audits
- Management review
- ISMS improvement
- Annex A (normative) control objectives and controls
- Annex B (normative) OECD principles and this International Standard
- Annex C (informative) Correspondence between ISO 9001:2008, ISO 14001:2004 and this International Standard
27001:2013 (new)
- Introduction
- Scope
- Normative references
- Terms and definitions
- Context of the organisation
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
- Annex A (normative) Reference control objectives and controls
Revision of ISO/IEC 27001 ISMS
(Slide figure: the 27001:2005 clauses Information security management system, Management responsibility, Internal ISMS audits, Management review and ISMS improvement are labelled as ISMS specific text (based on ISO/IEC 27001) and mapped onto the 27001:2013 clauses Context of the organisation, Leadership, Planning, Support, Operation, Performance evaluation and Improvement, which combine identical core text (Annex SL) with ISMS specific text.)
CHANGES: ISO 31000 / Risk Assessment (1)
The ISO/IEC 27001 approach to risk management has been aligned with ISO 31000
Definitions from ISO 31000 have been used; such as ‘control’ and ‘risk treatment’
Differentiates between risks to the management system (6.1.1) & information security risks (6.1.2)
Note added in Section 6.1.3 Information Security Risk Assessment
- NOTE: The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5].
Decision NOT to list the 7 options for risk treatment as they are implied by the note.
CHANGES: ISO 31000 / Risk Assessment (2)
One effect of adopting ISO 31000 is on the approach to risk assessment.
It was decided to remove details on how the risk assessment should be done.
So requirements to identify assets, threats and vulnerabilities et al. are gone.
This was because the requirements were felt to be too prescriptive, describing how organisations should manage risks rather than describing what the goals are.
CHANGES: Annex A Controls (1)
• Annex A reference control objectives and controls have been revised, and will be aligned with the revision of ISO/IEC 27002
• New requirements have been added
• Some existing references from the 2005 version have been modified and regrouped.
• Other references have been deleted.
• Net result: number of controls reduced from 133 controls in 11 groups to 113 in 14 groups
CHANGES: Annex A Controls (2)
2005 version
- A.5 Security policy
- A.6 Organisation of information security
- A.7 Asset management
- A.8 Human resources security
- A.9 Physical and environmental security
- A.10 Communications and operations management
- A.11 Access control
- A.12 Information systems acquisition, development and maintenance
- A.13 Incident management
- A.14 Business continuity management
- A.15 Compliance
2013 version
- A.5 Security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 Systems acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Incident management
- A.17 Business continuity management
- A.18 Compliance
CHANGES: Relationship to other ISO 27000 standards
As before, ISO 27001 remains a requirements standard; it does not contain guidance or other explanations on how to address or implement the requirements.
Other standards in the ISO 27000 family (see later slide) are guidance documents and should align with 27001 rather than vice-versa.
As such, ISO 27002 is already undergoing revision as a sister project.
ISO 27003 on implementation, ISO 27004 on measurement and ISO 27005 on risk management will all need review and possible revision to ensure consistency.
CHANGES: Plan-Do-Check-Act
• The PDCA model is not explicitly referenced in the draft standard.
• It is still there as an underlying improvement model but...
• The different elements of PDCA are now distributed within the common structure
• For example ACT can be interpreted as clause 10. Improvement
(Figure: PDCA model, ISO 27001:2005)
CHANGES: Preventive Action
• Preventive action requirements are now gone
• These were typically a source of confusion – concept was unclear and overlapped with risk management
• Core text in two places now covers the intent of preventive action at the organisational level:
  • 4.1 > a requirement to assess external/internal issues
  • 6.1 > a requirement to determine risks and opportunities.
(Figure: extract from Appendix 4 of Annex SL)
CHANGES: Documentation (1)
• New standard requires “documented information” rather than “documents”.
• In fact the distinction between documents and records has now gone.
• Clause 7.5 has general requirements on creating, updating and controlling documented information.
• No requirement now for a Document Control procedure…
• or for a Records Control procedure
• but….
CHANGES: Documentation (2)
• You still need documentation!
• What needs to be documented?
  • 4.3 Scope of the ISMS
  • 5.2 IS Policy
  • 6.1 Risk assessment and treatment process
  • 6.2 IS Objectives
  • 7.2 Competence records
  • 8.2 Risk assessment and treatment results
  • 9.1 Monitoring and measuring results
  • 9.2 Audit programme and results
  • 9.3 Management review results
  • 10.1 Evidence of corrective actions
  • Appendix A requires documented procedures in a number of places (low teens depending on how you count them)
  • 7.5, 8.1 Anything else you determine as necessary!
Other ISMS standards developments
(Relatively) newly published:
1. ISO/IEC 27000:2012 Overview and vocabulary
2. ISO/IEC 27010:2012 Information security management for inter-sector and inter-organizational communications
3. ISO/IEC 27013:2012 Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
4. ISO/IEC 27014:2012 Information security governance framework
5. ISO/IEC TR 27019:2013 Guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
6. ISO/IEC TR 27015:2012 Guidelines for the financial services sector
New standards in development (non exhaustive):
1. ISO/IEC 27016 Organisational economics for IS management
2. ISO/IEC 27017 Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27001
3. ISO/IEC 27044 Guidelines for security incident and event mgt (SIEM)
What’s next?
Presentation slides available on www.dnvba.co.uk
If you have any questions please email
- Paul Breslin [email protected]
- DNV Business Assurance UK [email protected]
www.dnvba.co.uk
Thank you for joining us!