Date posted: 13-Sep-2014
DQS-UL Group
Transition to ISO/IEC 27001:2013
Subrata Guha
Program Manager – IT Certification
Questions
What has changed?
What do you need to know?
Transition timeline?
Any other questions?
What has changed?
Structural change
ISO/IEC 27001:2005 (PDCA structure):
• Establish ISMS
• Implement ISMS
• Monitor ISMS
• Improve ISMS
• Documentation requirements
• Management responsibility
• Internal audit
• Management review
• ISMS improvement
ISO/IEC 27001:2013 (common high-level structure):
• 4 Context of the organization
• 5 Leadership
• 6 Planning
• 7 Support
• 8 Operation
• 9 Performance evaluation
• 10 Improvement
Structure simplified
Change highlights
Structure change is part of harmonization effort from ISO
Better alignment with business objectives
More emphasis on:
• Risk management
• Planning
• Measurement
• Communication
The terms “documented procedure”, “documents” and “records” are replaced by “documented information” throughout the body of the standard (clauses 4-10)
Summary of changes
ISO/IEC 27001:2005:
• 132 “shall” statements (clauses 4-8)
• Annex A: 11 clauses, 39 categories (control objectives), 133 controls
ISO/IEC 27001:2013:
• 125 “shall” statements (clauses 4-10)
• Annex A: 14 clauses, 35 categories (control objectives), 114 controls
Number of requirements reduced
Summary of changes - Requirements
[Pie chart: split of the 125 “shall” statements in ISO/IEC 27001:2013 into New, Changed and No change; segment values 49, 20 and 56]
Total: 125
Summary of changes - Controls
[Pie chart: split of the Annex A controls in ISO/IEC 27001:2013 into New, Changed and No change; segment values 13, 50 and 38]
Total: 114
What do you need to know?
4.0 Context of the organization
4.1 Understanding the organization and its context
• Determine the external and internal issues that are relevant to the organization’s purpose and to the ISMS
• May refer to ISO 31000
• Business risks and opportunities
4.2 Understanding the needs and expectations of interested parties
• Identify the interested parties relevant to the ISMS (e.g. customers, shareholders, regulatory agencies)
• Identify their requirements relevant to the ISMS, including regulatory requirements
4.3 Determining the scope of the ISMS
• Consider the internal and external issues (4.1)
• Consider the requirements of interested parties (4.2)
• Consider the interfaces between the organization and other organizations
4.4 Information security management system (ISMS)
• Establish, implement, maintain and continually improve the ISMS according to the ISMS requirements identified above
5.0 Leadership
5.1 Leadership and commitment
• Top management has to provide evidence of directing and supporting personnel, and of supporting the next level of management in demonstrating leadership
5.2 Policy
• The policy should include a commitment to continual improvement
• The policy should be communicated
5.3 Organizational roles, responsibilities and authorities
• More explicit requirements for defining lines of reporting and authorities
6.0 Planning
6.1 Actions to address risks and opportunities
• ISMS planning addresses business risks and opportunities
• Establish a method for information security risk assessment
• Identify risk owners
• Risk owners approve the residual risks
6.2 ISMS objectives and planning to achieve them
• ISMS objectives at the relevant functions and levels
• Objectives should be measurable and consistent with the risk treatment plan
• Develop a plan to achieve the objectives
7.0 Support
7.1 Resources: no change
7.2 Competence: no change
7.3 Awareness: now an explicit requirement
7.4 Communication: need to determine the internal and external communication relevant to the ISMS (what, when, with whom, who and by which process)
7.5 Documented information: need to define the process for document creation, approval and release
8.0 Operation
8.1 Operational planning and control
• Implement the plans identified in 6.2
• Determine the operational controls required to operate the ISMS
• Identify the controls required for outsourced processes
8.2 Information security risk assessment: no change
8.3 Information security risk treatment: no change
9.0 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
• The organization shall determine:
  • what needs to be monitored and measured
  • the methods of monitoring, measurement, analysis and evaluation
  • when the monitoring and measuring shall be performed, and who shall perform it
  • when the results of monitoring shall be analyzed and evaluated, and who shall do so
9.2 Internal audit: no change
9.3 Management review: no change
10.0 Improvement
10.1 Nonconformity and corrective action
• Similar to the previous corrective action requirement
• The section on preventive action has been deleted (its purpose is now served by addressing risks and opportunities in 6.1)
10.2 Continual improvement: no change
Controls – Annex A
Grouping of controls
Annex A clauses:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
New and changed controls
A.6 Organization of information security
A.6.1 Internal organization (objective expanded)
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.5 Information security in project management (new)
Control: Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy (changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
New and changed controls
A.9 Access control
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration (changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.2.2 User access provisioning (new)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
A.9.2.6 Removal or adjustment of access rights (changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
New and changed controls
A.12 Operations security
A.12.5 Control of operational software (new clause)
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems (corresponds to old control A.12.4.1)
Control: Procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.2 Restrictions on software installation (new)
Control: Rules governing the installation of software by users shall be established and implemented.
New and changed controls
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems (objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.2 Securing application services on public networks (changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.1.3 Protecting application services transactions (changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
New and changed controls
A.14 System acquisition, development and maintenance
A.14.2 Security in development and support processes (objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy (new)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
A.14.2.5 Secure system engineering principles (new)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment (new)
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
New and changed controls
A.14 System acquisition, development and maintenance
A.14.2.8 System security testing (new)
Control: Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing (changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
New and changed controls
A.15 Supplier relationships
A.15.1 Information security in supplier relationships (new clause)
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships (new)
Control: Information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
A.15.1.3 Information and communication technology supply chain (new)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.
New and changed controls
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements (combines old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.4 Assessment of and decision on information security events (new)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents (new)
Control: Information security incidents shall be responded to in accordance with the documented procedures.
New and changed controls
A.17 Information security aspects of business continuity management
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities (new)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Helpful guidelines
ISO/IEC 27002:2013 – Code of practice for information security controls
ISO/IEC 27000:2014 – Information security management system overview and vocabulary
ISO 31000:2009 – Risk management principles and guidelines
Transition timeline?
Transition timeline
• 1 Oct 2013: ISO/IEC 27001:2013 released
• 1 Oct 2014: ISO/IEC 27001:2005 sunset
• 1 Oct 2015: completion of migration to ISO/IEC 27001:2013
Audit days required for transition
• A Stage 1 review is required to assess readiness.
• The audit days required for a re-certification audit (per ISO/IEC 27006) shall be used.
• Organizations can upgrade to the new standard during their surveillance audit cycle.
• Organizations must plan their transition audit before August 2015.
Questions?