ISO 27001:2013 – An Overview of the Changes (DNV Business Assurance webinar, 27 September 2013)

Page 1: ISO 27001 2013 an Overview of the Changes_27 Sept 2013

© DNV Business Assurance. All rights reserved.

ISO 27001:2013

27 September 2013

An Overview of the Changes

Page 2: In this presentation

Agenda timings shown on the slide: 09:30, 09:35, 10:45, 11:00

Page 3: Today's presenter

Paul Breslin, ICT Sector Lead, DNV Business Assurance UK

- Global rollout of ICT certification schemes in DNV
- Practicing Information Security Lead Auditor
- Active in the ICT sector for 20 years in development and assessment roles

Page 4: Your questions answered

- You can ask a question by typing in the 'Questions' area of the panel
- Please ask questions throughout the presentation
- The microphones of all attendees will be muted throughout the webinar
- The open forum for questions continues after the presentation

Page 5: Technical issues

Having trouble hearing? Check Audio settings > Microphone/Speakers Setup, or dial in on the telephone number and access code sent to you in your registration email (sent by [email protected]). For any other issues please go to http://support.citrixonline.com/en_US/GoToWebinar

Page 6: In this presentation (agenda slide repeated: 09:30, 09:35, 10:45, 11:00)

Page 7: STOP PRESS

ISO/IEC 27001:2013 was published on Wednesday 25 September 2013! See www.iso.org

Page 8: ISO and Management System standards

ISO decided in early 2012 that all Management System standards should use a common framework containing a consistent high level structure, common text and terminology.

- Applicable to new standards and upcoming revisions of existing standards

The common framework is defined in Appendix 3 of ISO/IEC Directives, Part 1, Annex SL (pp 143-152).

Key objectives for the common framework:

1. Standardization and effectiveness in standards development (for ISO Technical Committees)
2. Enhanced alignment and compatibility of standards, which is especially beneficial for organizations implementing an integrated Management System

Page 9: Key objectives of the common structure

Enhance the consistency and alignment of ISO management system 'requirements' standards by providing:

- a unifying and agreed high level structure
- identical core text and common terms and core definitions

All such standards are aligned and the compatibility of these standards is enhanced. Individual management system standards will add "discipline-specific" requirements as required.

This common approach to new management system standards and future revisions of existing standards will increase the value of such standards to users. It will be particularly useful for those organizations that choose to operate a single (sometimes called "integrated") management system that can meet the requirements of two or more management system standards simultaneously.

Page 10: ISO Management System standards - Examples

The slide is a diagram with two groups, "Already published with new common structure" and "Under revision based on new common structure". The standards named on it are ISO 9001, ISO 20000 (IT Service Mgt.), ISO 50001, ISO 20121 (Sustainable event mgt), ISO 22000, ISO 39001 (Road Safety management), ISO 22301 (Business Continuity), ISO 14001, ISO 27001, etc. Of these, ISO 22301:2012, ISO 20121:2012 and ISO 39001:2012 had already been published on the new structure, while ISO 9001 and ISO 14001 were under revision.

Page 11: Common framework

All such standards will include the following elements:

- High level structure, containing 10 main clauses with sub-clauses (numbers & titles)
- Identical core text for these common clauses
- Common terms and core definitions

Individual management system standards will add "discipline-specific" requirements as required; however, there are limiting "rules":

- Discipline-specific text can be added, such as new bullets or discipline-specific new paragraphs, etc.
- The high level structure, including major clauses and common terms, cannot be changed, i.e. there are certain limitations on how discipline-specific amendments can be included.

Page 12: High Level Structure – Main clauses

Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Identical core text: for clauses 4-10 there are also sub-clauses, and identical core text (requirements) is provided (refer to Appendix 3 in Annex SL).

Page 13: High Level Structure – Sub clauses

Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the XXX management system
- 4.4 XXX management system
5. Leadership
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Organization roles, responsibilities and authorities
6. Planning
- 6.1 Actions to address risks and opportunities
- 6.2 XXX objectives and planning to achieve them
7. Support
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
  - 7.5.1 General
  - 7.5.2 Creating and updating
  - 7.5.3 Control of documented information
8. Operation
- 8.1 Operational planning and control
9. Performance evaluation
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
10. Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement

Page 14: Common and specific terms and definitions

- audit
- competence
- conformity
- continual improvement
- control
- correction
- corrective action
- documented information
- effectiveness
- interested party (preferred term)
- management system
- measurement
- monitoring
- nonconformity
- objective
- organization
- outsource (verb)
- performance
- policy
- process
- risk
- risk treatment
- stakeholder (admitted term)
- top management

Page 15: Definitions (1) (slide content not captured in the transcript)

Page 16: Definitions (2) (slide content not captured in the transcript)

Page 17: The 27000 family of standards

- 27000 – Overview and vocabulary
- 27001 – Requirements
- 27002 – Code of Practice
- 27003 – Implementation guidance
- 27004 – Measurement
- 27005 – Risk management
- 27006 – Requirements on certification bodies
- 27007 – Guide for information security auditing
- 27010 – Guide for inter-sector and inter-organizational communications
- 27011 – Guide for telecomms based organisations
- 27019 – Guide for process control systems in the energy utility industry
- 27799 – Healthcare informatics – Information security in healthcare organisations

Page 18: Revision of ISO/IEC 27001 ISMS

- Governing committee: JTC1 / SC27 – Information technology – Security techniques
- Every three years the committee decides to either:
  - Keep the standard as is
  - Withdraw the standard
  - Revise the standard
- Project phases: NWIP > WD1…n > CD1…n > FCD > DIS > FDIS (new work item proposal, working drafts, committee drafts, final committee draft, draft international standard, final draft international standard)
- Can take 1-5 yrs depending upon the scope of the change.
- ISO 27001 and ISO 27002 are being revised, but as separate projects
- The 27001 revision project was proposed in 2008
- Work has been carried out from 2009 to review and revise the standard with the aim to:
  - Align the standard with the new ISO common framework
  - Incorporate feedback from interested parties

Page 19: Timeline of ISO/IEC 27001:2013

- April 2013: DIS ballot
- Jul/Aug 2013: FDIS ballot
- Oct 2013: IS (publication); in the event, published 25 September 2013 (see Page 7)

Transition period: no transition period has been decided upon yet. Based on typical transitions, it could be within 18-24 months of publication.

Page 20: Revision of ISO/IEC 27001 ISMS

27001:2005 (old):

- Introduction
- Scope
- Normative references
- Terms and definitions
- Information security management system
- Management responsibility
- Internal ISMS audits
- Management review
- ISMS improvement
- Annex A (normative) Control objectives and controls
- Annex B (normative) OECD principles and this International Standard
- Annex C (informative) Correspondence between ISO 9001:2008, ISO 14001:2004 and this International Standard

27001:2013 (new):

- Introduction
- Scope
- Normative references
- Terms and definitions
- Context of the organisation
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
- Annex A (normative) Reference control objectives and controls

Page 21: Revision of ISO/IEC 27001 ISMS

The slide's diagram maps the 2005 clauses (Information security management system; Management responsibility; Internal ISMS audits; Management review; ISMS improvement) onto the 2013 clauses (Context of the organisation; Leadership; Planning; Support; Operation; Performance evaluation; Improvement). Each 2013 clause combines the identical core text from Annex SL with ISMS-specific text based on ISO/IEC 27001.

Page 22: CHANGES: ISO 31000 / Risk Assessment (1)

- The ISO/IEC 27001 approach to risk management has been aligned with ISO 31000.
- Definitions from ISO 31000 have been used, such as 'control' and 'risk treatment'.
- Differentiates between risks to the management system (6.1.1) and information security risks (6.1.2).
- Note added at the end of 6.1.3 Information security risk treatment: "NOTE: The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000[5]."
- Decision NOT to list the 7 options for risk treatment, as they are implied by the note.

Page 23: CHANGES: ISO 31000 / Risk Assessment (2)

One effect of adopting ISO 31000 is on the approach to risk assessment. It was decided to remove the details on how the risk assessment should be done, so the 2005 requirements to identify assets, threats and vulnerabilities (and so on) are gone. This was because the requirements were felt to be too prescriptive, describing how organisations should manage risks rather than describing what the goals are.

The requirement to perform a risk assessment has not gone: 6.1.2 still requires the organisation to identify the information security risks (associated with loss of confidentiality, integrity and availability of information in scope) and their risk owners, and the process and its results must be retained as documented information (see Page 30).

Page 24: CHANGES: Annex A Controls (1)

- Annex A reference control objectives and controls have been revised, and will be aligned with the revision of ISO/IEC 27002.
- New requirements have been added.
- Some existing references from the 2005 version have been modified and regrouped.
- Other references have been deleted.
- Net result: the number of controls is reduced from 133 controls in 11 groups to 114 in 14 groups in the published standard (the slide, written against the draft, gives 113).

Page 25: CHANGES: Annex A Controls (2)

2005 version:

- A.5 Security policy
- A.6 Organisation of information security
- A.7 Asset management
- A.8 Human resources security
- A.9 Physical and environmental security
- A.10 Communications and operations management
- A.11 Access control
- A.12 Information systems acquisition, development and maintenance
- A.13 Incident management
- A.14 Business continuity management
- A.15 Compliance

2013 version:

- A.5 Security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 Systems acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Incident management
- A.17 Business continuity management
- A.18 Compliance

Page 26: CHANGES: Relationship to other ISO 27000 standards

As before, ISO 27001 remains a requirements standard; it does not contain guidance or other explanations on how to address or implement the requirements.

Other standards in the ISO 27000 family (see Page 31) are guidance documents and should align with 27001 rather than vice versa. As such, ISO 27002 is already undergoing revision as a sister project. ISO 27003 on implementation, ISO 27004 on measurement and ISO 27005 on risk management will all need review and possible revision to ensure consistency.

Page 27: CHANGES: Plan-Do-Check-Act

- The PDCA model is not explicitly referenced in the draft standard.
- It is still there as an underlying improvement model, but the different elements of PDCA are now distributed within the common structure.
- For example, ACT can be interpreted as clause 10 Improvement.

(Diagram on the slide: the PDCA model as presented in ISO 27001:2005.)

Page 28: CHANGES: Preventive Action

- Preventive action requirements are now gone.
- These were typically a source of confusion: the concept was unclear and overlapped with risk management.
- Core text in two places now covers the intent of preventive action at the organisational level:
  - 4.1: a requirement to assess external/internal issues
  - 6.1: a requirement to determine risks and opportunities

(The slide reproduces an extract from Appendix 4 of Annex SL.)

Page 29: CHANGES: Documentation (1)

- The new standard requires "documented information" rather than "documents".
- In fact the distinction between documents and records has now gone.
- Clause 7.5 has general requirements on creating, updating and controlling documented information.
- There is no requirement now for a Document Control procedure, or for a Records Control procedure, but…

Page 30: CHANGES: Documentation (2)

- You still need documentation!
- What needs to be documented?
  - 4.3 Scope of the ISMS
  - 5.2 IS Policy
  - 6.1 Risk assessment and treatment process (6.1.2 and 6.1.3), including the Statement of Applicability that 6.1.3 requires
  - 6.2 IS Objectives
  - 7.2 Competence records
  - 8.2, 8.3 Risk assessment and treatment results
  - 9.1 Monitoring and measurement results
  - 9.2 Audit programme and results
  - 9.3 Management review results
  - 10.1 Evidence of nonconformities and corrective actions
  - Annex A requires documented procedures in a number of places (low teens, depending on how you count them)
  - 7.5, 8.1: anything else you determine as necessary!

Page 31: Other ISMS standards developments

(Relatively) newly published:

1. ISO/IEC 27000:2012 Overview and vocabulary
2. ISO/IEC 27010:2012 Information security management for inter-sector and inter-organizational communications
3. ISO/IEC 27013:2012 Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
4. ISO/IEC 27014:2012 Information security governance framework
5. ISO/IEC TR 27019:2013 Guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
6. ISO/IEC TR 27015:2012 Guidelines for the financial services sector

New standards in development (non-exhaustive):

1. ISO/IEC 27016 Organisational economics for IS management
2. ISO/IEC 27017 Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27001
3. ISO/IEC 27044 Guidelines for security incident and event mgt (SIEM)

Page 32: In this presentation (agenda slide repeated: 09:30, 09:35, 10:45, 11:00)

Page 33: In this presentation (agenda slide repeated: 09:30, 09:35, 10:45, 11:00)

Page 34: What's next?

Presentation slides available on www.dnvba.co.uk

If you have any questions please email:

- Paul Breslin: [email protected]
- DNV Business Assurance UK: [email protected]

Page 35: www.dnvba.co.uk

Thank you for joining us!