Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Author: mohsen-mojabi

Post on 01-Jun-2018


8/9/2019 Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Slide 1/30

Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Slide 2/30

What has changed?

Slide 3/30

Structural Changes

Figure (structure diagram), recovered as two lists:

ISO/IEC 27001:2013
• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement

ISO/IEC 27001:2005
• Management Responsibility
• Management Review
• Establish ISMS
• Implement ISMS
• Monitor ISMS
• Improve ISMS
• Doc. Req.
• Internal Audit
• ISMS Improvement
• Mgmt. Review

Structure simplified

Slide 4/30

Change highlights

• Structure change is part of harmonization effort from ISO
• Better alignment with business objectives
• More emphasis on: Risk management, Planning, Measurement, Communication
• The word "documented procedure" is replaced with "documented information" in the body of the standard (4-10)

Slide 5/30

Summary of changes

ISO/IEC 27001:2005
• 132 "shall" statements (section 4-8)
• Annexure A: 11 clauses, 39 categories, 133 controls

ISO/IEC 27001:2013
• 125 "shall" statements (section 4-10)
• Annexure A: 14 clauses, 35 categories, 114 controls

Number of requirements reduced


Slide 7/30

Summary of changes: Controls

Figure (pie chart): Total 114 controls, split into New, Changed and No Change.


Slide 9/30

4.0 Context of the organization

4.1 Understanding the organization and its context
• Determine external and internal issues relevant to its purpose and to the ISMS
• May refer to ISO 31000 (risks, opportunities)

4.2 Understanding the needs and expectations of interested parties
• Interested parties relevant to the ISMS
• Requirements relevant to the ISMS
• Regulatory requirements
Interested parties: Customers, Shareholders, Regulatory agencies
ISMS requirements

4.3 Determine scope of the ISMS
• Internal and external issues
• Requirements of interested parties
• Interface between organizations

4.4 ISMS

Slide 10/30

5.0 Leadership

Slide 11/30

6.0 Planning

Slide 12/30

7.0 Support

Slide 13/30

8.0 Operation

Slide 14/30

9.0 Performance evaluation

Slide 15/30

10.0 Improvement


Slide 17/30

Grouping of controls

14 Clauses
A.5 Information security policies
A.6 Organization of information security
A.7

Slide 18/30

New and changed controls

A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.5 Information security in project management [New]
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile device and teleworking [Objective expanded]
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy [Changed; old control A.11.7.1]
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Slide 19/30

New and changed controls

A.9 Access control

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration [Changed; old control A.11.2.1]
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning [New]
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights [Changed; old control A.8.3.3]
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or

Slide 20/30

New and changed controls

A.12 Operations security

A.12.5 Control of operational software [New]
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems [New]
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.2 Restrictions on software installation [New]
Control: Rules governing the installation of software by users shall be established and implemented.

Slide 21/30

New and changed controls

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems [Objective expanded]
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks [Changed; old control A.10.9.1]
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions [Changed; old control A.10.9.2]
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Slide 22/30

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2 Security in development and support processes [Objective expanded]
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy [New]
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles [New]
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment [New]
Control: Organizations shall establish and appropriately protect secure development environments for

Slide 23/30

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2.8 System security testing [New]
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing [Changed; old control A.10.3.2]
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Slide 24/30

New and changed controls

A.15 Supplier relationships

A.15.1 Information security in supplier relationships [New]
Objective: To ensure protection of the organization's assets that is accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships [New]
Control: Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain [New]
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Slide 25/30

New and changed controls

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements [Combined old A.13.1, A.13.2]
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events [New]
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents [New]
Control: Information security incidents shall be responded to in accordance with the documented procedures.

Slide 26/30

New and changed controls

A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities [New]
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Slide 27/30

Helpful guidelines

• ISO/IEC 27002:2013 - Code of Practice for Information Security Controls
• ISO 31000:2009 - Risk Management Principles and Guidelines
• ISO 27005:2011 - Information Security Risk Management
• ISO 27004:2009 - Information Security Management - Measurement
• ISO 27003:2010 - Information Security Management - Implementation Guidance


Slide 29/30

Transition timeline

• 10/01/2013: ISO/IEC 27001:2013 released
• 10/01/2014: ISO/IEC 27001:2005 sunset
• 10/01/2015: Completion of migration to ISO/IEC 27001:2013

Slide 30/30

Audit days required for transition

• A Stage 1 review is required to review readiness
• The audit days required for a re-certification audit (per ISO 27006) shall be used
• Organizations can upgrade to the new standard during their surveillance audit cycle
• Organizations must plan for their transition audit before August 2015