transitioning from iso/iec 27001:2005 to iso/iec 27001:2013

8/9/2019 Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

1/30

Transitioning from

ISO/IEC 27001:2005

to

ISO/IEC 27001:2013


2/30

What haschanged?


3/30

Structural Changes

Context of theOrganization

Leadership

Planning

OperationImproveme

nt

Performance

Evaluation

Support

ISO/IEC !""#$"#%

&anagement'esponsi(ilit)

&anagement 'evie*

Esta(lishIS&S

Implement IS&S

ImproveIS&S

&onitorIS&S

+oc,'e-,

Internal.udit

IS&SImprove

ISO/IEC !""#$""

&gmt,'evie*

Structure simpli0ed


4/30

Change highlights

Structure change is part of harmonization effort from ISO

Better alignment with business objectives

More emphasis on: Risk management

Planning

Measurement

ommunication

!he wor" #"ocumente" proce"ure$ is replace" with

#"ocumente" information$ in the bo"% of the stan"ar" &'()*+


5/30

Summary of changes

ISO,I- ./**):.**0

)1. #shall$ statements

&section '(2+

3nne4ure 3 )) clauses

15 categories

)11 controls

ISO,I- ./**):.*)1

).0 #shall$ statements

&section '()*+

3nne4ure 3

)' clauses

10 categories

))' controls

1um(er of re-uirementsreduced


6/30


7/30

Summary of changes Controls

5otal $ ##2

#%

"

%61e*

Changed

1o Change


8/30


9/30

#$0 Conte%t of the organi&ation

2,% +eterminescope of the

IS&S

6 Internal and externalissues

6 'e-uirements ofinterested parties

6 Interface (et*een

organizations

2,2IS&S

2,#

7nderstandingthe organizationand its context

6 +etermine external and

internal issues to itspurpose and relevant toIS&S

6 &a) refer to ISO %#"""8iz ris9s:

opportunities

2,7nderstandingthe need andexpectation of

interestedparties

6 Interested partiesrelevant to IS&S6 'e-uirements relevantto IS&S

6 'egulator)re-uirements

Interestedparties; Customers:Shareholders:'egulator)

agencies

IS&S

re-uirements


10/30

5$0 'ea(ershi)


11/30

*$0 +lanning


12/30

7$0 Su))ort


13/30

,$0 O)eration


14/30

-$0 +erformance e.aluation


15/30

10$0 Im)ro.ement


16/30


17/30

rou)ing of controls

# Clauses

., Information securit) policies

.,4 Organization of information securit)

.,!


18/30

e an( change( controls

A.6 Organization of information security

A.6.1 Internal organizationObjective:5o esta(lish a management frame*or9 to initiate andcontrol the implementation and operation of information securit)*ithin the organization,

.,4,#, Information securit)

in pro=ectmanagement

Control

Information securit) shall (eaddressed in pro=ect management:regardless of the t)pe of thepro=ect,

A.6.2 Mobile device and teleworingO(=ective$ 5o ensure the securit) of tele*or9ing and use of mo(ile

devices,

.,4,,# &o(ile device polic) Control. polic) and supporting securit)measures shall (e adopted tomanage the ris9s introduced ()using mo(ile devices,

1e*

O(=ective

expanded

Changed

Old control .,##,!,#


19/30


A.! Access control

A.!.2 "ser access management

O(=ective$ 5o ensure authorized user access and to preventunauthorized access to s)stems and services,

.,3,,# 7ser registrationandde;registration

Control. formal user registration and de;registration process shall (e

implemented to ena(le assignment ofaccess rights,

.,3,, 7ser accessprovisioning

Control. formal user access provisioningprocess shall (e implemented to assignor revo9e access rights for all user

t)pes to all s)stems and services,.,3,,4 'emoval or

ad=ustmentof access rights

Control5he access rights of all emplo)ees andexternal part) users to information andinformation processing facilities shall (eremoved upon termination of theiremplo)ment: contract or agreement: or

Chang

ed

Old control

.,##,,#

1e*

Changed

Old control ., 6,%,%


20/30


A.12 Oerations security

A.12.$ Control of oerational softwareO(=ective$ 5o ensure the integrit) of operational s)stems,

.,#,,# Installation ofsoft*areon operational

s)stems

ControlProcedures shall (e implemented tocontrol the installation of soft*are

on operational s)stems,A.12.6 %ec&nical vulnerability managementO(=ective$ 5o prevent exploitation of technical vulnera(ilities,

.,#,4, 'estrictions on

soft*areinstallation

Control

'ules governing the installation ofsoft*are () users shall (eesta(lished and implemented,

1e*

1e*

1e*


21/30


A.1' (ystem ac)uisition* develoment and maintenance

A.1'.1 (ecurity re)uirements of information systemO(=ective$ 5o ensure that information securit) is an integral part ofinformation s)stems across the entire lifec)cle, 5his also includesthe re-uirements for information s)stems *hich provide servicesover pu(lic net*or9s,

.,#2,#, Securing

applicationservices on pu(licnet*or9s

Control

Information involved in applicationservices passing over pu(lic net*or9sshall (e protected from fraudulentactivit): contract dispute andunauthorized disclosure andmodi0cation,

.,#2,#,% Protectingapplicationservicestransactions

ControlInformation involved in applicationservice transactions shall (eprotected to prevent incompletetransmission: mis;routing:unauthorized message alteration:

unauthorized disclosure: unauthorizedmessa e du lication or re la ,

O(=ective

expanded

Changed

Old control.,#",3,#

Changed

Old control.,#",3,


22/30



A.1'.2 (ecurity in develoment and suort rocess

O(=ective$ 5o ensure that information securit) is designed andimplemented *ithin the development lifec)cle of informations)stems,

.,#2,,# Securedevelopment

polic)

Control'ules for the development of soft*are

and s)stems shall (e esta(lished andapplied to developments *ithin theorganization,

.,#2,, Secure s)stemengineeringprinciples

ControlPrinciples for engineering secures)stems shall (e esta(lished:

documented: maintained and appliedto an) information s)stemimplementation e>orts,

.,#2,,4 Securedevelopmentenvironment

ControlOrganizations shall esta(lish andappropriatel) protect secure

development environments for

1e*

1e*

1e*

O(=ective

expanded


23/30



.,#2,,6 S)stem securit)testing

Control5esting of securit) functionalit) shall(e carried out during development,

.,#2,,3 S)stemacceptance

testing

Control.cceptance testing programs and

related criteria shall (e esta(lishedfor ne* information s)stems:upgrades and ne* versions,

1e*

Changed

Old control.,#",%,


24/30


A.1$ (ulier relations&i

A.1$.1 Information security in sulier relations&iO(=ective$ 5o ensure protection of the organizations assets that isaccessi(le () suppliers,

.,#,#,# Informationsecurit)

polic) for supplierrelationships

ControlInformation securit) re-uirements for

mitigating the ris9s associated *ithsuppliers access to the organizationsassets shall (eagreed *ith the supplier anddocumented,

.,#,#,% Information andcommunication5echnolog) suppl)chain

Control.greements *ith suppliers shallinclude re-uirements to address theinformation securit) ris9s associated*ith information andcommunications technolog) servicesand product suppl) chain,

1e*

1e*

1e*


25/30


A.16 Information security incident management

A.16.1 Management of information security incidents andimrovementsO(=ective$ 5o ensure a consistent and e>ective approach to themanagement of information securit) incidents: includingcommunication on securit) events and *ea9nesses,

.,#4,#,2 .ssessment ofanddecision oninformationsecurit) events

ControlInformation securit) events shall (eassessed and it shall (e decided ifthe) are to (e classi0ed asinformation securit) incidents,

.,#4,#, 'esponse toinformationsecurit) incidents

ControlInformation securit) incidents shall (eresponded to in accordance *ith thedocumented procedures,

1e*

1e*

Com(ined .#%,#:.#%,


26/30


A.1+ Information security asects of business continuitymanagement

A.1+.2 ,edundanciesO(=ective$ 5o ensure availa(ilit) of information processing facilities,

.,#!,,# .vaila(ilit) ofinformationProcessing

facilities

ControlInformation processing facilities shall(e implemented *ith redundanc)

su@cient to meet availa(ilit)re-uirements,

1e*


27/30

el)ful gui(elines

ISO,I- ./**.:.*)1 7 o"e of Practice for InformationSecurit% ontrols

ISO 1)***:.**5 7 Risk Management Principles an" 8ui"elines

ISO ./**0:.*)) 7 Information Securit% Risk Management

ISO ./**':.**5 7 Information Securit% Management 7

Measurement

ISO ./**1:.*)* 7 Information Securit% Management 7

Implementation 8ui"ance


28/30


29/30

Transition timeline

#"/"#/"#% #"/"#/"#2#"/"#/"#

ISO/IEC!""#$"#%

'eleased

ISO/IEC!""#$""

Sunset

Completion ofmigration to

ISO/IEC!""#$"#%


30/30

u(it (ays re"uire( for transition

Stage ) review is re9uire" to review rea"iness

3u"it "a%s re9uire" for re(certification au"it &per ISO ./**;+

shall be use"

Organization can upgra"e to the new stan"ar" "uring their

surveillance au"it c%cle

Organizations must plan for their transition au"it before

3ugust .*)0

transitioning from iso/iec 27001:2005 to iso/iec 27001:2013

Documents