Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013
TRANSCRIPT
-
8/9/2019 Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013
1/30
Transitioning from
ISO/IEC 27001:2005
to
ISO/IEC 27001:2013
-
2/30
What has changed?
-
3/30
Structural Changes
[Diagram: clause structure of ISO/IEC 27001:2013 shown beside that of ISO/IEC 27001:2005]
ISO/IEC 27001:2013: Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement
ISO/IEC 27001:2005: Management Responsibility, Management Review, Establish ISMS, Implement ISMS, Monitor ISMS, Improve ISMS, Doc. Req., Internal Audit, ISMS Improvement, Mgmt. Review
Structure simplified
-
4/30
Change highlights
Structure change is part of harmonization effort from ISO
Better alignment with business objectives
More emphasis on: Risk management, Planning, Measurement, Communication
The word "documented procedure" is replaced with "documented information" in the body of the standard (4-10)
-
5/30
Summary of changes
                          ISO/IEC 27001:2005     ISO/IEC 27001:2013
"shall" statements        132 (Section 4-8)      125 (Section 4-10)
Annexure A clauses        11                     14
Annexure A categories     39                     35
Annexure A controls       133                    114
Number of requirements reduced
-
6/30
-
7/30
Summary of changes: Controls
[Chart: breakdown of the 114 Annex A controls of ISO/IEC 27001:2013 into New, Changed and No Change; Total: 114]
-
8/30
-
9/30
4.0 Context of the organization
4.1 Understanding the organization and its context
• Determine external and internal issues relevant to its purpose and to the ISMS
• May refer to ISO 31000 viz. risks, opportunities
4.2 Understanding the need and expectation of interested parties
• Interested parties relevant to the ISMS
• Requirements relevant to the ISMS
• Regulatory requirements
Interested parties: Customers, Shareholders, Regulatory agencies
4.3 Determine scope of the ISMS
• Internal and external issues
• Requirements of interested parties
• Interface between organizations
4.4 ISMS
[Diagram: interested parties and their requirements feeding the ISMS requirements]
-
10/30
5.0 Leadership
-
11/30
6.0 Planning
-
12/30
7.0 Support
-
13/30
8.0 Operation
-
14/30
9.0 Performance evaluation
-
15/30
10.0 Improvement
-
16/30
-
17/30
Grouping of controls
14 Clauses
A.5 Information security policies
A.6 Organization of information security
A.7
-
18/30
New and changed controls
A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.5 Information security in project management (New)
Control: Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile device and teleworking (Objective expanded)
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy (Changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
-
19/30
New and changed controls
A.9 Access control
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.2.2 User access provisioning (New)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
A.9.2.6 Removal or adjustment of access rights (Changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or
-
20/30
New and changed controls
A.12 Operations security
A.12.5 Control of operational software (New)
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems (New)
Control: Procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.2 Restrictions on software installation (New)
Control: Rules governing the installation of software by users shall be established and implemented.
-
21/30
New and changed controls
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems (Objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.2 Securing application services on public networks (Changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
-
22/30
New and changed controls
A.14 System acquisition, development and maintenance
A.14.2 Security in development and support process (Objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy (New)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
A.14.2.5 Secure system engineering principles (New)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment (New)
Control: Organizations shall establish and appropriately protect secure development environments for
-
23/30
New and changed controls
A.14 System acquisition, development and maintenance
A.14.2.8 System security testing (New)
Control: Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
-
24/30
New and changed controls
A.15 Supplier relationships (New)
A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that is accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships (New)
Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.3 Information and communication technology supply chain (New)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
-
25/30
New and changed controls
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements (combines old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.4 Assessment of and decision on information security events (New)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents (New)
Control: Information security incidents shall be responded to in accordance with the documented procedures.
-
26/30
New and changed controls
A.17 Information security aspects of business continuity management
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities (New)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
-
27/30
Helpful guidelines
ISO/IEC 27002:2013 - Code of Practice for Information Security Controls
ISO 31000:2009 - Risk Management Principles and Guidelines
ISO 27005:2011 - Information Security Risk Management
ISO 27004:2009 - Information Security Management - Measurement
ISO 27003:2010 - Information Security Management - Implementation Guidance
-
28/30
-
29/30
Transition timeline
10/01/2013: ISO/IEC 27001:2013 released
10/01/2014: ISO/IEC 27001:2005 sunset
10/01/2015: Completion of migration to ISO/IEC 27001:2013
-
30/30
Audit days required for transition
Stage 1 review is required to review readiness
Audit days required for re-certification audit (per ISO 27006) shall be used
Organization can upgrade to the new standard during their surveillance audit cycle
Organizations must plan for their transition audit before August 2015