Iso 27001 transition to 2013 03202014

DQS UL Group

Transition to ISO/IEC 27001:2013

Subrata Guha, Program Manager – IT Certification
  • Date posted: 13-Sep-2014
  • Category: Documents
  • Views: 985
  • Downloads: 3

Description

Subrata Guha, UL DQS Inc. IT Services Director, with more than 20 years of professional experience in IT Service Management, Software Engineering and audit/assessment of Quality Management Systems, hosts a webinar on the transition to ISO/IEC 27001:2013. The webinar covers:

- Highlights of the changes in ISO/IEC 27001:2013
- Transition strategy
- Q&A session

Transcript of Iso 27001 transition to 2013 03202014

Page 1: Iso 27001 transition to 2013 03202014

DQS – UL Group

Transition to ISO/IEC 27001:2013

Subrata Guha

Program Manager – IT Certification

Page 2

Questions

What has changed?

What do you need to know?

Transition timeline?

Any other questions?

Page 3

What has changed?

Page 4

Structural change

ISO/IEC 27001:2005 (main clauses):

• Management Responsibility
• Management Review
• Establish ISMS
• Implement ISMS
• Monitor ISMS
• Improve ISMS
• Doc. Req.
• Internal Audit

ISO/IEC 27001:2013 (main clauses):

• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement

Structure simplified

Page 5

Change highlights

Structure change is part of harmonization effort from ISO

Better alignment with business objectives

More emphasis on:

• Risk management
• Planning
• Measurement
• Communication

The term “documented procedure” is replaced with “documented information” in the body of the standard (sections 4-10).

Page 6

Summary of changes

ISO/IEC 27001:2005: 132 “shall” statements (sections 4-8); Annex A: 11 clauses, 39 categories, 133 controls

ISO/IEC 27001:2013: 125 “shall” statements (sections 4-10); Annex A: 14 clauses, 35 categories, 114 controls

Number of requirements reduced

Page 7

Summary of changes - Requirements

Chart: breakdown of the requirements into New, Changed and No Change (values shown: 49, 20, 56). Total: 125

Page 8

Summary of changes - Controls

Chart: breakdown of the Annex A controls into New, Changed and No Change (values shown: 13, 50, 38). Total: 114

Page 9

What do you need to know?

Page 10

4.0 Context of the organization

4.1 Understanding the organization and its context

• Determine external and internal issues relevant to its purpose and to the ISMS
• May refer to ISO 31000

(Business risks and opportunities)

4.2 Understanding the needs and expectations of interested parties

• Interested parties relevant to the ISMS
• Requirements relevant to the ISMS
• Regulatory requirements

(Interested parties: customers, shareholders, regulatory agencies)

4.3 Determine the scope of the ISMS

• Internal and external issues
• Requirements of interested parties
• Interfaces between organizations

4.4 ISMS

(ISMS requirements)

Page 11

5.0 Leadership

5.1 Leadership and commitment

• Top management have to provide evidence of:
  • Directing and supporting personnel
  • Supporting next-level management to demonstrate leadership

5.2 Policy

• Policy should include a statement of continual improvement.
• Policy should be communicated.

5.3 Organizational roles, responsibilities and authorities

• More explicit requirements for defining lines of reporting and authorities.

Page 12

6.0 Planning

6.1 Actions to address risks and opportunities

• ISMS planning to address business risks and opportunities
• Establish a method for information security risk assessment
• Identify risk owners
• Risk owners approve residual risks

6.2 ISMS objectives and planning to achieve them

• ISMS objectives for different functions and levels
• Objectives should be measurable
• Consistent with the risk treatment plan
• Develop a plan to achieve the objectives

Page 13

7.0 Support

7.1 Resources

• No change

7.2 Competency

• No change

7.3 Awareness

• It is now an explicit requirement

7.4 Communication

• Need to define a procedure for internal and external communication

7.5 Documented information

• Need to define a process for document creation, approval and release

Page 14

8.0 Operation

8.1 Operational planning and control

• Implement the plan identified in 6.2
• Determine the operational controls required to operate the ISMS
• Identify the controls required for outsourced processes

8.2 Information security risk assessment

• No change

8.3 Information security risk treatment

• No change

Page 15

9.0 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

• The organization shall determine:
  • What needs to be monitored and measured
  • The method of monitoring, measurement, analysis and evaluation
  • When monitoring and measuring are to be performed, and who will perform them
  • When the results of monitoring are to be analyzed and evaluated, and who will perform this

9.2 Internal audit

• No change

9.3 Management review

• No change

Page 16

10.0 Improvement

10.1 Nonconformity and corrective action

• Similar to corrective action
• The section on preventive action has been deleted

10.2 Continual improvement

• No change

Page 17

Controls – Annex A

Page 18

Grouping of controls

Clauses:

A.5 Information security policies

A.6 Organization of information security

A.7 Human resource security

A.8 Asset management

A.9 Access control

A.10 Cryptography

A.11 Physical and environmental security

A.12 Operations security

A.13 Communications security

A.14 System acquisition, development and maintenance

A.15 Supplier relationships

A.16 Information security incident management

A.17 Information security aspects of business continuity management

A.18 Compliance

Page 19

New and changed controls

A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.5 Information security in project management (New)
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking (Objective expanded)
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy (Changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Page 20

New and changed controls

A.9 Access control

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning (New)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights (Changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Page 21

New and changed controls

A.12 Operations security

A.12.5 Control of operational software (New)
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems (New)
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.2 Restrictions on software installation (New)
Control: Rules governing the installation of software by users shall be established and implemented.

Page 22

New and changed controls

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems (Objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks (Changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Page 23

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2 Security in development and support processes (Objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy (New)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles (New)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment (New)
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Page 24

New and changed controls

A.14 System acquisition, development and maintenance

A.14.2.8 System security testing (New)
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Page 25

New and changed controls

A.15 Supplier relationships

A.15.1 Information security in supplier relationships (New)
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships (New)
Control: Information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain (New)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with the information and communications technology services and product supply chain.

Page 26

New and changed controls

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements (Combined from old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events (New)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents (New)
Control: Information security incidents shall be responded to in accordance with the documented procedures.

Page 27

New and changed controls

A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities (New)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Page 28

Helpful guidelines

ISO/IEC 27002:2013 – Code of practice for information security controls

ISO/IEC 27000:2014 – Information security management systems: overview and vocabulary

ISO 31000:2009 – Risk management: principles and guidelines

Page 29

Transition timeline?

Page 30

Transition timeline

Milestones (left to right on the timeline): 10/01/2013, 10/01/2014, 10/01/2015

• ISO/IEC 27001:2013 released
• ISO/IEC 27001:2005 sunset
• Completion of migration to ISO/IEC 27001:2013

Page 31

Audit days required for transition

A Stage 1 review is required to assess readiness.

The audit days required for a re-certification audit (per ISO 27006) shall be used.

Organizations can upgrade to the new standard during their surveillance audit cycle.

Organizations must plan for their transition audit before August 2015.

Page 32

Questions ?