Transitioning to ISO 27001:2013

  • 1. Transitioning to ISO 27001:2013
  • 2. Welcome and Introductions
    – SAI Global provides information services and solutions globally to:
      – Manage risk
      – Achieve compliance
      – Drive business improvement
    – Leading provider of ISO 27001 assurance services in the region
    – Provides training in understanding, implementing and auditing Information Security Management Systems
  • 3. Introductions
    – CQR is the largest Australian-owned independent information security consultancy
    – Experts in the design, implementation and operation of ISMSs based on ISO 27001
    – Our specialists have assisted in excess of 20 organisations globally through the certification process
    – CQR has been certified to ISO 27001 for almost 9 years
  • 4. Learning Outcomes
    – At the end of the session, you will have:
      – An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
      – Information to allow you to start planning the necessary transition activities
  • 5. Agenda
    – Brief history of ISO 27001 and 27002
    – Drivers for updating the standard
    – Changes to the mandatory clauses
      – 2005: Clauses 4 to 8
      – 2013: Clauses 4 to 10
    – Key changes to Annex A
    – Transition activities
    – Certification considerations
    – Q&A
  • 6. The evolution of ISO 27001 revisited
  • 7. ISO 27001 Revisited
    – Developed from BS 7799 Part 2
    – First released in 2005 as the core standard in the 27000 family for information security
    – Supporting standard ISO 27002 renamed from ISO 17799 in 2007
    – Both standards updated and published in 2013
    – ISO 27001 is the "auditable" and "certifiable" standard
  • 8. Drivers for the update
  • 9. Why the update?
    – Experience over the last two decades with a large number of organisations globally
    – The changing landscape (outsourcing, cloud etc.)
    – To align the standard with key principles within the ISO 31000 risk management standard
  • 10. Why the update?
    – Driven by the need to align the structure of ALL ISO management system standards
      – Shared language for all non-specific components of the management systems
      – Conformance with Annex SL requirements
  • 11. Conceptual Differences
  • 12. Concepts and Context differences
    – No formal PDCA model any more, as long as continual improvement occurs
    – Shift to move support of the ISMS to the executive management level ("top management")
    – Management of risks has a higher focus than control effectiveness
    – Now have the concept of "risk owner"
  • 13. Changes to the mandatory clauses
  • 14. Mandatory Clauses – 2005 version
    – Clauses 0-3 provide background and definitions
    – Clauses 4-8 provide the mandatory requirements for the ISMS
      – Clause 4 – Information security management system
      – Clause 5 – Management responsibility
      – Clause 6 – Internal ISMS audits
      – Clause 7 – Management review of the ISMS
      – Clause 8 – ISMS improvement
  • 15. Mandatory Clauses – 2013 version
    – Clauses 0-3 provide background
    – Clauses 4-10 provide the mandatory requirements for the ISMS
      – Clause 4 – Context of the organisation
      – Clause 5 – Leadership
      – Clause 6 – Planning
      – Clause 7 – Support
      – Clause 8 – Operation
      – Clause 9 – Performance evaluation
      – Clause 10 – Improvement
  • 16. Key differences
    – Need to document the motivation and context for operating an ISMS
    – Requirement to consider interfaces and dependencies with other parties
    – Need to include external risk sources and outsourced functions
      – These must be included in scope
    – The ISMS Policy has been removed; the standard now refers only to an Information Security Policy
  • 17. Key Differences
    – Alignment of the risk approach to ISO 31000 rather than the current version of ISO 27005
    – No longer need to identify assets, threats and vulnerabilities before risk identification
    – Risk sections now discuss "consequences", not "impact"
    – Formally requires risk owners to approve the risk treatment plans
  • 18. Key Differences
    – Preventive action as a concept disappears
      – Replaced by "risks and opportunities"
    – Determination of controls is now part of the risk assessment, not a separate selection process from Annex A
    – However, you still need to validate the selected controls against Annex A to verify that no necessary controls have been omitted
    – A Statement of Applicability is still required
  • 19. Key Differences – Mandatory Procedures
    – 2005 had 5 mandatory procedures
    – 2013 has removed the explicit requirement
    – Still required to control documented information
      – Including supporting records
    – Internal audit activity is still required but no longer requires a formal procedure
    – Non-conformity and corrective action must still occur
    – The explicit preventive action requirement is removed
  • 20. Key Differences – Mandatory Requirements
    – Management Review changes
      – Must occur at planned intervals (used to be at least annually)
      – No longer defines specific, precise inputs and outputs, but provides a list of topics that need to be considered
    – Internal Audit
      – The statement that auditors shall not audit their own work has been removed
      – However, auditors must be objective and impartial
  • 21. Annexure A Changes
  • 22. Annex A
    – 2005 had 133 controls in 11 sections
    – 2013 has 114 controls in 14 sections
    – Some controls have been removed completely
      – E.g. A.12.5.4 Information leakage
      – E.g. A.11.5.6 Limitation of connection time
    – Others are combined
      – E.g. malicious and mobile code is now Malware (new A.12.2.1)
    – Some new controls added
    – My view: the new Annex A is a simplified set of controls that is more easily understood
  • 23. Annex A
    – Communications and Operations Management (A.10) has been split into two
      – A.12 Operations security
      – A.13 Communications security
    – There is also now a separate section (A.10) for Cryptography
    – The Business Continuity section has undergone significant change, focusing on embedding information security into the organisation's BCMS
      – This section also addresses redundant facilities
  • 24. Other Changes
  • 25. Annexures B and C (2005)
    – Annex B contained the cross-reference to the OECD principles
      – It also referred to the PDCA model, which has been dropped
      – There is no equivalent annexure in the 2013 version
    – Annex C provided a cross-reference between 27001 and other standards
      – Given the revision of the other standards, this section has also been removed with no replacement
  • 26. Transition Activities
  • 27. Transition Activities
    – Assumption: you have an ISMS in place based on the ISO/IEC 27001:2005 standard
      – Equivalent to AS/NZS ISO/IEC 27001:2006
    – Assumption: the goal is to keep changes to a minimum
  • 28. Transition Activities
    – Where to start?
      – Is a gap analysis worthwhile?
      – Yes, though the depth needed depends on how well you know your current system
    – You need some sort of transition plan, and a gap analysis may help identify tasks
    – Once you have identified the key activities, add them to your current system as improvement opportunities
  • 29. Transition Activities
    – Document all "interested parties"
      – Internal and external
    – Re-visit your Scope statement
      – Make sure you capture the interfaces with third parties and the security requirements around these interfaces
  • 30. Transition Activities
    – For Management, specifically allocate responsibility for:
      – Ensuring the ISMS conforms with the standard
      – Reporting on the performance of the ISMS to top management
    – Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)
  • 31. Transition Activities
    – Review your ISMS policy (in 2013, called the Information Security Policy) and simplify it if there is value in doing so
      – You can leave it unchanged if it's working!
      – You can add the roles and responsibilities previously discussed to this document if you wish
  • 32. Transition Activities
    – Review your risk management procedure
      – You can simplify it by removing the asset-threat-vulnerability approach
      – Ensure that you have a process to identify and record "risk owners"
    – Revisit your risk assessments and get approval of treatments from the risk owners
      – You still need a record of acceptance of residual risk
  • 33. Transition Activities
    – Revisit your Statement of Applicability (SoA)
      – Map risks against the new Annex A controls
      – Just because a control has disappeared from Annex A does not mean you should remove it
      – If it still manages a risk, it should still appear in your SoA
    – Check references in the rest of your system to controls within the SoA (risk register etc.)
  • 34. Transition Activities
    – Review the required documentation
      – Do you want to keep your versions of the old mandatory procedures?
      – What documents can be retired?
      – What new documents are needed?
      – New documents may be required based on any new controls selected in your Statement of Applicability
  • 35. Transition Activities
    – Potential new documents
      – Information security objectives (not Annex A related)
      – A.14.2.1 Secure development policy
      – A.14.2.5 Secure system engineering principles
      – A.15.1.1 Information security policy for supplier relationships
      – A.16.1.7 A procedure for evidence management
  • 36. Transition Activities
    – Revisit your metrics and measures
      – The new version has more focus on metrics and measures
      – You need to identify what your metrics will be and how you will measure the performance of the ISMS
    – Only measure that which provides value (information on the performance of the ISMS)
  • 37. Transition Activities
    – You need to ensure that you define:
      – How things will be measured
      – Who monitors/measures
      – When it will be done
      – Who is going to look at the results
      – When this will happen
  • 38. Additional Workshops
    – Melbourne – 9th December
    – Sydney – 10th December
    – Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ
  • 39. Certification Considerations
  • 40. Certification
    – For new certifications, you can choose to certify to the 2005 version until Sept 2014
    – For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system
    – Don't leave it until the last minute; start making the necessary changes as soon as you can
  • 41. Any questions?
  • 42. Thanks for your attention. Enjoy your day! david.simpson@cqr.com