Transitioning to ISO 27001:2013
Welcome and Introductions – SAI Global

• Provides information services and solutions globally to:
  – Manage risk
  – Achieve compliance
  – Drive business improvement
• Leading provider of ISO 27001 assurance services in the region
• Provides training in understanding, implementing and auditing Information Security Management Systems

Introductions – CQR

• Largest Australian-owned independent information security consultancy
• Experts in the design, implementation and operation of ISMSs based on ISO 27001
• Our specialists have assisted more than 20 organisations globally through the certification process
• CQR has been certified to ISO 27001 for almost 9 years

Learning Outcomes

• At the end of the session, you will have:
  – An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
  – Information to allow you to start planning the necessary transition activities

Agenda

• Brief history of ISO 27001 and 27002
• Drivers for updating the standard
• Changes to the mandatory clauses
  – 2005: Clauses 4 to 8
  – 2013: Clauses 4 to 10
• Key changes to Annex A
• Transition activities
• Certification considerations
• Q&A

The evolution of ISO 27001 revisited

ISO 27001 Revisited

• Developed from BS 7799 Part 2
• First released in 2005 as the core standard in the 27000 family for information security
• Supporting standard ISO 27002 renamed from ISO 17799 in 2007
• Both standards updated and published in 2013
• ISO 27001 is the "auditable" and "certifiable" standard

Drivers for the update

Why the update?

• Experience over the last two decades with a large number of organisations globally
• The changing landscape (outsourcing, cloud, etc.)
• To align the standard with key principles within the ISO 31000 risk management standard
• Driven by the need to align the structure of ALL ISO management system standards
  – Shared language for all non-specific components of the management systems
  – Conformance with Annex SL requirements

Conceptual Differences

Concepts and Context differences

• No formal PDCA model any more, as long as continual improvement occurs
• Shift to move support of the ISMS to the executive management level ("top management")
• Management of risks has a higher focus than control effectiveness
• Now have the concept of "risk owner"

Changes to the mandatory clauses

Mandatory Clauses – 2005 version

• Clauses 0-3 provide background and definitions
• Clauses 4-8 provide the mandatory requirements for the ISMS
  – Clause 4 – Information security management system
  – Clause 5 – Management responsibility
  – Clause 6 – Internal ISMS audits
  – Clause 7 – Management review of the ISMS
  – Clause 8 – ISMS improvement

Mandatory Clauses – 2013 version

• Clauses 0-3 provide background
• Clauses 4-10 provide the mandatory requirements for the ISMS
  – Clause 4 – Context of the organisation
  – Clause 5 – Leadership
  – Clause 6 – Planning
  – Clause 7 – Support
  – Clause 8 – Operation
  – Clause 9 – Performance evaluation
  – Clause 10 – Improvement

Key Differences

• Need to document motivation and context for operating an ISMS
• Requirement to consider interfaces and dependencies with other parties
• Need to include external risk sources and outsourced functions; these must be included in scope
• The ISMS Policy has been removed; the standard now refers only to an Information Security Policy

• Alignment of the risk approach to ISO 31000 rather than the current version of ISO 27005
• Don't need to identify assets, threats and vulnerabilities before risk identification
• Risk sections now discuss "consequences", not "impact"
• Formally requires risk owners to approve the risk treatment plans

• Preventive action as a concept disappears
  – Replaced by "risks and opportunities"
• Determination of controls is now part of the risk assessment, not a separate selection process from Annex A
• However, you still need to validate selected controls against Annex A to verify that no necessary controls have been omitted
• A Statement of Applicability is still required

Key Differences – Mandatory Procedures

• 2005 had 5 mandatory procedures
• 2013 has removed the explicit requirement
• Still required to control documented information
  – Including supporting records
• Internal audit activity is still required but no longer requires a formal procedure
• Non-conformity and corrective action must still occur
• Explicit preventive action requirement is removed

Key Differences – Mandatory Requirements

• Management Review changes
  – Must occur at planned intervals (used to be at least annually)
  – No longer defines specific, precise inputs and outputs but provides a list of topics that need to be considered
• Internal Audit
  – Statement that auditors shall not audit their own work has been removed
  – However, auditors must be objective and impartial

Annexure A Changes

Annex A

• 2005 had 133 controls in 11 sections
• 2013 has 114 controls in 14 sections
• Some controls have been removed completely
  – E.g. A.12.5.4 Information leakage
  – A.11.5.6 Limitation of connection time
• Others are combined
  – E.g. malicious and mobile code is now Malware (new A.12.2.1)
• Some new controls added
• My view – the new Annex A is a simplified set of controls that are more easily understood

• Communications and Operations Management (A.10) has been split into two
  – A.12 Operations security
  – A.13 Communications security
• Also now have a separate section (A.10) for Cryptography
• Business Continuity section has undergone significant change, focusing on embedding information security into the organisation's BCMS
  – This section also addresses redundant facilities

Other Changes

Annexures B and C (2005)

• Annex B contained the cross-reference to the OECD principles
  – Also referred to the PDCA model, which has been dropped
  – There is no equivalent annexure in the 2013 version
• Annex C provided a cross-reference between 27001 and other standards
  – Given the revision of the other standards, this section has also been removed with no replacement

Transition Activities

• Assumption – you have an ISMS in place based on the ISO/IEC 27001:2005 standard
  – Equivalent to AS/NZS ISO/IEC 27001:2006
• Assumption – the goal is to keep changes to a minimum

• Where to start?
  – Is a gap analysis worthwhile?
  – Yes; the level of detail will depend on how close you are to your system
• You need to have some sort of transition plan, and a gap analysis may help identify tasks
• Once you have identified key activities, add them to your current system as improvement opportunities

• Document all "interested parties"
  – Internal and external
• Re-visit your Scope statement
  – Make sure you capture the interfaces with third parties and the security requirements around these interfaces

• For Management, specifically allocate responsibility for:
  – Ensuring the ISMS conforms with the standard
  – Reporting on the performance of the ISMS to top management
• Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)

• Review your ISMS policy (in 2013, called the Information Security Policy) and simplify it if there is value in doing so
  – You can leave it unchanged if it's working!
  – Can add the roles and responsibilities previously discussed in this document if you wish

• Review your risk management procedure
  – Can simplify by removing the asset-threat-vulnerability approach
  – Ensure that you have a process to identify and record "risk owners"
• Revisit your risk assessments and get approval of treatments from the risk owners
  – Still need a record of acceptance of residual risk

• Revisit your Statement of Applicability (SoA)
  – Map risks against new Annex A controls
  – Just because a control has disappeared from Annex A does not mean you should remove it
  – If it still manages a risk, it should still appear in your SoA
• Check references in the rest of your system to controls within the SoA (risk register etc.)
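As an added illustration of the SoA step above (example code, not from the slides or from CQR/SAI Global), the following Python script renumbers a 2005-based Statement of Applicability to the 2013 Annex A, keeps a dropped control in the SoA only while the risk register shows it still treats a risk, and then lists risk-register entries that still cite an old control id. The mapping table is a constructed extract (A.10.4.1/A.10.4.2 are taken as the 2005 malicious-code and mobile-code controls that the slides say merged into A.12.2.1), and the SoA and risk register are constructed sample data.

```python
from collections import defaultdict

# 2005 control id -> 2013 control id; None marks a control dropped in 2013.
# Constructed extract for the example, not the full correspondence table.
ANNEX_A_MAP = {
    "A.10.4.1": "A.12.2.1",  # controls against malicious code -> Malware
    "A.10.4.2": "A.12.2.1",  # controls against mobile code    -> Malware
    "A.12.5.4": None,        # Information leakage: removed
    "A.11.5.6": None,        # Limitation of connection time: removed
}

# Constructed sample SoA (applicable 2005 controls) and risk register.
SOA_2005 = {"A.10.4.1": "endpoint anti-malware", "A.10.4.2": "plug-in whitelist",
            "A.12.5.4": "outbound mail DLP", "A.11.5.6": "idle session timeout"}
RISK_REGISTER = {"R-01": ["A.10.4.1", "A.10.4.2"],  # malware infection
                 "R-07": ["A.12.5.4"]}              # data leakage via e-mail

def transition_soa(soa_2005, risk_register):
    """Return (soa_2013, notes): the renumbered SoA and items needing a decision."""
    treated = defaultdict(set)  # control id -> risks it currently treats
    for risk, controls in risk_register.items():
        for c in controls:
            treated[c].add(risk)
    soa_2013, notes = {}, []
    for old_id, why in soa_2005.items():
        if old_id not in ANNEX_A_MAP:
            notes.append(f"{old_id}: not in mapping table, map manually")
            continue
        new_id = ANNEX_A_MAP[old_id]
        if new_id is not None:
            # Combined controls (two 2005 ids -> A.12.2.1) merge into one entry.
            soa_2013.setdefault(new_id, []).append(f"{old_id}: {why}")
        elif treated[old_id]:
            # Dropped from Annex A but still treats a risk: keep it in the SoA
            # as an organisation-defined control instead of silently removing it.
            soa_2013[old_id] = [f"retained, not in 2013 Annex A: {why}"]
        else:
            notes.append(f"{old_id}: dropped from Annex A, treats no risk; review for retirement")
    return soa_2013, notes

def dangling_references(soa_2013, risk_register):
    """Risk-register entries citing a control id absent from the new SoA
    (old ids whose successor was renumbered still need updating)."""
    return {risk: [c for c in controls if c not in soa_2013]
            for risk, controls in risk_register.items()
            if any(c not in soa_2013 for c in controls)}
```

On the sample data, A.12.5.4 stays in the SoA because R-07 still depends on it, A.11.5.6 is flagged for review, and R-01 is reported because it still cites the pre-2013 ids.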
• Review the required documentation
  – Do you want to keep your versions of the old mandatory procedures?
  – What documents can be retired?
  – What new documents are needed?
  – New documents may be required based on any new controls selected in your Statement of Applicability

• Potential new documents
  – Information security objectives (not Annex A related)
  – A.14.2.1 Secure Development Policy
  – A.14.2.5 Secure Systems Engineering principles
  – A.15.1.1 InfoSec Policy for Supplier Relationships
  – A.16.1.7 a procedure for evidence management

• Revisit your metrics and measures
  – New version has more focus on metrics and measures
  – Need to identify what your metrics will be and how you will measure the performance of the ISMS
• Only measure that which provides value (information on the performance of the ISMS)

• Need to ensure that you define:
  – How things will be measured
  – Who monitors/measures
  – When it will be done
  – Who is going to look at the results
  – When this will happen

Additional Workshops

• Melbourne – 9th December
• Sydney – 10th December
• Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ

Certification Considerations

Certification

• For new certifications, you can choose to certify to the 2005 version until Sept 2014
• For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system
• Don't leave it until the last minute; start making the necessary changes as soon as you can

Any questions?

Thanks for your attention
Enjoy your day!
david.simpson@cqr.com