ISO 27002 2013 Updates / changes
Update to the ISO 27002:2013 standard.
ISO 27002 2013 Updates / changes: Document Transcript

November 2013

New releases of ISO 27001:2013 and ISO 27002:2013

The new versions of ISO 27001 Information Security Management System (ISMS requirements) and ISO 27002 Code of Practice for Information Security Controls (which aids the implementation of ISO 27001) were published in September 2013. An effectively implemented ISMS can improve the state of information security in an organisation. Organisations that are already ISO certified are allowed a period of two years to meet the requirements of the new ISO version.

Changes in ISO 27002:2013

  • The revised Annex SL format has a new set of chapters and structure, as illustrated in the image in the Appendix.
  • The new structure is intended to standardise terminology and requirements across all management system standards, such as ISO 9000 Quality Management and ISO 20000 Information Technology – Service Management.
  • The Information Security Management System (ISMS) is renamed Context of the Organisation.
  • The new version of the standard requires a clear demonstration of leadership. Leadership and management are now clearly defined as two separate requirements. Leaders need to demonstrate commitment by defining strategic goals and ensuring that sufficient resources are available to implement information security correctly. Management is defined as the implementation and day-to-day running of the systems.
  • Organisations now have the flexibility to implement the requirements in the way most suitable for them, since the new standard is less prescriptive.
  • A noticeable change is the withdrawal of the Plan-Do-Check-Act (PDCA) model, which was an important section of the standard. The 2013 version uses a model in the mandatory clauses; however, it is no longer a dedicated section.
  • The importance of interested parties is recognised in the new standard: a separate clause, "Understanding the needs and expectations of interested parties", requires all interested parties to be listed along with their requirements.
  • The chapters on Risk Assessment and Risk Treatment were removed. Documentation of a Risk Management Methodology is no longer required, and assets, vulnerabilities and threats are no longer the basis of the risk assessment. Only risks associated with confidentiality, integrity and availability need to be identified. The new concept of risk owners is introduced in place of asset owners.
  • The new standard includes 114 controls in 14 security control clauses (categories), whereas the 2005 standard had 133 controls in 11 security control clauses.
  • Two new categories are added, "Cryptography" and "Supplier Relationships", and the existing category "Communications and operations management" is split into two categories, "Operations Security" and "Communications Security".
  • Many controls included in the standard are unaltered, while some controls are deleted or merged together. Additionally, some new controls are added and the guidance text is updated accordingly.
  • The tables below illustrate the security control clauses (categories) included in ISO 27002:2013 and ISO 27002:2005.

Security control clauses (categories)

      ISO 27002:2013                                                   ISO 27002:2005
  5   Information Security Policies                                    Security Policy
  6   Organisation of Information Security                             Organisation of Information Security
  7   Human Resource Security                                          Asset Management
  8   Asset Management                                                 Human Resource Security
  9   Access Control                                                   Physical and Environmental Security
  10  Cryptography                                                     Communications and Operations Management
  11  Physical and Environmental Security                              Access Control
  12  Operations Security                                              Information Systems Acquisition, Development and Maintenance
  13  Communications Security                                          Information Security Incident Management
  14  System Acquisition, Development and Maintenance                  Business Continuity Management
  15  Supplier Relationships                                           Compliance
  16  Information Security Incident Management
  17  Information Security Aspects of Business Continuity Management
  18  Compliance

New controls proposed in the ISO 27002:2013 release

Controls added in 27002:2013
  A.6.1.5    Information security in project management
  A.12.6.2   Restrictions on software installation
  A.14.2.1   Secure development policy
  A.14.2.5   System development procedures
  A.14.2.6   Secure development environment
  A.14.2.8   System security testing
  A.15.1.1   Information security policy for supplier relationships
  A.15.1.3   Information and Communication Technology supply chain
  A.16.1.4   Assessment and decision of information security events
  A.16.1.5   Response to information security incidents
  A.17.1.2   Implementing information security continuity
  A.17.2.1   Availability of information processing facilities

ISO 27002:2005 controls deleted

27001:2005 control deleted in ISO 27001:2013
  A.6.1.1    Management commitment to information security
  A.6.1.2    Information security coordination
  A.6.1.4    Authorisation process for information processing facilities
  A.6.2.1    Identification of risks related to external parties
  A.6.2.2    Addressing security when dealing with customers
  A.10.2.1   Service delivery
  A.10.7.4   Security of system documentation
  A.10.8.5   Business Information Systems
  A.10.10.2  Monitoring system use
  A.10.10.5  Fault logging
  A.11.4.2   User authentication for external connections
  A.11.4.3   Equipment identification in networks
  A.11.4.4   Remote diagnostic and configuration port protection
  A.11.4.6   Network connection control
  A.11.4.7   Network routing control
  A.11.6.2   Sensitive system isolation
  A.12.2.1   Input data validation
  A.12.2.2   Control of internal processing
  A.12.2.3   Message integrity
  A.12.2.4   Output data validation
  A.12.5.4   Information leakage
  A.14.1.1   Including information security in the business continuity management process
  A.14.1.3   Developing and implementing continuity plans including information security
  A.14.1.4   Business continuity planning framework
  A.15.1.5   Prevention of misuse of information processing facilities
  A.15.3.2   Protection of information systems audit tools

We would be pleased to meet with you and provide any clarifications and/or additional information on the matters raised.
Appendix: Revised ISO 27002:2013 structure

[Figure: diagram of the revised ISO 27002:2013 chapter structure; the image is not reproduced in this transcript.]
Risk Assurance Consulting (RAC)

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. © 2013 PricewaterhouseCoopers Ltd. All rights reserved. PwC refers to the Cyprus member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Your contacts for IT Governance & Security matters in PwC Cyprus:

  • George Lambrou, Partner, Risk Assurance Consulting, Tel. +357 - 22 555 728, george.lambrou@cy.pwc.com
  • Christos Tsolakis, Partner, Risk Assurance Consulting, Tel. +357 - 22 555 570, christos.tsolakis@cy.pwc.com
  • Demos Demou, Manager, Risk Assurance Consulting, Tel. +357 - 22 555 056, demos.demou@cy.pwc.com
  • Efthyvoulos Efthyvoulou, Manager, Risk Assurance Consulting, Tel. +357 - 22 555 460, efhtyvoulos.efthyvoulou@cy.pwc.com
  • Alexis Thomas, Manager, Risk Assurance Consulting, Tel. +357 - 22 555 625, alexis.thomas@cy.pwc.com

www.pwc.com.cy/technology

PwC Cyprus
Julia House, 3 Themistocles Dervis Street, CY-1066 Nicosia, Cyprus
P O Box 21612, CY-1591 Nicosia, Cyprus
www.pwc.com.cy