ISO 27001 transition to 2013 03202014

Subrata Guha, UL DQS Inc. IT Services Director, with more than 20 years of professional experience in the fields of IT Service Management, Software Engineering and Audit/Assessment of Quality Management Systems hosts a webinar that focuses on the transition to ISO IEC 27001:2013. This webinar includes:

- Highlights of the changes in ISO IEC 27001:2013
- Transition Strategy
- Q&A session

  1. Transition to ISO/IEC 27001:2013. Subrata Guha, Program Manager – IT Certification, DQS–UL Group
  2. Questions
     - What has changed?
     - What you need to know?
     - Transition timeline?
     - Any other questions?
  3. What has changed?
  4. Structural change (structure simplified)
     - ISO/IEC 27001:2005: Establish ISMS, Implement ISMS, Monitor ISMS, Improve ISMS, Documentation requirements, Management responsibility, Internal audit, Management review, ISMS improvement
     - ISO/IEC 27001:2013: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement
  5. Change highlights
     - The structure change is part of a harmonization effort from ISO
     - Better alignment with business objectives
     - More emphasis on: risk management, planning, measurement, communication
     - The term "documented procedure" is replaced with "documented information" in the body of the standard (sections 4-10)
  6. Summary of changes (number of requirements reduced)
     - ISO/IEC 27001:2005: 132 "shall" statements (sections 4-8); Annexure A: 11 clauses, 39 categories, 133 controls
     - ISO/IEC 27001:2013: 125 "shall" statements (sections 4-10); Annexure A: 14 clauses, 35 categories, 114 controls
  7. Summary of changes - Requirements: New 49, Changed 20, No change 56 (Total: 125)
  8. Summary of changes - Controls: New 13, Changed 50, No change 38 (Total: 114)
  9. What you need to know?
  10. 4.0 Context of the organization
      - 4.1 Understanding the organization and its context: determine the external and internal issues relevant to its purpose and to the ISMS (business risks and opportunities); may refer to ISO 31000
      - 4.2 Understanding the needs and expectations of interested parties: the interested parties relevant to the ISMS (customers, shareholders, regulatory agencies); their requirements relevant to the ISMS, including regulatory requirements; these feed the ISMS requirements
      - 4.3 Determine the scope of the ISMS: internal and external issues; requirements of interested parties; interfaces between organizations
      - 4.4 ISMS
  11. 5.0 Leadership
      - 5.1 Leadership and commitment: top management has to provide evidence of directing and supporting personnel, and of supporting next-level management to demonstrate leadership
      - 5.2 Policy: the policy should include a statement of continual improvement; the policy should be communicated
      - 5.3 Organizational roles, responsibilities and authorities: more explicit requirements for defining lines of reporting and authorities
  12. 6.0 Planning
      - 6.1 Actions to address risks and opportunities: ISMS planning to address business risks and opportunities; establish a method for information security risk assessment; identify risk owners; risk owners approve residual risks
      - 6.2 ISMS objectives and planning to achieve them: ISMS objectives for different functions and levels; objectives should be measurable; consistent with the risk treatment plan; develop a plan to achieve the objectives
  13. 7.0 Support
      - 7.1 Resource: no change
      - 7.2 Competency: no change
      - 7.3 Awareness: it is now an explicit requirement
      - 7.4 Communication: need to define a procedure for internal and external communication
      - 7.5 Documented information: need to define a process for document creation, approval and release
  14. 8.0 Operation
      - 8.1 Operational planning and control: implement the plan identified in 6.2; determine the operational controls required to operate the ISMS; identify the controls required for outsourced processes
      - 8.2 Information security risk assessment: no change
      - 8.3 Information security risk treatment: no change
  15. 9.0 Performance evaluation
      - 9.1 Monitoring, measurement, analysis and evaluation: the organization shall determine what needs to be monitored and measured; the methods of monitoring, measurement, analysis and evaluation; when monitoring and measuring are to be performed and who will perform them; when the results of monitoring are to be analyzed and evaluated and who will perform this
      - 9.2 Internal audit: no change
      - 9.3 Management review: no change
  16. 10.0 Improvement
      - 10.1 Non-conformity and corrective action: similar to corrective action; the section on preventive action has been deleted
      - 10.2 Continual improvement: no change
  17. Controls – Annex A
  18. Grouping of controls (clauses)
      - A.5 Information security policies
      - A.6 Organization of information security
      - A.7 Human resource security
      - A.8 Asset management
      - A.9 Access control
      - A.10 Cryptography
      - A.11 Physical and environmental security
      - A.12 Operations security
      - A.13 Communications security
      - A.14 System acquisition, development and maintenance
      - A.15 Supplier relationships
      - A.16 Information security incident management
      - A.17 Information security aspects of business continuity management
      - A.18 Compliance
  19. New and changed controls: A.6 Organization of information security
      - A.6.1 Internal organization. Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. [Objective expanded]
      - A.6.1.5 Information security in project management. Control: Information security shall be addressed in project management, regardless of the type of the project. [New]
      - A.6.2 Mobile device and teleworking. Objective: To ensure the security of teleworking and use of mobile devices.
      - A.6.2.1 Mobile device policy. Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. [Changed; old control A.11.7.1]
  20. New and changed controls: A.9 Access control
      - A.9.2 User access management. Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
      - A.9.2.1 User registration and de-registration. Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights. [Changed; old control A.11.2.1]
      - A.9.2.2 User access provisioning. Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. [New]
      - A.9.2.6 Removal or adjustment of access rights. Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. [Changed; old control A.8.3.3]
  21. New and changed controls: A.12 Operations security
      - A.12.5 Control of operational software. Objective: To ensure the integrity of operational systems. [New]
      - A.12.5.1 Installation of software on operational systems. Control: Procedures shall be implemented to control the installation of software on operational systems. [New]
      - A.12.6 Technical vulnerability management. Objective: To prevent exploitation of technical vulnerabilities.
      - A.12.6.2 Restrictions on software installation. Control: Rules governing the installation of software by users shall be established and implemented. [New]
  22. New and changed controls: A.14 System acquisition, development and maintenance
      - A.14.1 Security requirements of information systems. Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. [Objective expanded]
      - A.14.1.2 Securing application services on public networks. Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. [Changed; old control A.10.9.1]
      - A.14.1.3 Protecting application services transactions. Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. [Changed; old control A.10.9.2]
  23. New and changed controls: A.14 System acquisition, development and maintenance (continued)
      - A.14.2 Security in development and support processes. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. [Objective expanded]
      - A.14.2.1 Secure development policy. Control: Rules for the development of software and systems shall be established and applied to developments within the organization. [New]
      - A.14.2.5 Secure system engineering principles. Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. [New]
      - A.14.2.6 Secure development environment. Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. [New]
  24. New and changed controls: A.14 System acquisition, development and maintenance (continued)
      - A.14.2.8 System security testing. Control: Testing of security functionality shall be carried out during development. [New]
      - A.14.2.9 System acceptance testing. Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. [Changed; old control A.10.3.2]
  25. New and changed controls: A.15 Supplier relationships
      - A.15.1 Information security in supplier relationships. Objective: To ensure protection of the organization's assets that is accessible by suppliers. [New]
      - A.15.1.1 Information security policy for supplier relationships. Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. [New]
      - A.15.1.3 Information and communication technology supply chain. Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. [New]
  26. New and changed controls: A.16 Information security incident management
      - A.16.1 Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. [Combined A.13.1 and A.13.2]
      - A.16.1.4 Assessment of and decision on information security events. Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. [New]
      - A.16.1.5 Response to information security incidents. Control: Information security incidents shall be responded to in accordance with the documented procedures. [New]
  27. New and changed controls: A.17 Information security aspects of business continuity management
      - A.17.2 Redundancies. Objective: To ensure availability of information processing facilities.
      - A.17.2.1 Availability of information processing facilities. Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. [New]
  28. Helpful guidelines
      - ISO/IEC 27002:2013 – Code of practice for information security controls
      - ISO/IEC 27000:2014 – Information security management systems overview and vocabulary
      - ISO 31000:2009 – Risk management principles and guidelines
  29. Transition timeline?
  30. Transition timeline
      - 10/01/2013: ISO/IEC 27001:2013 released
      - 10/01/2014: ISO/IEC 27001:2005 sunset
      - 10/01/2015: completion of migration to ISO/IEC 27001:2013
  31. Audit days required for transition
      - A Stage 1 review is required to review readiness.
      - The audit days required for a re-certification audit (per ISO 27006) shall be used.
      - Organizations can upgrade to the new standard during their surveillance audit cycle.
      - Organizations must plan for their transition audit before August 2015.
  32. Questions?