ISO 27001:2013 - Changes


Mumbai Chapter Meet - December 2013



  1. ISO 27001:2013 - How is it different?

  2. Structure of the standard
     Official title: "Information technology— Security techniques — Information security management systems — Requirements".
     Major changes:
     • The structure mirrors that of other new management system standards such as ISO 22301 (business continuity management).
     • This helps organizations that aim to comply with multiple standards to improve their IT from several perspectives with one integrated system.
     • Annexes B and C of ISO 27001:2005 have been removed.
     • A new term, "risk owner", is introduced.

  3. The 27001:2013 standard
     The 2013 standard has ten short clauses plus a long Annex A:
     1. Scope of the standard
     2. Normative references (how the document is referenced)
     3. Terms and definitions, reused from ISO/IEC 27000
     4. Context of the organization and its stakeholders (interested parties)
     5. Leadership: high-level support for information security and the policy
     6. Planning: the information security management system, risk assessment and risk treatment
     7. Support for the information security management system
     8. Operation: making the information security management system operational
     9. Performance evaluation: reviewing the system's performance
     10. Improvement: corrective action
     Annex A: list of control objectives and controls.

  4. Generic changes from ISO 27001:2005
     • More emphasis on measuring and evaluating how well an organization's ISMS is performing.
     • A new section on outsourcing (outsourced processes must be determined and controlled).
     • The Plan-Do-Check-Act (PDCA) cycle is no longer emphasized.
     • More attention is paid to the organizational context of information security.
     • The risk assessment approach has changed.
     • It is designed to fit better alongside other management system standards such as ISO 9000 and ISO 20000, and shares many common features with them.

  5. Important changes with respect to ISO 27001:2005
     • The revised standard is written using the new high-level structure (Annex SL), which is common to all new management system standards; this allows easy integration when implementing more than one management system.
     • Risk assessment requirements have been aligned with ISO 31000.
     • Management commitment requirements now focus on "leadership".
     • "Preventive action" has been replaced by "actions to address risks and opportunities".
     • Statement of Applicability (SoA) requirements are similar, with more clarity that the controls are determined by the risk treatment process.
     • Controls in Annex A have been modified to reflect changing threats, remove duplication and give a more logical grouping.
     • The standard refers to "documented information" rather than to separate documents and records.
     • Greater emphasis on setting objectives, monitoring performance and metrics.

  6. New controls in Annex A
     • A.6.1.5 Information security in project management
     • A.12.6.2 Restrictions on software installation
     • A.14.2.1 Secure development policy
     • A.14.2.5 Secure system engineering principles
     • A.14.2.6 Secure development environment
     • A.14.2.8 System security testing
     • A.15.1.1 Information security policy for supplier relationships
     • A.15.1.3 Information and communication technology supply chain
     • A.16.1.4 Assessment of and decision on information security events
     • A.16.1.5 Response to information security incidents
     • A.17.2.1 Availability of information processing facilities
     Clause 6.1.3 describes how an organization responds to risks with a risk treatment plan; an important part of this is choosing appropriate controls.
  7. New concepts introduced

  8. In which clauses is "documented information" required?

  9. Mapping of clauses in ISO 27001 (2005 and 2013)

  10. Mapping of clauses in ISO 27001 (2005 and 2013) (contd.)

  11. Mapping of clauses in ISO 27001 (2005 and 2013) (contd.)
  12. Control list - Annex A (A.5 to A.18) of ISO 27001:2013
      A.5: Information security policies
      A.6: Organization of information security
      A.7: Human resource security
      A.8: Asset management
      A.9: Access control
      A.10: Cryptography
      A.11: Physical and environmental security
      A.12: Operations security
      A.13: Communications security
      A.14: System acquisition, development and maintenance
      A.15: Supplier relationships
      A.16: Information security incident management
      A.17: Information security aspects of business continuity management
      A.18: Compliance
      These controls and control objectives are listed in Annex A, although organizations may also select other controls from elsewhere. There are now 114 controls in 14 groups; the old standard had 133 controls in 11 groups.
  13. Questions to brainstorm
      Q1. Why do I need to implement an ISMS?
      Q2. What can an ISMS offer me that I would not get without implementing it?
      Q3. Why is "context of the organization" important in ISO 27001:2013?
      Q4. What exactly is meant by "requirement" in the standard?
      Q5. Can I reduce the scope of the ISMS implementation so as to certify only part of my organization?
      Q6. What is the difference between "achieving conformance" and "being compliant"?
      Q7. Can the PDCA cycle still be used with ISO 27001:2013?
      Q8. Is the asset-based approach to risk assessment from the 2005 standard still applicable in the 2013 version? Can you elaborate?