Transitioning to ISO 27001:2013
Welcome and Introductions: SAI Global

• Provides information services and solutions globally to:
  – Manage risk
  – Achieve compliance
  – Drive business improvement
• Leading provider of ISO 27001 assurance services in the region
• Provides training in understanding, implementing and auditing Information Security Management Systems
Introductions: CQR

• Largest Australian-owned independent information security consultancy
• Experts in the design, implementation and operation of ISMSs based on ISO 27001
• Our specialists have assisted in excess of 20 organisations globally through the certification process
• CQR has been certified to ISO 27001 for almost 9 years
Learning Outcomes

• At the end of the session, you will have:
  – An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
  – Information to allow you to start planning the necessary transition activities
Agenda

• Brief history of ISO 27001 and 27002
• Drivers for updating the standard
• Changes to the mandatory clauses
  – 2005 – Clauses 4 to 8
  – 2013 – Clauses 4 to 10
• Key changes to Annex A
• Transition activities
• Certification considerations
• Q&A
The evolution of ISO 27001 revisited

ISO 27001 Revisited

• Developed from BS 7799 Part 2
• First released in 2005 as the core standard in the 27000 family for information security
• Supporting standard ISO 27002 renamed from ISO 17799 in 2007
• Both standards updated and published in 2013
• ISO 27001 is the “auditable” and “certifiable” standard
Drivers for the update

Why the update?

• Experience over the last 2 decades with a large number of organisations globally
• The changing landscape (outsourcing, cloud etc.)
• To align the standard with key principles within the ISO 31000 risk management standard
Why the update?

• Driven by the need to align the structure of ALL ISO management systems standards
  – Shared language for all non-specific components of the management systems
  – Conformance with Annex SL requirements
Conceptual Differences

Concepts and Context differences

• No formal PDCA model any more, as long as continual improvement occurs
• Shift to move support of the ISMS to the executive management level (“top management”)
• Management of risks has a higher focus than control effectiveness
• Now have the concept of “risk owner”
Changes to the mandatory clauses

Mandatory Clauses – 2005 version

• Clauses 0–3 provide background and definitions
• Clauses 4–8 provide the mandatory requirements for the ISMS
  – Clause 4 – Information security management system
  – Clause 5 – Management responsibility
  – Clause 6 – Internal ISMS audits
  – Clause 7 – Management review of the ISMS
  – Clause 8 – ISMS improvement
Mandatory Clauses – 2013 version

• Clauses 0–3 provide background
• Clauses 4–10 provide the mandatory requirements for the ISMS
  – Clause 4 – Context of the organisation
  – Clause 5 – Leadership
  – Clause 6 – Planning
  – Clause 7 – Support
  – Clause 8 – Operation
  – Clause 9 – Performance evaluation
  – Clause 10 – Improvement
Key Differences

• Need to document the motivation and context for operating an ISMS
• Requirement to consider interfaces and dependencies with other parties
• Need to include external risk sources and outsourced functions
  – These must be included in scope
• The ISMS Policy has been removed; the standard now refers only to an Information Security Policy
Key Differences

• Alignment of the risk approach to ISO 31000 rather than the current version of ISO 27005
• Don’t need to identify assets, threats and vulnerabilities before risk identification
• Risk sections now discuss “consequences”, not “impact”
• Formally requires risk owners to approve the risk treatment plans
Key Differences

• Preventive action as a concept disappears
  – Replaced by “risks and opportunities”
• Determination of controls is now part of the risk assessment, not a separate selection process from Annex A
• However, you still need to validate selected controls against Annex A to verify that no necessary controls have been omitted
• A Statement of Applicability is still required
Key Differences – Mandatory Procedures

• 2005 had 5 mandatory procedures
• 2013 has removed the explicit requirement
• Still required to control documented information
  – Including supporting records
• Internal audit activity is still required but no longer requires a formal procedure
• Non-conformity and corrective action must still occur
• Explicit preventive action requirement is removed
Key Differences – Mandatory Requirements

• Management review changes
  – Must occur at planned intervals (used to be at least annually)
  – No longer defines specific, precise inputs and outputs, but provides a list of topics that need to be considered
• Internal audit
  – The statement that auditors shall not audit their own work has been removed
  – However, auditors must be objective and impartial
Annex A Changes

Annex A

• 2005 had 133 controls in 11 sections
• 2013 has 114 controls in 14 sections
• Some controls have been removed completely
  – E.g. A.12.5.4 Information leakage
  – A.11.5.6 Limitation of connection time
• Others are combined
  – E.g. malicious and mobile code is now Malware (new A.12.2.1)
• Some new controls added
• My view – the new Annex A is a simplified set of controls that are more easily understood
Annex A

• Communications and Operations Management (A.10) has been split into two
  – A.12 Operations security
  – A.13 Communications security
• There is also now a separate section (A.10) for Cryptography
• The Business Continuity section has undergone significant change, focusing on embedding information security into the organisation’s BCMS
  – This section also addresses redundant facilities
Other Changes

Annexes B and C (2005)

• Annex B contained the cross-reference to the OECD principles
  – It also referred to the PDCA model, which has been dropped
  – There is no equivalent annex in the 2013 version
• Annex C provided a cross-reference between 27001 and other standards
  – Given the revision of the other standards, this section has also been removed with no replacement
Transition Activities

Transition Activities

• Assumption – you have an ISMS in place based on the ISO/IEC 27001:2005 standard
  – Equivalent to AS/NZS ISO/IEC 27001:2006
• Assumption – the goal is to keep changes to a minimum
Transition Activities

• Where to start?
  – Is a gap analysis worthwhile?
  – Yes; the depth required will depend on how close your current system already is to the new requirements
• You need some sort of transition plan, and a gap analysis may help identify tasks
• Once you have identified the key activities, add them to your current system as improvement opportunities
Transition Activities

• Document all “interested parties”
  – Internal and external
• Re-visit your Scope statement
  – Make sure you capture the interfaces with third parties and the security requirements around these interfaces
Transition Activities

• For management, specifically allocate responsibility for:
  – Ensuring the ISMS conforms with the standard
  – Reporting on the performance of the ISMS to top management
• Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)
Transition Activities

• Review your ISMS policy (in 2013, called the Information Security Policy) and simplify it if there is value in doing so
  – You can leave it unchanged if it’s working!
  – You can add the roles and responsibilities previously discussed in this document if you wish
Transition Activities

• Review your risk management procedure
  – Can simplify by removing the asset-threat-vulnerability approach
  – Ensure that you have a process to identify and record “risk owners”
• Revisit your risk assessments and get approval of treatments from the risk owners
  – Still need a record of acceptance of residual risk
Transition Activities

• Revisit your Statement of Applicability (SoA)
  – Map risks against the new Annex A controls
  – Just because a control has disappeared from Annex A does not mean you should remove it
  – If it still manages a risk, it should still appear in your SoA
• Check references in the rest of your system to controls within the SoA (risk register etc.)
Transition Activities

• Review the required documentation
  – Do you want to keep your versions of the old mandatory procedures?
  – What documents can be retired?
  – What new documents are needed?
  – New documents may be required based on any new controls selected in your Statement of Applicability
Transition Activities

• Potential new documents
  – Information security objectives (not Annex A related)
  – A.14.2.1 Secure development policy
  – A.14.2.5 Secure systems engineering principles
  – A.15.1.1 Information security policy for supplier relationships
  – A.16.1.7 A procedure for evidence management
Transition Activities

• Revisit your metrics and measures
  – The new version has more focus on metrics and measures
  – Need to identify what your metrics will be and how you will measure the performance of the ISMS
• Only measure that which provides value (information on the performance of the ISMS)
Transition Activities

• Need to ensure that you define:
  – How things will be measured
  – Who monitors/measures
  – When it will be done
  – Who is going to look at the results
  – When this will happen
Additional Workshops

• Melbourne – 9th December
• Sydney – 10th December

• Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ
Certification Considerations

Certification

• For new certifications, you can choose to certify to the 2005 version until Sept 2014
• For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system
• Don’t leave it until the last minute; start making the necessary changes as soon as you can
Any questions?

Thanks for your attention
Enjoy your day!
david.simpson@cqr.com