Submit Search
Upload
ISO 27001—Recent Changes and Key Requirements
•
0 likes
•
468 views
AI-enhanced title
Thilak Pathirage -Senior IT Gov and Risk Consultant
Follow
ISO27001:2013 CHANGES
Read less
Read more
Technology
Report
Share
Report
Share
1 of 59
Download now
Download to read offline
Recommended
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYS
Reza Teynia ISMS, ITSM, MSc
D1 security and risk management v1.62
D1 security and risk management v1.62
AlliedConSapCourses
Standardization of IT Processes
Standardization of IT Processes
Natarajan V
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
CISSP Online & Classroom Training & Certification Course - ievision.org
CISSP Online & Classroom Training & Certification Course - ievision.org
IEVISION IT SERVICES Pvt. Ltd
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
Maganathin Veeraragaloo
Compliance Framework
Compliance Framework
barnetdh
Recommended
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
PECB
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYS
Reza Teynia ISMS, ITSM, MSc
D1 security and risk management v1.62
D1 security and risk management v1.62
AlliedConSapCourses
Standardization of IT Processes
Standardization of IT Processes
Natarajan V
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
Gaffri Johnson
CISSP Online & Classroom Training & Certification Course - ievision.org
CISSP Online & Classroom Training & Certification Course - ievision.org
IEVISION IT SERVICES Pvt. Ltd
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
Maganathin Veeraragaloo
Compliance Framework
Compliance Framework
barnetdh
Superior it governance with iso 38500.key
Superior it governance with iso 38500.key
Basta Group BV
IT Governance & ISO 38500
IT Governance & ISO 38500
Ramiro Cid
UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014
DQS India
Initiating IT Governance Strategy to Identify Business Needs
Initiating IT Governance Strategy to Identify Business Needs
PECB
ISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1
Michael Boyle
What is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
Iso 27001 isms - white paper
Iso 27001 isms - white paper
Lakshy Management Consultant Pvt Ltd
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
ISACA Riyadh
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
Iso 27001 2013
Iso 27001 2013
Magda CHELLY, Ph.D, S-CISO, CISSP®
Reduce admin time by 60% - Here is how
Reduce admin time by 60% - Here is how
Craig Willetts ISO Expert
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
ITIL Indonesia
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
NQA
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
Eryk Budi Pratama
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NQA
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
aqel aqel
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012
Hakem Filiz
Iso27001 Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
samsontamwaiho
Comparative Analysis of Information Security Management System Standards - Si...
Comparative Analysis of Information Security Management System Standards - Si...
Mansoor Faridi, CISA
More Related Content
What's hot
Superior it governance with iso 38500.key
Superior it governance with iso 38500.key
Basta Group BV
IT Governance & ISO 38500
IT Governance & ISO 38500
Ramiro Cid
UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014
DQS India
Initiating IT Governance Strategy to Identify Business Needs
Initiating IT Governance Strategy to Identify Business Needs
PECB
ISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1
Michael Boyle
What is iso 27001 isms
What is iso 27001 isms
Craig Willetts ISO Expert
Iso 27001 isms - white paper
Iso 27001 isms - white paper
Lakshy Management Consultant Pvt Ltd
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
ISACA Riyadh
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Eryk Budi Pratama
Iso 27001 2013
Iso 27001 2013
Magda CHELLY, Ph.D, S-CISO, CISSP®
Reduce admin time by 60% - Here is how
Reduce admin time by 60% - Here is how
Craig Willetts ISO Expert
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
Verde Ventures Pvt. Ltd.
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
ITIL Indonesia
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
Akhil Garg
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
NQA
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
Eryk Budi Pratama
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NQA
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
aqel aqel
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012
Hakem Filiz
What's hot
(20)
Superior it governance with iso 38500.key
Superior it governance with iso 38500.key
IT Governance & ISO 38500
IT Governance & ISO 38500
UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014
Initiating IT Governance Strategy to Identify Business Needs
Initiating IT Governance Strategy to Identify Business Needs
ISO 27001:2013 - Changes
ISO 27001:2013 - Changes
2012 04 16 Iso38500 Governance V1
2012 04 16 Iso38500 Governance V1
What is iso 27001 isms
What is iso 27001 isms
Iso 27001 isms - white paper
Iso 27001 isms - white paper
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Iso 27001 2013
Iso 27001 2013
Reduce admin time by 60% - Here is how
Reduce admin time by 60% - Here is how
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
COBIT Approach to Maintain Healthy Cyber Security Status Using NIST - CSF
University iso 27001 bgys intro and certification lami kaya may2012
University iso 27001 bgys intro and certification lami kaya may2012
Viewers also liked
Iso27001 Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
samsontamwaiho
Comparative Analysis of Information Security Management System Standards - Si...
Comparative Analysis of Information Security Management System Standards - Si...
Mansoor Faridi, CISA
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
Certification Europe
ISO 27001 Benefits
ISO 27001 Benefits
Dejan Kosutic
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in india
iFour Consultancy
Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799
Meghna Verma
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
iFour Consultancy
ISO 27001
ISO 27001
n|u - The Open Security Community
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
Viewers also liked
(9)
Iso27001 Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
Comparative Analysis of Information Security Management System Standards - Si...
Comparative Analysis of Information Security Management System Standards - Si...
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Certification - The Benefits and Challenges
ISO 27001 Benefits
ISO 27001 Benefits
Iso 27001 2013 clause 6 - planning - by Software development company in india
Iso 27001 2013 clause 6 - planning - by Software development company in india
Comparison of it governance framework-COBIT, ITIL, BS7799
Comparison of it governance framework-COBIT, ITIL, BS7799
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001
ISO 27001
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
Similar to ISO 27001—Recent Changes and Key Requirements
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
gray_audit_presentation.ppt
gray_audit_presentation.ppt
KhalilIdhman
Presentation Revision Standards
Presentation Revision Standards
DQS India
Data Management Strategies
Data Management Strategies
Micheal Axelsen
Cisa 2013 ch2
Cisa 2013 ch2
Aladdin Dandis
What CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data Governance
DATAVERSITY
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
SAIGlobalAssurance
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
SAIGlobalAssurance
CISSPills #3.02
CISSPills #3.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
Introduction to DCAM, the Data Management Capability Assessment Model
Introduction to DCAM, the Data Management Capability Assessment Model
Element22
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
iasaglobal
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic Approach
Mohammad Reda Katby
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
IEMA ISO14001 - External Auditors viewpoint
IEMA ISO14001 - External Auditors viewpoint
Lloyd's Register - Management Systems
Process
Process
meenakshi sv
IBM Maximo and ISO 55000
IBM Maximo and ISO 55000
Helen Fisher
Data Governance for EPM Systems with Oracle DRM
Data Governance for EPM Systems with Oracle DRM
US-Analytics
EDMC_DCAM_-_WORKING_DRAFT_VERSION_0.7.pdf
EDMC_DCAM_-_WORKING_DRAFT_VERSION_0.7.pdf
Abhinav195887
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docx
Sunil Arora
rethinking marketing
rethinking marketing
Navneet Singh
Similar to ISO 27001—Recent Changes and Key Requirements
(20)
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
gray_audit_presentation.ppt
gray_audit_presentation.ppt
Presentation Revision Standards
Presentation Revision Standards
Data Management Strategies
Data Management Strategies
Cisa 2013 ch2
Cisa 2013 ch2
What CDOs Need to Know: Foundations of Data Governance
What CDOs Need to Know: Foundations of Data Governance
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
CISSPills #3.02
CISSPills #3.02
Introduction to DCAM, the Data Management Capability Assessment Model
Introduction to DCAM, the Data Management Capability Assessment Model
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Principal 4 Enabling A Holistic Approach
Principal 4 Enabling A Holistic Approach
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
IEMA ISO14001 - External Auditors viewpoint
IEMA ISO14001 - External Auditors viewpoint
Process
Process
IBM Maximo and ISO 55000
IBM Maximo and ISO 55000
Data Governance for EPM Systems with Oracle DRM
Data Governance for EPM Systems with Oracle DRM
EDMC_DCAM_-_WORKING_DRAFT_VERSION_0.7.pdf
EDMC_DCAM_-_WORKING_DRAFT_VERSION_0.7.pdf
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docx
rethinking marketing
rethinking marketing
More from Thilak Pathirage -Senior IT Gov and Risk Consultant
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
Thilak Pathirage -Senior IT Gov and Risk Consultant
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
Thilak Pathirage -Senior IT Gov and Risk Consultant
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
cobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publication
Thilak Pathirage -Senior IT Gov and Risk Consultant
Introduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdf
Thilak Pathirage -Senior IT Gov and Risk Consultant
Social media-assessment
Social media-assessment
Thilak Pathirage -Senior IT Gov and Risk Consultant
Sql securitytesting
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
Cissp nda
Cissp nda
Thilak Pathirage -Senior IT Gov and Risk Consultant
Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12
Thilak Pathirage -Senior IT Gov and Risk Consultant
Composite indicators
Composite indicators
Thilak Pathirage -Senior IT Gov and Risk Consultant
More from Thilak Pathirage -Senior IT Gov and Risk Consultant
(12)
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
Cybersecurity-Audit-A-Case-Study-for-SME.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
ISACA Cyber-Audit-Certificate-Exam-Guide_Eng_0819.pdf
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
Capability_Assessment_of_IT_Governance_Using_the_2.pdf
cobit 2019 -current-user - ISACA Publication
cobit 2019 -current-user - ISACA Publication
Introduction to ISACA COBIT-2019 Framwork.pdf
Introduction to ISACA COBIT-2019 Framwork.pdf
Social media-assessment
Social media-assessment
Sql securitytesting
Sql securitytesting
Cissp nda
Cissp nda
Risk based it auditing for non it auditors (basics of it auditing) final 12
Risk based it auditing for non it auditors (basics of it auditing) final 12
Composite indicators
Composite indicators
Recently uploaded
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Radu Cotescu
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
HostedbyConfluent
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
2toLead Limited
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
Pooja Nehwal
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
soniya singh
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Scott Keck-Warren
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
BookNet Canada
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
Paola De la Torre
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Recently uploaded
(20)
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
ISO 27001—Recent Changes and Key Requirements
1.
© 2013 ISACA.
All Rights Reserved. SESSION 314: ISO 27001— WHAT YOU NEED TO KNOW ABOUT RECENT CHANGES Peter T. Davis Principal, Peter Davis+Associates 1
2.
© 2013 ISACA.
All Rights Reserved. IT Governance consulting CISA, CISSP, CMA, CMC, CISM, COBIT 5 FC, ITIL FC, PMP, SSGB, CGEIT, PRINCE2 FC, ISO 27001 LI/LA, ISO 20000 FC, ISO 27005/31000 RM, ISO 28000 FC 29 years IT security and audit experience Authored/co-authored 12 books International Who’s Who of Professionals Contact information ptdavis@pdaconsulting.com www.pdaconsulting.com (v) 416-907-4041 (f) 416-907-4851 2
3.
© 2013 ISACA.
All Rights Reserved. Session Objectives Understand key differences Understand new requirements Understand added controls and deleted controls 3
4.
© 2013 ISACA.
All Rights Reserved. Big Picture Evolution NOT Revolution Harmonization Much of the 2005 text and requirements still there, but moved around to fit the new headings Not as big a migration as BS 7799 to ISO 17799 +80% 4
5.
© 2013 ISACA.
All Rights Reserved. ISMS Source: ISO/IEC 27001:2005 5
6.
© 2013 ISACA.
All Rights Reserved. 5 Key Differences Written in accordance with Annex SL ISO 27002 is no longer a normative reference Definitions removed and relocated to ISO 27000 Changes to terminology; e.g., IS policy is used rather than ISMS policy Requirements for Management Commitment revised and presented in the Leadership Clause 6
7.
© 2013 ISACA.
All Rights Reserved. 4 More Differences Preventive action replaced with “actions to address risks and opportunities” and features earlier in the standard Risk assessment requirements more general and align with ISO 31000 SoA requirements are similar but more clarity on the determination of controls by the risk treatment process Greater emphasis on setting the objectives, monitoring performance and metrics 7
8.
© 2013 ISACA.
All Rights Reserved. New Document Structure Developed using Annex SL For standard writers Provides standardized text suitable for all MS standards New structure to become common for all MS standards Want to standardize terminology and requirements for fundamental MS requirements 8
9.
© 2013 ISACA.
All Rights Reserved. Table of Contents 2005 2013 0 Introduction 0 Introduction 1 Scope 1 Scope 2 Normative References 2 Normative References 3 Terms and Definitions 3 Terms and Definitions 4 Information Security Management System 4 Context of the Organization 5 Management Responsibility 5 Leadership 6 Internal ISMS Audit 6 Planning 7 Management Review of the ISMS 7 Support 9
10.
© 2013 ISACA.
All Rights Reserved. Table of Contents 2005 2013 8 ISMS Improvement 8 Operation 9 Performance Evaluation 10 Improvement A Control Objectives and Controls A Control Objectives and Controls B OECD Principles and this International Standard C Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard 10
11.
© 2013 ISACA.
All Rights Reserved. 3 Terms and Definitions All definitions removed Relevant definitions moved to ISO 27000 Promotes consistency of terms and definitions across the ISO 27000 suite 11
12.
© 2013 ISACA.
All Rights Reserved. 4 Context of the Organization Relates to the context of the organization— Determine external and internal issues Clear requirement to consider interested parties Context determines IS policy and objectives and how the organization will consider risk and the effect of risk on its business Requirements of interested parties may include legal and regulatory requirements and contractual obligations 12
13.
© 2013 ISACA.
All Rights Reserved. External Context Social, cultural, political, legal, regulatory, financial, technological, economic, natural & competitive environment (international, national, regional, or local) Key drivers & trends having impact on the objectives of the organization Relationships with, and perceptions & values of, external stakeholders 13
14.
© 2013 ISACA.
All Rights Reserved. Internal Context Organization’s culture Governance, organizational structure, roles & accountabilities Policies and objectives and the strategies in place to achieve them Capital in terms of resources & knowledge (e.g., money, time, people, processes, systems and technologies) Informal & formal info systems, info flows & decision making processes Adopted standards, guidelines & models Form & extent of contractual relationships Relationships with, and perceptions & values of, internal stakeholders 14
15.
© 2013 ISACA.
All Rights Reserved. 5 Leadership Summarizes the requirements specific to top management’s role in the ISMS Outlines specific ways for management to demonstrate its commitment to the system. Examples include: ensuring that the resources needed for the ISMS are available communicating the importance of effective IS management and conforming to the ISMS requirements. ISMS policy renamed, but original policy requirements remain Requires that top management ensure responsibilities and authorities for roles relevant to IS are assigned and communicated 15
16.
© 2013 ISACA.
All Rights Reserved. 6 Planning Establishment of IS objectives and guiding principles for the ISMS When planning the ISMS, the context of the organization should be taken into account through the consideration of the risks and opportunities Organization’s IS objectives must be clearly defined with plans in place to achieve them Risk assessment requirements more general and align with ISO 31000 SoA requirements largely unchanged (name dropped) 16
17.
© 2013 ISACA.
All Rights Reserved. Risk Risk Owner rather than Data Owner Only required to identify risks w.r.t. CIA Includes “upside risk” a.k.a Opportunities Risk treatment plan (RTP) used to create a SoA 17
18.
© 2013 ISACA.
All Rights Reserved. Establish context Identify risks Analyse risks Evaluate risks Treat risks Communicateandconsult Monitorandreview Risk assessment Process for Managing Risk Process for Managing Risk Risk Assessment 18
19.
© 2013 ISACA.
All Rights Reserved. Risk Treatment Plan Clause 6.1.3 describes how an organization can respond to risks with a RTP; an important part of this is choosing appropriate controls These controls, and control objectives, are listed in Annex A, although it is also possible in principle for organizations to pick other controls elsewhere 19
20.
© 2013 ISACA.
All Rights Reserved. 7 Support Required to establish, implement and maintain and continually improve an effective ISMS, including: Resource requirements Competence of people involved Awareness of and communication with interested parties Requirements for document management Refers to “documented information” rather than “documents and records” No longer a list of documents you need or particular names they must be given Puts emphasis on the content rather than the name 20
21.
© 2013 ISACA.
All Rights Reserved. 8 Operation Requires organizations to plan and control the operation of their IS requirements Will include: Carrying out IS risk assessments at planned intervals Implementing an IS RTP 21
22.
© 2013 ISACA.
All Rights Reserved. 9 Performance Evaluation Internal audits and management review key methods of reviewing the performance of the ISMS and tools for its continual improvement More specific requirements for measurement of effectiveness 22
23.
© 2013 ISACA.
All Rights Reserved. 10 Improvement Nonconformities of the ISMS have to be dealt with together with corrective actions to ensure they don’t happen again As with all MS standards, continual improvement is a core requirement of the standard 23
24.
© 2013 ISACA.
All Rights Reserved. Controls 2005 2013 Security Policy Renamed Information Security Policies Security Organization Renamed How Information Security is Organized Asset Management Moved Human Resources Security Human Resources Security Moved Asset Management Physical and Environmental Security Renamed Access Control and Managing User Access Communications and Operations Management Split Cryptographic Technology Access Control Renamed Physical Security of the Organisation's Sites and Equipment 24
25.
© 2013 ISACA.
All Rights Reserved. Controls 2005 2013 Information Systems Acquisition, Development and Maintenance Renamed Operational Security Information Security Incident Management Moved Secure Communications and Data Transfer Business Continuity Management Renamed Secure Acquisition, Development and Support of Information Systems Compliance Unchanged Security for Suppliers and Third Parties Information Security Incident Management Information Aspects of Business Continuity Management Compliance 25
26.
© 2013 ISACA.
All Rights Reserved. Controls Number of controls reduced from 133 to 113 Controls now in 14 groups (2005: 11 groups) Existing controls deleted or merged and some new controls added Some of the retained controls have been re-worded 26
27.
© 2013 ISACA.
All Rights Reserved. Deleted Controls A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.4 Authorization process for information processing facilities A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.10.2.1 Service delivery A.10.7.4 Security of system documentation A.10.10.2 Monitoring system use A.10.10.5 Fault logging A.11.4.2 User authentication for external connections A.11.4.3 Equipment identification A.11.4.4 Remote diagnostic and configuration port protection 27
28.
© 2013 ISACA.
All Rights Reserved. Deleted Controls A.11.4.4 Remote diagnostic and configuration port protection A.11.4.6 Network connection control A.11.4.7 Network routing control A.10.8.5 Business information systems A.11.6.2 Sensitive system isolation A.12.2.1 Input data validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity A.12.2.4 Output data validation A.12.5.4 Information leakage A.15.1.5 Prevention of misuse of information processing facilities A.15.3.2 Protection of information systems audit tools 28
29.
© 2013 ISACA.
All Rights Reserved. Added Controls A.6.1.5 Information security in project management A.12.6.2 Restrictions on software installation A.14.2.1 Secure development policy A.14.2.5 Secure system engineering principles A.14.2.6 Secure development environment A.14.2.8 System security testing A.15.1.1 Information security policy for supplier relationships A.15.1.3 Information and communication technology supply chain A.16.1.4 Assessment of and decision on information security events A.16.1.5 Response to information security incidents A.17.2.1 Availability of information processing facilities 29
30.
© 2013 ISACA.
All Rights Reserved. 30 Session Recap Plan Act Do Check Quality Circle
31.
© 2013 ISACA.
All Rights Reserved. 31 Session Recap Plan Act Do Check Quality Circle 4 Context of the Organization 5 Leadership 6 Planning 7 Support
32.
© 2013 ISACA.
All Rights Reserved. 32 Session Recap Plan Act Do Check Quality Circle 4 Context of the Organization Understanding the organization and its context Expectations of interested parties Scope of ISMS ISMS
33.
© 2013 ISACA.
All Rights Reserved. 33 Session Recap Plan Act Do Check Quality Circle 5 Leadership Leadership and commitment Policy Org. roles, responsibilities and authorities
34.
© 2013 ISACA.
All Rights Reserved. 34 Session Recap Plan Act Do Check Quality Circle 6 Planning Actions to address risks and opportunities IS objectives and plans to achieve them
35.
© 2013 ISACA.
All Rights Reserved. 35 Session Recap Plan Act Do Check Quality Circle 7 Support Resources Competence Awareness Communication Documented information
36.
© 2013 ISACA.
All Rights Reserved. 36 Session Recap Plan Act Do Check Quality Circle 8 Operation Operational planning & control IS risk assessment IS risk treatment
37.
© 2013 ISACA.
All Rights Reserved. 37 Session Recap Plan Act Do Check Quality Circle 9 Performance Evaluation Monitoring, measurement, analysis and evaluation Internal audit Management review
38.
© 2013 ISACA.
All Rights Reserved. 38 Session Recap Plan Act Do Check Quality Circle 10 Improvement Nonconformity & corrective action Continual improvement
39.
© 2013 ISACA.
All Rights Reserved. Take Home Thoughts Less descriptive and prescriptive Greater freedom in implementing Transition period for certified organizations 39
40.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (1/10) ISO 27001:2005 ISO 27001:2013 Change 0.2 Process Approach Eliminated from this new standard PDCA Model was an explicit section in the older version unlike the newer one, which adopts this model all throughout the mandatory clauses, but does not occupy a separate and dedicated section in the standard. 1. Scope 1.1 General 1.2 Applications These sub- sections are eliminated from this new standard Sub Sections 1.1 General and 1.2 Application of older version are now merged into one section 1. Scope. The set of mandatory clauses in the old standard were from 4 to 8, which is now changed to 4 to 10 in the new version. 40
41.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (2/10) ISO 27001:2005 ISO 27001:2013 Change 4. Information security management system 4. Context of the organization ISMS is renamed as Context of the Organization 4.1. General Requirements 4.1. General Requirements The Old standard talks about Documented ISMS, whereas the New one strongly focuses on understanding the context of business. Also, a reference to ISO31000 – the Risk Management standard is added. 41
42.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (3/10) ISO 27001:2005 ISO 27001:2013 Change 4.2 Establishing and managing the ISMS 4.2. Understanding the needs and expectations of interested parties The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements. This is definitely an excellent way of defining key inputs into the ISMS. 42
43.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (4/10) ISO 27001:2005 ISO 27001:2013 Change 4.2.1 a) to j) Establish the ISMS 6.1. Actions to address risks and opportunities Risk assessment and treatment Assets, vulnerabilities and threats are not the basis of risk assessment anymore! It is only required to identify the risks associated with the confidentiality, integrity and availability – although this might seem too radical of a change, the authors of the new standard wanted to allow more freedom in the way the risks are identified. However, the assets-vulnerabilities-threats methodology will remain as a best practice for a long time. The concept of determining the level of risk based on consequences and likelihood remains the same. Further, Risk Assessment Methodology does not need to be documented, although the risk assessment process needs to be defined in advance; the concept of asset owner is gone, too – a new term is used: “risk owners” – so the responsibility is pushed to a higher level. 43
44.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (5/10) ISO 27001:2005 ISO 27001:2013 Change 4.3 Documentation Requirements Documented information (No Dedicated Sub- Section)4.3. Determining the scope of the information security management system The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001. The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is eliminated – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, we don’t need to write all these procedures, but we are required to maintain all the records when managing documents, performing internal audits, and executing corrective actions. Also, the clause from the old standard where all the required documents are listed (4.3.1) is removed – now there is no central list of required documents.
45.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (6/10) ISO 27001:2005 ISO 27001:2013 Change New Clause 4.4. Information security management system 5. Management responsibility 5. Leadership 5.1. Management Commitment 5.1. Leadership and commitment Unlike the older version, the newer version talks only about the need of Leadership and Management’s Commitment. Policy related clauses are moved to a separate sub-section. 45
46.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (7/10) ISO 27001:2005 ISO 27001:2013 Change 5.2. Resource Management 5.2. Policy This is a dedicated sub-section for the backbone document of ISMS; i.e., the IS Policy 5.3. Organizational roles, responsibilities and authorities New addition. An individual sub-section in the newer version. 6. Internal ISMS audits 6. Planning PDCA not explained explicitly but embedded into the mandatory clauses in the newer version, with the mapping as under: P-6; D-7 & 8; C-9; A-10 It completely talks about, Risks, Opportunities, Information Security Risk Assessment and Treatment, unlike the older one which only focused on the ISMS mandated Internal Audits. 46
47.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (8/10) ISO 27001:2005 ISO 27001:2013 Change 7. Management Review of the ISMS 9.3. Management Review 7. Support 7.1 Resources 7.2 Competence 7.3 Awareness 7.4 Communication 7.5 Documented Information Unlike the older version, in this newer version, Management Review has been made a sub-section, of the Performance Evaluation Clause. 7. New clause in the new standard 7.4. This is also a new clause where all the requirements are summarized – what needs to be communicated, when, by whom, through which means, etc. This will help overcome the problem of information security being only an “IT thing” or “security thing” – the success of information security depends on both the IT side and the business side, and their overall understanding about the purpose of information protection. Hence this dedicated emphasis on Communication can be seen as a good change. 47
48.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (9/10) ISO 27001:2005 ISO 27001:2013 Change 8. ISMS Improvement 8. Operations10.2 of the newer version The Elaborated DO phase in the new version. Contains Risk Assessment Requirements However, the older version talked about CAPA, and continual improvement, the “ACT” phase 48
49.
© 2013 ISACA.
All Rights Reserved. Standard Comparison (10/10) ISO 27001:2005 ISO 27001:2013 Change None 9. Performance Evaluation The separate “CHECK” Phase, talking about, measurement, monitoring, analysis and evaluation along with Internal Audits and Management Reviews None 10. Improvement Talks about NCs, Corrective Actions and Continual Improvement. No Explicit mention of Preventive Actions. 49
50.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (1/9) Control Rationale A.6.1.1 Management commitment to information security Claimed that this is not a control but part of the ISO/IEC 27001 management commitment requirement A.6.1.2 Information security coordination Claimed removed as this deals with the establishment of an ISMS and guidance is to be found in ISO/IEC 27003 A.6.1.4 Authorisation process for information processing facilities Appears no longer explicitly addressed, as it seems to be an aspect of A.6.1.1 A.6.2.1 Identification of risks related to external parties Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements 50
51.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (2/9) Control Rationale A.6.2.2 Addressing security when dealing with customers Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements A.10.2.1 Service delivery No reason given A.10.7.4 Security of system documentation Claimed that this control has been removed on the grounds that system documentation is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such documents, should they fall into the wrong hands, present a source of risk. 51
52.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (3/9) Control Rationale A.10.8.5 Business Information Systems Claimed removed on the grounds that the control really relates to the whole standard reflecting and trying to do it more or less in a single control doesn’t really work. A.10.10.2 Monitoring system use Appears considered to be part of Event Logging (A.12.4.1) A.10.10.5 Fault logging Now appears referenced in Event Logging (A.12.4.1) A.11.4.2 User authentication for external connections Claimed covered by access control (A.9.1.1) 52
53.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (4/9) Control Rationale A.11.4.3 Equipment identification in networks Appears covered by A.13.1.3 A.11.4.4 Remote Diagnostic and configuration port protection Claimed that separate physical diagnostic ports are becoming rare and that protection is covered through access control (A.9.1.1) and segregation in networks control (A.13.1.3). A.11.4.6 Network Connection control Claimed covered by A.13.1.3 A.11.4.7 Network routing control Claimed covered by A.13.1.3 53
54.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (5/9) Control Rationale A.11.6.2 Sensitive system isolation Claimed that in an interconnected world such a control defeats the objective. However, we note that it may still apply in certain cases. A.12.2.1 Input data validation Claimed that since this control was introduced, technology has moved on, and input data validation is just one small aspect of protecting web interfaces from attacks such as SQL injection. There are some remarks in the “Other Information” section of A.14.2.5, but the general understanding appears now is that such techniques lie firmly in the domain of professional software developers and are therefore outside the scope of ISO/IEC 27002. 54
55.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (6/9) Control Rationale A.12.2.2 Control of internal processing See A.14.2.5 and the explanation above. A.12.2.3 Message integrity Appears to be a duplication of material in A.13.2.1. A.12.2.4 Output data validation See A.14.2.5 and the explanation above. A.12.5.4 Information leakage Claimed that this control was deleted because it only covered part of the problem associated with information leakage, and indeed there is coverage elsewhere. For example, the term "leakage" appears in A.8.3.2, A.11.2.1, A.12.6.2 and A.13.2.4 as guidance and other information. Note., however, we note that the term "covert channel" does not appear in the DIS. Adware viruses, some of which are known to leak information, would be addressed by A.12.2.1.
56.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (7/9) Control Rationale A.14.1.1 Including information security in the business continuity management process There used to be five "controls" and now there are three. Two these (planning/RA and testing) map well onto two of these originals. The other three originals perhaps merit being called controls even less than everything else in the 2005 version; "principles" would be a more apt description. From our experience, this control is often just mapped to the BCP as a whole and therefore this control could be mapped to A.17.1.2. A.14.1.3 Developing and implementing continuity plans including formation security. For the reason cited above, this control could be mapped to A.17.1.2. 56
57.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (8/9) Control Rationale A.14.1.4 Business continuity planning framework For the reason cited above, this control could be mapped to A.17.1.2. A.15.1.5 Prevention of misuse of information processing facilities This control corresponds to a UK law and could be a remnant of the original BS7799:1995 standard which was completely UK centric. Its omission is effectively covered by the new A.18.2.1 which requires all relevant laws to be identified. Thus, in the UK, this control is effectively dealt with by that control. Moreover, there is mention of "warning banners" in A.9.4.2. 57
58.
© 2013 ISACA.
All Rights Reserved. Deleted Controls (9/9) Control Rationale A.15.3.2 Protection of information systems audit tools Claimed that this control has been removed on the grounds that an audit tool is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such tools present a source of risk. 58
59.
© 2013 ISACA.
All Rights Reserved. Copyright This session is the copyright of Peter Davis+Associates © 2013. All rights reserved. 59
Download now