DQS–ULGroup
Transition to ISO/IEC 27001:2013
Subrata Guha
Program Manager – IT Certification
Questions
What has changed?
What you need to know?
Transition timeline?
Any other questions?
What has changed?
Structural change

ISO/IEC 27001:2013 (high-level structure, clauses 4 to 10): Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement.

ISO/IEC 27001:2005 (PDCA model): Establish ISMS, Implement ISMS, Monitor ISMS, Improve ISMS; supported by Documentation Requirements, Management Responsibility, Internal Audit, Management Review and ISMS Improvement.

Structure simplified
Change highlights
• The structure change is part of ISO's harmonization effort (the common high-level structure for management system standards)
• Better alignment with business objectives
• More emphasis on:
  • Risk management
  • Planning
  • Measurement
  • Communication
• The term "documented procedure" is replaced with "documented information" in the body of the standard (clauses 4 to 10)
Summary of changes

ISO/IEC 27001:2005
• 132 "shall" statements (clauses 4 to 8)
• Annex A: 11 clauses, 39 categories (control objectives), 133 controls

ISO/IEC 27001:2013
• 125 "shall" statements (clauses 4 to 10)
• Annex A: 14 clauses, 35 categories (control objectives), 114 controls

Number of requirements reduced
Summary of changes - Requirements
[Chart: the 125 requirements of ISO/IEC 27001:2013 split into New, Changed and No Change; segment values shown on the slide: 49, 20 and 56 (total 125)]
Summary of changes - Controls
[Chart: the 114 Annex A controls of ISO/IEC 27001:2013 split into New, Changed and No Change; segment values shown on the slide: 13, 50 and 38 (slide total given as 114)]
What you need to know?
4.0 Context of the organization

4.1 Understanding the organization and its context
• Determine the external and internal issues relevant to the organization's purpose and to the ISMS (business risks and opportunities)
• May refer to ISO 31000

4.2 Understanding the needs and expectations of interested parties
• Interested parties relevant to the ISMS (for example customers, shareholders, regulatory agencies)
• Their requirements relevant to the ISMS, including regulatory requirements

4.3 Determining the scope of the ISMS
• Internal and external issues
• Requirements of interested parties
• Interfaces between organizations

4.4 Information security management system
• The ISMS requirements follow from 4.1 to 4.3
5.0 Leadership

5.1 Leadership and commitment
• Top management has to provide evidence of:
  • Directing and supporting personnel
  • Supporting the next level of management in demonstrating leadership

5.2 Policy
• The policy should include a commitment to continual improvement
• The policy should be communicated

5.3 Organizational roles, responsibilities and authorities
• More explicit requirements for defining lines of reporting and authorities
6.0 Planning

6.1 Actions to address risks and opportunities
• ISMS planning has to address business risks and opportunities
• Establish a method for information security risk assessment
• Identify risk owners
• Risk owners approve the residual risks

6.2 Information security objectives and planning to achieve them
• ISMS objectives for the relevant functions and levels
• Objectives should be measurable
• Consistent with the risk treatment plan
• Develop a plan to achieve the objectives
7.0 Support

7.1 Resources: no change
7.2 Competence: no change
7.3 Awareness: now an explicit requirement
7.4 Communication: a procedure for internal and external communication relevant to the ISMS needs to be defined
7.5 Documented information: a process for document creation, approval and release needs to be defined
8.0 Operation

8.1 Operational planning and control
• Implement the plans identified in 6.2
• Determine the operational controls required to operate the ISMS
• Identify the controls required for outsourced processes

8.2 Information security risk assessment: no change
8.3 Information security risk treatment: no change
9.0 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
• The organization shall determine:
  • What needs to be monitored and measured
  • The methods for monitoring, measurement, analysis and evaluation
  • When the monitoring and measuring shall be performed, and who shall perform it
  • When the results shall be analyzed and evaluated, and who shall do so

9.2 Internal audit: no change
9.3 Management review: no change
10.0 Improvement

10.1 Nonconformity and corrective action
• Similar to the previous corrective action requirements
• The section on preventive action has been deleted (its intent is now covered by the risk-based planning in 6.1)

10.2 Continual improvement: no change
Controls – Annex A
Grouping of controls
# Clauses
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
New and changed controls

A.6 Organization of information security

A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.5 Information security in project management (New)
Control: Information security shall be addressed in project management, regardless of the type of the project.

A.6.2 Mobile devices and teleworking (objective expanded)
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy (Changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
New and changed controls

A.9 Access control

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning (New)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

A.9.2.6 Removal or adjustment of access rights (Changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
New and changed controls

A.12 Operations security

A.12.5 Control of operational software (New)
Objective: To ensure the integrity of operational systems.

A.12.5.1 Installation of software on operational systems (New)
Control: Procedures shall be implemented to control the installation of software on operational systems.

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.2 Restrictions on software installation (New)
Control: Rules governing the installation of software by users shall be established and implemented.
New and changed controls

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems (objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A.14.1.2 Securing application services on public networks (Changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
New and changed controls

A.14 System acquisition, development and maintenance

A.14.2 Security in development and support processes (objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1 Secure development policy (New)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.

A.14.2.5 Secure system engineering principles (New)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

A.14.2.6 Secure development environment (New)
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
New and changed controls

A.14 System acquisition, development and maintenance

A.14.2.8 System security testing (New)
Control: Testing of security functionality shall be carried out during development.

A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
New and changed controls

A.15 Supplier relationships (New)

A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization's assets that are accessible by suppliers.

A.15.1.1 Information security policy for supplier relationships (New)
Control: Information security requirements for mitigating the risks associated with the supplier's access to the organization's assets shall be agreed with the supplier and documented.

A.15.1.3 Information and communication technology supply chain (New)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
New and changed controls

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements (combines old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

A.16.1.4 Assessment of and decision on information security events (New)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

A.16.1.5 Response to information security incidents (New)
Control: Information security incidents shall be responded to in accordance with the documented procedures.
New and changed controls

A.17 Information security aspects of business continuity management

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

A.17.2.1 Availability of information processing facilities (New)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Helpful guidelines
• ISO/IEC 27002:2013 - Code of practice for information security controls
• ISO/IEC 27000:2014 - Information security management systems: overview and vocabulary
• ISO 31000:2009 - Risk management: principles and guidelines
Transition timeline?
Transition timeline
• 10/01/2013 (1 October 2013): ISO/IEC 27001:2013 released
• 10/01/2014 (1 October 2014): ISO/IEC 27001:2005 sunset
• 10/01/2015 (1 October 2015): completion of migration to ISO/IEC 27001:2013
Audit days required for transition
• A Stage 1 review is required to assess readiness.
• The audit days required for a re-certification audit (per ISO/IEC 27006) shall be used.
• Organizations can upgrade to the new standard during their surveillance audit cycle.
• Organizations must plan their transition audit before August 2015.
Questions?

Contenu connexe

Tendances

Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001PECB
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013SAIGlobalAssurance
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guidemfmurat
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.DQS Inc.
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certificationramya119
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsUppala Anand
 
Changes to ISO9001/ISO14001
Changes to ISO9001/ISO14001Changes to ISO9001/ISO14001
Changes to ISO9001/ISO14001Sara Gulo
 
BCI ISO 22301 Benchmarking Report
BCI ISO 22301 Benchmarking ReportBCI ISO 22301 Benchmarking Report
BCI ISO 22301 Benchmarking ReportNQA
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certificationtschraider
 
The Changes in ISO 9001:2015 in a Whole New Light
The Changes in ISO 9001:2015 in a Whole New LightThe Changes in ISO 9001:2015 in a Whole New Light
The Changes in ISO 9001:2015 in a Whole New LightVera Kofyan
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part Ikhushboo
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTGaffri Johnson
 
A Preliminary Review for ISO 22301:2019 - What Will Change?
A Preliminary Review for ISO 22301:2019 - What Will Change?A Preliminary Review for ISO 22301:2019 - What Will Change?
A Preliminary Review for ISO 22301:2019 - What Will Change?PECB
 
NQA ISO 45001 Gap Guide
NQA ISO 45001 Gap GuideNQA ISO 45001 Gap Guide
NQA ISO 45001 Gap GuideNQA
 
IBM Maximo and ISO 55000
IBM Maximo and ISO 55000IBM Maximo and ISO 55000
IBM Maximo and ISO 55000Helen Fisher
 

Tendances (20)

Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001Best Practices in Auditing ISO/IEC 27001
Best Practices in Auditing ISO/IEC 27001
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013  ChecklistISO/IEC 27001:2005 naar ISO 27001:2013  Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.
ISO 50001 Energy Management, SEP Executive Briefing - UL DQS Inc.
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certification
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
 
Changes to ISO9001/ISO14001
Changes to ISO9001/ISO14001Changes to ISO9001/ISO14001
Changes to ISO9001/ISO14001
 
BCI ISO 22301 Benchmarking Report
BCI ISO 22301 Benchmarking ReportBCI ISO 22301 Benchmarking Report
BCI ISO 22301 Benchmarking Report
 
Popular Pitfalls In Isms Compliance
Popular Pitfalls In Isms CompliancePopular Pitfalls In Isms Compliance
Popular Pitfalls In Isms Compliance
 
Iso27001 The Road To Certification
Iso27001   The Road To CertificationIso27001   The Road To Certification
Iso27001 The Road To Certification
 
The Changes in ISO 9001:2015 in a Whole New Light
The Changes in ISO 9001:2015 in a Whole New LightThe Changes in ISO 9001:2015 in a Whole New Light
The Changes in ISO 9001:2015 in a Whole New Light
 
ISMS Part I
ISMS Part IISMS Part I
ISMS Part I
 
ISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guideISO 27001:2013 - A transition guide
ISO 27001:2013 - A transition guide
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
A Preliminary Review for ISO 22301:2019 - What Will Change?
A Preliminary Review for ISO 22301:2019 - What Will Change?A Preliminary Review for ISO 22301:2019 - What Will Change?
A Preliminary Review for ISO 22301:2019 - What Will Change?
 
NQA ISO 45001 Gap Guide
NQA ISO 45001 Gap GuideNQA ISO 45001 Gap Guide
NQA ISO 45001 Gap Guide
 
IBM Maximo and ISO 55000
IBM Maximo and ISO 55000IBM Maximo and ISO 55000
IBM Maximo and ISO 55000
 
ISO 9001:2015 awareness.
ISO 9001:2015 awareness. ISO 9001:2015 awareness.
ISO 9001:2015 awareness.
 

En vedette

ISO 9001:2015 Revision Overview: part 2
ISO 9001:2015 Revision Overview: part 2ISO 9001:2015 Revision Overview: part 2
ISO 9001:2015 Revision Overview: part 2DQS Inc.
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
ISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationDQS Inc.
 
TS 16949 Rules 4th Edition presentation - japanese
TS 16949 Rules 4th Edition presentation - japaneseTS 16949 Rules 4th Edition presentation - japanese
TS 16949 Rules 4th Edition presentation - japaneseDQS Inc.
 
ISO 14001 Revision: Status and Transition
ISO 14001 Revision: Status and TransitionISO 14001 Revision: Status and Transition
ISO 14001 Revision: Status and TransitionDQS Inc.
 
Deepening the Dive into ISO 14001:2015
Deepening the Dive into ISO 14001:2015Deepening the Dive into ISO 14001:2015
Deepening the Dive into ISO 14001:2015DQS Inc.
 
ISO 9001:2015 Revision Update Part 5
ISO 9001:2015 Revision Update Part 5ISO 9001:2015 Revision Update Part 5
ISO 9001:2015 Revision Update Part 5DQS Inc.
 
ISO 13485:2016 Revisions Webinar
ISO 13485:2016 Revisions WebinarISO 13485:2016 Revisions Webinar
ISO 13485:2016 Revisions WebinarDQS Inc.
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
ISO/TS 16949 Rules 4th edition training
ISO/TS 16949 Rules 4th edition trainingISO/TS 16949 Rules 4th edition training
ISO/TS 16949 Rules 4th edition trainingDQS Inc.
 
ISO 14001:2015 Revision Update Webinar
ISO 14001:2015 Revision Update WebinarISO 14001:2015 Revision Update Webinar
ISO 14001:2015 Revision Update WebinarDQS Inc.
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3Tanmay Shinde
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005ControlCase
 
ISO 9001:2015 Overview: Revisions & Impact - Part 1
ISO 9001:2015 Overview: Revisions & Impact - Part 1ISO 9001:2015 Overview: Revisions & Impact - Part 1
ISO 9001:2015 Overview: Revisions & Impact - Part 1DQS Inc.
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...iFour Consultancy
 
TS 16949 rules 4th edition presentation - spanish
TS 16949 rules 4th edition presentation - spanishTS 16949 rules 4th edition presentation - spanish
TS 16949 rules 4th edition presentation - spanishDQS Inc.
 

En vedette (20)

ISO 9001:2015 Revision Overview: part 2
ISO 9001:2015 Revision Overview: part 2ISO 9001:2015 Revision Overview: part 2
ISO 9001:2015 Revision Overview: part 2
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
ISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training Presentation
 
ISO 27001:2013 - Changes
ISO 27001:2013 -  ChangesISO 27001:2013 -  Changes
ISO 27001:2013 - Changes
 
TS 16949 Rules 4th Edition presentation - japanese
TS 16949 Rules 4th Edition presentation - japaneseTS 16949 Rules 4th Edition presentation - japanese
TS 16949 Rules 4th Edition presentation - japanese
 
ISO 14001 Revision: Status and Transition
ISO 14001 Revision: Status and TransitionISO 14001 Revision: Status and Transition
ISO 14001 Revision: Status and Transition
 
Deepening the Dive into ISO 14001:2015
Deepening the Dive into ISO 14001:2015Deepening the Dive into ISO 14001:2015
Deepening the Dive into ISO 14001:2015
 
ISO 9001:2015 Revision Update Part 5
ISO 9001:2015 Revision Update Part 5ISO 9001:2015 Revision Update Part 5
ISO 9001:2015 Revision Update Part 5
 
ISO 13485:2016 Revisions Webinar
ISO 13485:2016 Revisions WebinarISO 13485:2016 Revisions Webinar
ISO 13485:2016 Revisions Webinar
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
ISO/TS 16949 Rules 4th edition training
ISO/TS 16949 Rules 4th edition trainingISO/TS 16949 Rules 4th edition training
ISO/TS 16949 Rules 4th edition training
 
ISO 14001:2015 Revision Update Webinar
ISO 14001:2015 Revision Update WebinarISO 14001:2015 Revision Update Webinar
ISO 14001:2015 Revision Update Webinar
 
ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3ISO 27001 - Information security user awareness training presentation - part 3
ISO 27001 - Information security user awareness training presentation - part 3
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
ISO 9001:2015 Overview: Revisions & Impact - Part 1
ISO 9001:2015 Overview: Revisions & Impact - Part 1ISO 9001:2015 Overview: Revisions & Impact - Part 1
ISO 9001:2015 Overview: Revisions & Impact - Part 1
 
Sarwono sutikno wisuda stsn - 10 nov 2015 v2
Sarwono sutikno   wisuda stsn - 10 nov 2015 v2Sarwono sutikno   wisuda stsn - 10 nov 2015 v2
Sarwono sutikno wisuda stsn - 10 nov 2015 v2
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
ISO 27001 2013 Clause 4 - context of an organization - by Software developmen...
 
TS 16949 rules 4th edition presentation - spanish
TS 16949 rules 4th edition presentation - spanishTS 16949 rules 4th edition presentation - spanish
TS 16949 rules 4th edition presentation - spanish
 
Sandingan ISO/IEC 27001 SMKI vs ISO 37001 SMAP
Sandingan ISO/IEC 27001 SMKI vs ISO 37001 SMAPSandingan ISO/IEC 27001 SMKI vs ISO 37001 SMAP
Sandingan ISO/IEC 27001 SMKI vs ISO 37001 SMAP
 

Similaire à Iso 27001 transition to 2013 03202014

ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
Presentation Revision Standards
Presentation Revision StandardsPresentation Revision Standards
Presentation Revision StandardsDQS India
 
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...Covance
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
730-214 - IEEE Standard for Software Quality Assurance.pptx
730-214 - IEEE Standard for Software Quality Assurance.pptx730-214 - IEEE Standard for Software Quality Assurance.pptx
730-214 - IEEE Standard for Software Quality Assurance.pptxSaba651353
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfNapoleon NV
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Jerimi Soma
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wpketanaagja
 
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】
ISO Cloud Security add-on & PCI DSS mapping 【Continuous Study】Jerimi Soma
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013SAIGlobalAssurance
 
Integrating sms and isms
Integrating sms and ismsIntegrating sms and isms
Integrating sms and ismsSeptafiansyah P
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Yasmin AbdelAziz
 
Information system implementation, change management and control
Information system implementation, change management and controlInformation system implementation, change management and control
Information system implementation, change management and controlShruti Pendharkar
 
Integrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyIntegrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyCovance
 
ISO 9001:2015 Revision Overview: part 3
ISO 9001:2015 Revision Overview: part 3ISO 9001:2015 Revision Overview: part 3
ISO 9001:2015 Revision Overview: part 3DQS Inc.
 

Similaire à Iso 27001 transition to 2013 03202014 (20)

27001 2013 iso geek
27001 2013 iso geek27001 2013 iso geek
27001 2013 iso geek
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Presentation Revision Standards
Presentation Revision StandardsPresentation Revision Standards
Presentation Revision Standards
 
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...
Covance Accelerator Methodology Delivers Validated Oracle Argus Cloud in Reco...
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
730-214 - IEEE Standard for Software Quality Assurance.pptx
730-214 - IEEE Standard for Software Quality Assurance.pptx730-214 - IEEE Standard for Software Quality Assurance.pptx
730-214 - IEEE Standard for Software Quality Assurance.pptx
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...

Iso 27001 transition to 2013 03202014

Slide 1: DQS–ULGroup. Transition to ISO/IEC 27001:2013. Subrata Guha, Program Manager – IT Certification.

Slide 2: Questions
• What has changed?
• What do you need to know?
• Transition timeline?
• Any other questions?

Slide 4: Structural change (structure simplified)
ISO/IEC 27001:2005 (Plan-Do-Check-Act cycle): Establish ISMS, Implement ISMS, Monitor ISMS, Improve ISMS, supported by Documentation requirements, Management responsibility, Internal audit, Management review and ISMS improvement.
ISO/IEC 27001:2013 (common ISO management system structure): Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement.

Slide 5: Change highlights
• The structural change is part of ISO's harmonization effort across its management system standards
• Better alignment with business objectives
• More emphasis on risk management, planning, measurement and communication
• The term "documented procedure" is replaced by "documented information" throughout the body of the standard (clauses 4 to 10)

Slide 6: Summary of changes
ISO/IEC 27001:2005: 132 "shall" statements (clauses 4 to 8); Annex A with 11 clauses, 39 categories and 133 controls.
ISO/IEC 27001:2013: 125 "shall" statements (clauses 4 to 10); Annex A with 14 clauses, 35 categories and 114 controls.
Number of requirements reduced.

Slide 7: Summary of changes - Requirements
Pie chart of the 125 requirements split into New, Changed and No Change; the three segments are labelled 49, 20 and 56 (total 125).

Slide 8: Summary of changes - Controls
Pie chart of the 114 controls split into New, Changed and No Change; the segments are labelled 13, 50 and 38. Note: as transcribed these figures sum to 101, not the stated total of 114, so at least one value was lost in extraction. Rely on the 114 total and on the per-control annotations on slides 19 to 27 rather than on this split.
Slide 10: 4.0 Context of the organization
4.1 Understanding the organization and its context
• Determine the external and internal issues relevant to the organization's purpose and to the ISMS (business risks and opportunities)
• May refer to ISO 31000 for guidance
4.2 Understanding the needs and expectations of interested parties
• Identify the interested parties relevant to the ISMS, for example customers, shareholders and regulatory agencies
• Identify their requirements relevant to the ISMS, including regulatory requirements
4.3 Determining the scope of the ISMS, taking into account:
• The internal and external issues from 4.1
• The requirements of interested parties from 4.2
• Interfaces and dependencies between the organization's activities and those of other organizations
4.4 ISMS: the business risks and opportunities (4.1) and the interested-party requirements (4.2) are the inputs the ISMS is established, implemented, maintained and improved against.

Slide 11: 5.0 Leadership
5.1 Leadership and commitment
• Top management has to provide evidence of directing and supporting the personnel who contribute to the ISMS
• Top management has to support the next level of management in demonstrating leadership in their own areas
5.2 Policy
• The policy must include a commitment to continual improvement of the ISMS
• The policy must be communicated within the organization
5.3 Organizational roles, responsibilities and authorities
• More explicit requirements for assigning responsibilities and authorities, including the line of reporting on ISMS performance to top management

Slide 12: 6.0 Planning
6.1 Actions to address risks and opportunities
• ISMS planning must address the business risks and opportunities identified in 4.1 and 4.2
• Establish and document a method for information security risk assessment
• Identify risk owners for each risk
• Risk owners approve the risk treatment plan and accept the residual risks
6.2 Information security objectives and planning to achieve them
• Objectives are set at the relevant functions and levels
• Objectives must be measurable (where practicable)
• Objectives must be consistent with the policy and with the results of risk assessment and treatment
• Develop a plan to achieve each objective: what will be done, which resources are needed, who is responsible, when it will be completed and how the result will be evaluated

Slide 13: 7.0 Support
7.1 Resources: no change
7.2 Competence: no change
7.3 Awareness: now an explicit requirement (people must know the policy, how they contribute to ISMS effectiveness and what non-conformance implies)
7.4 Communication: the organization must determine its internal and external communication needs for the ISMS (what, when, with whom, by whom and how)
7.5 Documented information: the organization must define how documents are created, updated, approved and controlled; "documented information" covers both documents and records

Slide 14: 8.0 Operation
8.1 Operational planning and control
• Implement the plans from 6.2 to achieve the objectives
• Determine and control the operational processes needed to run the ISMS, including planned changes
• Identify and control outsourced processes
8.2 Information security risk assessment: no change (assessments at planned intervals and when significant changes occur)
8.3 Information security risk treatment: no change

Slide 15: 9.0 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation. The organization shall determine:
• What needs to be monitored and measured, including processes and controls
• The methods of monitoring, measurement, analysis and evaluation
• When monitoring and measurement are performed, and who performs them
• When the results are analyzed and evaluated, and who does that
9.2 Internal audit: no change
9.3 Management review: no change

Slide 16: 10.0 Improvement
10.1 Nonconformity and corrective action
• Similar to the 2005 corrective action requirement
• The separate section on preventive action has been deleted; its intent is now carried by 6.1, actions to address risks and opportunities
10.2 Continual improvement: no change
Slide 18: Grouping of controls (Annex A clauses)
• A.5 Information security policies
• A.6 Organization of information security
• A.7 Human resource security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operations security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance

Slide 19: New and changed controls - A.6 Organization of information security
A.6.1 Internal organization (objective expanded)
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.5 Information security in project management (new)
Control: Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1 Mobile device policy (changed; old control A.11.7.1)
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Slide 20: New and changed controls - A.9 Access control
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.9.2.1 User registration and de-registration (changed; old control A.11.2.1)
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.2.2 User access provisioning (new)
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
A.9.2.6 Removal or adjustment of access rights (changed; old control A.8.3.3)
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
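Together, A.9.2.1, A.9.2.2 and A.9.2.6 describe a joiner/mover/leaver process, and an auditor will ask for evidence that it actually runs. The following reconciliation check is an added example, not code from the DQS–UL slides: it compares an HR export (the authoritative source for who exists and in what role) against an account export from a target system and flags the four conditions those controls prohibit. The HR and account records, the field names and the role baseline are constructed sample data and assumptions, not any product's schema.

```python
"""Joiner/mover/leaver reconciliation for A.9.2.1, A.9.2.2 and A.9.2.6.

Added example, not from the DQS-UL slides. The HR export, the account
export and the role baseline below are constructed sample data; the
field names are assumptions, not any product's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Person:
    emp_id: str
    status: str          # "active" or "terminated" in the HR export
    role: str            # current job role (changes on a move)


@dataclass
class Account:
    system: str
    name: str
    owner: str           # emp_id from HR; "" when the system records none
    entitlements: Set[str]
    enabled: bool


# Constructed baseline: entitlements each role may hold (the A.9.2.2 provisioning rule).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"git", "jenkins"},
    "finance": {"erp"},
    "admin": {"git", "jenkins", "erp", "domain-admin"},
}


def reconcile(people: List[Person], accounts: List[Account]) -> List[dict]:
    """Return one finding per enabled account that violates the access rules."""
    hr = {p.emp_id: p for p in people}
    findings: List[dict] = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already revoked: nothing to act on
        finding = {"system": acct.system, "account": acct.name}
        if acct.owner == "":
            finding["issue"] = "no-owner"          # A.9.2.1: every account needs a registered owner
        elif acct.owner not in hr:
            finding["issue"] = "unknown-owner"     # owner id absent from the authoritative source
        elif hr[acct.owner].status == "terminated":
            finding["issue"] = "terminated-owner"  # A.9.2.6: remove on termination
        else:
            allowed = ROLE_BASELINE.get(hr[acct.owner].role, set())
            excess = acct.entitlements - allowed
            if not excess:
                continue                           # within baseline for the current role
            finding["issue"] = "excess-entitlements"  # A.9.2.6: adjust on change of role
            finding["detail"] = sorted(excess)
        findings.append(finding)
    return findings


# Constructed sample exports.
PEOPLE = [
    Person("e001", "active", "developer"),
    Person("e002", "terminated", "finance"),
    Person("e003", "active", "developer"),   # moved from admin to developer
]
ACCOUNTS = [
    Account("git", "alice", "e001", {"git", "jenkins"}, True),
    Account("erp", "bob", "e002", {"erp"}, True),                              # left, still enabled
    Account("git", "carol", "e003", {"git", "jenkins", "domain-admin"}, True),  # kept admin rights
    Account("jenkins", "svc-build", "", {"jenkins"}, True),                    # no recorded owner
    Account("erp", "eve", "e999", {"erp"}, True),                              # owner missing from HR
    Account("erp", "dave", "e002", {"erp"}, False),                            # already disabled
]


if __name__ == "__main__":
    for finding in reconcile(PEOPLE, ACCOUNTS):
        print(finding)
```

Run against real exports, the output is the evidence for A.9.2.6 (every "terminated-owner" and "excess-entitlements" finding should trace to a ticket) and for A.9.2.1 (no "no-owner" or "unknown-owner" findings should remain open). Disabled accounts are skipped here; a stricter variant would also flag accounts that stay disabled past a retention period so they are deleted, not just locked.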
Slide 21: New and changed controls - A.12 Operations security
A.12.5 Control of operational software (new objective)
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems (marked new on the slide; the control text is carried over from the 2005 control A.12.4.1, Control of operational software, so what is new is its grouping under a dedicated objective)
Control: Procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.2 Restrictions on software installation (new)
Control: Rules governing the installation of software by users shall be established and implemented.

Slide 22: New and changed controls - A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems (objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.14.1.2 Securing application services on public networks (changed; old control A.10.9.1)
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.1.3 Protecting application services transactions (changed; old control A.10.9.2)
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
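A.14.1.3 lists five concrete failure modes, and each one maps to a specific check at the receiving end. The following is an added example, not code from the DQS–UL slides: a sender binds a transaction body to its endpoints, its declared length and a fresh transaction id under an HMAC, and the receiver rejects truncated, altered, mis-routed and replayed messages with a distinct reason. The message layout, the field names and the shared key are assumptions chosen for the example; the key is constructed and would be provisioned per channel in a real deployment.

```python
"""Transaction protection for A.14.1.3: completeness, integrity, routing, replay.

Added example, not from the DQS-UL slides. The message layout, the field
names and the shared key are assumptions chosen for the example; the key
is constructed here and would be provisioned per channel in practice.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

# Constructed 32-byte key shared by the parties in this example.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
FIELDS = {"from", "to", "txid", "len", "body"}


def _tag(key: bytes, fields: Dict[str, object]) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of every protected field."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build(key: bytes, sender: str, recipient: str, body: str) -> Dict[str, object]:
    """Sender side: bind the body to its endpoints, its length and a fresh transaction id."""
    fields = {
        "from": sender,
        "to": recipient,                 # covered by the tag, so mis-routing is detectable
        "txid": secrets.token_hex(16),   # unique per transaction: basis for replay detection
        "len": len(body),                # declared length: detects incomplete transmission
        "body": body,
    }
    return {**fields, "tag": _tag(key, fields)}


class Receiver:
    """Receiver side: one check per failure mode the control names."""

    def __init__(self, key: bytes, me: str) -> None:
        self.key = key
        self.me = me
        self.seen: Set[str] = set()   # replay cache; bound it by a time window in production

    def accept(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        fields = {k: v for k, v in msg.items() if k != "tag"}
        if set(fields) != FIELDS:
            return False, "malformed"
        # Length is checked before the MAC only to give a precise diagnosis for
        # accidental truncation; nothing is acted on until the tag verifies.
        if fields["len"] != len(fields["body"]):
            return False, "incomplete"          # truncated in transit
        if not hmac.compare_digest(_tag(self.key, fields), str(msg.get("tag", ""))):
            return False, "altered"             # unauthorized modification, or wrong key
        if fields["to"] != self.me:
            return False, "misrouted"           # authentic, but not addressed to this party
        if fields["txid"] in self.seen:
            return False, "replay"              # duplicate or replayed transaction
        self.seen.add(fields["txid"])
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver(KEY, "bank")
    msg = build(KEY, "shop", "bank", "debit 100.00 from acct 42")
    print(rx.accept(msg))   # accepted once
    print(rx.accept(msg))   # the same transaction again is rejected as a replay
```

The HMAC gives integrity and origin authentication only; the control's "unauthorized disclosure" clause still needs the channel encrypted (TLS in practice), which this example does not show. Because the recipient field is inside the authenticated data, mis-routing is caught even when, as here, several parties share one key; with a key per pair of endpoints a mis-routed message would fail the tag check instead.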
Slide 23: New and changed controls - A.14 System acquisition, development and maintenance
A.14.2 Security in development and support processes (objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy (new)
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
A.14.2.5 Secure system engineering principles (new)
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment (new)
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Slide 24: New and changed controls - A.14 System acquisition, development and maintenance
A.14.2.8 System security testing (new)
Control: Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing (changed; old control A.10.3.2)
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Slide 25: New and changed controls - A.15 Supplier relationships
A.15.1 Information security in supplier relationships (new objective)
Objective: To ensure protection of the organization's assets that are accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships (new)
Control: Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
A.15.1.3 Information and communication technology supply chain (new)
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Slide 26: New and changed controls - A.16 Information security incident management
A.16.1 Management of information security incidents and improvements (combines the old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.16.1.4 Assessment of and decision on information security events (new)
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents (new)
Control: Information security incidents shall be responded to in accordance with the documented procedures.

Slide 27: New and changed controls - A.17 Information security aspects of business continuity management
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities (new)
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Slide 28: Helpful guidelines
• ISO/IEC 27002:2013 - Code of practice for information security controls
• ISO/IEC 27000:2014 - Information security management systems, overview and vocabulary
• ISO 31000:2009 - Risk management, principles and guidelines

Slide 30: Transition timeline (dates on the slide are in US month/day/year format)
• 1 October 2013 (10/01/2013): ISO/IEC 27001:2013 released
• 1 October 2014 (10/01/2014): ISO/IEC 27001:2005 sunset
• 1 October 2015 (10/01/2015): completion of migration to ISO/IEC 27001:2013

Slide 31: Audit days required for transition
• A Stage 1 review is required to assess readiness for the new standard.
• The audit days defined for a re-certification audit (per ISO/IEC 27006) apply.
• An organization can upgrade to the new standard during its surveillance audit cycle.
• Organizations must plan their transition audit before August 2015.