Subrata Guha, IT Services Director at UL DQS Inc., with more than 20 years of professional experience in IT Service Management, Software Engineering and audit/assessment of Quality Management Systems, hosts a webinar on the transition to ISO/IEC 27001:2013. This webinar includes:
- Highlights of the changes in ISO IEC 27001:2013
- Transition Strategy
- Q&A session
5. DQS–ULGroup
Change highlights
• The structure change is part of the harmonization effort from ISO
• Better alignment with business objectives
• More emphasis on:
  • Risk management
  • Planning
  • Measurement
  • Communication
• The term “documented procedure” is replaced with “documented information” in the body of the standard (sections 4-10)
6. Summary of changes
                        ISO/IEC 27001:2005     ISO/IEC 27001:2013
“shall” statements      132 (sections 4-8)     125 (sections 4-10)
Annex A clauses         11                     14
Annex A categories      39                     35
Annex A controls        133                    114
The number of requirements has been reduced.
10. 4.0 Context of the organization
4.1 Understanding the organization and its context
• Determine the external and internal issues relevant to its purpose and to the ISMS
• May refer to ISO 31000
• Business risks and opportunities
4.2 Understanding the needs and expectations of interested parties
• Interested parties relevant to the ISMS (customers, shareholders, regulatory agencies)
• Requirements relevant to the ISMS
• Regulatory requirements
• ISMS requirements
4.3 Determining the scope of the ISMS
• Internal and external issues
• Requirements of interested parties
• Interfaces between organizations
4.4 ISMS
11. 5.0 Leadership
5.1 Leadership and commitment
• Top management has to provide evidence of:
  • Directing and supporting personnel
  • Supporting the next level of management in demonstrating leadership
5.2 Policy
• The policy should include a statement of continual improvement.
• The policy should be communicated.
5.3 Organizational roles, responsibilities and authorities
• More explicit requirements for defining lines of reporting and authorities.
12. 6.0 Planning
6.1 Actions to address risks and opportunities
• ISMS planning to address business risks and opportunities
• Establish a method for information security risk assessment
• Identify risk owners
• Risk owners approve residual risks
6.2 ISMS objectives and planning to achieve them
• ISMS objectives for different functions and levels
• Objectives should be measurable
• Consistent with the risk treatment plan
• Develop a plan to achieve the objectives
13. 7.0 Support
7.1 Resources
• No change
7.2 Competency
• No change
7.3 Awareness
• It is now an explicit requirement
7.4 Communication
• Need to define a procedure for internal and external communication
7.5 Documented information
• Need to define a process for document creation, approval and release
14. 8.0 Operation
8.1 Operational planning and control
• Implement the plan identified in 6.2
• Determine the operational controls required to operate the ISMS
• Identify the controls required for outsourced processes
8.2 Information security risk assessment
• No change
8.3 Information security risk treatment
• No change
15. 9.0 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
• The organization shall determine:
  • What needs to be monitored and measured
  • The methods of monitoring, measurement, analysis and evaluation
  • When monitoring and measuring are to be performed, and who will perform them
  • When the results of monitoring are to be analyzed and evaluated, and who will perform this
9.2 Internal audit
• No change
9.3 Management review
• No change
16. 10.0 Improvement
10.1 Nonconformity and corrective action
• Similar to corrective action in the 2005 edition
• The section on preventive action has been deleted
10.2 Continual improvement
• No change
18. Grouping of controls
Annex A clauses:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
19. New and changed controls
A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
• A.6.1.5 Information security in project management (New)
  Control: Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile device and teleworking (Objective expanded)
Objective: To ensure the security of teleworking and use of mobile devices.
• A.6.2.1 Mobile device policy (Changed; old control A.11.7.1)
  Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
20. New and changed controls
A.9 Access control
A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
• A.9.2.1 User registration and de-registration (Changed; old control A.11.2.1)
  Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
• A.9.2.2 User access provisioning (New)
  Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
• A.9.2.6 Removal or adjustment of access rights (Changed; old control A.8.3.3)
  Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
21. New and changed controls
A.12 Operations security
A.12.5 Control of operational software (New)
Objective: To ensure the integrity of operational systems.
• A.12.5.1 Installation of software on operational systems (New)
  Control: Procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
• A.12.6.2 Restrictions on software installation (New)
  Control: Rules governing the installation of software by users shall be established and implemented.
22. New and changed controls
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems (Objective expanded)
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
• A.14.1.2 Securing application services on public networks (Changed; old control A.10.9.1)
  Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
• A.14.1.3 Protecting application services transactions (Changed; old control A.10.9.2)
  Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
23. New and changed controls
A.14 System acquisition, development and maintenance
A.14.2 Security in development and support processes (Objective expanded)
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
• A.14.2.1 Secure development policy (New)
  Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
• A.14.2.5 Secure system engineering principles (New)
  Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
• A.14.2.6 Secure development environment (New)
  Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
24. New and changed controls
A.14 System acquisition, development and maintenance
• A.14.2.8 System security testing (New)
  Control: Testing of security functionality shall be carried out during development.
• A.14.2.9 System acceptance testing (Changed; old control A.10.3.2)
  Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
25. New and changed controls
A.15 Supplier relationships
A.15.1 Information security in supplier relationships (New)
Objective: To ensure protection of the organization’s assets that is accessible by suppliers.
• A.15.1.1 Information security policy for supplier relationships (New)
  Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
• A.15.1.3 Information and communication technology supply chain (New)
  Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
26. New and changed controls
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements (Combined; old A.13.1 and A.13.2)
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
• A.16.1.4 Assessment of and decision on information security events (New)
  Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
• A.16.1.5 Response to information security incidents (New)
  Control: Information security incidents shall be responded to in accordance with the documented procedures.
27. New and changed controls
A.17 Information security aspects of business continuity management
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
• A.17.2.1 Availability of information processing facilities (New)
  Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
28. Helpful guidelines
• ISO/IEC 27002:2013 – Code of practice for information security controls
• ISO/IEC 27000:2014 – Information security management system overview and vocabulary
• ISO 31000:2009 – Risk management principles and guidelines
31. Audit days required for transition
• A Stage 1 review is required to assess readiness.
• The audit days required for a re-certification audit (per ISO 27006) shall be used.
• Organizations can upgrade to the new standard during their surveillance audit cycle.
• Organizations must plan their transition audit before August 2015.