Update on ISO Revision

Transcription

1 Update on ISO Revision by Sudarshan Mandyam, CISA CISM Director, ISACA Sydney chapter Global Program Manager ISMS, ISC on Tuesday 20 th October 2009

2 AGENDA 1.Process of publishing and auditing standards 2.About ISC and IT related services 3.Standards families Requirement & Guidelines family of standards 5.An Overview of 27001:2005 and 27002: Activities of ISACA and AISA 7.Activities of ISMS User Group Australia 8.Changes proposed in ISO How to take part in revision activities

3 Process of publishing and auditing STANDARDS standards TRAINING CERTIFICATION Switzerland Regional EU, PANAM, AP National ANZ, ANSI, BSI Industry PCI DSS Company IBM, HP Greece Regional IRCA, RABQSA JRQA, NRBPT Company ISC, SAI Global Persons Sydney Regional EU, PANAM, AP National JAS-ANZ, UKAS Company

4 International Standards Certification Pty Ltd Family owned business Owner Mr. Tony Wilde o A pioneer in the certification industry o Quality practitioner since 1970s o The first Lead Auditor in Asia Pacific for a management system o Former CXO of SAI Global and managed about 175 Lead Auditors o Was involved in creating JAS-ANZ accreditation Body System Certification Quality, Environment, Health & Safety, Disability services, Information Security, Business Continuity, IT Service Management Product Certification, for example, fire safety equipment RABQSA certified Lead Auditor Training ISMS in addition to Quality, Environment, Health & Safety Internal training for disability services

5 Standards families Requirement & Guidelines Requirements are mandatory Shall is used in the text in Requirements standards. For example, Shall have an information security policy Guidelines are optional Should is used in the text in Guidelines standards For example, information security policy should include compliance with application regulations.

6 27001 family of standards A family can have only one vocabulary standard (ending with 000) and one requirement standard (ending with 001). The remaining are guidelines. A family can have any number of standards. 1.- Vocabulary 2.- Requirements 3.- Code of Practice 4.- Implementation Guidelines 5.- ISMS Metrics 6.- ISMS Risk Assessment 7.- Guidelines for Certification Bodies 8.- ISMS Audit Gudielines

7 An Overview of 27001:2005 and 27002: Introduction 5. Security Policy 2. References to standards 6. Security Organisation 3. Definitions 7. Information Assets 4 Scope, Risk Assessment, SOA 8. Human Resources 5. Resourcing 9. Physical & Environmental Security 6. Internal Audit 10. Computer Operations 7. Management Review 11. Logical Security 8. Corr & Prev. Action 12. SDLC Annexure A.5 A.15 Annexure B OECD Annexure C - Comparison 13. Incident Management 14. BCM 15. Compliance

8 Activities of ISACA and AISA ISO/IEC JTC 1 / SC 27 International Organisation for Standards International Electrotechnical Commission Joint Technical Committee 1 Sub Committee 27-5 groups ISACA 1. Ron Hale, USA 2. Howard Nicholson, Australia AISA ( There are three user groups; ISMS UGA is the latest. For comments on ISO revision, please contact ISMS User Group Australia - John Snare, Melbourne.

9 Activities of ISMS User Group Australia New User Group was formed in September 2009 Convener - Sudarshan Mandyam, ISC Member - David Begg, ServiceFirst, NSW Government Member Sunil Sharma, CSC About 90 members of ISMS User Groups Mainly in Sydney, Brisbane, Melbourne and Canberra Quarterly Video Conferencing. End product is a user guide for a specific area of ISMS Q th November Scope of ISMS Q February Statement of Applicability Q May 2010 Policy, Procedure & Guidelines

10 Changes proposed in ISO Although is a guidance standard (optional) it matches with Annexure A of Requirements. Any change proposed in will be a part of Annexure A of ISO Therefore the organisation needs to justify in the Statement of Applicability why a particular control is not selected. Note: 27003, 27004, etc are independent of ISO

11 Changes proposed in ISO Security Strategy and Governance 2.Security Organisation Structure 3.Enterprise Architecture 4.Enterprise Integrated Risk Management 5.Information Security Management & Operations 6.Information Security Strategic Plan 7.Reporting legal or criminal violations 8.Compliance inspections 9.Information Lifecycle management 10.Privacy Impact assessment

12 Changes proposed in ISO Physical security of laptops, smartphones, PDAs 2.Physical security certification 3.Emanations security 4.Software technical architecture security 5.Software data architecture security 6.Mainframe applications 7.Virtualised software and hardware 8.Information system security accreditation 9.Securing wireless communications 10.SCADA security controls 11.Network security controls Layer 1 to Layer 7 12.Cyber Security

13 How to take part in revision activities 1.Contact Ron Hale, ISACA, USA 2.Join AISA, the Melbourne chapter and the ISMS User Group ( a total fee of A$ per annum). 3.Google search - JTC 1 / SC 27 4.h ttp://standards.iso.org/ittf/ PubliclyAvailableStandards/index.html 5.visit 6.If you still need help, write to: sudarshan@iscworldwide.com

14 Questions?