Information Security Exchange

Size: px

Start display at page:

Download "Information Security Exchange"

Clemence Price
6 years ago
Views:

1 Information Security Exchange

2 ISO 27001:2013 The road to certification Mike Edwards 30 April 2014

3 Content Who is BSI? Annex SL Clauses 4 10 Annex A Transitioning from ISO 27001:2005 to

4 Who is BSI 10 fast facts

Planning phase 20% of the time implementing We now

80% of our time planning 20% of our time planning but

fire fighting which then ends up lasting the life of

5 Planning phase 20% of the time implementing We now need to spend time planning the task We should spend 80% of our time planning 20% of our time planning but we spend 20% of the time implementing 60% of the time fire fighting which then ends up lasting the life of the system or to our retirement which ever comes sooner. 5

6 Annex SL Appendix 2

7 Annex SL, Appendix 2 Purpose 7

ISO/IEC 27001:2013 Components Overview PLAN 4 Context of the organization Understanding of context Expectations of interested parties Scope and ISMS 5 Leadership

Competence Awareness Communication Documented Information DO 8 Operation Operational planning and control Risk assessment Risk treatment CHECK 9 Performance and

8 ISO/IEC 27001:2013 Components Overview PLAN 4 Context of the organization Understanding of context Expectations of interested parties Scope and ISMS 5 Leadership Management commitment IS policy Roles, responsibilities and authorities 6 Planning Actions to address risk and opportunity IS objectives 7 Support Resources Competence Awareness Communication Documented Information DO 8 Operation Operational planning and control Risk assessment Risk treatment CHECK 9 Performance and Evaluation Monitoring, measurement, analysis and evaluation Internal audit Management review ACT 10 Improvement Nonconformity and corrective action Continual improvement 8

9 Comparison with ISO/IEC 27001:2005 9

10 Summary of recent changes to ISO/IEC Terms and definitions 10

11 4. Context of the Organization Understanding the organization and its context Understanding the needs and expectation of interested parties Determining the Scope of the management system 11

12 Interested Parties Civilians Customers Distributors Shareholders Investors Owners Insurers Government Regulators Information suppliers The Organization Management Those who implement and maintain the ISMS Security Incident Response Staff Other Staff Contractors Competitors Media Customers User groups Legal, compliance & risk Information interest groups Technical services Other response agencies Information services Staff dependents Suppliers 12

13 5 Leadership Leadership & Commitment Policy Organizational Roles, Responsibilities & Authorities 13

14 6 Planning Actions to address, risks and opportunities Map to context of the organization Looking at organizational risk No more preventative action! IS objectives 14

15 7 Support 7.4 Communication 7.5 Documented Information 15

16 7.5 Documented information Required by ISO 27001: Scope of the ISMS 5.2 Information security policy Information security risk assessment process information security risk treatment process d) statement of applicability 6.2 Information security objectives 7.2 d) Evidence of competence a) documented information required by international standard and ISMS 8.1 Operational planning and control 8.2 Results of the information security risk assessments 8.3 Results of the information security risk treatment 9.1 Evidence of the monitoring and measurement results 9.2 g) Evidence of the audit programme(s) and the audit results 9.3 Evidence of the results of management reviews 10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken 10.1 g) Evidence of the results of any corrective action 09/05/

17 8 Operation 8.1 Operational planning and control 8.2 Information security risk assessment 8.3 Information security risk treatment 17

18 9 Performance Evaluation 18

19 9 Performance Evaluation Management Review 19

20 10 Improvement 10.1 Nonconformity and corrective action 10.2 Continual improvement 20

21 Controls (Annex A and ISO/IEC 27002) 21

22 Mapping of control groups in Annex A YOU ARE HERE 22

23 Transition to ISO/IEC 27001:2013

24 Transition to ISO/IEC 27001:2013 Transition arrangements Tips for making the transition 24

Transition plan for ISO/IEC 27001:2013 Transfer Completion Deadline:Within 24 months of the publication date of ISO/IEC 27001:2013 (1 October 2015) A new application can be assessed against ISO/IEC

25 Transition plan for ISO/IEC 27001:2013 Transfer Completion Deadline:Within 24 months of the publication date of ISO/IEC 27001:2013 (1 October 2015) A new application can be assessed against ISO/IEC 27001:2005 if it will be completed within 12 months after the publication date of ISO/IEC 27001:2013 Year New Application ISO/IEC 27001:2005 ISO/IEC 27001:2013 Transition Transition period (24months) 25

Kingdom Telephone: +44 845 086 9000 Email: Links:

26 Contact us Address: BSI Group Kitemark Court Davy Avenue, Knowlhill Milton Keynes, MK5 8PP United Kingdom Telephone: Links: 26

28 Information Security Exchange 28

Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013

Transition guide Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013 The new international standard for information security management systems ISO/IEC 27001 - Information Security Management - Transition