ISO27001:2013 The New Standard Revised Edition

Transcription

1 ECSC UNRESTRICTED ISO27001:2013 The New Standard Revised Edition +44 (0) A Blue Paper from Page 1 of 14

2 Version 1_00 Date: 27 January 2014 For more information about ECSC s full range of information security services, visit: All Rights Reserved. This document contains information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of ECSC Ltd. For the latest updates to this document, please visit: Warranty This document is supplied on an as is basis with no warranty and no support. Limitations of Liability In no event shall ECSC Ltd. be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licenses are expressly or implicitly granted (herein) with this blue paper. Disclaimer Any brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. ECSC Ltd. are not associated with any vendors or products that may be mentioned in this document. Page 2 of 14

3 Executive Summary This Blue Paper is an introductory document. The comments and advice are based on our experience of developing, implementing, maintaining and improving Information Security Management Systems in accordance with ISO27001:2005. The maintenance of a certified information security management system can be challenging, and the changes introduced to ISO 27001:2013 will require alterations to systems currently deemed compliant with the 2005 version of the standard. In our position as vendor independent information security consultants, our clients seek our help to develop more effective ways to maintain compliance as standards develop. The field of Information Security has changed a great deal over the last 8 years with new technologies, business opportunities, threats and vulnerabilities emerging constantly. Therefore, the ISO 27001:2005 standard has been updated to reflect these changes while still being appropriate and flexible enough for the vast range of organisations that currently conform to its requirements. At first glance the standard appears to have changed considerably in structure and content and you d be forgiven for thinking this means a huge amount of work to transition your current ISMS to the requirement of the new standard. However when we examine these changes more carefully they are often subtle; the reworking has focussed on adding more clarity to the requirements and aligning the mandatory clauses with other ISO standards such as Key changes include an increased emphasis on monitoring and measuring the performance and effectiveness of the ISMS, clearer links between risks and chosen controls, and the need for defined skills and competences required to maintain the ISMS. In addition there have been changes to the control sections and individual controls within Annex A. The final version of the standard (ISO 27001:2013) was released in October 2013 and certification bodies should soon be able to offer UKAS accredited certification to this updated version of the standard. Page 3 of 14

4 Mandatory Clauses The mandatory management clauses have been subject to a considerable amount of restructuring. There are now new clause sections covering Leadership, Planning, Support, Operation, and Performance Evaluation. On closer inspection we can see that not much in the way of content and/or requirements have changed, these sections have simply been updated and clarified. Leadership This section focuses on the need for management commitment and involvement in the ISMS. As before, management must ensure that security is embedded in the organisations culture, and that the appropriate resources are in place to support the ISMS. Management must also set policy and security objectives and ensure that security requirements are communicated effectively throughout the organisation. Compared to the current standard there are no new requirements here. Planning Risk Assessment This section outlines the requirements of the risk assessment process you will note that the need for the identification of information assets, threats, vulnerabilities, and owners are no longer required. While the assessment of impact and likelihood, defined criteria for the acceptance of risks and identifying treatment plans still remain. The standards advises the use of ISO (a generic risk assessment standard) as a guide for conducting your risk assessment. Interestingly, after identifying your risks, this revised standard now requires you to determine all controls that are necessary to implement the information security risk treatment options. You must then compare these controls with those in Annex A and verify that no necessary controls have been omitted. This could imply that there must be a risk for every control in Annex A. Page 4 of 14

5 Mandatory Clauses cont. Statement of Applicability This section also defines the requirements for the Statement of Applicability. The significant change here is that you must provide justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls. Measurable Objectives This section also elevates the requirements for setting and measuring security objectives. You must now define what will be measured, what resources will be required to measure the objectives, who will be responsible, when it will be completed and how the results will be evaluated. The standard now requires objectives to be defined at a functional level not just by management. Support This section is concerned with ensuring the appropriate resources are provided to support the implementation and ongoing management of the ISMS, that key competences of individuals are identified, that there is effective communication (both internally and externally) regarding the ISMS and that the required documentation is in place. Much like with the Quality Standard ISO 9001 you are now required to identify what relevant competences individuals supporting the ISMS must have and ensure this is maintained through education and training initiatives. The biggest change being a requirement to retain appropriate documented information as evidence of competence. This section also defines the importance of effective communication relating to the ISMS throughout, and external to, the organisation. You must now formally define what will be communicated, who will communicate the information and to whom, and by what method. Page 5 of 14

6 Mandatory Clauses cont. Operation This is a rather vague section concerned with ensuring business changes are considered through the risk assessment and that appropriate risk treatments are identified and implemented in a timely manner. This particular section is somewhat weak on content when compared to other sections. Performance Evaluation This section places more importance on the need to measure the performance and effectiveness of the ISMS. You will be required to define what will be measured, who will perform these measurements and what will be done with the results? You must be able to provide documented evidence of both these measurements and the knowledge gained as a result. There is still a requirement to conduct Internal Audits at planned intervals and to maintain an audit programme which includes methods, frequencies and responsibilities etc., much the same as in the current standard. You must ensure that your Internal Audits cover the new controls in the standard (detailed later in this document). An updated Management Review agenda is detailed within this section with a few minor changes. There is now a need to review Change to internal and external issues relevant to the ISMS. Information security performance is key with an emphasis on feedback on the measurement of ISMS effectiveness and fulfilment of information security objectives. Note that the standard no longer dictates a minimum frequency of these reviews but we would still recommend a minimum of 6 monthly Management Review Meetings. Improvement This section has replaced the Corrective and Preventive Action section in the current standard. Page 6 of 14

7 Mandatory Clauses cont. It states the organisation shall identify and address nonconformities (corrective action) and then evaluate the need for action to eliminate the root causes of nonconformities (preventive action). It provides an extensive list of ways you might identify potential nonconformities. This section is a vast improvement on the current Corrective and Preventive Action Procedures, as it provides much more clarity around these requirements. This section emphasises the need for the organisation to continually strive to improve the adequacy, suitability and effectiveness of the ISMS. Page 7 of 14

8 Annex A Just when you thought you had learnt all the control numbers they now have a new order, and have increased to 14 sections: A.5 Security Policies A.6 Organisation of Information Security A.7 Human Resource Security A.8 Asset Management A.9 Access Control A.10 Cryptography A.11 Physical and Environmental Security A.12 Operations Security A.13 Communications Security A.14 Systems Acquisition, Development and Maintenance A.15 Supplier Relationships A.16 Information Security Incident Management A.17 Information Security Aspects of Business Continuity Management A.18 Compliance As you can see all of the old familiar sections are still there, albeit in a different order, with a couple of additions. Cryptography now gets its own section but this only contains the same two controls as in the current standard. Operations and Communications have been split into separate sections while Supplier Relationships is completely new (more on this later). Page 8 of 14

9 New Controls The following are some of the new controls: A Information Security in Project management This control states that Information Security shall be addressed in project management, regardless of the type of the project. This could potentially have a significant impact as it suggests that security should be embedded in all areas of business process within the ISMS scope regardless of the type of project. A.14.2 Security in Development and Support Processes The section relating to Development has seen perhaps the most significant change from the current standard with four new controls being added: A A A A Secure Development Policy Secure Systems Engineering Principles System Security Testing Systems Acceptance Testing With these new controls the new standard recognises the importance of information security across the entire systems life-cycle from design through to implementation and testing and suggest a much more sensible approach than in the previous standard and as such, the following controls have been deleted from this section: A A A A A Input data validation Control of internal processing Message integrity Output data validation Information leakage A.15.1 Supplier Relations The importance of managing the risks associated with your suppliers has been given greater prominence through the introduction of this new section. While the need for third Page 9 of 14

10 New Controls cont. party agreements and monitoring of third party services remain from the current standard the following new controls have been included: A A Information security policy for supplier relationships ICT supply chain A.16.1 Incident Management This section has been extended to include two new controls related to the assessment of severity of security events and the formal response taken to dealing with incidents. A A Assessment and decision of information security events Response to information security incidents A.17 Business Continuity Management This section has also seen noteworthy changes. While the new standard still requires you to have formal Business Continuity Plans it now specifically requires consideration of the continuity of information security in the event of a disaster. The control to test your plans has been amended to Verify, Review and Evaluate Information Security Continuity (A ) thus requiring assessment of the information security continuity controls in place not just the plans. In addition, a new sub section has been added (A.17.2 Redundancies) and a single control within this new section (A Availability of Information Processing Facilities) requires redundancies to be built into all information processing systems where required to meet documented tolerances. Page 10 of 14

11 Modified Controls The following controls, while very similar to the existing controls, have been altered to varying degrees so that the requirement is now slightly different: A Policies for Information Security The current standard requires a single high level Information Security Policy while this proposed control states that a set of policies shall be defined, approved and communicated to all relevant parties. A Management of Secret Authentication Information of Ssers & A Use of Secret Authentication Information The term secret authentication information has replaced passwords taking into account that this may now include passwords, pass phrases, PINS etc. A Controls Against Malware Previously covered by two controls for protecting against malicious code and mobile code these have now been merged into one sensible control. A Securing Applications Services on Public Networks & A Protecting Application Service Transactions These modified controls replace the previous controls in A.10.8 and A.10.9 related to exchange of information, e-commerce, on-line transactions and publicly available information. In the new revision there is a strong emphasis on authentication, non repudiation, and the integrity of information. Many of the these considerations can be addressed by the application of cryptographic controls. Please note that there is also a reworking of ISO to provide updated guidance on these new controls in ISO 27001:2013. Page 11 of 14

12 Controls Removed or Deleted The following controls have been removed altogether from the new standard (some of which you may be pleased to see the back of). Please note that the intent of some of these controls may have been merged into another control. A A A A A A A A A A A A A A A A A A A A Management Commitment Information Security Coordination Authorisation process for information processing facilities Addressing risks when dealing with customers Information handling procedures Business Information Systems Electronic commerce On-line transactions User authentication for external connections Equipment identification in networks Remote diagnostic and configuration port protection Network connection control Network routing control Information access restriction Sensitive system isolation Input data validation Control of internal processing Message integrity Output data validation Information leakage Page 12 of 14

13 Conclusion While these changes may appear daunting, for the most part they are aimed at clarifying the intent of a clause or control, or shifting the focus of security management efforts towards repeatable, measurable processes. The most significant changes are likely to be driven by audit practices; clearly these will develop as new certificates are awarded against the standard. All existing ISO certified Management Systems will require some modification in order to ensure certification against the new standard. However, this modification process should be relatively painless. Wholesale re-working of your existing systems may not be required. 1. Look for existing processes which already provide measurable data to feed into the new measurement and monitoring processes. 2. Ensure your high level objectives can be supported by the analysis of this data. 3. Plan for the inclusion of new risks in your risk assessment; use the revised Annex A controls to support this process. 4. Draft new policies on information security for supplier relationships, mobile devices and on secure development. Perhaps most importantly, you should ensure management are aware of the need for ongoing support for and commitment to the ISMS. Page 13 of 14

14 Where Next? When standards develop it is essential to understand the intentions and implications of any changes and how these are likely to be audited. This ECSC Blue Paper has been designed to outline the most significant changes to the ISO27001 standard, to enable you to plan any changes carefully and efficiently. If you feel we can be of assistance, then we will be more than happy to come to see you to discuss your particular project, and give you some initial guidance on building an effective Compliance and Certification programme. Call +44 (0) or today. Page 14 of 14