ISO27001:2013 The New Standard Revised Edition


ECSC UNRESTRICTED

ISO27001:2013 The New Standard Revised Edition

A Blue Paper from ECSC
+44 (0) 1274 736223
consulting@ecsc.co.uk
www.ecsc.co.uk

Page 1 of 14

Version 1_00
Date: 27 January 2014

For more information about ECSC's full range of information security services, visit: http://www.ecsc.co.uk/

All Rights Reserved. This document contains information which is protected by copyright. No part of this document may be photocopied, reproduced, or translated to another language without the prior written consent of ECSC Ltd. For the latest updates to this document, please visit: http://www.ecsc.co.uk/

Warranty
This document is supplied on an "as is" basis with no warranty and no support.

Limitations of Liability
In no event shall ECSC Ltd. be liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages (including lost profit or lost data) whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. The information contained in this document is subject to change without notice. No trademark, copyright, or patent licences are expressly or implicitly granted (herein) with this blue paper.

Disclaimer
Any brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. ECSC Ltd. are not associated with any vendors or products that may be mentioned in this document.

Executive Summary

This Blue Paper is an introductory document. The comments and advice are based on our experience of developing, implementing, maintaining and improving Information Security Management Systems in accordance with ISO 27001:2005. The maintenance of a certified information security management system can be challenging, and the changes introduced in ISO 27001:2013 will require alterations to systems currently deemed compliant with the 2005 version of the standard. In our position as vendor-independent information security consultants, our clients seek our help to develop more effective ways to maintain compliance as standards develop.

The field of Information Security has changed a great deal over the last 8 years, with new technologies, business opportunities, threats and vulnerabilities emerging constantly. Therefore, the ISO 27001:2005 standard has been updated to reflect these changes while still being appropriate and flexible enough for the vast range of organisations that currently conform to its requirements.

At first glance the standard appears to have changed considerably in structure and content, and you'd be forgiven for thinking this means a huge amount of work to transition your current ISMS to the requirements of the new standard. However, when we examine these changes more carefully they are often subtle; the reworking has focussed on adding more clarity to the requirements and aligning the mandatory clauses with other ISO standards such as 9001.

Key changes include an increased emphasis on monitoring and measuring the performance and effectiveness of the ISMS, clearer links between risks and chosen controls, and the need for defined skills and competences required to maintain the ISMS. In addition there have been changes to the control sections and individual controls within Annex A.

The final version of the standard (ISO 27001:2013) was released in October 2013 and certification bodies should soon be able to offer UKAS accredited certification to this updated version of the standard.

Mandatory Clauses

The mandatory management clauses have been subject to a considerable amount of restructuring. There are now new clause sections covering Leadership, Planning, Support, Operation, and Performance Evaluation. On closer inspection we can see that not much in the way of content and/or requirements has changed; these sections have simply been updated and clarified.

Leadership
This section focuses on the need for management commitment and involvement in the ISMS. As before, management must ensure that security is embedded in the organisation's culture, and that the appropriate resources are in place to support the ISMS. Management must also set policy and security objectives and ensure that security requirements are communicated effectively throughout the organisation. Compared to the current standard there are no new requirements here.

Planning

Risk Assessment
This section outlines the requirements of the risk assessment process. You will note that the identification of information assets, threats, vulnerabilities, and owners is no longer required, while the assessment of impact and likelihood, defined criteria for the acceptance of risks and the identification of treatment plans still remain. The standard advises the use of ISO 31000 (a generic risk assessment standard) as a guide for conducting your risk assessment. Interestingly, after identifying your risks, this revised standard now requires you to determine all controls that are necessary to implement the information security risk treatment options. You must then compare these controls with those in Annex A and verify that no necessary controls have been omitted. This could imply that there must be a risk for every control in Annex A.

Statement of Applicability
This section also defines the requirements for the Statement of Applicability. The significant change here is that you must provide justification for inclusions, whether they are implemented or not, and justification for exclusions of controls.

Measurable Objectives
This section also elevates the requirements for setting and measuring security objectives. You must now define what will be measured, what resources will be required to measure the objectives, who will be responsible, when it will be completed and how the results will be evaluated. The standard now requires objectives to be defined at a functional level, not just by management.

Support
This section is concerned with ensuring that the appropriate resources are provided to support the implementation and ongoing management of the ISMS, that key competences of individuals are identified, that there is effective communication (both internally and externally) regarding the ISMS and that the required documentation is in place. Much like the Quality Standard ISO 9001, you are now required to identify what relevant competences individuals supporting the ISMS must have and ensure these are maintained through education and training initiatives. The biggest change is a requirement to retain appropriate documented information as evidence of competence. This section also defines the importance of effective communication relating to the ISMS throughout, and external to, the organisation. You must now formally define what will be communicated, who will communicate the information and to whom, and by what method.

Operation
This is a rather vague section concerned with ensuring that business changes are considered through the risk assessment and that appropriate risk treatments are identified and implemented in a timely manner. This particular section is somewhat weak on content when compared to other sections.

Performance Evaluation
This section places more importance on the need to measure the performance and effectiveness of the ISMS. You will be required to define what will be measured, who will perform these measurements and what will be done with the results. You must be able to provide documented evidence of both these measurements and the knowledge gained as a result. There is still a requirement to conduct Internal Audits at planned intervals and to maintain an audit programme which includes methods, frequencies, responsibilities etc., much the same as in the current standard. You must ensure that your Internal Audits cover the new controls in the standard (detailed later in this document). An updated Management Review agenda is detailed within this section with a few minor changes. There is now a need to review changes to internal and external issues relevant to the ISMS. Information security performance is key, with an emphasis on feedback on the measurement of ISMS effectiveness and fulfilment of information security objectives. Note that the standard no longer dictates a minimum frequency for these reviews, but we would still recommend holding Management Review Meetings at least every 6 months.

Improvement
This section has replaced the Corrective and Preventive Action section in the current standard.

It states that the organisation shall identify and address nonconformities (corrective action) and then evaluate the need for action to eliminate the root causes of nonconformities (preventive action). It provides an extensive list of ways you might identify potential nonconformities. This section is a vast improvement on the current Corrective and Preventive Action procedures, as it provides much more clarity around these requirements. It emphasises the need for the organisation to continually strive to improve the adequacy, suitability and effectiveness of the ISMS.

Annex A

Just when you thought you had learnt all the control numbers, they now have a new order and have increased to 14 sections:

A.5 Security Policies
A.6 Organisation of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.10 Cryptography
A.11 Physical and Environmental Security
A.12 Operations Security
A.13 Communications Security
A.14 Systems Acquisition, Development and Maintenance
A.15 Supplier Relationships
A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance

As you can see, all of the old familiar sections are still there, albeit in a different order, with a couple of additions. Cryptography now gets its own section, but this only contains the same two controls as in the current standard. Operations and Communications have been split into separate sections, while Supplier Relationships is completely new (more on this later).

New Controls

The following are some of the new controls:

A.6.1.4 Information Security in Project Management
This control states that Information Security shall be addressed in project management, regardless of the type of project. This could potentially have a significant impact, as it suggests that security should be embedded in all areas of business process within the ISMS scope regardless of the type of project.

A.14.2 Security in Development and Support Processes
The section relating to Development has seen perhaps the most significant change from the current standard, with four new controls being added:

A.14.2.1 Secure Development Policy
A.14.2.5 Secure Systems Engineering Principles
A.14.2.8 System Security Testing
A.14.2.9 Systems Acceptance Testing

With these new controls the new standard recognises the importance of information security across the entire systems life-cycle, from design through to implementation and testing, and suggests a much more sensible approach than the previous standard. As such, the following controls have been deleted from this section:

A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.5.4 Information leakage

A.15.1 Supplier Relations
The importance of managing the risks associated with your suppliers has been given greater prominence through the introduction of this new section. While the need for third party agreements and monitoring of third party services remains from the current standard, the following new controls have been included:

A.15.1.1 Information security policy for supplier relationships
A.15.1.3 ICT supply chain

A.16.1 Incident Management
This section has been extended to include two new controls related to the assessment of the severity of security events and the formal response to incidents:

A.16.1.4 Assessment and decision of information security events
A.16.1.5 Response to information security incidents

A.17 Business Continuity Management
This section has also seen noteworthy changes. While the new standard still requires you to have formal Business Continuity Plans, it now specifically requires consideration of the continuity of information security in the event of a disaster. The control to test your plans has been amended to Verify, Review and Evaluate Information Security Continuity (A.17.1.3), thus requiring assessment of the information security continuity controls in place, not just the plans. In addition, a new sub-section has been added (A.17.2 Redundancies) and a single control within this new section (A.17.2.1 Availability of Information Processing Facilities) requires redundancies to be built into all information processing systems where required to meet documented tolerances.

Modified Controls

The following controls, while very similar to the existing controls, have been altered to varying degrees so that the requirement is now slightly different:

A.5.1.1 Policies for Information Security
The current standard requires a single high level Information Security Policy, while this proposed control states that a set of policies shall be defined, approved and communicated to all relevant parties.

A.9.2.4 Management of Secret Authentication Information of Users & A.9.3.1 Use of Secret Authentication Information
The term "secret authentication information" has replaced "passwords", taking into account that this may now include passwords, pass phrases, PINs etc.

A.12.2.1 Controls Against Malware
Previously covered by two controls for protecting against malicious code and mobile code, these have now been merged into one sensible control.

A.14.1.2 Securing Application Services on Public Networks & A.14.1.3 Protecting Application Service Transactions
These modified controls replace the previous controls in A.10.8 and A.10.9 related to exchange of information, e-commerce, on-line transactions and publicly available information. In the new revision there is a strong emphasis on authentication, non-repudiation, and the integrity of information. Many of these considerations can be addressed by the application of cryptographic controls.

Please note that there is also a reworking of ISO 27002 to provide updated guidance on these new controls in ISO 27001:2013.

Controls Removed or Deleted

The following controls have been removed altogether from the new standard (some of which you may be pleased to see the back of). Please note that the intent of some of these controls may have been merged into another control.

A.6.1.1 Management Commitment
A.6.1.2 Information Security Coordination
A.6.1.4 Authorisation process for information processing facilities
A.6.2.2 Addressing risks when dealing with customers
A.10.7.3 Information handling procedures
A.10.8.5 Business Information Systems
A.10.9.1 Electronic commerce
A.10.9.2 On-line transactions
A.11.4.2 User authentication for external connections
A.11.4.3 Equipment identification in networks
A.11.4.4 Remote diagnostic and configuration port protection
A.11.4.6 Network connection control
A.11.4.7 Network routing control
A.11.6.1 Information access restriction
A.11.6.2 Sensitive system isolation
A.12.2.1 Input data validation
A.12.2.2 Control of internal processing
A.12.2.3 Message integrity
A.12.2.4 Output data validation
A.12.5.4 Information leakage

Conclusion

While these changes may appear daunting, for the most part they are aimed at clarifying the intent of a clause or control, or shifting the focus of security management efforts towards repeatable, measurable processes. The most significant changes are likely to be driven by audit practices; clearly these will develop as new certificates are awarded against the standard.

All existing ISO 27001 certified Management Systems will require some modification in order to ensure certification against the new standard. However, this modification process should be relatively painless. Wholesale re-working of your existing systems may not be required.

1. Look for existing processes which already provide measurable data to feed into the new measurement and monitoring processes.
2. Ensure your high level objectives can be supported by the analysis of this data.
3. Plan for the inclusion of new risks in your risk assessment; use the revised Annex A controls to support this process.
4. Draft new policies on information security for supplier relationships, mobile devices and secure development.

Perhaps most importantly, you should ensure management are aware of the need for ongoing support for and commitment to the ISMS.

Where Next?

When standards develop it is essential to understand the intentions and implications of any changes and how these are likely to be audited. This ECSC Blue Paper has been designed to outline the most significant changes to the ISO27001 standard, to enable you to plan any changes carefully and efficiently.

If you feel we can be of assistance, then we will be more than happy to come to see you to discuss your particular project, and give you some initial guidance on building an effective Compliance and Certification programme.

Call +44 (0) 1274 736223 or email consulting@ecsc.co.uk today.