Information Security Exchange
ISO 27001:2013: The road to certification
Mike Edwards, 30 April 2014

Content
- Who is BSI?
- Annex SL
- Clauses 4 to 10
- Annex A
- Transitioning from ISO 27001:2005 to 2013

Who is BSI? 10 fast facts
Planning phase
We now need to spend time planning the task. We should spend 80% of our time planning and 20% of the time implementing, but instead we spend 20% of our time planning, 20% of the time implementing and 60% of the time fire fighting, which then ends up lasting the life of the system or until our retirement, whichever comes sooner.
Annex SL Appendix 2
Annex SL, Appendix 2: Purpose

ISO/IEC 27001:2013 Components Overview
PLAN
- 4 Context of the organization: understanding of context; expectations of interested parties; scope and ISMS
- 5 Leadership: management commitment; IS policy; roles, responsibilities and authorities
- 6 Planning: actions to address risk and opportunity; IS objectives
- 7 Support: resources; competence; awareness; communication; documented information
DO
- 8 Operation: operational planning and control; risk assessment; risk treatment
CHECK
- 9 Performance and evaluation: monitoring, measurement, analysis and evaluation; internal audit; management review
ACT
- 10 Improvement: nonconformity and corrective action; continual improvement

Comparison with ISO/IEC 27001:2005

Summary of recent changes to ISO/IEC 27001: Terms and definitions
4 Context of the Organization
- Understanding the organization and its context
- Understanding the needs and expectations of interested parties
- Determining the scope of the management system

Interested Parties
- The organization: management; those who implement and maintain the ISMS; security incident response staff; other staff; contractors; legal, compliance and risk; technical services; information services; staff dependents
- Customers and user groups
- Distributors and suppliers (including information suppliers)
- Shareholders, investors and owners
- Insurers
- Government and regulators
- Competitors
- Media
- Information interest groups
- Other response agencies

5 Leadership
- Leadership and commitment
- Policy
- Organizational roles, responsibilities and authorities

6 Planning
- Actions to address risks and opportunities
- Map to the context of the organization
- Looking at organizational risk
- No more preventive action!
- IS objectives

7 Support
- 7.4 Communication
- 7.5 Documented information

7.5 Documented information required by ISO 27001:2013
- 4.3 Scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment process
- 6.1.3 d) Statement of Applicability
- 6.2 Information security objectives
- 7.2 d) Evidence of competence
- 7.5.1 a) Documented information required by the international standard and the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessments
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement results
- 9.2 g) Evidence of the audit programme(s) and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective action
09/05/2014

8 Operation
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment

9 Performance Evaluation

9 Performance Evaluation: Management review

10 Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement

Controls (Annex A and ISO/IEC 27002)

Mapping of control groups in Annex A
Transition to ISO/IEC 27001:2013

Transition to ISO/IEC 27001:2013
- Transition arrangements
- Tips for making the transition

Transition plan for ISO/IEC 27001:2013
Transfer completion deadline: within 24 months of the publication date of ISO/IEC 27001:2013 (1 October 2015).
A new application can be assessed against ISO/IEC 27001:2005 if it will be completed within 12 months after the publication date of ISO/IEC 27001:2013.
Timeline (2013 to 2016): new applications assessed against ISO/IEC 27001:2005 or ISO/IEC 27001:2013; transition period of 24 months.

Contact us
Address: BSI Group, Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes, MK5 8PP, United Kingdom
Telephone: +44 845 086 9000
Email: training@bsigroup.com
Links: www.bsigroup.co.uk/training