Update on ISO 27001 Revision

Sudarshan Mandyam, CISA, CISM
Director, ISACA Sydney Chapter
Global Program Manager ISMS, ISC

Tuesday 20th October 2009
AGENDA

1. Process of publishing and auditing standards
2. About ISC and IT-related services
3. Standards families: Requirements and Guidelines
4. The 27001 family of standards
5. An overview of 27001:2005 and 27002:2005
6. Activities of ISACA and AISA
7. Activities of the ISMS User Group Australia
8. Changes proposed in ISO 27001
9. How to take part in revision activities
Process of publishing and auditing standards

The slide shows three parallel hierarchies: who publishes the standards, who trains and certifies the auditors, and who accredits the certification bodies.

Level           STANDARDS                        TRAINING (auditor certification)        CERTIFICATION (accreditation)
International   ISO, www.iso.ch (Switzerland)    www.ipc.org (Greece)                    IAF, www.iaf.nu (Sydney)
Regional        EU, PANAM, AP                    IRCA, RABQSA, JRQA, NRBPT               EU, PANAM, AP
National        ANZ, ANSI, BSI                                                           JAS-ANZ, UKAS
Industry        PCI DSS
Company         IBM, HP                          ISC, SAI Global                         Certification bodies
Persons                                          Certified auditors
International Standards Certification Pty Ltd (ISC)

Family-owned business. Owner: Mr. Tony Wilde
- A pioneer in the certification industry
- Quality practitioner since the 1970s
- The first Lead Auditor in Asia Pacific for a management system
- Former CXO of SAI Global, where he managed about 175 Lead Auditors
- Was involved in creating the JAS-ANZ accreditation body

System certification: Quality, Environment, Health & Safety, Disability Services, Information Security, Business Continuity, IT Service Management

Product certification, for example fire safety equipment

RABQSA-certified Lead Auditor training: ISMS, in addition to Quality, Environment, Health & Safety

Internal training for disability services
Standards families: Requirements and Guidelines

Requirements are mandatory. "Shall" is used in the text of a Requirements standard. For example: "shall have an information security policy". A certification audit tests conformance against every "shall".

Guidelines are optional. "Should" is used in the text of a Guidelines standard. For example: "the information security policy should include compliance with applicable regulations". Guidance can be adopted, adapted or declined, but the choice is expected to be a considered one.
The 27001 family of standards

A family has one vocabulary standard (numbered x000) and one Requirements standard for the management system itself (numbered x001). The remaining members are guidelines, and a family can have any number of them. In the 27000 family this gives:

1. ISO/IEC 27000 - Vocabulary
2. ISO/IEC 27001 - Requirements
3. ISO/IEC 27002 - Code of Practice
4. ISO/IEC 27003 - Implementation Guidelines
5. ISO/IEC 27004 - ISMS Metrics
6. ISO/IEC 27005 - ISMS Risk Assessment
7. ISO/IEC 27006 - Guidelines for Certification Bodies
8. ISO/IEC 27007 - ISMS Audit Guidelines
An overview of 27001:2005 and 27002:2005

27001:2005 (Requirements)                        27002:2005 (Code of Practice)
1. Introduction                                  5. Security Policy
2. References to standards                       6. Security Organisation
3. Definitions                                   7. Information Assets
4. Scope, Risk Assessment, SOA                   8. Human Resources
5. Resourcing                                    9. Physical & Environmental Security
6. Internal Audit                                10. Computer Operations
7. Management Review                             11. Logical Security
8. Corrective & Preventive Action                12. SDLC
Annexure A: control objectives A.5 to A.15       13. Incident Management
Annexure B: OECD principles                      14. BCM
Annexure C: Comparison with other standards      15. Compliance

Annexure A of 27001 lists the control objectives and controls as A.5 to A.15, numbered to match clauses 5 to 15 of 27002.
Activities of ISACA and AISA

ISO/IEC JTC 1 / SC 27
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- JTC 1: Joint Technical Committee 1
- SC 27: Subcommittee 27, which is organised into five working groups

ISACA liaison to SC 27:
1. Ron Hale, USA
2. Howard Nicholson, Australia

AISA (www.aisa.org.au)
There are three user groups; the ISMS User Group Australia (ISMS UGA) is the latest. For comments on the ISO 27001 revision, please contact the ISMS User Group Australia: John Snare, Melbourne.
Activities of the ISMS User Group Australia

The new user group was formed in September 2009.
- Convener: Sudarshan Mandyam, ISC
- Member: David Begg, ServiceFirst, NSW Government
- Member: Sunil Sharma, CSC

About 90 members across the ISMS user groups, mainly in Sydney, Brisbane, Melbourne and Canberra. Quarterly video conferencing. The end product of each quarter is a user guide for a specific area of the ISMS:

- Q4 2009 (20th November 2009): Scope of the ISMS
- Q1 2010 (February 2010): Statement of Applicability
- Q2 2010 (May 2010): Policy, Procedure & Guidelines
Changes proposed in ISO 27001

Although 27002 is a guidance standard (optional), its clauses 5 to 15 correspond one-to-one with Annexure A of the 27001 Requirements. Any control added to or changed in 27002 therefore becomes part of Annexure A of ISO 27001, and an organisation seeking certification must then either select that control or justify in its Statement of Applicability why the control is not selected. In practice this is how changes to an optional guideline become auditable obligations.

Note: 27003, 27004, etc. are independent of ISO 27001; changes to them do not flow into Annexure A.
Changes proposed in ISO 27001 (governance and management topics)

1. Security strategy and governance
2. Security organisation structure
3. Enterprise architecture
4. Enterprise integrated risk management
5. Information security management and operations
6. Information security strategic plan
7. Reporting legal or criminal violations
8. Compliance inspections
9. Information lifecycle management
10. Privacy impact assessment
Changes proposed in ISO 27001 (technical and physical topics)

1. Physical security of laptops, smartphones and PDAs
2. Physical security certification
3. Emanations security
4. Software technical architecture security
5. Software data architecture security
6. Mainframe applications
7. Virtualised software and hardware
8. Information system security accreditation
9. Securing wireless communications
10. SCADA security controls
11. Network security controls, Layer 1 to Layer 7
12. Cyber security
How to take part in revision activities

1. Contact Ron Hale, ISACA, USA
2. Join AISA, the Melbourne chapter and the ISMS User Group (a total fee of A$50.00 per annum)
3. Google search: JTC 1 / SC 27
4. http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
5. Visit www.iso27001certifications.com
6. If you still need help, write to: sudarshan@iscworldwide.com
Questions? sudarshan@isc-worldwide.com