Transitioning to ISO 27001:2013
Welcome and Introductions
SAI Global
Provides information services and solutions globally to:
– Manage risk
– Achieve compliance
– Drive business improvement
Leading provider of ISO 27001 assurance services in the region
Provides training in understanding, implementing and auditing Information Security Management Systems
Introductions
CQR
Largest Australian-owned independent information security consultancy
Experts in the design, implementation and operation of ISMSs based on ISO 27001
Our specialists have assisted in excess of 20 organisations globally through the certification process
CQR has been certified to ISO 27001 for almost 9 years
Learning Outcomes
At the end of the session, you will have:
– An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
– Information to allow you to start to plan the necessary transition activities
Agenda
Brief history of ISO 27001 and 27002
Drivers for updating the standard
Changes to the mandatory clauses
– 2005 – Clauses 4 to 8
– 2013 – Clauses 4 to 10
Key changes to Annex A
Transition Activities
Certification considerations
Q&A
The evolution of ISO 27001 revisited
ISO 27001 Revisited
Developed from BS 7799 Part 2
First released in 2005 as the core standard in the 27000 family for information security
Supporting standard ISO 27002 renamed from ISO 17799 in 2007
Both standards updated and published in 2013
ISO 27001 is the “auditable” and “certifiable” standard
Drivers for the update
Why the update?
Experience over the last 2 decades with a large number of organisations globally
The changing landscape (outsourcing, cloud etc.)
To align the standard with key principles within the ISO 31000 risk management standard
Why the update?
Driven by the need to align the structure of ALL ISO management systems standards
– Shared language for all non-specific components of the management systems
– Conformance with Annex SL requirements
Conceptual Differences
Concepts and Context differences
No formal PDCA model any more, as long as continual improvement occurs
Shift to move support of the ISMS to the executive management level (“top management”)
Management of risks has a higher focus than control effectiveness
Now have the concept of “risk owner”
Changes to the mandatory clauses
Mandatory Clauses – 2005 version
Clauses 0-3 provide background and definitions
Clauses 4-8 provide the mandatory requirements for the ISMS
Clause 4 – Information security management system
Clause 5 – Management responsibility
Clause 6 – Internal ISMS audits
Clause 7 – Management review of the ISMS
Clause 8 – ISMS Improvement
Mandatory Clauses – 2013 version
Clauses 0-3 provide background
Clauses 4-10 provide the mandatory requirements for the ISMS
Clause 4 – Context of the organisation
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance evaluation
Clause 10 – Improvement
Key differences
Need to document motivation and context for operating an ISMS
Requirement to consider interfaces and dependencies with other parties
Need to include external risk sources and outsourced functions
– Must be included in scope
The ISMS Policy has been removed and the standard now only refers to an Information Security Policy
Key Differences
Alignment of risk approach to ISO 31000 rather than the current version of ISO 27005
Don’t need to identify assets, threats and vulnerabilities before risk identification
Risk sections now discuss “consequences” not “impact”
Formally requires risk owners to approve the risk treatment plans
Key Differences
Preventive action as a concept disappears
– Replaced by “risks and opportunities”
Determination of controls is now part of the risk assessment, not a separate selection process from Annex A
However, still need to validate selected controls against Annex A to verify no necessary controls have been omitted
A Statement of Applicability is still required
Key Differences – Mandatory Procedures
2005 had 5 mandatory procedures
2013 has removed the explicit requirement
Still required to control documented information
– Including supporting records
Internal Audit activity is still required but no longer requires a formal procedure
Non-conformity and corrective action must still occur
Explicit preventive action requirement is removed
Key Differences – Mandatory Requirements
Management Review changes
– Must occur at planned intervals (used to be at least annually)
– No longer defines specific precise inputs and outputs but provides a list of topics that need to be considered
Internal Audit
– Statement that auditors shall not audit their own work has been removed
– However, auditors must be objective and impartial
Annexure A Changes
Annex A
2005 had 133 controls in 11 sections
2013 has 114 controls in 14 sections
Some controls have been removed completely
– E.g. A.12.5.4 Information leakage
– A.11.5.6 Limitation of connection time
Others are combined
– E.g. malicious and mobile code is now Malware (new A.12.2.1)
Some new controls added
My view – the new Annex A is a simplified set of controls that are more easily understood
Annex A
Have split Communications and Operations Management (A.10) into two
– A.12 Operations security
– A.13 Communications security
Also now have a separate section (A.10) for Cryptography
Business Continuity section has undergone significant change, focusing on embedding information security into the organisation’s BCMS
– This section also addresses redundant facilities
Other Changes
Annexures B and C (2005)
Annex B contained the cross reference to the OECD principles
Also referred to the PDCA model, which has been dropped
There is no equivalent annexure in the 2013 version
Annex C provided a cross-reference between 27001 and other standards
Given the revision of the other standards, this section has also been removed with no replacement
Transition Activities
Transition Activities
Assumption – you have an ISMS in place based on the ISO/IEC 27001:2005 standard
– Equivalent to AS/NZS ISO/IEC 27001:2006
Assumption – Goal is to keep changes to a minimum
Transition Activities
Where to start?
– Is a gap analysis worthwhile?
– Yes; the level of effort depends on how close your existing system already is to the new requirements
You need to have some sort of transition plan, and a gap analysis may help identify tasks
Once you have identified key activities, add them to your current system as improvement opportunities
Transition Activities
Document all “interested parties”
– Internal and external
Re-visit your Scope statement
– Make sure you capture the interfaces with third parties and the security requirements around these interfaces
Transition Activities
For Management, specifically allocate responsibility for
– Ensuring the ISMS conforms with the standard
– Reporting on the performance of the ISMS to top management
Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)
Transition Activities
Review your ISMS policy (in 2013, called the Information Security Policy) and simplify if there is value in doing so.
– You can leave it unchanged if it’s working!
– Can add the roles and responsibilities previously discussed in this document if you wish
Transition Activities
Review your risk management procedure
– Can simplify by removing the asset-threat-vulnerability approach
– Ensure that you have a process to identify and record “risk owners”
Revisit your risk assessments and get approval of treatments from the risk owners
– Still need a record of acceptance of residual risk
Transition Activities
Revisit your Statement of Applicability (SoA)
– Map risks against new Annex A controls
– Just because a control has disappeared from Annex A does not mean you should remove it
– If it still manages a risk, it should still appear in your SoA
Check references in the rest of your system to controls within the SoA (risk register etc.)
Transition Activities
Review the required documentation
– Do you want to keep your versions of the old mandatory procedures?
– What documents can be retired?
– What new documents are needed?
– New documents may be required based on any new controls selected in your Statement of Applicability
Transition Activities
Potential new documents
– Information security objectives (not Annex A related)
– A.14.2.1 Secure Development Policy
– A.14.2.5 Secure Systems Engineering principles
– A.15.1.1 InfoSec Policy for Supplier Relationships
– A.16.1.7 A procedure for evidence management
Transition Activities
Revisit your metrics and measures
– New version has more focus on metrics and measures
– Need to identify what your metrics will be and how you will measure the performance of the ISMS
Only measure that which provides value (information on the performance of the ISMS)
Transition Activities
Need to ensure that you define
– How things will be measured
– Who monitors/measures
– When it will be done
– Who is going to look at the results
– When this will happen
Additional Workshops
Melbourne – 9th December
Sydney – 10th December
Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ
Certification Considerations
Certification
For new certifications, you can choose to certify to the 2005 version until Sept 2014
For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system
Don’t leave it until the last minute; start making the necessary changes as soon as you can
Any questions?