Transitioning to ISO 27001:2013
Welcome and Introductions: SAI Global
Provides information services and solutions globally to:
– Manage risk
– Achieve compliance
– Drive business improvement
Leading provider of ISO 27001 assurance services in the region
Provides training in understanding, implementing and auditing Information Security Management Systems
Introductions: CQR
Largest Australian-owned independent information security consultancy
Experts in the design, implementation and operation of ISMSs based on ISO 27001
Our specialists have assisted in excess of 20 organisations globally through the certification process
CQR has been certified to ISO 27001 for almost 9 years
Learning Outcomes
At the end of the session, you will have:
– An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
– Information to allow you to start to plan the necessary transition activities
Agenda
Brief history of ISO 27001 and 27002
Drivers for updating the standard
Changes to the mandatory clauses
– 2005: Clauses 4 to 8
– 2013: Clauses 4 to 10
Key changes to Annex A
Transition Activities
Certification considerations
Q&A
The evolution of ISO 27001 revisited
ISO 27001 Revisited
Developed from BS 7799 Part 2
First released in 2005 as the core standard in the 27000 family for information security
Supporting standard ISO 27002 renamed from ISO 17799 in 2007
Both standards updated and published in 2013
ISO 27001 is the “auditable” and “certifiable” standard
Drivers for the update
Why the update?
Experience over the last 2 decades with a large number of organisations globally
The changing landscape (outsourcing, cloud etc.)
To align the standard with key principles within the ISO 31000 risk management standard
Why the update?
Driven by the need to align the structure of ALL ISO management systems standards
– Shared language for all non-specific components of the management systems
– Conformance with Annex SL requirements (the common high-level structure and core text now mandated for ISO management system standards)
Conceptual Differences
Concepts and Context differences
The PDCA model is no longer formally required, provided continual improvement occurs
Shift to move support of the ISMS to the executive management level (“top management”)
Management of risks has a higher focus than control effectiveness
Now have the concept of “risk owner”
Changes to the mandatory clauses
Mandatory Clauses – 2005 version
Clauses 0-3 provide background and definitions
Clauses 4-8 provide the mandatory requirements for the ISMS
Clause 4 – Information security management system
Clause 5 – Management responsibility
Clause 6 – Internal ISMS audits
Clause 7 – Management review of the ISMS
Clause 8 – ISMS Improvement
Mandatory Clauses – 2013 version
Clauses 0-3 provide background
Clauses 4-10 provide the mandatory requirements for the ISMS
Clause 4 – Context of the organisation
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance evaluation
Clause 10 – Improvement
Key differences
Need to document the motivation and context for operating an ISMS
Requirement to consider interfaces and dependencies with other parties
Need to include external risk sources and outsourced functions
– These must be included in the scope
The ISMS Policy has been removed; the standard now refers only to an Information Security Policy
Key Differences
Alignment of the risk approach to ISO 31000 rather than the current version of ISO 27005
Don’t need to identify assets, threats and vulnerabilities before risk identification
Risk sections now discuss “consequences” not “impact”
Formally requires risk owners to approve the risk treatment plans
Key Differences
Preventive action as a concept disappears
– Replaced by “risks and opportunities”
Determination of controls is now part of the risk assessment, not a separate selection process from Annex A
However, still need to validate selected controls against Annex A to verify no necessary controls have been omitted
A Statement of Applicability is still required
Key Differences – Mandatory Procedures
2005 had 5 mandatory procedures
2013 has removed the explicit requirement
Still required to control documented information
– Including supporting records
Internal Audit activity is still required but no longer requires a formal procedure
Non-conformity and corrective action must still occur
Explicit preventive action requirement is removed
Key Differences – Mandatory Requirements
Management Review changes
– Must occur at planned intervals (used to be at least annually)
– No longer defines specific precise inputs and outputs but provides a list of topics that need to be considered
Internal Audit
– Statement that auditors shall not audit their own work has been removed
– However, auditors must still be objective and impartial
Annexure A Changes
Annex A
2005 had 133 controls in 11 sections
2013 has 114 controls in 14 sections
Some controls have been removed completely
– E.g. A.12.5.4 Information leakage
– A.11.5.6 Limitation of connection time
Others are combined, e.g. malicious code and mobile code are now covered by a single Malware control (new A.12.2.1)
Some new controls added
My view – the new Annex A is a simplified set of controls that are more easily understood
Annex A
Have split Communications and Operations Management (A.10) into two
– A.12 Operations security
– A.13 Communications security
Also now have a separate section (A.10) for Cryptography
Business Continuity section has undergone significant change, focusing on embedding information security into the organisation’s BCMS
– This section also addresses redundant facilities
Other Changes
Annexures B and C (2005)
Annex B contained the cross reference to the OECD principles
– Also referred to the PDCA model, which has been dropped
– There is no equivalent annexure in the 2013 version
Annex C provided a cross-reference between 27001 and other standards
– Given the revision of the other standards this section has also been removed with no replacement
Transition Activities
Transition Activities
Assumption – you have an ISMS in place based on the ISO/IEC 27001:2005 standard
– Equivalent to AS/NZS ISO/IEC 27001:2006
Assumption – Goal is to keep changes to a minimum
Transition Activities
Where to start?
– Is a gap analysis worthwhile?
– Yes; the depth required depends on how closely your current system already matches the 2013 requirements
You need to have some sort of transition plan, and a gap analysis may help identify tasks
Once you have identified key activities, add them to your current system as improvement opportunities
Transition Activities
Document all “interested parties”
– Internal and external
Re-visit your Scope statement
– Make sure you capture the interfaces with third parties and the security requirements around these interfaces
Transition Activities
For Management, specifically allocate responsibility for:
– Ensuring the ISMS conforms with the standard
– Reporting on the performance of the ISMS to top management
Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)
Transition Activities
Review your ISMS policy (in 2013, called the Information Security Policy) and simplify if there is value in doing so.
– You can leave it unchanged if it’s working!
– Can add the management roles and responsibilities discussed on the previous slide (conformance of the ISMS, reporting its performance) if you wish
Transition Activities
Review your risk management procedure
– Can simplify by removing the asset-threat-vulnerability approach
– Ensure that you have a process to identify and record “risk owners”
Revisit your risk assessments and get approval of treatments from the risk owners
– Still need a record of acceptance of residual risk
Transition Activities
Revisit your Statement of Applicability (SoA)
– Map risks against new Annex A controls
– Just because a control has disappeared from Annex A does not mean you should remove it
– If it still manages a risk, it should still appear in your SoA
Check references in the rest of your system to controls within the SoA (risk register etc.)
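A check of the kind the last bullet calls for, as an added example that is not part of the original presentation: a script that scans a risk register for Annex A control references, renumbers the ones that moved between the 2005 and 2013 editions, flags references to controls that no longer exist so a human decides whether to keep them as additional controls in the SoA, and then lists controls the register relies on that the 2013 SoA does not mark applicable. The mapping table is a constructed excerpt limited to the controls named on these slides (the 2005 source IDs A.10.4.1 and A.10.4.2 for the merged malware control are assumed here); the register rows and the SoA set are constructed sample data. A real transition uses the full ISO/IEC 27001:2013 correspondence table.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the 2005 -> 2013 Annex A correspondence, limited to
# the controls named in the presentation. None means the control has no
# successor in the 2013 edition. A real transition uses the full table.
CONTROL_MAP = {
    "A.10.4.1": "A.12.2.1",  # controls against malicious code -> controls against malware (assumed source ID)
    "A.10.4.2": "A.12.2.1",  # controls against mobile code -> merged into the same control (assumed source ID)
    "A.11.5.6": None,        # limitation of connection time: removed in 2013
    "A.12.5.4": None,        # information leakage: removed in 2013
}

# Annex A identifiers look like A.<section>.<objective>.<control>
CONTROL_REF = re.compile(r"\bA\.\d{1,2}\.\d{1,2}\.\d{1,2}\b")


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    controls: list[str]


@dataclass
class TransitionReport:
    updated: dict[str, list[str]] = field(default_factory=dict)   # risk_id -> 2013 control IDs
    removed: dict[str, list[str]] = field(default_factory=dict)   # risk_id -> 2005 IDs with no successor
    unmapped: dict[str, list[str]] = field(default_factory=dict)  # risk_id -> IDs absent from the map


def parse_register(text: str) -> list[RiskEntry]:
    """Parse 'risk_id,description,controls' lines; controls are ';'-separated."""
    entries = []
    for line in text.strip().splitlines():
        risk_id, description, controls = (part.strip() for part in line.split(",", 2))
        entries.append(RiskEntry(risk_id, description, CONTROL_REF.findall(controls)))
    return entries


def transition(entries: list[RiskEntry], control_map=CONTROL_MAP) -> TransitionReport:
    """Renumber every control reference, keeping order and dropping duplicates
    produced by merges, and flag references that need a human decision."""
    report = TransitionReport()
    for entry in entries:
        new_ids: list[str] = []
        for old in entry.controls:
            if old not in control_map:
                report.unmapped.setdefault(entry.risk_id, []).append(old)
                continue
            new = control_map[old]
            if new is None:
                report.removed.setdefault(entry.risk_id, []).append(old)
            elif new not in new_ids:
                new_ids.append(new)
        report.updated[entry.risk_id] = new_ids
    return report


def soa_gaps(report: TransitionReport, soa_applicable: set[str]) -> dict[str, list[str]]:
    """Controls a risk now relies on that the 2013 SoA does not mark applicable:
    each is either an SoA omission or a risk treatment that needs rewording."""
    gaps = {}
    for risk_id, ids in report.updated.items():
        missing = [c for c in ids if c not in soa_applicable]
        if missing:
            gaps[risk_id] = missing
    return gaps


# Constructed sample register in the 2005 numbering.
SAMPLE_REGISTER = """
R-01,Malware on corporate laptops,A.10.4.1;A.10.4.2
R-02,Data exfiltration via uncontrolled channels,A.12.5.4;A.10.4.1
R-03,Unattended remote sessions,A.11.5.6
R-04,Weak password management,A.11.3.1
"""

if __name__ == "__main__":
    rep = transition(parse_register(SAMPLE_REGISTER))
    for risk_id, ids in rep.updated.items():
        print(risk_id, "->", ", ".join(ids) or "(no Annex A control left)")
    for risk_id, ids in rep.removed.items():
        print(f"{risk_id}: {ids} removed from Annex A; keep as an additional control in the SoA if it still treats the risk")
    for risk_id, ids in rep.unmapped.items():
        print(f"{risk_id}: {ids} not in the mapping excerpt; map manually")
    # Constructed 2013 SoA: only the malware control marked applicable.
    print("SoA gaps:", soa_gaps(rep, {"A.12.2.1"}))
```

Removed controls are reported, not deleted: R-03 ends up with no Annex A control at all, which is exactly the case the slide warns about, where the old control must either stay in the SoA as an additional control or the risk needs a new treatment. Unmapped references point at the limits of the mapping table rather than at a problem in the register.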
Transition Activities
Review the required documentation
– Do you want to keep your versions of the old mandatory procedures?
– What documents can be retired?
– What new documents are needed?
– New documents may be required based on any new controls selected in your Statement of Applicability
Transition Activities
Potential new documents
– Information security objectives (not Annex A related)
– A.14.2.1 Secure development policy
– A.14.2.5 Secure system engineering principles
– A.15.1.1 Information security policy for supplier relationships
– A.16.1.7 Collection of evidence (a procedure for evidence management)
Transition Activities
Revisit your metrics and measures
– New version has more focus on metrics and measures
– Need to identify what your metrics will be and how you will measure the performance of the ISMS
Only measure that which provides value (information on the performance of the ISMS)
Transition Activities
Need to ensure that you define (this is what clause 9.1 of the 2013 version asks for):
– How things will be measured
– Who monitors/measures
– When it will be done
– Who is going to look at the results
– When this will happen
Additional Workshops
Melbourne – 9th December
Sydney – 10th December
Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ
Certification Considerations
Certification
For new certifications, can choose to certify to the 2005 version until Sept 2014
For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system
Don’t leave it until the last minute; start making the necessary changes as soon as you can
Any questions?