Transitioning to ISO 27001:2013
Transcript
Page 1: Transitioning to iso 27001 2013

Transitioning to ISO 27001:2013

Page 2: Transitioning to iso 27001 2013

Welcome and Introductions – SAI Global

Provides information services and solutions globally to:
– Manage risk
– Achieve compliance
– Drive business improvement

Leading provider of ISO 27001 assurance services in the region

Provides training in understanding, implementing and auditing Information Security Management Systems

Page 3: Transitioning to iso 27001 2013

Introductions – CQR

Largest Australian-owned independent information security consultancy

Experts in the design, implementation and operation of ISMSs based on ISO 27001

Our specialists have assisted in excess of 20 organisations globally through the certification process

CQR has been certified to ISO 27001 for almost 9 years

Page 4: Transitioning to iso 27001 2013

Learning Outcomes

At the end of the session, you will have:
– An understanding of the differences between the 2005 and 2013 versions of ISO/IEC 27001
– Information to allow you to start planning the necessary transition activities

Page 5: Transitioning to iso 27001 2013

Agenda

Brief history of ISO 27001 and 27002

Drivers for updating the standard

Changes to the mandatory clauses
– 2005 – Clauses 4 to 8
– 2013 – Clauses 4 to 10

Key changes to Annex A

Transition Activities

Certification considerations

Q&A

Page 6: Transitioning to iso 27001 2013

The evolution of ISO 27001 revisited

Page 7: Transitioning to iso 27001 2013

ISO 27001 Revisited

Developed from BS 7799 Part 2

First released in 2005 as the core standard in the 27000 family for information security

Supporting standard ISO 27002 renamed from ISO 17799 in 2007

Both standards updated and published in 2013

ISO 27001 is the “auditable” and “certifiable” standard

Page 8: Transitioning to iso 27001 2013

Drivers for the update

Page 9: Transitioning to iso 27001 2013

Why the update?

Experience over the last 2 decades with a large number of organisations globally

The changing landscape (outsourcing, cloud etc.)

To align the standard with key principles within the ISO 31000 risk management standard

Page 10: Transitioning to iso 27001 2013

Why the update?

Driven by the need to align the structure of ALL ISO management systems standards
– Shared language for all non-specific components of the management systems
– Conformance with Annex SL requirements

Page 11: Transitioning to iso 27001 2013

Conceptual Differences

Page 12: Transitioning to iso 27001 2013

Concepts and Context differences

No formal PDCA model any more, as long as continual improvement occurs

Shift to move support of the ISMS to the executive management level (“top management”)

Management of risks has a higher focus than control effectiveness

Now have the concept of “risk owner”

Page 13: Transitioning to iso 27001 2013

Changes to the mandatory clauses

Page 14: Transitioning to iso 27001 2013

Mandatory Clauses – 2005 version

Clauses 0-3 provide background and definitions

Clauses 4-8 provide the mandatory requirements for the ISMS
Clause 4 – Information security management system
Clause 5 – Management responsibility
Clause 6 – Internal ISMS audits
Clause 7 – Management review of the ISMS
Clause 8 – ISMS Improvement

Page 15: Transitioning to iso 27001 2013

Mandatory Clauses – 2013 version

Clauses 0-3 provide background

Clauses 4-10 provide the mandatory requirements for the ISMS
Clause 4 – Context of the organisation
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Clause 8 – Operation
Clause 9 – Performance evaluation
Clause 10 – Improvement

Page 16: Transitioning to iso 27001 2013

Key differences

Need to document motivation and context for operating an ISMS

Requirement to consider interfaces and dependencies with other parties

Need to include external risk sources and outsourced functions
– These must be included in scope

The ISMS Policy has been removed; the standard now only refers to an Information Security Policy

Page 17: Transitioning to iso 27001 2013

Key Differences

Alignment of risk approach to ISO 31000 rather than the current version of ISO 27005

Don’t need to identify assets, threats and vulnerabilities before risk identification

Risk sections now discuss “consequences” not “impact”

Formally requires risk owners to approve the risk treatment plans

Page 18: Transitioning to iso 27001 2013

Key Differences

Preventive action as a concept disappears
– Replaced by “risks and opportunities”

Determination of controls is now part of the risk assessment, not a separate selection process from Annex A

However, still need to validate selected controls against Annex A to verify no necessary controls have been omitted

A Statement of Applicability is still required

Page 19: Transitioning to iso 27001 2013

Key Differences – Mandatory Procedures

2005 had 5 mandatory procedures

2013 has removed the explicit requirement

Still required to control documented information
– Including supporting records

Internal Audit activity is still required but no longer requires a formal procedure

Non-conformity and corrective action must still occur

Explicit preventive action requirement is removed

Page 20: Transitioning to iso 27001 2013

Key Differences – Mandatory Requirements

Management Review changes
– Must occur at planned intervals (used to be at least annually)
– No longer defines specific precise inputs and outputs, but provides a list of topics that need to be considered

Internal Audit
– Statement that auditors shall not audit their own work has been removed
– However, auditors must be objective and impartial

Page 21: Transitioning to iso 27001 2013

Annexure A Changes

Page 22: Transitioning to iso 27001 2013

Annex A

2005 had 133 controls in 11 sections

2013 has 114 controls in 14 sections

Some controls have been removed completely
– E.g. A.12.5.4 Information leakage
– A.11.5.6 Limitation of connection time

Others are combined
– E.g. malicious and mobile code is now Malware (new A.12.2.1)

Some new controls added

My view – the new Annex A is a simplified set of controls that are more easily understood

Page 23: Transitioning to iso 27001 2013

Annex A

Have split Communications and Operations Management (A.10) into two
– A.12 Operations security
– A.13 Communications security

Also now have a separate section (A.10) for Cryptography

Business Continuity section has undergone significant change, focusing on embedding information security into the organisation’s BCMS
– This section also addresses redundant facilities

Page 24: Transitioning to iso 27001 2013

Other Changes

Page 25: Transitioning to iso 27001 2013

Annexures B and C (2005)

Annex B contained the cross reference to the OECD principles
– Also referred to the PDCA model, which has been dropped
– There is no equivalent annexure in the 2013 version

Annex C provided a cross-reference between 27001 and other standards
– Given the revision of the other standards, this section has also been removed with no replacement

Page 26: Transitioning to iso 27001 2013

Transition Activities

Page 27: Transitioning to iso 27001 2013

Transition Activities

Assumption – you have an ISMS in place based on the ISO/IEC 27001:2005 standard
– Equivalent to AS/NZS ISO/IEC 27001:2006

Assumption – Goal is to keep changes to a minimum

Page 28: Transitioning to iso 27001 2013

Transition Activities

Where to start?
– Is a gap analysis worthwhile?
– Yes, but the level of detail will depend on how close your current system already is

You need to have some sort of transition plan, and a gap analysis may help identify tasks

Once you have identified key activities, add them to your current system as improvement opportunities

Page 29: Transitioning to iso 27001 2013

Transition Activities

Document all “interested parties”
– Internal and external

Re-visit your Scope statement
– Make sure you capture the interfaces with third parties and the security requirements around these interfaces

Page 30: Transitioning to iso 27001 2013

Transition Activities

For Management, specifically allocate responsibility for:
– Ensuring the ISMS conforms with the standard
– Reporting on the performance of the ISMS to top management

Capture business objectives and understand how your ISMS can assist in delivering against these (align business and security objectives)

Page 31: Transitioning to iso 27001 2013

Transition Activities

Review your ISMS policy (in 2013, called the Information Security Policy) and simplify if there is value in doing so.
– You can leave it unchanged if it’s working!
– Can add the roles and responsibilities previously discussed in this document if you wish

Page 32: Transitioning to iso 27001 2013

Transition Activities

Review your risk management procedure
– Can simplify by removing the asset-threat-vulnerability approach
– Ensure that you have a process to identify and record “risk owners”

Revisit your risk assessments and get approval of treatments from the risk owners
– Still need a record of acceptance of residual risk

Page 33: Transitioning to iso 27001 2013

Transition Activities

Revisit your Statement of Applicability (SoA)
– Map risks against new Annex A controls
– Just because a control has disappeared from Annex A does not mean you should remove it
– If it still manages a risk, it should still appear in your SoA

Check references in the rest of your system to controls within the SoA (risk register etc.)

Page 34: Transitioning to iso 27001 2013

Transition Activities

Review the required documentation
– Do you want to keep your versions of the old mandatory procedures?
– What documents can be retired?
– What new documents are needed?
– New documents may be required based on any new controls selected in your Statement of Applicability

Page 35: Transitioning to iso 27001 2013

Transition Activities

Potential new documents
– Information security objectives (not Annex A related)
– A.14.2.1 Secure Development Policy
– A.14.2.5 Secure Systems Engineering principles
– A.15.1.1 InfoSec Policy for Supplier Relationships
– A.16.1.7 a procedure for evidence management

Page 36: Transitioning to iso 27001 2013

Transition Activities

Revisit your metrics and measures
– New version has more focus on metrics and measures
– Need to identify what your metrics will be and how you will measure the performance of the ISMS

Only measure that which provides value (information on the performance of the ISMS)

Page 37: Transitioning to iso 27001 2013

Transition Activities

Need to ensure that you define:
– How things will be measured
– Who monitors/measures
– When it will be done
– Who is going to look at the results
– When this will happen

Page 38: Transitioning to iso 27001 2013

Additional Workshops

Melbourne – 9th December

Sydney – 10th December

Further information: www.saiglobal.com or http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000005bAeQ

Page 39: Transitioning to iso 27001 2013

Certification Considerations

Page 40: Transitioning to iso 27001 2013

Certification

For new certifications, can choose to certify to the 2005 version until Sept 2014

For organisations currently certified to the 2005 version, you have until Sept 2015 to transition your system

Don’t leave it until the last minute; start making the necessary changes as soon as you can

Page 41: Transitioning to iso 27001 2013

Any questions?

Page 42: Transitioning to iso 27001 2013

Thanks for your attention

Enjoy your day!

[email protected]