ISO 27002:2013 Version Change Summary

Transcription

1 Information Shield Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category changes between ISO 27002:2005 and the 2013 update. Changes are color coded. Control Category Change Key Control Removed Control Moved or Renamed Control Added (new outline) Change Map Key Minimum Changes to Domain Several key changes to Domain Major changes to Domain Change 2005 Control Category 2013 Control Category LOW 5 SECURITY POLICY 5 IFNORMATION SECURITY POLICIES 5.1 INFORMATION SECURITY POLICY 5.1 Management direction for information security Information security policy document Policies for information security Review of the information security policy Review of the policies for information security MED 6 ORGANIZATION OF INFORMATION SECURITY 6 ORGANIZATION OF INFORMATION SECURITY 6.1 INTERNAL ORGANIZATION 6.1 Internal organization Management commitment to information security (Removed) Information security co-ordination (removed) Allocation of information security responsibilities Information security roles and responsibilities Segregation of duties (moved) Segregation of duties (Moved) Contact with authorities Contact with authorities Contact with special interest groups Contact with special interest groups Independent review of information security (moved) Information security in project management (New)

2 11.7 MOBILE COMPUTING AND TELEWORKING (Moved) 6.2 Mobile devices and teleworking Mobile computing and communications Mobile device policy Teleworking Teleworking LOW 8 Human Resource Security 7 Human Resource Security 8.1 PRIOR TO EMPLOYMENT 7.1 Prior to employment Roles and responsibilities (Removed) Screening Screening Terms and conditions of employment Terms and conditions of employment 8.2 DURING EMPLOYMENT 7.2 During employment Management responsibilities Management responsibilities Information security awareness, education, and training Information security awareness, education and training Disciplinary process Disciplinary process 8.3 TERMINATION OR CHANGE OF EMPLOYMENT 7.3 Termination and change of employment Termination responsibilities Termination or change of employment responsibilities MED 7 Asset Management 8 Asset management 7.1 RESPONSIBILITY FOR ASSETS. 8.1 Responsibility for assets Inventory of assets Inventory of assets Ownership of assets Ownership of assets Acceptable use of assets Acceptable use of assets Return of assets (moved) Return of assets 7.2 INFORMATION CLASSIFICATION 8.2 Information classification Classification guidelines Classification of information Information labeling and handling Labeling of information Handling of assets (New) 10.7 MEDIA HANDLING (Moved) 8.3 Media handling Management of removable media Management of removable media Disposal of media Disposal of media Information handling procedures Physical media transfer Security of system documentation (Removed)

3 HIGH 11 ACCESS CONTROL 9 ACCESS CONTROL 11.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL 9.1 Business requirements of access control Access control policy Access control policy Access to networks and network services 11.2 USER ACCESS MANAGEMENT. 9.2 User access management User registration User registration and de-registration User access provisioning Privilege management Management of privileged access rights User password management (moved) Management of secret authentication information of users Review of user access rights Review of user access rights Removal of access rights (Moved) Removal or adjustment of access rights 11.3 USER RESPONSIBILITIES 9.3 User responsibilities Password use Use of secret authentication information (New) 11.5 OPERATING SYSTEM ACCESS CONTROL 9.4 System and application access control Information access restriction Information access restriction Secure log-on procedures Secure logon procedures User identification and authentication Password management system Password management system Use of system utilities Use of privileged utility programs Access control to program source code (moved) Access control to program source code Session time-out (Removed) Limitation of connection time 11.6 APPLICATION AND INFORMATION ACCESS CONTROL Sensitive system isolation LOW 12.3 CRYPTOGRAPHIC CONTROLS 10 Cryptography (NEW) Policy on the use of cryptographic controls Policy on the use of cryptographic controls Key management Key management LOW 9 PHYSICAL AND ENVIRONMENTAL SECURITY 11 PHYSICAL AND ENVIRONMENTAL SECURITY 9.1 SECURE AREAS 11.1 Secure areas

4 9.1.1 Physical security perimeter Physical security perimeter Physical entry controls Physical entry controls Securing offices, rooms, and facilities Securing offices, rooms and facilities Protecting against external and environmental threats Protecting against external and environ- mental threats Working in secure areas Working in secure areas Public access, delivery, and loading areas Delivery and loading areas 9.2 EQUIPMENT SECURITY 11.2 Equipment Equipment siting and protection Equipment siting and protection Supporting utilities Supporting utilities Cabling security Cabling security Equipment maintenance Equipment maintenance Removal of property (Moved) Removal of assets (moved) Security of equipment off-premises Security of equipment and assets off premises Secure disposal or re-use of equipment Secure disposal or re- use of equipment Unattended user equipment (moved) Unattended user equipment Clear desk and clear screen policy (Moved) Clear desk and clear screen policy HIGH 10. Operations Security 12 Operations security HIGH 10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES 12.1 Operational procedures and responsibilities Documented operating procedures Documented operating procedures Change management Change management Capacity management Capacity management Separation of development, testing and operational Separation of development, test, and operational facilities environments 10.3 SYSTEM PLANNING AND ACCEPTANCE System acceptance 10.4 PROTECTION AGAINST MALICIOUS AND MOBILE CODE 12.2 Protection from malware Controls against malicious code Controls against mal-ware Controls against mobile code (combined) 10.5 BACK-UP 12.3 Backup Information back-up Information backup MONITORING 12.4 Logging and monitoring Audit logging Event logging

5 Monitoring system use (combined) Protection of log information Protection of log information Administrator and operator logs Administrator and operator logs Fault logging (Removed) Clock synchronization Clock synchronisation 12.4 SECURITY OF SYSTEM FILES Control of operational software 12.5 Control of operational software Installation of soft-ware on operational systems 12.6 TECHNICAL VULNERABILITY MANAGEMENT 12.6 Technical vulnerability management Control of technical vulnerabilities Management of technical vulnerabilities Restrictions on software installation 15.3 INFORMATION SYSTEMS AUDIT CONSIDERATIONS (Moved) 12.7 Information systems audit considerations Information systems audit controls Information systems audit controls Protection of information systems audit tools HIGH 11.4 NETWORK ACCESS CONTROL. 13 Communications security Policy on use of network services 13.1 Network security management User authentication for external connections Network controls Equipment identification in networks Security of network services Remote diagnostic and configuration port protection Segregation in networks Segregation in net works Network connection control Network routing control 10.8 EXCHANGE OF INFORMATION (Moved) 13.2 Information transfer Information exchange policies and procedures Information transfer policies and procedures Exchange agreements Agreements on information transfer Physical media in transit (removed) Electronic messaging Electronic messaging Business information systems (removed) Confidentiality or non- disclosure agreements HIGH 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE 14 System acquisition, development and maintenance 12.1 SECURITY REQUIREMENTS OF INFORMATION SYSTEMS 14.1 Security requirements of information systems

6 Security requirements analysis and specification Information security requirements analysis and specification 12.2 CORRECT PROCESSING IN APPLICATIONS (Removed) Securing application services on public networks Input data validation Protecting application services transactions Control of internal processing Message integrity Output data validation 12.4 SECURITY OF SYSTEM FILES (Moved) Control of operational software Access control to program source code 14.2 Security in development and support processes 12.5 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES Secure development policy Change control procedures System change control procedures Technical review of applications after operating system changes Technical review of applications after operating platform changes Restrictions on changes to software packages Restrictions on changes to software packages Information leakage (Removed) Secure system engineering principles Secure development environment Outsourced software development Outsourced development System security testing System acceptance testing 14.3 Test data (New) Protection of system test data Protection of test data MED 6.2 EXTERNAL PARTIES 15 Supplier relationships Identification of risks related to external parties 15.1 Information security in supplier relationships Addressing security when dealing with customers Information security policy for supplier relationships Addressing security in third party agreements Addressing security within supplier agreements Information and communication technology supply chain (New) 10.2 THIRD PARTY SERVICE DELIVERY MANAGEMENT Service delivery 15.2 Supplier service delivery management Monitoring and review of third party services Monitoring and review of supplier services Managing changes to third party services Managing changes to supplier services LOW 13 INFORMATION SECURITY INCIDENT MANAGEMENT 13 INFORMATION SECURITY INCIDENT MANAGEMENT

7 13.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS 16.1 Management of information security incidents and improvements Responsibilities and procedures Responsibilities and Procedures Reporting information security events Reporting information security events Reporting security weaknesses Reporting information security weaknesses Assessment of and decision on information security events 13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES. (new) Response to information security incidents (new) Learning from information security incidents Learning from information security incidents Collection of evidence Collection of evidence MED 14 BUSINESS CONTINUITY MANAGEMENT 14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT Including information security in the business continuity management process 17 Information security aspects of business continuity management 17.1 Information security continuity Business continuity and risk assessment Planning information security continuity Developing and implementing continuity plans including information security Implementing information security continuity Business continuity planning framework Testing, maintaining and re-assessing business continuity plans Verify, review and evaluate information security continuity 17.2 Redundancies (new) Availability of information processing facilities MED 15 COMPLIANCE 15 COMPLIANCE 15.1 COMPLIANCE WITH LEGAL REQUIREMENTS 18.1 Compliance with legal and contractual requirements Identification of applicable legislation and contractual Identification of applicable legislation requirements Intellectual property rights (IPR) Intellectual property Rights Protection of organizational records Protection of records Data protection and privacy of personal information Privacy and protection of personally identifiable information Prevention of misuse of information processing facilities (Removed) Regulation of cryptographic controls Regulation of cryptographic controls 15.2 COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE 18.2 Information security reviews (New)

8 6.1.8 Independent review of information security (moved) Independent review of information security Compliance with security policies and standards Compliance with security policies and standards Technical compliance checking Technical compliance review Color Key Control Removed Control Moved or Renamed Control Added (new outline) Change Key Minimum Changes to Domain Several key changes to Domain Major changes to Domain *Information based on ISO 2700:2013 Security Techniques - Code of practice for information security controls, released in November, 2013 and published by the British Standards Institute (BSI) and ANSI.