What you can expect from the new ISO 27001

Transcription

1 What you can expect from the new ISO Based on the Draft International Standard (DIS) Suzanne Fribbins, EMEA Product Marketing Manager - Risk Copyright 2012 BSI. All rights reserved.

2 Outline Who is BSI? Status report ISO/IEC and 27002: Evolution Global growth in certification The ISO/IEC series Structure of ISO/IEC DIS Key changes Comparing ISO 27001:2005 with the ISO DIS Transition arrangements Copyright 2012 BSI. All rights reserved. 2

3 Who is BSI? Copyright 2012 BSI. All rights reserved. 3

4 ISO/IEC and 27002: Evolution BS 7799: 1995 ISO/IEC 17799:2000 ISO/IEC 17799:2005 ISO/IEC BS :1999 Revised in UK 1999: UK committee decision to submit to ISO fast-track Normal revision cycle in ISO International committee decision to change number 1995 BS : Developed to support 2004: UK Decision certification made to submit to ISO Fast-track ISO/IEC 27001:2005 Copyright 2012 BSI. All rights reserved. 4

5 Status report ISO 27001:2005 has been undergoing revision Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013 Consultation closes 23 March 2013 There is a meeting of the ISO Committee from April 2013 after which resolutions will be issued A second DIS or a Final Draft International Standard (FDIS) will follow Publication is expected toward the end of 2013 Copyright 2012 BSI. All rights reserved. 5

6 Global growth in certification Number of Certificates % 21% 40% Copyright 2012 BSI. All rights reserved. 6

7 The ISO/IEC series Standard ISO/IEC Overview and vocabulary ISO/IEC Information security management systems - Requirements ISO/IEC Code of practice for Information security management ISO/IEC ISMS implementation guidance ISO/IEC Information security management - Measurement ISO/IEC Information security risk management ISO/IEC Guidance to Certification Bodies ISO/IEC Guidelines for ISMS auditing ISO/IEC Guidelines for auditors on information security controls ISO/IEC Guidance for inter-sector and inter-organizational communications ISO/IEC Guidance to telecommunications Published Copyright 2012 BSI. All rights reserved. 7

8 The ISO/IEC series Under development Standard ISO/IEC Guidelines on the integrated implementation of ISO/IEC & ISO ISO/IEC Governance of information security ISO/IEC Information security management guidelines for financial services ISO/IEC Information security management organizational economics ISO/IEC Information security in cloud computing (relevant controls in 27001) ISO/IEC Information security in cloud computing (relevant controls in DP/Privacy) ISO/IEC Guidelines for ICT readiness for business continuity ISO/IEC Guidelines for cyber security ISO/IEC Security Techniques, Network Security (3 part standard) ISO/IEC Guidelines for application security (6 part standard) Published /10/ / Copyright 2012 BSI. All rights reserved. 8

9 The ISO/IEC series Under development Standard ISO/IEC Information security management (3 part standard) ISO/IEC Information security for supplier relationships (4 part standard) ISO/IEC Guidelines for identification, collection, acquisition and presentation of digital evidence ISO/IEC Specification for digital redaction ISO/IEC Selection, deployment and operations of intrusion detection and prevention systems ISO/IEC Storage security ISO/IEC Guidance on assuring suitability and adequacy of investigative measures ISO/IEC Guidelines for the analysis and interpretation of digital evidence ISO/IEC Investigation principles and processes ISO/IEC Guidelines for security information and event management (SIEM) Published 2012 Copyright 2012 BSI. All rights reserved. 9

10 New high level structure ISO has been developed using Annex SL Annex SL is for standards writers and provides a standardised text suitable for all ISO management system standards The new structure of the standard is to become common to all management system standards The intention is to standardise terminology and requirements for fundamental Management System requirements Copyright 2012 BSI. All rights reserved. 10

11 ISO structure PLAN DO CHECK ACT 4 Context of the organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance evaluation 10 Improvement Understanding the organization and its context Leadership and commitment Actions to address risks and opportunities Resources Operational planning and control Monitoring, measurement, analysis and evaluation Nonconformity and corrective action Expectations of interested parties Policy IS objectives and plans to achieve them Competence Information security risk assessment Internal audit Continual improvement Scope of ISMS Org roles, responsibilities and authorities Awareness Information security risk treatment Management review ISMS Communication Documented information Copyright 2012 BSI. All rights reserved. 11

12 Structure of ISO/IEC Clause Description 4.0 Is a component of Plan. It introduces requirements necessary to establish the context of the ISMS as it applies to the organization, as well as needs, requirements, and scope. 5.0 Is a component of Plan. It summarises the requirements specific to top management s role in the ISMS, and how leadership articulates its expectations to the organization via a policy statement. 6.0 Is a component of Plan. It describes requirements as it relates to setting objectives and guiding principles for the ISMS as a whole. Copyright 2012 BSI. All rights reserved. 12

13 Structure of ISO/IEC Clause Description 7.0 Is a component of Plan. It supports ISMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation. 8.0 Is a component of Do. It defines ISMS requirements and determines how to address them, the need to perform information security risk assessments and implement the information security risk treatment plan. 9.0 Is a component of Check. It summarises requirements necessary to measure ISMS performance, ISMS compliance with the International Standard and management s expectations, and seeks feedback from management regarding expectations Is a component of Act. It identifies and acts on ISMS non-conformance through corrective action. Copyright 2012 BSI. All rights reserved. 13

14 Key differences Standard has been written in accordance with Annex SL ISO is no longer a normative reference (section 2) Definitions in 2005 version have been removed and relocated to ISO (section 3) which is now a normative reference There have been changes to the terminology used, e.g. information security policy is used rather than ISMS policy Requirements for Management Commitments have been revised and are presented in the Leadership Clause Preventive action has been replaced with actions to address, risks and opportunities and features earlier in the standard The risk assessment requirements are more general reflecting an alignment of ISO with ISO SOA requirements are similar but with more clarity on the determination of controls by the risk treatment process The new standard puts greater emphasis on setting the objectives, monitoring performance and metrics Copyright 2012 BSI. All rights reserved. 14

15 3. Terms and definitions All of the definitions that were in the 2005 version have been removed Those that are still relevant have been relocated in ISO Intention is to promote consistency of terms and definitions across the suite of ISO standards Copyright 2012 BSI. All rights reserved. 15

16 4. Context of the organization Clause 4 relates to the context of the organization which requires the organization to determine their external and internal issues There is now a clear requirement to consider interested parties This will determine its information security policy and objectives and how it will consider risk and the effect of risk on its business The requirements of interested parties may include legal and regulatory requirements and contractual obligations Copyright 2012 BSI. All rights reserved. 16

17 5. Leadership Clause 5 of the standard summarizes the requirements specific to top management s role in the ISMS The ISO outlines specific ways in which management must demonstrate its commitment to the system. Examples include: ensuring that the resources needed for the information security management system are available communicating the importance of effective information security management and conforming to the ISMS requirements. ISMS policy now referred to as information security policy, however original policy requirements still present Clause 5 contains a requirement that top management ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Copyright 2012 BSI. All rights reserved. 17

18 6. Planning New section relating to establishment of information security objectives and guiding principles for the ISMS as a whole When planning the ISMS, the context of the organization should be taken into account through the consideration of the risks and opportunities The organizations information security objectives must be clearly defined with plans in place to achieve them The risk assessment requirements are more general reflecting an alignment of ISO with ISO The SOA requirements are largely unchanged Copyright 2012 BSI. All rights reserved. 18

19 7. Support Clause 7 details the support required to establish, implement and maintain and continually improve an effective ISMS, including: Resource requirements Competence of people involved Awareness of and communication with interested parties Requirements for document management. The new standard refers to documented information rather than documents and records There is no longer a list of documents you need to provide or particular names they must be given The new revision puts the emphasis on the content rather than the name Copyright 2012 BSI. All rights reserved. 19

20 8. Operation ISO requires that organizations plan and control the operation of their information security requirements. Most importantly this will include: The carrying out of information security risk assessments at planned intervals The implementation of an information security risk treatment plan Copyright 2012 BSI. All rights reserved. 20

21 9. Performance evaluation Internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement The new requirements for measurement of effectiveness are more specific Copyright 2012 BSI. All rights reserved. 21

22 10. Improvement Nonconformities of the ISMS have to be dealt with together with corrective actions to ensure they don t happen again As with all management system standards, continual improvement is a core requirement of the standard Copyright 2012 BSI. All rights reserved. 22

23 Controls Copyright 2012 BSI. All rights reserved. 23

24 Controls in the DIS Number of controls has been reduced from 133 to 113 Existing controls have been deleted or merged and some new controls have been added Some of the retained controls have been re-worded and this will need to be reviewed in more detail after the FDIS has been published Copyright 2012 BSI. All rights reserved. 24

25 Controls that have been deleted in the DIS A Management commitment to information security A Information security coordination A Authorization process for information processing facilities A Identification of risks related to external parties A Addressing security when dealing with customers A Service delivery A Security of system documentation A Monitoring system use A Fault logging A User authentication for external connections A Equipment identification A Remote diagnostic and configuration port protection Copyright 2012 BSI. All rights reserved. 25

26 Controls that have been deleted in the DIS A Remote diagnostic and configuration port protection A Network connection control A Network routing control A Business information systems A Sensitive system isolation A Input data validation A Control of internal processing A Message integrity A Output data validation A Information leakage A Prevention of misuse of information processing facilities A Protection of information systems audit tools Copyright 2012 BSI. All rights reserved. 26

27 New controls proposed in the DIS A Information security in project management A Restrictions on software installation A Secure development policy A System development procedures A Secure development environment A System security testing A Information security policy for supplier relationships A ICT supply chain A Assessment and decision of information security events A Response to information security incidents A Implementing information security continuity A Availability of information processing facilities Copyright 2012 BSI. All rights reserved. 27

28 Likely timeline for revision Scenario Jan Feb Mar Apr May-Jul Aug Sep Oct-Dec Jan-Mar 1. DIS goes straight to publication Public comment Likely publication 2. DIS goes to FDIS ballot Public comment Likely publication 3. DIS goes to second DIS ballot Public comment Likely publication ISO Committee Meeting DIS Draft International Standard FDIS Final Draft International Standard Copyright 2012 BSI. All rights reserved. 28

29 Transition arrangements Transition arrangements will be announced when the new standard is published Transition arrangements in the UK will be determined by UKAS and elsewhere by the national accreditation body A transition period will be set by UKAS (likely one to two years duration) Registrations to the old standard will likely be permitted for a period of time after the new standard has been published, after which only registrations to the new standard will be permitted Copyright 2012 BSI. All rights reserved. 29

30 Transition arrangements Organizations that are certified with BSI to ISO 27001:2005 will be provided with: A transition guideline A transition timescale Widely expected that transitions will be conducted during routine continuing assessment visit (CAV) Copyright 2012 BSI. All rights reserved. 30

31 How you can keep in touch Stay informed Monitor progress of standards Identify committees, work programmes and participants Comment on draft proposals Review draft proposals Submit comments for UK to consider Participate in the work Find out about our products and services Copyright 2012 BSI. All rights reserved. 31

32 Contact us Address: BSI Group Kitemark Court, Davy Avenue, Knowlhill Milton Keynes, MK5 8PP Telephone: +44 (0) Links: Copyright 2012 BSI. All rights reserved. 32

33 Copyright 2012 BSI. All rights reserved. 33