DEKRA Certification ISO 27000:2013 SHAPING THE FUTURE

Transcription

1 DEKRA Certification ISO 27000:2013 SHAPING THE FUTURE Henk Keijzer, 24 september 2013

2 Over DEKRA DEKRA HQ based in Stuttgart, Germany Active in more than 50 countries worldwide Organised in 3 Business Units with 15 specialised Services Lines Generating 1.7 billion euros in sales and employs staff DEKRA Certification BV Based in Arnhem All auditing, certification, testing and inspection activities of the former KEMA Quality are an integral part of the DEKRA Certification Group; This also applies to all related safety, conformity and certification marks, such as KEMA-KEUR Management System Certification portfolio - ISO 9001, ISO 14001, OHSAS 18001, ISO 13485, ISO , ISO 27001, TL 9001, AS 9100, TS HKZ, AHHAP - BRL 6000, BRL 9500, Borg, Toezicht, VCA*, VCA**, VCU,

3 Over ISO/IEC TC JTC1/SC27 IT Security Scope The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as - Security requirements capture methodology; - Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services; - Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information; - Security management support documentation including terminology, guidelines as well as procedures for the registration of security components; - Security aspects of identity management, biometrics and privacy; - Conformance assessment, accreditation and auditing requirements in the area of information security; - Security evaluation criteria and methodology. Working Group 1 gaat over de ISO serie Ongeveer 42 landen zijn lid van de subcommittee Twee bijeenkomsten per jaar

4 ISO series of standards

5 ISO 27000, wat staat er in? Terms and definitions Geen afkortingen en definities meer in ISO27001 en ISO What is an ISMS? An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. Overview and principles Process approach Establishing, monitoring, maintaining and improving an ISMS ISMS critical success factors ISMS family of standards Beschrijft alle documenten van het overzicht:

6 Ontwikkeling ISO Managementsysteem standaards The aim is to enhance the consistency and alignment of ISO management system standards by providing a unifying and agreed high level structure, identical core text and common terms and core definitions The aim being that all ISO management system requirements standards are aligned and the compatibility of these standards is enhanced It is envisaged that individual management systems standard will add additional discipline-specific requirements as required. Eisen voor de opzet van deze High Level Structure zijn vastgelegd in ISO/IEC Directives - Annex SL, (normative) Proposal for management system standards» Appendix 3, (normative) High level structure, identical core text and common terms and core definitions for use in Management Systems Standards

7 FDIS 27001: Introduction 1. Scope 2. Normative references 3. Terms and definitions 4. Context of the organization 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement A. Reference control objectives and controls

8 Common text Directives Annex XL: FDIS Leadership and commitment Top management shall demonstrate leadership and commitment with respect to the XXX management system by ensuring that the XXX policy and XXX objectives are established and are compatible with the strategic direction of the organization ensuring the integration of the XXX management system requirements into the organization s business processes ensuring that the resources needed for the XXX management system are available 5.1 Leadership and commitment Top management shall demonstrate leadership and commitment with respect to the information security management system by: a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; b) ensuring the integration of the information security management system requirements into the organization s processes; c) ensuring that the resources needed for the information security management system are available; d)

9 Belangrijkste wijzigingen 4 Context of the organization 4.1 Understanding the organization and its context 4.2 Understanding the needs and expectations of interested parties 4.3 Determining the scope of the information security management system 4.4 Information security management system 5 Leadership 5.1 Leadership and commitment 5.2 Policy 5.3 Organizational roles, responsibilities and authorities 6 Planning 6.1 Actions to address risks and opportunities General

10 Belangrijkste wijzigingen Information security risk assessment In lijn gebracht met de principes van ISO Define and apply an information security risk assessment process» Criteria for risk acceptance» Criteria for performing risk assessment» Identify risks associated with loss of Confidentiality, Integrity and Availability» Identify risk owners» Assess potential consequences» Assess realistic likelihood» Determine risk levels» Compare with acceptance criteria and Prioritize risks

11 Belangrijkste wijzigingen Information security risk treatment - Define and apply an information security risk treatment process» Select appropriate information security risk treatment options» Determine all controls that are necessary to implement the information security risk treatment option(s) chosen NOTE: Organizations can design controls as required, or identify them from any source» Compare the controls with those in Annex A and verify that no necessary controls have been omitted» Produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A» Formulate an information security risk treatment plan» Obtain risk owners approval of the information security risk treatment plan and acceptance of the residual information security risks

12 Belangrijkste wijzigingen 6.2 Information security objectives and plans to achieve them 7 Support 7.1 Resources 7.2 Competence 7.3 Awareness 7.4 Communication 7.5 Documented information General Creating and updating Control of documented information

13 Belangrijkste wijzigingen 8 Operation 8.1 Operational planning and control 8.2 Information security risk assessment 8.3 Information security risk treatment 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.2 Internal audit 9.3 Management review 10 Improvement 10.1 Nonconformity and corrective action 10.2 Continual improvement

14 Transitie NB HET VOLGENDE ONDER VOORBEHOUD Transitieperiode van 2 jaar Start op de datum van de publicatie van de nieuwe norm In het eerste jaar: - Audits volgens de oude of de nieuwe norm - Upgrade naar nieuwe norm mag, maar hoeft nog niet - Upgrade tijdens surveillance of verlengingsaudit - Certificaten volgens de oude norm zijn geldig tot einde transitieperiode In het tweede jaar: - Audits alleen nog maar volgens de nieuwe norm - Upgrade naar de nieuwe norm moet - Upgrade tijdens surveillance audit of verlengingsaudit Ge-upgrade certificaten hebben dezelfde looptijd als de oorspronkelijke 2005 certificaten

15 Vragen

16 Thank you! Henk Keijzer Lead Auditor Management Systemen Product Expert voor o.a. ISO