
Frank Fransen | 24 September 2013

New version of ISO/IEC 27002


New title: Code of practice for information security controls (previously: Code of practice for information security management)

1 24 september 2013 Frank Fransen

Contents
- Introduction
- What has changed in ISO/IEC FDIS 27002:2013?
- What is the impact of these changes?
- Summary

Slides are in English.

ISO/IEC 27000 family of standards

Terminology
- IS 27000:2012 ISMS Overview and vocabulary (freely available)

Requirements
- IS 27001:2005 Information Security Management System (ISMS) Requirements
- IS 27006:2007 Requirements for bodies providing audit and certification of ISMSs

Guidelines
- IS 27002:2007 Code of practice for info. sec. management
- IS 27003:2010 ISMS implementation guidance
- IS 27004:2009 Info. sec. management measurements
- IS 27005:2011 Information security risk management
- IS 27007:2011 Guidelines for ISMS auditing
- TR 27008:2011 Guidance for auditors on ISMS controls

ISO/IEC 27000 family of standards: status

Terminology
- DIS 27000:2014 ISMS Overview and vocabulary (freely available)

Requirements
- FDIS 27001:2013 Information Security Management System (ISMS) Requirements
- IS 27006:2007 Requirements for bodies providing audit and certification of ISMSs

Guidelines
- FDIS 27002:2013 Code of practice for info. sec. controls (focus of this talk)
- IS 27003:2010 ISMS implementation guidance
- IS 27004:2009 Info. sec. management measurements
- IS 27005:2011 Information security risk management
- IS 27007:2011 Guidelines for ISMS auditing
- TR 27008:2011 Guidance for auditors on ISMS controls

ISO/IEC 27002:2007 Code of practice

- Set of commonly accepted control objectives (39) and best practice controls (133) for information security management
- Description of the controls is structured as follows: Control; Implementation guidance; Other information

11 clauses of ISO/IEC 27002:
5. Security Policy
6. Organizing information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance

ISO/IEC 27002 based sector-specific standards

FDIS 27002:2013 Code of practice for information security controls
- Annex E Principles for sector-specific ISMS standards
- Annex F Template for sector-specific ISMS standards
- WG1 Roadmap

Sector specific guidelines
- IS 27010:2012 inter-sector and inter-organizational communications
- IS 27011:2008 telecommunications (ITU-T X.1051)
- TR 27015:2012 financial services
- 5th WD 27017:201x cloud computing services
- IS 27799:2010 healthcare (NEN 7510)

Revision ISO/IEC 27002

Overview
- More focused on control selection
- New title: Information technology - Security techniques - Code of practice for information security controls (the 2005 title ended in "information security management")
- Lot of changes to control objectives and controls:
  - Text is updated (in particular control objectives, Implementation guidance & Other information)
  - Titles changed
  - Relocation & merging (re-structuring of sections)
  - Removal of outdated ones & introduction of new ones

          Clauses   Control obj.   Controls
2005      11        39             133
FDIS      14        35             114

- General structure of control description remained: Control; Implementation guidance; Other information

More focused on control selection
Some text in ISO/IEC 27002:2005 is closely associated with:
- Guidance on the establishment of an ISMS => also covered in ISO/IEC 27003
- Guidance on security risk management (clause 4) => also covered in ISO/IEC 27005

In the revision the items covered in other 2700x standards are removed.

ISO/IEC FDIS 27002, 0.1 Background and context: "This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s)."

New structure of clauses, control objectives & controls

ISO/IEC 27002:2005
5. Security Policy
6. Organizing information security
7. Asset management
8. Human resources security
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance

ISO/IEC FDIS 27002:2013
5. Security Policy
6. Organizing information security
7. Human resources security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. Systems acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

New structure of clauses, control objectives & controls: clauses of ISO/IEC FDIS 27002:2013 highlighted in this talk
- Clause 6 Organizing information security
- Clauses 12 Operations security & 13 Communications security
- Clause 14 Systems acquisition, development and maintenance

6 Organization of information security (ISO/IEC 27002:2005)
6.1 Internal Organization
6.1.1 Management commitment to information security (e.g. this control was covered by ISO/IEC 27001)
6.1.2 Information security coordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements (moved to 13 Communications security)
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security (moved to 18 Compliance)
6.2 External Parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements (moved to 15 Supplier relationships)

6 Organization of information security (ISO/IEC FDIS 27002)
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy
6.2.2 Teleworking

Compared with clause 6 of ISO/IEC 27002:2005 (previous slide):
- E.g. control 6.1.1 Management commitment to information security was covered by ISO/IEC 27001
- Control 6.1.2 Segregation of duties is from clause 10 Communications and Operations Management
- Controls in 6.2 are from 11 Access Control

Mobile devices and teleworking moved from Clause 11 to 6

ISO/IEC 27002:2005, 11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities. The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.
11.7.1 Mobile computing and communications. Control: A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
11.7.2 Teleworking. Control: A policy, operational plans and procedures should be developed and implemented for teleworking activities.

ISO/IEC FDIS 27002, 6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
6.2.1 Mobile device policy. Control: A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.
6.2.2 Teleworking. Control: A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

12 Operations security & 13 Communications security

ISO/IEC 27002:2005, 10 Communications and Operations Mngt
10.1 Operational procedures and responsibilities
10.2 Third party service delivery management (moved to 15 Supplier relationships)
10.3 System planning and acceptance (moved to 14 System acquisition, development & maintenance)
10.4 Protection against malicious and mobile code
10.5 Back-up
10.6 Network security management
10.7 Media handling (moved to 8 Asset Management)
10.8 Exchange of information
10.9 E-commerce services (moved to 14 System acquisition, development & maintenance; renamed to application services on public networks)
10.10 Monitoring

12 Operations security & 13 Communications security (ISO/IEC FDIS 27002)

The remaining sections of 10 Communications and Operations Mngt of ISO/IEC 27002:2005 (previous slide) are split over two clauses:

12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management (from 12 of ISO/IEC 27002:2005)
12.7 Information systems audit considerations (from 15 of ISO/IEC 27002:2005)

13 Communications security
13.1 Network security management
13.2 Information transfer

14 System acquisition, development and maintenance

ISO/IEC 27002:2005, 12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.2 Correct processing in applications
12.3 Cryptographic controls
12.4 Security of system files
12.5 Security in development and support processes
12.6 Technical Vulnerability Management

ISO/IEC FDIS 27002, 14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.1.1 Information security requirements analysis and specification
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
14.2 Security in development and support processes
14.2.1 Secure development policy
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
14.2.5 Secure system engineering principles
14.2.6 Secure development environment
14.2.7 Outsourced development
14.2.8 System security testing
14.2.9 System acceptance testing
14.3 Test data
14.3.1 Protection of test data

From clause 10 Comm. & Oper. Management of ISO/IEC 27002:2005: 14.1.2 (10.9 E-commerce services, renamed) and 14.2.9 (10.3 System planning and acceptance)

My opinion
- More logical structure for control objectives & controls
- More up-to-date & less trend specific
- More to-the-point

Impact of revision ISO/IEC 27002

For organisations
If ISO/IEC 27002 is used as basis of your Information Security Management, then you will have to choose:
- Still use the old version (not recommended)
- Use other framework (up to you)
- Migrate to new version (recommended; SoA required for ISO/IEC 27001 certification)

Change in ISO/IEC 27002:2013 | Impact
New structure | Update of information security policy documents
Changed controls (obj.) | Review impact of changed text on implemented controls and improve the controls if necessary
Removed controls | Determine if removed controls are implemented and for what risks. Select and implement alternatives
New controls (obj.) | Review risk assessment & risk treatment with the revised ISO/IEC 27002:2013

On other sector-specific guidelines based on ISO/IEC 27002
Sector-specific guidelines that are based on ISO/IEC 27002 will be updated:
- ISO/IEC 27010 (inter-sector and inter-organizational communications)
- ISO/IEC 27011 (telecommunications-sector-specific)
- ISO 27799:2008 (health-sector-specific)
- ISO/IEC TR 27015:2012 (financial services-sector-specific)
- draft ISO/IEC 27017 (cloud computing services) is already based on the new version

National specific standards frameworks based on ISO/IEC 27002:
- NEN 7510:2011
- Baseline Informatiebeveiliging Rijksdienst (BIR) - Tactisch Normenkader (TNK); 2012
- Tactische Baseline Informatiebeveiliging Nederlandse Gemeenten; 2013

Recap
- Updating of text; re-structuring of clauses; relocation, merging, removal of controls; and introduction of new controls
- Expected publication date: November 2013
- Impact on existing use of ISO/IEC 27002:2007

Questions

Frank Fransen +31 (0)88 866 7729 frank.fransen@tno.nl
