Table of contents
Introduction
What has changed in ISO/IEC FDIS 27002:2013?
What is the impact of these changes?
Summary
Slides are in English
Requirements
IS 27001:2005 Information Security Management System (ISMS) Requirements
IS 27006:2007 Requirements for bodies providing audit and certification of ISMSs
Guidelines
IS 27002:2007 Code of practice for information security management
IS 27003:2010 ISMS implementation guidance
IS 27004:2009 Information security management measurements
IS 27005:2011 Information security risk management
IS 27007:2011 Guidelines for ISMSs auditing
TR 27008:2011 Guidance for auditors on ISMS controls
IS 27000:2014
Requirements
FDIS 27001:2013 Information Security Management System (ISMS) Requirements
IS 27006:2007 Requirements for bodies providing audit and certification of ISMSs
Guidelines
IS 27003:2010 ISMS implementation guidance
IS 27004:2009 Information security management measurements
IS 27005:2011 Information security risk management
IS 27007:2011 Guidelines for ISMSs auditing
TR 27008:2011 Guidance for auditors on ISMS controls
Annex E Principles for sector-specific ISMS standards
Annex F Template for sector-specific ISMS standards
IS 27010:2012
IS 27011:2008 telecommunications (ITU-T X.1051)
TR 27015:2012 financial services
IS 27799:2010 healthcare
NEN 7510 healthcare
FDIS: 14 clauses, 35 control objectives, 114 controls
In the revisions the items covered in other 2700x standards are removed.
0.1 Background and context
This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s).
ISO/IEC FDIS 27002
9. Physical and environmental security
10. Communications and operations management
11. Access control
12. Systems acquisition, development and maintenance
13. Information security incident management
14. Business continuity management
15. Compliance

11. Physical and environmental security
12. Operations security
13. Communications security
14. Systems acquisition, development and maintenance
Clause 12 & 13
12. Operations security
13. Communications security
14. Systems acquisition, development and maintenance
Clause 14
6.1.1 Management commitment to information security
6.1.2 Information security coordination
6.1.3 Allocation of information security responsibilities
6.1.4 Authorization process for information processing facilities
6.1.5 Confidentiality agreements (moved to 13 Communications security)
6.1.6 Contact with authorities
6.1.7 Contact with special interest groups
6.1.8 Independent review of information security (moved to 18 Compliance)
6.2 External parties
6.2.1 Identification of risks related to external parties
6.2.2 Addressing security when dealing with customers
6.2.3 Addressing security in third party agreements (moved to 15 Supplier relationships)
ISO/IEC 27002:2005
E.g. control 6.1.1 was covered by ISO/IEC 27001. Control 6.1.2 comes from clause 10 Communications and operations management.
12. Operations security
13. Communications security
More to-the-point
ISO/IEC 27002:2013
New structure
Changed controls (obj.)
Impact
Update the information security policy documents. Review the impact of the changed text on implemented controls and improve the controls where necessary.
Removed controls
New controls (obj.)
Determine whether the removed controls are implemented and for which risks. Select and implement alternatives.
Review risk assessment & risk treatment with the revised ISO/IEC 27002:2013
Recap
Updating of text; re-structuring of clauses; relocation, merging, removal of
Questions