SlideShare una empresa de Scribd logo

27001 2013 iso geek

Descargar como PPT, PDF
O
officialmanager

27001 transition

Internet
1 de 24
LOGO Transition to ISO/IEC 27001:2013 Varinder Kumar Principal Consultant CEHv5, ITIL V3, LA27001, LA9001, CISA, MEPTM
Questions What has changed? What you need to know? Transition timeline? Any other questions?
What has changed?
Structural change Context of the Organization Leadership Planning OperationImprovement Performance Evaluation Support ISO/IEC 27001:2013 Management Responsibility Management Review Establish ISMS Implement ISMS Improve ISMS Monitor ISMS Doc. Req. Internal Audit ISMS Improve ISO/IEC 27001:2005 Mgmt. Review Structure simplified
Highlights of Changes • Structure change is part of harmonization effort from ISO • Annex SL – 10 Mandatory Clauses introduced – no exclusions from Cl 4 to 10 • Better alignment with business objectives • More emphasis on: – Risk management – Planning – Measurement – Communication • The word “documented procedure” is replaced with “documented information” in the body of the standard (4- 10)
Summary of Changes ISO/IEC 27001:2005 •132 “shall” statements (section 4-8) •Annexure A – 11 clauses – 39 categories – 133 controls ISO/IEC 27001:2013 •125 “shall” statements (section 4-10) •Annexure A – 14 clauses – 35 categories – 114 controls Number of requirements reduced
What you need to know?
4.0 Context of the organization 4.3 Determine scope of the ISMS • Internal and external issues • Requirements of interested parties • Interface between organizations 4.4 ISMS 4.1 Understanding the organization and its context • Determine external and internal issues to its purpose and relevant to ISMS • May refer to ISO 31000 Business risks, opportunities 4.2 Understanding the need and expectation of interested parties • Interested parties relevant to ISMS • Requirements relevant to ISMS • Regulatory requirements Interested parties - Customers, Shareholders, Regulatory agencies, Social groups, employees ISMS requirements
Grouping of controls # Clauses A.5 Information security policies A.6 Organization of information security A.7 Human resource security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
New and changed controls A.6 Organization of information security A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. A.6.1.5 Information security in project management Control Information security shall be addressed in project management, regardless of the type of the project. A.6.2 Mobile device and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy Control A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. New Objective expanded Changed Old control A.11.7.1
New and changed controls A.9 Access control A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration Control A formal user registration and de-registration process shall be implemented to enable assignment of access rights. A.9.2.2 User access provisioning Control A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. A.9.2.6 Removal or adjustment of access rights Control The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Changed Old control A.11.2.1 New Changed Old control A. 8.3.3
New and changed controls A.12 Operations security A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems Control Procedures shall be implemented to control the installation of software on operational systems. A.12.6 Technical vulnerability management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.2 Restrictions on software installation Control Rules governing the installation of software by users shall be established and implemented. New New New
New and changed controls A.14 System acquisition, development and maintenance A.14.1 Security requirements of information system Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. A.14.1.2 Securing application services on public networks Control Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. A.14.1.3 Protecting application services transactions Control Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Objective expanded Changed Old control A.10.9.1 Changed Old control A.10.9.2
New and changed controls A.14 System acquisition, development and maintenance A.14.2 Security in development and support process Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy Control Rules for the development of software and systems shall be established and applied to developments within the organization. A.14.2.5 Secure system engineering principles Control Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. A.14.2.6 Secure development environment Control Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. New New New Objective expanded
New and changed controls A.14 System acquisition, development and maintenance A.14.2.8 System security testing Control Testing of security functionality shall be carried out during development. A.14.2.9 System acceptance testing Control Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. New Changed Old control A.10.3.2
16 New and changed controls A.15 Supplier relationship A.15.1 Information security in supplier relationship Objective: To ensure protection of the organization’s assets that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships Control Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. A.15.1.3 Information and communication Technology supply chain Control Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. New New New
New and changed controls A.16 Information security incident management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.4 Assessment of and decision on information security events Control Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.5 Response to information security incidents Control Information security incidents shall be responded to in accordance with the documented procedures. New New Combined A13.1, A13.2
New and changed controls A.17 Information security aspects of business continuity management A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information Processing facilities Control Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. New
Helpful guidelines • ISO/IEC 27002:2013- Code of practice for information security controls • ISO/IEC 27000:2014 – Information security management system overview and vocabulary • ISO 31000:2009 – Risk management principles and guidelines
Transition timeline?
Transition Timeline 1-10-2013 01-01-2014 01-05-2015 30-09-15 ISO/IEC 27001:2013 Released ISO/IEC 27001:2005 Sunset – no new applications accepted Completion of migration to ISO/IEC 27001:2013 Scope extension for 27001:2005 not permitted
Audit Days required for transition • Stage 1 review is required to review readiness. • Audit days required for re-certification audit (per ISO 27006) shall be used. • Organization can upgrade to the new standard during their surveillance audit cycle. • Organizations must plan for their transition audit before August 2015.
Any Questions ?
27001 2013 iso geek

Recomendados

ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
Aureon Proactive Care
Aureon Proactive CareAureon Proactive Care
Aureon Proactive CareMike Wallen
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information securityVijay Sekar
 
Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
Computer system overview
Computer system overviewComputer system overview
Computer system overviewVikrant Singh Parmar
 
Electronic batch manufacturing record
Electronic batch manufacturing recordElectronic batch manufacturing record
Electronic batch manufacturing recordRatan Agarwal
 

Recomendados

ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
Aureon Proactive Care
Aureon Proactive CareAureon Proactive Care
Aureon Proactive CareMike Wallen
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information securityVijay Sekar
 
Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
Computer system overview
Computer system overviewComputer system overview
Computer system overviewVikrant Singh Parmar
 
Electronic batch manufacturing record
Electronic batch manufacturing recordElectronic batch manufacturing record
Electronic batch manufacturing recordRatan Agarwal
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentNicole Gaehle, MSIST
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)Tim Chambers
 
Chapter008
Chapter008Chapter008
Chapter008Jeanie Delos Arcos
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityA. V. Rajabahadur
 
Chapter005
Chapter005Chapter005
Chapter005Jeanie Delos Arcos
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaireNicholas Kaptingei
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistUnvired Inc.
 
Security
SecuritySecurity
Securitya1aass
 
Itauditcl
ItauditclItauditcl
Itauditclankukgoyal
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsYokogawa
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Anand Pandya
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airMrs.Shanaz Akter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasyHelpSystems
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information Systemijsrd.com
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comSonia Singh
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
 
Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014DQS Inc.
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 

Más contenido relacionado

La actualidad más candente

CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentNicole Gaehle, MSIST
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)Tim Chambers
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityA. V. Rajabahadur
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistUnvired Inc.
 
Security
SecuritySecurity
Securitya1aass
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsYokogawa
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Anand Pandya
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airMrs.Shanaz Akter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasyHelpSystems
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information Systemijsrd.com
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comSonia Singh
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 

La actualidad más candente (20)

CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements Document
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)
 
Chapter008
Chapter008Chapter008
Chapter008
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber Security
 
Chapter005
Chapter005Chapter005
Chapter005
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaire
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness Checklist
 
Security
SecuritySecurity
Security
 
Itauditcl
ItauditclItauditcl
Itauditcl
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant Assets
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed air
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made Easy
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information System
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.com
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal Presentation
 

Similar a 27001 2013 iso geek

Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014DQS Inc.
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wpketanaagja
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Yasmin AbdelAziz
 
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfNQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfJhonGIg
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Integrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyIntegrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyCovance
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Jerimi Soma
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
Cybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfCybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfDaveNjoga1
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfNapoleon NV
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013SAIGlobalAssurance
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013SAIGlobalAssurance
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 

Similar a 27001 2013 iso geek (20)

Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wp
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1
 
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfNQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Integrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyIntegrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug Safety
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
Cybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfCybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdf
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcm
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 ChecklistISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 

Último

2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 

Último (20)

2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 

27001 2013 iso geek

  • 1. LOGO Transition to ISO/IEC 27001:2013 Varinder Kumar Principal Consultant CEHv5, ITIL V3, LA27001, LA9001, CISA, MEPTM
  • 2. Questions What has changed? What you need to know? Transition timeline? Any other questions?
  • 4. Structural change Context of the Organization Leadership Planning OperationImprovement Performance Evaluation Support ISO/IEC 27001:2013 Management Responsibility Management Review Establish ISMS Implement ISMS Improve ISMS Monitor ISMS Doc. Req. Internal Audit ISMS Improve ISO/IEC 27001:2005 Mgmt. Review Structure simplified
  • 5. Highlights of Changes • Structure change is part of harmonization effort from ISO • Annex SL – 10 Mandatory Clauses introduced – no exclusions from Cl 4 to 10 • Better alignment with business objectives • More emphasis on: – Risk management – Planning – Measurement – Communication • The word “documented procedure” is replaced with “documented information” in the body of the standard (4- 10)
  • 6. Summary of Changes ISO/IEC 27001:2005 •132 “shall” statements (section 4-8) •Annexure A – 11 clauses – 39 categories – 133 controls ISO/IEC 27001:2013 •125 “shall” statements (section 4-10) •Annexure A – 14 clauses – 35 categories – 114 controls Number of requirements reduced
  • 7. What you need to know?
  • 8. 4.0 Context of the organization 4.3 Determine scope of the ISMS • Internal and external issues • Requirements of interested parties • Interface between organizations 4.4 ISMS 4.1 Understanding the organization and its context • Determine external and internal issues to its purpose and relevant to ISMS • May refer to ISO 31000 Business risks, opportunities 4.2 Understanding the need and expectation of interested parties • Interested parties relevant to ISMS • Requirements relevant to ISMS • Regulatory requirements Interested parties - Customers, Shareholders, Regulatory agencies, Social groups, employees ISMS requirements
  • 9. Grouping of controls # Clauses A.5 Information security policies A.6 Organization of information security A.7 Human resource security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
  • 10. New and changed controls A.6 Organization of information security A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. A.6.1.5 Information security in project management Control Information security shall be addressed in project management, regardless of the type of the project. A.6.2 Mobile device and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy Control A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. New Objective expanded Changed Old control A.11.7.1
  • 11. New and changed controls A.9 Access control A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration Control A formal user registration and de-registration process shall be implemented to enable assignment of access rights. A.9.2.2 User access provisioning Control A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. A.9.2.6 Removal or adjustment of access rights Control The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Changed Old control A.11.2.1 New Changed Old control A. 8.3.3
  • 12. New and changed controls A.12 Operations security A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems Control Procedures shall be implemented to control the installation of software on operational systems. A.12.6 Technical vulnerability management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.2 Restrictions on software installation Control Rules governing the installation of software by users shall be established and implemented. New New New
  • 13. New and changed controls A.14 System acquisition, development and maintenance A.14.1 Security requirements of information system Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. A.14.1.2 Securing application services on public networks Control Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. A.14.1.3 Protecting application services transactions Control Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Objective expanded Changed Old control A.10.9.1 Changed Old control A.10.9.2
  • 14. New and changed controls A.14 System acquisition, development and maintenance A.14.2 Security in development and support process Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy Control Rules for the development of software and systems shall be established and applied to developments within the organization. A.14.2.5 Secure system engineering principles Control Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. A.14.2.6 Secure development environment Control Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. New New New Objective expanded
  • 15. New and changed controls A.14 System acquisition, development and maintenance A.14.2.8 System security testing Control Testing of security functionality shall be carried out during development. A.14.2.9 System acceptance testing Control Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. New Changed Old control A.10.3.2
  • 16. 16 New and changed controls A.15 Supplier relationship A.15.1 Information security in supplier relationship Objective: To ensure protection of the organization’s assets that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships Control Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. A.15.1.3 Information and communication Technology supply chain Control Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. New New New
  • 17. New and changed controls A.16 Information security incident management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.4 Assessment of and decision on information security events Control Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.5 Response to information security incidents Control Information security incidents shall be responded to in accordance with the documented procedures. New New Combined A13.1, A13.2
  • 18. New and changed controls A.17 Information security aspects of business continuity management A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information Processing facilities Control Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. New
  • 19. Helpful guidelines • ISO/IEC 27002:2013- Code of practice for information security controls • ISO/IEC 27000:2014 – Information security management system overview and vocabulary • ISO 31000:2009 – Risk management principles and guidelines
  • 21. Transition Timeline 1-10-2013 01-01-2014 01-05-2015 30-09-15 ISO/IEC 27001:2013 Released ISO/IEC 27001:2005 Sunset – no new applications accepted Completion of migration to ISO/IEC 27001:2013 Scope extension for 27001:2005 not permitted
  • 22. Audit Days required for transition • Stage 1 review is required to review readiness. • Audit days required for re-certification audit (per ISO 27006) shall be used. • Organization can upgrade to the new standard during their surveillance audit cycle. • Organizations must plan for their transition audit before August 2015.