What you can expect from the new ISO 27001
Based on the Draft International Standard (DIS)
Suzanne Fribbins, EMEA Product Marketing Manager - Risk
Copyright © 2012 BSI. All rights reserved.
Outline
• Who is BSI?
• Status report
• ISO/IEC 27001 and 27002: Evolution
• Global growth in certification
• The ISO/IEC 27000 series
• Structure of ISO/IEC 27001 DIS
• Key changes
• Comparing ISO 27001:2005 with the ISO 27001 DIS
• Transition arrangements
Who is BSI?
ISO/IEC 27001 and 27002: Evolution (timeline diagram)
• 1995: BS 7799:1995
• 1999: Revised in UK as BS 7799-1:1999; UK committee decision to submit to ISO fast-track. BS 7799-2:1999 developed to support certification
• 2000: ISO/IEC 17799:2000
• 2004: UK decision made to submit to ISO fast-track
• 2005: ISO/IEC 17799:2005 (normal revision cycle in ISO); ISO/IEC 27001:2005
• 2007: ISO/IEC 27002 (international committee decision to change number)
Status report
• ISO 27001:2005 has been undergoing revision
• Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013
• Consultation closes 23 March 2013
• There is a meeting of the ISO Committee from 22-30 April 2013, after which resolutions will be issued
• A second DIS or a Final Draft International Standard (FDIS) will follow
• Publication is expected toward the end of 2013
Global growth in certification (bar chart: number of certificates per year, 2006 to 2011, y-axis 0 to 20,000, with year-on-year growth labels of 12%, 21% and 40%)
The ISO/IEC 27000 series (standard and year published)
• ISO/IEC 27000 - Overview and vocabulary (published 2012)
• ISO/IEC 27001 - Information security management systems - Requirements (published 2005)
• ISO/IEC 27002 - Code of practice for information security management (published 2005)
• ISO/IEC 27003 - ISMS implementation guidance (published 2010)
• ISO/IEC 27004 - Information security management - Measurement (published 2009)
• ISO/IEC 27005 - Information security risk management (published 2011)
• ISO/IEC 27006 - Guidance to Certification Bodies (published 2011)
• ISO/IEC 27007 - Guidelines for ISMS auditing (published 2011)
• ISO/IEC 27008 - Guidelines for auditors on information security controls (published 2011)
• ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications (published 2012)
• ISO/IEC 27011 - Guidance to telecommunications (published 2008)
The ISO/IEC 27000 series, continued (standard and year published, or under development)
• ISO/IEC 27013 – Guidelines on the integrated implementation of ISO/IEC 27001 & ISO 20000-1 (published 2012)
• ISO/IEC 27014 – Governance of information security (under development)
• ISO/IEC 27015 – Information security management guidelines for financial services (published 2012)
• ISO/IEC 27016 – Information security management – organizational economics (under development)
• ISO/IEC 27017 – Information security in cloud computing (relevant controls in 27001) (under development)
• ISO/IEC 27018 – Information security in cloud computing (relevant controls in 27001 – DP/Privacy) (under development)
• ISO/IEC 27031 - Guidelines for ICT readiness for business continuity (published 2011)
• ISO/IEC 27032 – Guidelines for cyber security (published 2012)
• ISO/IEC 27033 - Security techniques, network security (3 part standard) (published 2009/10/11)
• ISO/IEC 27034 - Guidelines for application security (6 part standard) (published 2011/, remaining parts under development)
The ISO/IEC 27000 series, continued (standard and year published, or under development)
• ISO/IEC 27035 – Information security management (3 part standard) (under development)
• ISO/IEC 27036 – Information security for supplier relationships (4 part standard) (under development)
• ISO/IEC 27037 – Guidelines for identification, collection, acquisition and presentation of digital evidence (published 2012)
• ISO/IEC 27038 – Specification for digital redaction (under development)
• ISO/IEC 27039 – Selection, deployment and operations of intrusion detection and prevention systems (under development)
• ISO/IEC 27040 – Storage security (under development)
• ISO/IEC 27041 – Guidance on assuring suitability and adequacy of investigative measures (under development)
• ISO/IEC 27042 – Guidelines for the analysis and interpretation of digital evidence (under development)
• ISO/IEC 27043 – Investigation principles and processes (under development)
• ISO/IEC 27044 – Guidelines for security information and event management (SIEM) (under development)
New high level structure
• ISO 27001 has been developed using Annex SL
• Annex SL is for standards writers and provides a standardised text suitable for all ISO management system standards
• The new structure of the standard is to become common to all management system standards
• The intention is to standardise terminology and requirements for fundamental management system requirements
ISO 27001 structure (diagram: clauses 4 to 10 mapped onto Plan-Do-Check-Act, with the sub-clauses under each)
PLAN
• 4 Context of the organization: understanding the organization and its context; expectations of interested parties; scope of ISMS; ISMS
• 5 Leadership: leadership and commitment; policy; org roles, responsibilities and authorities
• 6 Planning: actions to address risks and opportunities; IS objectives and plans to achieve them
• 7 Support: resources; competence; awareness; communication; documented information
DO
• 8 Operation: operational planning and control; information security risk assessment; information security risk treatment
CHECK
• 9 Performance evaluation: monitoring, measurement, analysis and evaluation; internal audit; management review
ACT
• 10 Improvement: nonconformity and corrective action; continual improvement
Structure of ISO/IEC 27001 (clause and description)
• Clause 4.0: Is a component of Plan. It introduces the requirements necessary to establish the context of the ISMS as it applies to the organization, as well as needs, requirements and scope.
• Clause 5.0: Is a component of Plan. It summarises the requirements specific to top management’s role in the ISMS, and how leadership articulates its expectations to the organization via a policy statement.
• Clause 6.0: Is a component of Plan. It describes the requirements as they relate to setting objectives and guiding principles for the ISMS as a whole.
• Clause 7.0: Is a component of Plan. It supports ISMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining the required documentation.
• Clause 8.0: Is a component of Do. It defines the ISMS operational requirements and how to address them, including the need to perform information security risk assessments and to implement the information security risk treatment plan.
• Clause 9.0: Is a component of Check. It summarises the requirements necessary to measure ISMS performance and ISMS compliance with the International Standard and with management’s expectations, and seeks feedback from management regarding those expectations.
• Clause 10.0: Is a component of Act. It identifies and acts on ISMS non-conformance through corrective action.
Key differences
• The standard has been written in accordance with Annex SL
• ISO 27002 is no longer a normative reference (section 2)
• The definitions in the 2005 version have been removed and relocated to ISO 27000 (section 3), which is now a normative reference
• There have been changes to the terminology used, e.g. "information security policy" is used rather than "ISMS policy"
• The requirements for management commitment have been revised and are presented in the Leadership clause
• Preventive action has been replaced with “actions to address risks and opportunities” and features earlier in the standard
• The risk assessment requirements are more general, reflecting an alignment of ISO 27001 with ISO 31000
• The SOA (Statement of Applicability) requirements are similar, but with more clarity on the determination of controls by the risk treatment process
• The new standard puts greater emphasis on setting objectives, monitoring performance and metrics
3. Terms and definitions
• All of the definitions that were in the 2005 version have been removed
• Those that are still relevant have been relocated to ISO 27000
• The intention is to promote consistency of terms and definitions across the suite of ISO 27000 standards
4. Context of the organization
• Clause 4 relates to the context of the organization, which requires the organization to determine its external and internal issues
• There is now a clear requirement to consider interested parties
• This will determine the organization's information security policy and objectives, and how it will consider risk and the effect of risk on its business
• The requirements of interested parties may include legal and regulatory requirements and contractual obligations
5. Leadership
• Clause 5 of the standard summarizes the requirements specific to top management’s role in the ISMS
• The standard outlines specific ways in which management must demonstrate its commitment to the system. Examples include:
  • ensuring that the resources needed for the information security management system are available
  • communicating the importance of effective information security management and of conforming to the ISMS requirements
• The ISMS policy is now referred to as the information security policy; however, the original policy requirements are still present
• Clause 5 contains a requirement that top management ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated
6. Planning
• New section relating to the establishment of information security objectives and guiding principles for the ISMS as a whole
• When planning the ISMS, the context of the organization should be taken into account through the consideration of risks and opportunities
• The organization's information security objectives must be clearly defined, with plans in place to achieve them
• The risk assessment requirements are more general, reflecting an alignment of ISO 27001 with ISO 31000
• The SOA requirements are largely unchanged
7. Support
• Clause 7 details the support required to establish, implement, maintain and continually improve an effective ISMS, including:
  • Resource requirements
  • Competence of people involved
  • Awareness of and communication with interested parties
  • Requirements for document management
• The new standard refers to “documented information” rather than “documents and records”
• There is no longer a list of documents you need to provide or particular names they must be given
• The new revision puts the emphasis on the content rather than the name
8. Operation
• ISO 27001 requires that organizations plan and control the operation of their information security requirements
• Most importantly, this will include:
  • The carrying out of information security risk assessments at planned intervals
  • The implementation of an information security risk treatment plan
9. Performance evaluation
• Internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement
• The new requirements for measurement of effectiveness are more specific
10. Improvement
• Nonconformities of the ISMS have to be dealt with, together with corrective actions to ensure they don’t happen again
• As with all management system standards, continual improvement is a core requirement of the standard
Controls
Controls in the DIS
• The number of controls has been reduced from 133 to 113
• Existing controls have been deleted or merged and some new controls have been added
• Some of the retained controls have been re-worded, and this will need to be reviewed in more detail after the FDIS has been published
Controls that have been deleted in the DIS
• A.6.1.1 Management commitment to information security
• A.6.1.2 Information security coordination
• A.6.1.4 Authorization process for information processing facilities
• A.6.2.1 Identification of risks related to external parties
• A.6.2.2 Addressing security when dealing with customers
• A.10.2.1 Service delivery
• A.10.7.4 Security of system documentation
• A.10.10.2 Monitoring system use
• A.10.10.5 Fault logging
• A.11.4.2 User authentication for external connections
• A.11.4.3 Equipment identification
• A.11.4.4 Remote diagnostic and configuration port protection
• A.11.4.6 Network connection control
• A.11.4.7 Network routing control
• A.10.8.5 Business information systems
• A.11.6.2 Sensitive system isolation
• A.12.2.1 Input data validation
• A.12.2.2 Control of internal processing
• A.12.2.3 Message integrity
• A.12.2.4 Output data validation
• A.12.5.4 Information leakage
• A.15.1.5 Prevention of misuse of information processing facilities
• A.15.3.2 Protection of information systems audit tools
New controls proposed in the DIS
• A.6.1.4 Information security in project management
• A.12.6.2 Restrictions on software installation
• A.14.2.1 Secure development policy
• A.14.2.5 System development procedures
• A.14.2.6 Secure development environment
• A.14.2.8 System security testing
• A.15.1.1 Information security policy for supplier relationships
• A.15.1.3 ICT supply chain
• A.16.1.4 Assessment and decision of information security events
• A.16.1.5 Response to information security incidents
• A.17.1.2 Implementing information security continuity
• A.17.2.1 Availability of information processing facilities
Likely timeline for revision (chart; columns Jan, Feb, Mar, Apr, May-Jul, Aug, Sep, Oct-Dec, Jan-Mar; the ISO Committee Meeting is shared by all three scenarios)
• Scenario 1. DIS goes straight to publication: public comment, ISO Committee Meeting, likely publication
• Scenario 2. DIS goes to FDIS ballot: public comment, ISO Committee Meeting, likely publication
• Scenario 3. DIS goes to second DIS ballot: public comment, ISO Committee Meeting, likely publication
DIS – Draft International Standard; FDIS – Final Draft International Standard
Transition arrangements
• Transition arrangements will be announced when the new standard is published
• Transition arrangements in the UK will be determined by UKAS and elsewhere by the national accreditation body
• A transition period will be set by UKAS (likely one to two years duration)
• Registrations to the old standard will likely be permitted for a period of time after the new standard has been published, after which only registrations to the new standard will be permitted
Transition arrangements, continued
• Organizations that are certified with BSI to ISO 27001:2005 will be provided with:
  • A transition guideline
  • A transition timescale
• It is widely expected that transitions will be conducted during a routine continuing assessment visit (CAV)
How you can keep in touch
• Stay informed
  • Monitor progress of standards
  • Identify committees, work programmes and participants
  • http://standardsdevelopment.bsigroup.com/
• Comment on draft proposals
  • Review draft proposals
  • Submit comments for the UK to consider
  • http://drafts.bsigroup.com/
• Participate in the work
  • [email protected]
• Find out about our products and services
  • http://www.bsigroup.com
Contact us
Address: BSI Group, Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes, MK5 8PP
Telephone: +44 (0)845 080 9000
Email: [email protected]
Links: www.bsigroup.com