What you can expect from the new ISO 27001

Based on the Draft International Standard (DIS)
Suzanne Fribbins, EMEA Product Marketing Manager - Risk

Copyright © 2012 BSI. All rights reserved.

Outline
• Who is BSI?
• Status report
• ISO/IEC 27001 and 27002: Evolution
• Global growth in certification
• The ISO/IEC 27000 series
• Structure of ISO/IEC 27001 DIS
• Key changes
• Comparing ISO 27001:2005 with the ISO 27001 DIS
• Transition arrangements


Who is BSI?


ISO/IEC 27001 and 27002: Evolution
[Timeline diagram spanning 1995, 2000, 2005 and 2007; text recovered from the slide:]
• BS 7799:1995 -> revised in UK -> BS 7799-1:1999 -> 1999: UK committee decision to submit to ISO fast-track -> ISO/IEC 17799:2000 -> normal revision cycle in ISO -> ISO/IEC 17799:2005 -> international committee decision to change number -> ISO/IEC 27002 (2007)
• BS 7799-2:1999, developed to support certification -> 2004: UK decision made to submit to ISO fast-track -> ISO/IEC 27001:2005

Status report
• ISO 27001:2005 has been undergoing revision
• Draft International Standard (DIS) released to the National Standards Bodies on 16 January 2013
• Consultation closes 23 March 2013
• There is a meeting of the ISO Committee from 22-30 April 2013, after which resolutions will be issued
• A second DIS or a Final Draft International Standard (FDIS) will follow
• Publication is expected toward the end of 2013


Global growth in certification
[Bar chart: number of certificates per year, 2006 to 2011, y-axis 0 to 20,000; growth annotations of 12%, 21% and 40%]

The ISO/IEC 27000 series
Standard | Published (or under development)
ISO/IEC 27000 - Overview and vocabulary | 2012
ISO/IEC 27001 - Information security management systems - Requirements | 2005
ISO/IEC 27002 - Code of practice for information security management | 2005
ISO/IEC 27003 - ISMS implementation guidance | 2010
ISO/IEC 27004 - Information security management - Measurement | 2009
ISO/IEC 27005 - Information security risk management | 2011
ISO/IEC 27006 - Guidance to certification bodies | 2011
ISO/IEC 27007 - Guidelines for ISMS auditing | 2011
ISO/IEC 27008 - Guidelines for auditors on information security controls | 2011
ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications | 2012
ISO/IEC 27011 - Guidance to telecommunications | 2008
ISO/IEC 27013 - Guidelines on the integrated implementation of ISO/IEC 27001 & ISO 20000-1 | 2012
ISO/IEC 27014 - Governance of information security | under development
ISO/IEC 27015 - Information security management guidelines for financial services | 2012
ISO/IEC 27016 - Information security management - organizational economics | under development
ISO/IEC 27017 - Information security in cloud computing (relevant controls in 27001) | under development
ISO/IEC 27018 - Information security in cloud computing (relevant controls in 27001 - DP/Privacy) | under development
ISO/IEC 27031 - Guidelines for ICT readiness for business continuity | 2011
ISO/IEC 27032 - Guidelines for cyber security | 2012
ISO/IEC 27033 - Security techniques, network security (3 part standard) | 2009/10/11
ISO/IEC 27034 - Guidelines for application security (6 part standard) | 2011/
ISO/IEC 27035 - Information security management (3 part standard) | under development
ISO/IEC 27036 - Information security for supplier relationships (4 part standard) | under development
ISO/IEC 27037 - Guidelines for identification, collection, acquisition and presentation of digital evidence | 2012
ISO/IEC 27038 - Specification for digital redaction | under development
ISO/IEC 27039 - Selection, deployment and operations of intrusion detection and prevention systems | under development
ISO/IEC 27040 - Storage security | under development
ISO/IEC 27041 - Guidance on assuring suitability and adequacy of investigative measures | under development
ISO/IEC 27042 - Guidelines for the analysis and interpretation of digital evidence | under development
ISO/IEC 27043 - Investigation principles and processes | under development
ISO/IEC 27044 - Guidelines for security information and event management (SIEM) | under development

New high level structure
• ISO 27001 has been developed using Annex SL
• Annex SL is for standards writers and provides a standardised text suitable for all ISO management system standards
• The new structure of the standard is to become common to all management system standards
• The intention is to standardise terminology and requirements for fundamental management system requirements


ISO 27001 structure
[Plan-Do-Check-Act diagram; clauses and their sub-topics recovered from the slide:]
PLAN
• 4 Context of the organization: Understanding the organization and its context; Expectations of interested parties; Scope of ISMS; ISMS
• 5 Leadership: Leadership and commitment; Policy; Org roles, responsibilities and authorities
• 6 Planning: Actions to address risks and opportunities; IS objectives and plans to achieve them
• 7 Support: Resources; Competence; Awareness; Communication; Documented information
DO
• 8 Operation: Operational planning and control; Information security risk assessment; Information security risk treatment
CHECK
• 9 Performance evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review
ACT
• 10 Improvement: Nonconformity and corrective action; Continual improvement

Structure of ISO/IEC 27001
Clause 4.0 - Is a component of Plan. It introduces the requirements necessary to establish the context of the ISMS as it applies to the organization, as well as needs, requirements and scope.
Clause 5.0 - Is a component of Plan. It summarises the requirements specific to top management's role in the ISMS, and how leadership articulates its expectations to the organization via a policy statement.
Clause 6.0 - Is a component of Plan. It describes the requirements relating to setting objectives and guiding principles for the ISMS as a whole.
Clause 7.0 - Is a component of Plan. It supports ISMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.
Clause 8.0 - Is a component of Do. It defines ISMS requirements and determines how to address them, the need to perform information security risk assessments and implement the information security risk treatment plan.
Clause 9.0 - Is a component of Check. It summarises the requirements necessary to measure ISMS performance, ISMS compliance with the International Standard and management's expectations, and seeks feedback from management regarding expectations.
Clause 10.0 - Is a component of Act. It identifies and acts on ISMS non-conformance through corrective action.

Key differences
• Standard has been written in accordance with Annex SL
• ISO 27002 is no longer a normative reference (section 2)
• Definitions in the 2005 version have been removed and relocated to ISO 27000 (section 3), which is now a normative reference
• There have been changes to the terminology used, e.g. "information security policy" is used rather than "ISMS policy"
• Requirements for management commitment have been revised and are presented in the Leadership clause
• Preventive action has been replaced with "actions to address risks and opportunities" and features earlier in the standard
• The risk assessment requirements are more general, reflecting an alignment of ISO 27001 with ISO 31000
• SOA requirements are similar but with more clarity on the determination of controls by the risk treatment process
• The new standard puts greater emphasis on setting the objectives, monitoring performance and metrics

3. Terms and definitions
• All of the definitions that were in the 2005 version have been removed
• Those that are still relevant have been relocated in ISO 27000
• The intention is to promote consistency of terms and definitions across the suite of ISO 27000 standards

4. Context of the organization
• Clause 4 relates to the context of the organization, which requires the organization to determine its external and internal issues
• There is now a clear requirement to consider interested parties
• This will determine its information security policy and objectives and how it will consider risk and the effect of risk on its business
• The requirements of interested parties may include legal and regulatory requirements and contractual obligations

5. Leadership
• Clause 5 of the standard summarizes the requirements specific to top management's role in the ISMS
• The standard outlines specific ways in which management must demonstrate its commitment to the system. Examples include:
  • ensuring that the resources needed for the information security management system are available
  • communicating the importance of effective information security management and of conforming to the ISMS requirements
• ISMS policy is now referred to as information security policy; however, the original policy requirements are still present
• Clause 5 contains a requirement that top management ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated

6. Planning
• New section relating to the establishment of information security objectives and guiding principles for the ISMS as a whole
• When planning the ISMS, the context of the organization should be taken into account through the consideration of risks and opportunities
• The organization's information security objectives must be clearly defined, with plans in place to achieve them
• The risk assessment requirements are more general, reflecting an alignment of ISO 27001 with ISO 31000
• The SOA requirements are largely unchanged

7. Support
• Clause 7 details the support required to establish, implement, maintain and continually improve an effective ISMS, including:
  • Resource requirements
  • Competence of people involved
  • Awareness of and communication with interested parties
  • Requirements for document management
• The new standard refers to "documented information" rather than "documents and records"
• There is no longer a list of documents you need to provide or particular names they must be given
• The new revision puts the emphasis on the content rather than the name

8. Operation
• ISO 27001 requires that organizations plan and control the operation of their information security requirements
• Most importantly this will include:
  • The carrying out of information security risk assessments at planned intervals
  • The implementation of an information security risk treatment plan

9. Performance evaluation
• Internal audits and management review continue to be key methods of reviewing the performance of the ISMS and tools for its continual improvement
• The new requirements for measurement of effectiveness are more specific

10. Improvement
• Nonconformities of the ISMS have to be dealt with, together with corrective actions to ensure they don't happen again
• As with all management system standards, continual improvement is a core requirement of the standard

Controls


Controls in the DIS
• Number of controls has been reduced from 133 to 113
• Existing controls have been deleted or merged and some new controls have been added
• Some of the retained controls have been re-worded, and this will need to be reviewed in more detail after the FDIS has been published

Controls that have been deleted in the DIS
• A.6.1.1 Management commitment to information security
• A.6.1.2 Information security coordination
• A.6.1.4 Authorization process for information processing facilities
• A.6.2.1 Identification of risks related to external parties
• A.6.2.2 Addressing security when dealing with customers
• A.10.2.1 Service delivery
• A.10.7.4 Security of system documentation
• A.10.10.2 Monitoring system use
• A.10.10.5 Fault logging
• A.11.4.2 User authentication for external connections
• A.11.4.3 Equipment identification
• A.11.4.4 Remote diagnostic and configuration port protection
• A.11.4.6 Network connection control
• A.11.4.7 Network routing control
• A.10.8.5 Business information systems
• A.11.6.2 Sensitive system isolation
• A.12.2.1 Input data validation
• A.12.2.2 Control of internal processing
• A.12.2.3 Message integrity
• A.12.2.4 Output data validation
• A.12.5.4 Information leakage
• A.15.1.5 Prevention of misuse of information processing facilities
• A.15.3.2 Protection of information systems audit tools

New controls proposed in the DIS
• A.6.1.4 Information security in project management
• A.12.6.2 Restrictions on software installation
• A.14.2.1 Secure development policy
• A.14.2.5 System development procedures
• A.14.2.6 Secure development environment
• A.14.2.8 System security testing
• A.15.1.1 Information security policy for supplier relationships
• A.15.1.3 ICT supply chain
• A.16.1.4 Assessment and decision of information security events
• A.16.1.5 Response to information security incidents
• A.17.1.2 Implementing information security continuity
• A.17.2.1 Availability of information processing facilities

Likely timeline for revision
[Timeline chart: columns Jan, Feb, Mar, Apr, May-Jul, Aug, Sep, Oct-Dec, Jan-Mar; each scenario shows a public comment period, the ISO Committee Meeting and a likely publication slot]
1. DIS goes straight to publication
2. DIS goes to FDIS ballot
3. DIS goes to second DIS ballot
DIS – Draft International Standard
FDIS – Final Draft International Standard

Transition arrangements
• Transition arrangements will be announced when the new standard is published
• Transition arrangements in the UK will be determined by UKAS and elsewhere by the national accreditation body
• A transition period will be set by UKAS (likely one to two years duration)
• Registrations to the old standard will likely be permitted for a period of time after the new standard has been published, after which only registrations to the new standard will be permitted

Transition arrangements
• Organizations that are certified with BSI to ISO 27001:2005 will be provided with:
  • A transition guideline
  • A transition timescale
• It is widely expected that transitions will be conducted during the routine continuing assessment visit (CAV)

How you can keep in touch
• Stay informed
  • Monitor progress of standards
  • Identify committees, work programmes and participants
  • http://standardsdevelopment.bsigroup.com/
• Comment on draft proposals
  • Review draft proposals
  • Submit comments for UK to consider
  • http://drafts.bsigroup.com/
• Participate in the work
  • [email protected]
• Find out about our products and services
  • http://www.bsigroup.com

Contact us
Address: BSI Group, Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes, MK5 8PP
Telephone: +44 (0)845 080 9000
Email: [email protected]
Links: www.bsigroup.com