Wednesday, October 29, 2014

Changes to ISO 27001: What's new in the 2013 ISO 27001 update?



ISO/IEC 27001:2013 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint subcommittee (ISO/IEC JTC 1/SC 27). It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
ISO/IEC 27001:2013 replaced ISO/IEC 27001:2005. The significant changes are summarised below:

Section 4: Context of the Organization
·         More emphasis on the internal and external issues that affect the organization's ability to achieve the intended outcomes of its ISMS and its information security objectives

Section 5: Leadership

·         More rigorous expectations of top management, with explicit leadership and commitment requirements
·         Top management must ensure that the ISMS requirements are integrated into the organization's business processes across its various functions

Section 8: Operations

·         Risk assessment simplified and aligned with ISO 31000 (risk management)
·         Risks can now be identified at the level of processes, technology, etc.; the 2005 requirement to derive every risk from an asset, threat and vulnerability mapping no longer applies, although that method remains permissible

General Changes

·         More emphasis on measuring and evaluating how well the organisation's ISMS is performing (Section 9: Performance evaluation)
·         Preventive action is no longer a separate requirement; it is now part of the PLAN phase and integrated with the information security risk assessment
·         Controls in Annex A have been revised to reflect the changing threat landscape, duplications have been removed and the controls are better grouped (114 controls in 14 sections, down from 133 in 11)
·         Cryptography now has its own section in Annex A (A.10)
·         More emphasis on outsourcing, hence a new Annex A section on supplier relationships (A.15)


Annex A – New Controls (not present in the 2005 edition)

A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities



ISO 27001:2013 – Bird's-Eye View


Image Courtesy: www.bsigroup.com




