Friday, June 20, 2014

ISO 27001 : 2013 Changes

A comparison of the 2005 and 2013 editions of ISO/IEC 27001, item by item.

1. Annex A control count
   2005: 133 controls
   2013: 114 controls. Eleven of them are new:
   • A.6.1.5 Information security in project management
   • A.12.6.2 Restrictions on software installation
   • A.14.2.1 Secure development policy
   • A.14.2.5 Secure system engineering principles
   • A.14.2.6 Secure development environment
   • A.14.2.8 System security testing
   • A.15.1.1 Information security policy for supplier relationships
   • A.15.1.3 Information and communication technology supply chain
   • A.16.1.4 Assessment of and decision on information security events
   • A.16.1.5 Response to information security incidents
   • A.17.2.1 Availability of information processing facilities

2. Annex A control clauses (domains)
   2005: 11 clauses (A.5 to A.15)
   2013: 14 clauses (A.5 to A.18)

3. Main-body requirement clauses
   2005: five clauses
   · 4 Information security management system
   · 5 Management responsibility
   · 6 Internal ISMS audits
   · 7 Management review of the ISMS
   · 8 ISMS improvement
   2013: seven clauses
   · 4 Context of the organization
   · 5 Leadership
   · 6 Planning
   · 7 Support
   · 8 Operation
   · 9 Performance evaluation
   · 10 Improvement

4. Structure
   2005: its own, non-standard format
   2013: Annex SL high-level structure shared by all ISO management system standards (easier integration with ISO 9001, ISO 20000 etc.)

5. Process approach
   2005: explicitly process based
   2013: no explicit process-approach requirement

6. Improvement model
   2005: structured around the PDCA (Deming) cycle
   2013: PDCA is no longer mandated; any continual-improvement model may be used

7. Preventive action
   2005: separate "preventive action" requirement (clause 8.3)
   2013: "preventive action" removed; the need is covered by risk assessment and risk treatment

8. Documentation terminology
   2005: distinguishes "documents" and "records"
   2013: single term "documented information"

9. Risk management
   2005: prescribes an asset / threat / vulnerability based risk assessment (predates ISO 31000)
   2013: aligned with ISO 31000:2009; no particular risk assessment method is mandated

10. Control selection
   2005: "control objectives and controls from Annex A shall be selected and implemented"
   2013: determine the controls necessary to treat the risks (from any source), compare them with Annex A to verify nothing has been omitted, and "produce a Statement of Applicability (SoA)" that lists the necessary controls

11. Annexes
   2005: Annex A, B and C
   2013: Annex A only

12. Ownership
   2005: uses the term "asset owner"
   2013: introduces the important new term "risk owner"

13. Internal audit documentation
   2005: requires a documented internal audit procedure
   2013: no documented procedure is required, but the audit programme and the audit results must be retained as documented information


Friday, June 13, 2014

Information security quotes for awareness

• "Security has a group ownership -- not individual ownership" ... G.R
• "Tech savvy does not mean -- security conscious"
• "Technology cannot replace good security habits"
• "The simpler and more elegant the solution -- the better the security"
• "Money can buy security products -- but not security" ... G.R
• "Security is not a product -- it is a process" ... Bruce Schneier
• "We will forgive the breach -- but not the silence"
• "If you want PRIVACY -- then maintain a private posture and not a public posture"
• "High security means -- right awareness" ... G.R
• "The best medicine for security diseases is -- a high dosage of awareness" ... G.R
• "Technology is just a security enabler -- not a security ensurer" ... G.R
• "Trust can be absolute -- but security cannot be absolute" ... G.R
• "Stop - Read - and Click" ... G.R
• "Technology alone may not protect you better -- but awareness about the correct usage of technology may protect you better" ... G.R