Friday, June 20, 2014

ISO 27001:2013 Changes


ISO 27001:2005 | ISO 27001:2013
--- | ---
Annex A: has 133 controls | Annex A: has 114 controls (11 new controls, listed below)
Annex A: 11 control objectives | Annex A: 14 control objectives (A.5 to A.18)
Five implementation sections: 4 ISMS; 5 Management responsibility; 6 Internal ISMS audits; 7 Management review of the ISMS; 8 ISMS improvement | Seven implementation sections: 4 Context; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Evaluation; 10 Improvement
Non-standard format | Annex SL format (the common structure for management system standards)
Process-based approach | Not process-based
Structured around the PDCA (Deming) cycle | No emphasis on the PDCA cycle
Separate class of 'Preventive' controls | 'Preventive' controls removed
Requires 'Documents' and 'Records' | Instead requires 'Documented information'
 | Parts derived from ISO 31000:2009 (risk management)
'Control objectives and controls from Annex A shall be selected and implemented' | 'Produce a "Statement of Applicability (SoA)" that contains the necessary controls'
Has Annex A, B and C | Has Annex A only
 | New important term: 'Risk owner'
Emphasis on documentation of internal audits | No need to document internal audit

11 new controls in ISO 27001:2013 Annex A:
  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities

Friday, June 13, 2014

Information security quotes for awareness

  • "Security has a group ownership -- not individual ownership" ... G.R
  • "Tech savvy does not mean -- security conscious"
  • "Technology cannot replace good security habits"
  • "Simple and elegant the solutions -- better is the security"
  • "Money can buy security products -- but not security" ... G.R
  • "Security is not a product -- it is a process" ... Bruce Schneier
  • "We will forgive the breach -- but not the silence"
  • "If you want PRIVACY -- then maintain a private posture and not a public posture"
  • "High security means -- right awareness" ... G.R
  • "Best medicine for security diseases is -- a high dosage of awareness" ... G.R
  • "Technology is just a security enabler -- not a security ensurer" ... G.R
  • "Trust can be absolute -- but security cannot be absolute" ... G.R
  • "Stop - Read and Click" ... G.R
  • "Technology alone may not protect you better -- but awareness about the correct usage of technology may protect you better" ... G.R