Friday, June 20, 2014

ISO 27001 : 2013 Changes

| # | ISO 27001:2005 | ISO 27001:2013 |
|---|----------------|----------------|
| 1 | Annex A has 133 controls | Annex A has 114 controls (11 new controls, listed below) |
| 2 | Annex A: 11 control objectives | Annex A: 14 control objectives (A.5 to A.18) |
| 3 | Five implementation sections: 4 ISMS; 5 Management responsibility; 6 Internal ISMS audits; 7 Management review of the ISMS; 8 ISMS improvement | Seven implementation sections: 4 Context; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Evaluation; 10 Improvement |
| 4 | Non-standard format | Annex SL format (management system standard structure) |
| 5 | Process-based approach | Not process-based |
| 6 | Structured around the PDCA (Deming) cycle | No emphasis on the PDCA cycle |
| 8 | Separate class of 'Preventive' controls | 'Preventive' controls removed |
| 9 | Requires 'Documents' and 'Records' | Instead requires 'Documented Information' |
| 10 | | Parts derived from ISO 31000:2009 Risk management |
| 11 | 'control objectives and controls from Annex A shall be selected and implemented' | 'produce a "statement of applicability (SoA)" that contains the necessary controls' |
| 12 | Has Annex A, B and C | Has Annex A |
| 13 | | New important term 'Risk owner' |
| 14 | Emphasis on documentation of internal audits | No need to document internal audit |

The 11 new controls in ISO 27001:2013 Annex A:
  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities