IEC 27002-Frank Fransen


Transcript of IEC 27002-Frank Fransen

Page 1: IEC 27002-Frank Fransen

Frank Fransen | 24 September 2013

New version of ISO/IEC 27002

Code of practice for information security management controls (new title)

Page 2: IEC 27002-Frank Fransen

24 September 2013, Frank Fransen

Table of contents

Introduction

What has changed in ISO/IEC FDIS 27002:2013?

What is the impact of these changes?

Summary

Slides are in English

Page 3: IEC 27002-Frank Fransen

ISO/IEC 27000 family of standards

Terminology:

IS 27000:2012 – ISMS overview and vocabulary (freely available)

Requirements:

IS 27001:2005 – Information Security Management System (ISMS) – Requirements

IS 27006:2007 – Requirements for bodies providing audit and certification of ISMSs

Guidelines:

IS 27002:2007 – Code of practice for information security management

IS 27003:2010 – ISMS implementation guidance

IS 27004:2009 – Information security management measurements

IS 27005:2011 – Information security risk management

IS 27007:2011 – Guidelines for ISMS auditing

TR 27008:2011 – Guidance for auditors on ISMS controls

Page 4: IEC 27002-Frank Fransen

ISO/IEC 27000 family of standards – status

Terminology:

DIS 27000:2014 – ISMS overview and vocabulary (freely available)

Requirements:

FDIS 27001:2013 – Information Security Management System (ISMS) – Requirements

IS 27006:2007 – Requirements for bodies providing audit and certification of ISMSs

Guidelines:

FDIS 27002:2013 – Code of practice for information security controls (focus of this talk)

IS 27003:2010 – ISMS implementation guidance

IS 27004:2009 – Information security management measurements

IS 27005:2011 – Information security risk management

IS 27007:2011 – Guidelines for ISMS auditing

TR 27008:2011 – Guidance for auditors on ISMS controls

Page 5: IEC 27002-Frank Fransen

ISO/IEC 27002:2007 – Code of practice

Set of commonly accepted control objectives (39) and best practice controls (133) for information security management

The description of each control is structured as follows:

Control

Implementation guidance

Other information

The 11 clauses of ISO/IEC 27002:

5. Security Policy

6. Organizing information security

7. Asset management

8. Human resources security

9. Physical and environmental security

10. Communications and operations management

11. Access control

12. Systems acquisition, development and maintenance

13. Information security incident management

14. Business continuity management

15. Compliance

Page 6: IEC 27002-Frank Fransen

ISO/IEC 27002 based sector-specific standards

Base: FDIS 27002:2013 – Code of practice for information security controls

Sector-specific guidelines:

IS 27011:2008 – telecommunications (ITU-T X.1051)

ISO 27799:2008 – healthcare (NEN 7510)

TR 27015:2012 – financial services

IS 27010:2012 – inter-sector and inter-organizational communications

5th WD 27017:201x – cloud computing services

WG1 Roadmap, Annex E – Principles for sector-specific ISMS standards

WG1 Roadmap, Annex F – Template for sector-specific ISMS standards

Page 7: IEC 27002-Frank Fransen

Revision ISO/IEC 27002

Page 8: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – Overview

More focused on control selection

Information technology — Security techniques — Code of practice for information security management controls

Lots of changes to control objectives and controls:

Text is updated (in particular control objectives, implementation guidance and other information)

Titles changed

Relocation and merging (re-structuring of sections)

Removal of outdated ones and introduction of new ones

General structure of the control description remains: Control / Implementation guidance / Other information

Numbers, 2005 edition vs. FDIS:

Clauses: 11 (2005) vs. 14 (FDIS)

Control objectives: 39 (2005) vs. 35 (FDIS)

Controls: 133 (2005) vs. 114 (FDIS)

Page 9: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – More focused on control selection

Some text in ISO/IEC 27002:2005 is closely associated with:

Guidance on the establishment of an ISMS => also covered in ISO/IEC 27003

Guidance on security risk management (clause 4) => also covered in ISO/IEC 27005

In the revision, items covered in other 2700x standards are removed.

Quoted from ISO/IEC FDIS 27002, 0.1 Background and context:

"This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 [10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s)."

Page 10: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – New structure of clauses, control objectives and controls

ISO/IEC 27002:2005:

5. Security Policy

6. Organizing information security

7. Asset management

8. Human resources security

9. Physical and environmental security

10. Communications and operations management

11. Access control

12. Systems acquisition, development and maintenance

13. Information security incident management

14. Business continuity management

15. Compliance

ISO/IEC FDIS 27002:2013:

5. Security Policy

6. Organizing information security

7. Human resources security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

12. Operations security

13. Communications security

14. Systems acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

Page 11: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – New structure of clauses, control objectives and controls

ISO/IEC FDIS 27002:2013 (clauses highlighted in this talk: clause 6, clauses 12 and 13, clause 14):

5. Security Policy

6. Organizing information security

7. Human resources security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

12. Operations security

13. Communications security

14. Systems acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

Page 12: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – 6 Organization of information security

ISO/IEC 27002:2005:

6 Organization of information security

6.1 Internal Organization

6.1.1 Management commitment to information security (e.g. this control was already covered by ISO/IEC 27001)

6.1.2 Information security coordination

6.1.3 Allocation of information security responsibilities

6.1.4 Authorization process for information processing facilities

6.1.5 Confidentiality agreements (moved to 13 Communications security)

6.1.6 Contact with authorities

6.1.7 Contact with special interest groups

6.1.8 Independent review of information security (moved to 18 Compliance)

6.2 External Parties (moved to 15 Supplier relationships)

6.2.1 Identification of risks related to external parties

6.2.2 Addressing security when dealing with customers

6.2.3 Addressing security in third party agreements

Page 13: IEC 27002-Frank Fransen


Revision ISO/IEC 27002 – 6 Organization of information security

ISO/IEC FDIS 27002:

6 Organization of information security

6.1 Internal organization

6.1.1 Information security roles and responsibilities

6.1.2 Segregation of duties (from 2005 clause 10 Communications and Operations Management)

6.1.3 Contact with authorities

6.1.4 Contact with special interest groups

6.1.5 Information security in project management

6.2 Mobile devices and teleworking (the controls in 6.2 are from 2005 clause 11 Access Control)

6.2.1 Mobile device policy

6.2.2 Teleworking

Page 14: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – Mobile devices and teleworking moved from clause 11 to clause 6

ISO/IEC 27002:2005:

11.7 Mobile computing and teleworking

Objective: To ensure information security when using mobile computing and teleworking facilities.

The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.

11.7.1 Mobile computing and communications

Control: A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.

11.7.2 Teleworking

Control: A policy, operational plans and procedures should be developed and implemented for teleworking activities.

…

ISO/IEC FDIS 27002:

6.2 Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Mobile device policy

Control: A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.

6.2.2 Teleworking

Control: A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.

Page 15: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – 12 Operations security and 13 Communications security

ISO/IEC 27002:2005:

10 Communications and Operations Management

10.1 Operational procedures and responsibilities

10.2 Third party service delivery management (moved to 15 Supplier relationships)

10.3 System planning and acceptance (moved to 14 System acquisition, development and maintenance)

10.4 Protection against malicious and mobile code

10.5 Back-up

10.6 Network security management

10.7 Media handling (moved to 8 Asset Management)

10.8 Exchange of information

10.9 E-commerce services (moved to 14 System acquisition, development and maintenance; renamed to application services on public networks)

10.10 Monitoring

Page 16: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – 12 Operations security and 13 Communications security

ISO/IEC FDIS 27002:

12 Operations security

12.1 Operational procedures and responsibilities

12.2 Protection from malware

12.3 Backup

12.4 Logging and monitoring

12.5 Control of operational software

12.6 Technical vulnerability management (from 2005 clause 12)

12.7 Information systems audit considerations (from 2005 clause 15)

13 Communications security

13.1 Network security management

13.2 Information transfer (moved from 2005 clause 10, Exchange of information)

Page 17: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – 14 System acquisition, development and maintenance

ISO/IEC 27002:2005:

12 Information systems acquisition, development and maintenance

12.1 Security requirements of information systems

12.2 Correct processing in applications

12.3 Cryptographic controls

12.4 Security of system files

12.5 Security in development and support processes

12.6 Technical Vulnerability Management

ISO/IEC FDIS 27002:

14 System acquisition, development and maintenance

14.1 Security requirements of information systems

14.1.1 Information security requirements analysis and specification

14.1.2 Securing application services on public networks (from 2005 clause 10 Communications and Operations Management)

14.1.3 Protecting application services transactions (from 2005 clause 10 Communications and Operations Management)

14.2 Security in development and support processes

14.2.1 Secure development policy

14.2.2 System change control procedures

14.2.3 Technical review of applications after operating platform changes

14.2.4 Restrictions on changes to software packages

14.2.5 Secure system engineering principles

14.2.6 Secure development environment

14.2.7 Outsourced development

14.2.8 System security testing

14.2.9 System acceptance testing (from 2005 clause 10 Communications and Operations Management)

14.3 Test data

14.3.1 Protection of test data

Page 18: IEC 27002-Frank Fransen

Revision ISO/IEC 27002 – My opinion

More logical structure for control objectives & controls

More up-to-date & less trend specific

More to-the-point


Page 19: IEC 27002-Frank Fransen

Impact of revision ISO/IEC 27002

Page 20: IEC 27002-Frank Fransen

Impact of revision ISO/IEC 27002 – For organisations

If ISO/IEC 27002 is used as the basis of your information security management, you will have to choose:

Still use the old version: not recommended

Use another framework: up to you

Migrate to the new version: recommended (a Statement of Applicability (SoA) is required for ISO/IEC 27001 certification)

ISO/IEC 27002:2013 impact:

New structure: update the information security policy documents

Changed controls (and objectives): review the impact of the changed text on implemented controls and improve the controls if necessary

Removed controls: determine whether removed controls are implemented and for which risks; select and implement alternatives

New controls (and objectives): review the risk assessment and risk treatment against the revised ISO/IEC 27002:2013

Page 21: IEC 27002-Frank Fransen

Impact of revision ISO/IEC 27002 – On other sector-specific guidelines based on ISO/IEC 27002

Sector-specific guidelines that are based on ISO/IEC 27002 will be updated:

ISO/IEC 27010 (inter-sector and inter-organizational communications)

ISO/IEC 27011 (telecommunications sector)

ISO 27799:2008 (health sector)

ISO/IEC TR 27015:2012 (financial services sector)

draft ISO/IEC 27017 (cloud computing services), already based on the new version

National standards frameworks based on ISO/IEC 27002:

NEN 7510:2011

Baseline Informatiebeveiliging Rijksdienst (BIR) - Tactisch Normenkader (TNK); 2012

Tactische Baseline Informatiebeveiliging Nederlandse Gemeenten; 2013

Page 22: IEC 27002-Frank Fransen

Recap

Updating of text; re-structuring of clauses; relocation, merging and removal of controls; and introduction of new controls

Expected publication date: November 2013

Impact on existing use of ISO/IEC 27002:2007

Page 23: IEC 27002-Frank Fransen


Questions

Frank Fransen

+31 (0)88 866 7729

[email protected]