Frank Fransen | 24 September 2013
New version of ISO/IEC 27002
Code of practice for information security management controls
(new title)
24 september 2013
Frank Fransen
1
Table of contents
Introduction
What has changed in ISO/IEC FDIS 27002:2013?
What is the impact of these changes?
Summary
The slides are in English
ISO/IEC 27000 family of standards
(Figure: the family grouped by type, with the edition of each standard)
Terminology
  IS 27000:2012 - ISMS overview and vocabulary (freely available)
Requirements
  IS 27001:2005 - Information Security Management System (ISMS) – Requirements
  IS 27006:2007 - Requirements for bodies providing audit and certification of ISMSs
Guidelines
  IS 27002:2007 - Code of practice for information security management
  IS 27003:2010 - ISMS implementation guidance
  IS 27004:2009 - Information security management measurements
  IS 27005:2011 - Information security risk management
  IS 27007:2011 - Guidelines for ISMS auditing
  TR 27008:2011 - Guidance for auditors on ISMS controls
ISO/IEC 27000 family of standards – status
(Figure: the same family with the status of each standard as of September 2013)
Terminology
  DIS 27000:2014 - ISMS overview and vocabulary (freely available)
Requirements
  FDIS 27001:2013 - Information Security Management System (ISMS) – Requirements
  IS 27006:2007 - Requirements for bodies providing audit and certification of ISMSs
Guidelines
  FDIS 27002:2013 - Code of practice for information security controls (focus of this talk)
  IS 27003:2010 - ISMS implementation guidance
  IS 27004:2009 - Information security management measurements
  IS 27005:2011 - Information security risk management
  IS 27007:2011 - Guidelines for ISMS auditing
  TR 27008:2011 - Guidance for auditors on ISMS controls
ISO/IEC 27002:2007 – Code of practice
Set of commonly accepted control objectives (39) and best practice controls (133) for information security management
The description of each control is structured as follows:
  Control
  Implementation guidance
  Other information
The 11 clauses of ISO/IEC 27002:
  5. Security Policy
  6. Organizing information security
  7. Asset management
  8. Human resources security
  9. Physical and environmental security
  10. Communications and operations management
  11. Access control
  12. Systems acquisition, development and maintenance
  13. Information security incident management
  14. Business continuity management
  15. Compliance
ISO/IEC 27002 based sector-specific standards
(Figure: sector-specific guidelines derived from ISO/IEC 27002)
FDIS 27002:2013 - Code of practice for information security controls
  Annex E – Principles for sector-specific ISMS standards
  Annex F – Template for sector-specific ISMS standards
  (WG1 roadmap)
Sector-specific guidelines
  IS 27011:2008 - telecommunications (ITU-T X.1051)
  IS 27799:2010 - healthcare (NEN 7510)
  IS 27010:2012 - inter-sector and inter-organizational communications
  TR 27015:2012 - financial services
  5th WD 27017:201x - cloud computing services
Revision ISO/IEC 27002
Revision ISO/IEC 27002 – Overview
More focused on control selection
Title: Information technology — Security techniques — Code of practice for information security management controls
Lots of changes to control objectives and controls:
  Text is updated (in particular control objectives, Implementation guidance and Other information)
  Titles changed
  Relocation and merging (re-structuring of sections)
  Removal of outdated ones and introduction of new ones
The general structure of the control description remained:
  Control
  Implementation guidance
  Other information
Numbers, 2005 edition vs. FDIS:
  Clauses: 11 -> 14
  Control objectives: 39 -> 35
  Controls: 133 -> 114
Revision ISO/IEC 27002 – More focused on control selection
Some text in ISO/IEC 27002:2005 is closely associated with other standards in the family:
  Guidance on the establishment of an ISMS => also covered in ISO/IEC 27003
  Guidance on security risk management (clause 4) => also covered in ISO/IEC 27005
In the revision, the items that are covered in other 2700x standards have been removed.
0.1 Background and context (quoted from ISO/IEC FDIS 27002)
"This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001[10] or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s)."
Revision ISO/IEC 27002 – New structure of clauses, control objectives and controls
ISO/IEC 27002:2005:
  5. Security Policy
  6. Organizing information security
  7. Asset management
  8. Human resources security
  9. Physical and environmental security
  10. Communications and operations management
  11. Access control
  12. Systems acquisition, development and maintenance
  13. Information security incident management
  14. Business continuity management
  15. Compliance
ISO/IEC FDIS 27002:2013:
  5. Security Policy
  6. Organizing information security
  7. Human resources security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. Systems acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance
Clauses highlighted in this talk: clause 6, clauses 12 and 13, clause 14
Revision ISO/IEC 27002 – 6 Organization of information security
ISO/IEC 27002:2005:
  6 Organization of information security
  6.1 Internal Organization
  6.1.1 Management commitment to information security
  6.1.2 Information security coordination
  6.1.3 Allocation of information security responsibilities
  6.1.4 Authorization process for information processing facilities
  6.1.5 Confidentiality agreements
  6.1.6 Contact with authorities
  6.1.7 Contact with special interest groups
  6.1.8 Independent review of information security
  6.2 External Parties
  6.2.1 Identification of risks related to external parties
  6.2.2 Addressing security when dealing with customers
  6.2.3 Addressing security in third party agreements
Slide call-outs on the 2005 structure:
  6.1.1 Management commitment to information security: removed; given as an example of a control that was already covered by ISO/IEC 27001
  6.1.5 Confidentiality agreements: moved to 13 Communications security
  6.1.8 Independent review of information security: moved to 18 Compliance
  6.2 External parties: moved to 15 Supplier relationships
  The other controls are marked as moved (destination not called out on the slide)
  The new control 6.1.2 (Segregation of duties) comes from clause 10 Communications and Operations Management
ISO/IEC FDIS 27002:
  6 Organization of information security
  6.1 Internal organization
  6.1.1 Information security roles and responsibilities
  6.1.2 Segregation of duties
  6.1.3 Contact with authorities
  6.1.4 Contact with special interest groups
  6.1.5 Information security in project management
  6.2 Mobile devices and teleworking (the controls in 6.2 are from 11 Access Control)
  6.2.1 Mobile device policy
  6.2.2 Teleworking
Revision ISO/IEC 27002 – Mobile devices and teleworking moved from clause 11 to clause 6
ISO/IEC 27002:2005, 11.7 Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
The protection required should be commensurate with the risks these specific ways of working cause. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied. In the case of teleworking the organization should apply protection to the teleworking site and ensure that suitable arrangements are in place for this way of working.
11.7.1 Mobile computing and communications
Control
A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
…
11.7.2 Teleworking
Control
A policy, operational plans and procedures should be developed and implemented for teleworking activities.
…
ISO/IEC FDIS 27002, 6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
6.2.1 Mobile device policy
Control
A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices.
…
6.2.2 Teleworking
Control
A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites.
…
Revision ISO/IEC 27002 – 12 Operations security and 13 Communications security
ISO/IEC 27002:2005:
  10 Communications and Operations Management
  10.1 Operational procedures and responsibilities
  10.2 Third party service delivery management
  10.3 System planning and acceptance
  10.4 Protection against malicious and mobile code
  10.5 Back-up
  10.6 Network security management
  10.7 Media handling
  10.8 Exchange of information
  10.9 E-commerce services
  10.10 Monitoring
Slide call-outs on the 2005 structure:
  10.2 Third party service delivery management: moved to 15 Supplier relationships
  10.3 System planning and acceptance: moved to 14 System acquisition, development and maintenance
  10.7 Media handling: moved to 8 Asset Management
  10.9 E-commerce services: moved to 14 System acquisition, development and maintenance and renamed to application services on public networks
  The other sections moved to the new clauses 12 Operations security and 13 Communications security
ISO/IEC FDIS 27002:
  12 Operations security
  12.1 Operational procedures and responsibilities
  12.2 Protection from malware
  12.3 Backup
  12.4 Logging and monitoring
  12.5 Control of operational software (from 2005 clause 12)
  12.6 Technical vulnerability management (from 2005 clause 12)
  12.7 Information systems audit considerations (from 2005 clause 15 Compliance)
  13 Communications security
  13.1 Network security management
  13.2 Information transfer
ISO/IEC 27002:2005, clause 12 (source of 12.5 and 12.6 above):
  12 Information systems acquisition, development and maintenance
  12.1 Security requirements of information systems
  12.2 Correct processing in applications
  12.3 Cryptographic controls
  12.4 Security of system files
  12.5 Security in development and support processes
  12.6 Technical Vulnerability Management
Revision ISO/IEC 27002 – 14 System acquisition, development and maintenance
ISO/IEC FDIS 27002:
  14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
  14.1.1 Information security requirements analysis and specification
  14.1.2 Securing application services on public networks
  14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
  14.2.1 Secure development policy
  14.2.2 System change control procedures
  14.2.3 Technical review of applications after operating platform changes
  14.2.4 Restrictions on changes to software packages
  14.2.5 Secure system engineering principles
  14.2.6 Secure development environment
  14.2.7 Outsourced development
  14.2.8 System security testing
  14.2.9 System acceptance testing
  14.3 Test data
  14.3.1 Protection of test data
Slide call-out: part of this clause comes from 2005 clause 10 Communications and Operations Management (system planning and acceptance, e-commerce services)
Revision ISO/IEC 27002 – My opinion
More logical structure for control objectives and controls
More up-to-date and less trend-specific
More to-the-point
Impact of revision ISO/IEC 27002
Impact of revision ISO/IEC 27002 – For organisations
If ISO/IEC 27002 is used as the basis of your information security management, then you will have to choose:
  Still use the old version: not recommended
  Use another framework: up to you
  Migrate to the new version: recommended (a SoA, Statement of Applicability, is required for ISO/IEC 27001 certification)
ISO/IEC 27002:2013 – Impact per type of change:
  New structure: update the information security policy documents
  Changed controls (and objectives): review the impact of the changed text on implemented controls and improve the controls if necessary
  Removed controls: determine whether the removed controls are implemented and for which risks; select and implement alternatives
  New controls (and objectives): review the risk assessment and risk treatment against the revised ISO/IEC 27002:2013
Impact of revision ISO/IEC 27002 – On sector-specific guidelines based on ISO/IEC 27002
Sector-specific guidelines that are based on ISO/IEC 27002 will be updated:
  ISO/IEC 27010 (inter-sector and inter-organizational communications)
  ISO/IEC 27011 (telecommunications sector)
  ISO 27799:2008 (health sector)
  ISO/IEC TR 27015:2012 (financial services sector)
  Draft ISO/IEC 27017 is already based on the new version (cloud computing services)
National standards frameworks based on ISO/IEC 27002:
  NEN 7510:2011
  Baseline Informatiebeveiliging Rijksdienst (BIR) - Tactisch Normenkader (TNK); 2012
  Tactische Baseline Informatiebeveiliging Nederlandse Gemeenten; 2013
  …
Recap
Updating of text; re-structuring of clauses; relocation, merging and removal of controls; and introduction of new controls
Expected publication date: November 2013
Impact on existing use of ISO/IEC 27002:2007