Hi, Habr!
On September 25, 2013, the updated standard ISO/IEC 27001:2013 "Information security management systems - Requirements" was published, replacing the similar standard of 2005. The Transition Guide came into my hands, and in order to systematize my knowledge and share it with those who might be interested, I decided to put together this short note.
Under the spoiler: why do we need this standard
Quote from wiki:
ISO/IEC 27001 is an international standard for information security. It contains requirements in the field of information security for the creation, development and maintenance of an Information Security Management System (ISMS).
The ISO/IEC 27001 (ISO 27001) standard describes the world's best practices in information security management. ISO 27001 establishes requirements for an information security management system in order to demonstrate the ability of an organization to protect its information resources. This standard is prepared as a model for the development, implementation, operation, monitoring, analysis, support and improvement of an Information Security Management System (ISMS).
What about us?
In itself, passing an audit for compliance with 27001 gives the business nothing but pride in its information security department (correct me if I'm wrong). However, it can significantly ease the passage of such important audits as, for example, PCI DSS.
Still, it seems to me that any large company with international business strives to obtain the coveted certificate.
Changes in terms
The 27001:2013 standard relies on the 31000 family of standards (risk assessment).
In this version, the term "asset" disappears. Instead, the broader concepts of "information" and "service" are used.
Someone will say: "How so?!" But wait, this is logical: not all information that needs to be protected is an asset of the company (in the sense in which Robert Kiyosaki, for example, uses the term).
The term "opportunities" (clause 6.1.1) has been added as a potential area for improvement: a broad term that can cover a whole range of measures to eliminate various risks.
For example, opportunities for improving software include fixing specific bugs, changing the architecture, and even, perhaps, some measures affecting the vendor providing this software at the agreement level.
"Action" has turned into "Objective": this is the current goal, specific and measurable, as opposed to the global goal ("Goal").
Otherwise, everything is the same. Information security is about ensuring confidentiality, integrity and availability, and risk management is carried out according to the Plan-Do-Check-Act method.
The clauses
Some clauses are completely new, some have gained sub-clauses. I will cite (and, at the same time, translate) the main ones.
Clause 6.1.1:
When planning the ISMS, the organization shall determine the risks and opportunities that need to be addressed in order to:
a) ensure that the ISMS can achieve its intended outcomes;
b) prevent or reduce undesired effects; and
c) achieve continual improvement.
Clause 6.1.2 means that the organization should have a formalized risk assessment methodology. At the same time, when identifying risks, each of them must be assigned an owner; this is a new requirement [6.1.2 ) 2)].
Clause 6.2:
Information security opportunities shall:
b) be measurable (if applicable);
c) take into account applicable information security requirements and the results of risk assessment and risk treatment.
When planning how to achieve information security opportunities, the organization shall determine:
f) what should be done;
g) what resources are required;
h) who will be responsible;
i) when you need to finish; and
j) how results will be evaluated.
Clause 7.4 Communication is a new clause.
The organization shall determine the need for internal and external communications relevant to the ISMS, including:
a) what to communicate;
b) when;
c) with whom;
d) who;
e) by what means.
One can show the auditor, for example, entries in an Outlook calendar. Usually, they contain the entire required list.
Clause 9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
c) when and
b) who will monitor and measure;
f) who will analyze and evaluate the results.
From clause 9.3 (Management review), the requirement for management to review the ISMS annually has been removed.
Clause 10.1 Nonconformities and corrective actions.
When a nonconformity is found, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
e) make changes to the ISMS, if necessary.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.
Afterword
More general information about the standard can be found at the link from the wiki.
I would be glad if this note is useful to someone.