
Page 1

ISO 27001:2013 transition webinar

Steve Watkins
Director, Training & Consultancy
IT Governance Ltd

Page 2

Steve who?

• Author of ‘IT Governance: A Manager’s Guide to Information Security and ISO 27001/2’ (with A Calder)
• Chair of UK ISO 27001 User Group
• Member of IST33 & IST33/Panel 1
• UKAS ISMS Technical Assessor and advising on ISO 27001 transition
• @swatty70
• http://uk.linkedin.com/pub/steve-watkins/1/226/22b/

2 © IT Governance Ltd 2013

Page 3

ISO 27001:2013 transition webinar

• The changes and what they mean for your business
  – Continuous improvement processes
  – Integration with your management framework
  – Roles and responsibilities
  – Risk assessment
  – Mapping information security controls
• A less onerous and more integrated approach
• What it means for accredited certification
• Embarking on transition

Page 4

Accredited Certification

Diagram: National Accreditation Bodies accredit Certification Bodies, which issue the certificate.

Page 5

ISO 27001:2013 “transition”

Diagram: Certificated Organisation; Accredited Certification Body; Qualified personnel (Auditors + Implementers)

Page 6

ISO 27001:2013: The changes

• Structure and implementation process
• Scope and risk
• Roles and responsibilities
• Resources
• Annex A security controls

Page 7

ISO 27001: From 2005 to 2013

ISO 27001:2013 (All MSS)
0. Introduction
1. Scope
2. Normative ref
3. Terms & definitions
4. Context of organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

ISO 27001:2005
0. Introduction
1. Scope
2. Normative ref
3. Terms & definitions
4. ISMS
5. Management resp.
6. Internal ISMS audits
7. Management review
8. ISMS improvement
Annex A - Control objectives and controls

Page 8

ISO 27001: From 2005 to 2013

2013
4. Context of organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

2005
4. Establish ISMS
   • Scope
   • Policy
   • Risk Assessment
   • Document control
5. Management Responsibility
6. Internal Audit
7. Management Review
8. Continual Improvement

Page 9

ISO 27001:2013 Implementation

“The order in which requirements are presented in this International Standard does not reflect their importance or imply the order in which they are to be implemented. The list items are enumerated for reference purpose only.” ISO/IEC 27001:2013

• No longer specifies Plan-Do-Check-Act (P-D-C-A) to develop and establish the ISMS: the organisation is to determine and adopt a continual improvement model that suits
• Terms and definitions section removed: references ISO 27000

Page 10

ISO 27001:2013 Scope

Diagram: Scope, Integrate, Requirements

Scope: the organisation is to identify ‘interested parties’, the information security requirements of these parties, and ‘external and internal issues’.

Page 11

ISO 27001:2013 Risk Assessment

Risk: “Effect of uncertainty on objectives” ISO 27000:2012

Diagram elements: Threats, Vulnerabilities, Likelihood, Assets, Impacts, Risk

Page 12

ISO 27001:2013 Risk Treatment

Page 13

ISO 27001:2013 Integration

Adoption of ISMS: “Strategic decision” for organisation

“Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

Note: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.” ISO 27000:2012, sect 2.34

Page 14

ISO 27001:2013 Roles and responsibilities

• Management involvement: strengthened in leadership and review
  – Significant increase in performance related requirements:
    • setting information security objectives
    • evaluation of information security performance
    • measuring effectiveness of the ISMS (as well as controls)
    • using these to inform improvement
• Risk owner
• Resources, competence, awareness, communication

Page 15

ISO 27001:2013 Other notable changes

• The requirement that internal auditors shall not audit their own work is absent; ensuring objectivity and impartiality remains
• Preventive action is no longer mandated as a separate requirement
• A number of requirements for communication have been introduced where this was not explicitly identified in the 2005 version of the standard

Page 16

ISO 27001:2013 Resources

ISO/IEC 27001:2013
http://www.itgovernance.co.uk/shop/p-1443-isoiec-27001-2013-iso27001-iso-27001-isms-requirements.aspx

ISO/IEC 27002:2013
http://www.itgovernance.co.uk/shop/p-1444-isoiec-27002-2013-iso27002-iso-27002-code-of-practice-for-infosec-controls.aspx

27001 & 27002:2013
http://www.itgovernance.co.uk/shop/p-1445-iso-iec-27001-2013-and-iso-iec-27002-2013.aspx

27000:2012
http://www.itgovernance.co.uk/shop/p-707-iso27000-iso-27000-isms-overview-and-vocabulary.aspx

Page 17

ISO 27001:2013 Resources

http://www.itgovernance.co.uk/shop/p-357-an-introduction-to-information-security-and-iso-27001-2013-a-pocket-guide-second-edition.aspx

http://www.itgovernance.co.uk/shop/p-720-iso27001iso27002-a-pocket-guide-second-edition.aspx

Page 18

ISO 27001:2013 Annex A

114 controls, 14 categories

5 Information security policies
6 Organisation of info. security
7 Human resources security
8 Asset Management
9 Access Control
10 Cryptography (New)
11 Physical & environmental sec
12 Operations security (Split)
13 Communications security (Split)
14 System acq, dev & maintenance
15 Supplier relationships (New)
16 Info. security incident management
17 Info. sec aspects of BC Mngt
18 Compliance

Page 19

ISO 27001:2013 Summary

• Management system + flexibility
• Aligns to internal and external drivers
• Worldwide accepted accredited certification

Page 20

ISO 27001:2013 transition webinar

• The changes and what they mean for your business
  – Continuous improvement processes
  – Integration with your management framework
  – Roles and responsibilities
  – Risk assessment
  – Mapping information security controls
• A less onerous and more integrated approach
• What it means for accredited certification
• Embarking on transition

Page 21

Accredited certification: transition

Diagram: Certificated Organisation; Accredited Certification Body; Competent auditors; Competent implementers

Page 22

Accredited certification: transition

Timeline 2013–2016:
• 2013: ISO 27001:2013 published
• 1st January 2014: Transition assessments of CBs begin as part of the normal surveillance cycle
• 30th September 2015: No new ISO 27001:2005 certificates to be issued
• 30th September 2016: All ISO 27001:2005 certificates to have transitioned to ISO 27001:2013

Organisations “with ISO 27001”:
• Surveillance audit to ISO 27001:2005 available
• Transition to ISO 27001:2013 may be mandated by CB

Organisations “seeking ISO 27001”:
• Initial audit to ISO 27001:2005 available
• Initial audit to ISO 27001:2013 available

Page 23

When to start your transition? Personnel

Competent auditors; Competent implementers

http://www.itgovernance.co.uk/shop/p-1454-iso27001-2013-certified-isms-transition-training-course.aspx

Page 24

When to start your transition? ISMS

• Familiarity with 2013 and what is required
  http://www.itgovernance.co.uk/shop/p-963-nine-steps-to-success-an-iso-270012013-implementation-overview-second-edition.aspx
• Health Check and action plan?
  http://www.itgovernance.co.uk/iso27001_2013_healthcheck.aspx

Page 25

Think ISO 27001:2013 may be for you?

• Strategic decision – the case is best laid out in the well respected and widely recognised ‘Case for …’, now updated for ISO 27001:2013
  http://www.itgovernance.co.uk/shop/p-1158-the-case-for-iso-27001-2013-second-edition.aspx

Page 26

New to ISO 27001:2013? Don’t delay

http://www.itgovernance.co.uk/shop/p-710-iso27001-certified-isms-foundation-training-course.aspx
http://www.itgovernance.co.uk/shop/p-713-iso27001-certified-isms-lead-implementer-masterclass.aspx
http://www.itgovernance.co.uk/shop/p-712-iso27001-certified-isms-lead-auditor-training-course.aspx

Page 27

New to ISO 27001:2013? Don’t delay

http://www.itgovernance.co.uk/shop/p-1462-iso-27001-2013-isms-standalone-documentation-toolkit.aspx
http://www.itgovernance.co.uk/iso27001_consultancy.aspx

Page 28

Summary: ISO 27001:2005 to 2013

Page 29

Summary: ISO 27001:2005 to 2013

• Accredited certification: timescales not yet confirmed, however probably …
  – To 2005: available now through to 30 Sept 2015
  – To 2013: could be available in the first 3 months of 2014
  – Move from 2005 to 2013 certificate within a year of the Certification Body achieving accreditation to the 2013 standard

Page 30

Further information and reading

• http://www.itgovernance.co.uk/download/27001-update.pdf
  4 pages introducing the 2013 version
• http://www.itgovernance.co.uk/download/27001-update-reference-sheet.pdf
  5 pages comparing 2005 to 2013
• http://www.itgovernance.co.uk/download/27001-2013-technical-guidance.pdf
  11 pages of technical guidance for making the transition from ISO 27001:2005

Page 31

Questions?

• Call us: +44 (0)845 070 1750
• Email us: [email protected]
• Twitter: @ITGovernance, @swatty70
• Facebook: www.facebook.com/ITGovernanceLtd
• LinkedIn: www.linkedin.com/company/IT-Governance
• UK: www.itgovernance.co.uk
• USA: www.itgovernanceusa.com
• EU: www.itgovernance.eu
• India: www.itgovernance.in
• Asia Pacific: www.itgovernance.asia

© IT Governance Ltd 2013