The Information Security Management System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Section D part 1

The three main differences introduced by the 2013 revision of ISO/IEC 27001 are: the management system is easier to integrate with other management systems; the standard addresses the new challenges that enterprises face; and the references are extended with more guidance.

Clause structure of ISO/IEC 27001:2005:

Introduction
1. Scope
2. Normative reference
3. Terms and definitions
4. Information security management system
4.1 General
4.2 Establishing and managing the ISMS
4.3 Documentation requirements
5. Management responsibility
6. Internal ISMS audits
7. Management review
8. ISMS improvement

Clause structure of ISO/IEC DIS 27001 (the 2013 draft):

Introduction
1. Scope
2. Normative reference
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

ISO 27001:2013 has a separate clause requiring that all interested parties be identified: shareholders, authorities, clients, partners and so on. This is a good way of defining the key inputs to the ISMS.

The biggest change in the new version is that preventive action no longer exists as a separate requirement. Another clear distinction between the two standards is that the central list of required documents has been deleted.

On communication, the new version adds a clause that summarises what should be communicated, when, by whom and through which means.

In the draft, "documents" and "records" are combined into a single concept. The new section is called "documented information", and all the rules for document control and record control are listed there.

In the latest version, 27001:2013, the documented procedures required by 2005 (document control, corrective action, preventive action and internal audit) are no longer mandatory. However, the new standard still requires the outputs of those processes to be documented.

The new version distinguishes between a correction, made as a direct response to a nonconformity, and corrective action, taken to eliminate the cause of the nonconformity so that the reason for its existence can be tracked.

In the new draft, the risk assessment methodology no longer has to be documented in the detail the 2005 version prescribed, and the concept of the asset owner is gone. A new term, "risk owner", is added; it places responsibility at a higher level, and that responsibility becomes more and more important.

For objectives, monitoring and measurement, the new version adds no fundamentally new requirements compared with ISO 27001:2005. However, some concrete rules are added in separate clauses: the objectives must be set more clearly, it must be defined when and by whom they will be measured, and it must be defined who analyses and evaluates the results.

ISO/IEC 27001:2005 contained 133 discretionary controls listed in Annex A and approximately 102 mandatory requirements in clauses 4 to 8, which provided the structure of the ISMS. In the latest release, ISO/IEC 27001:2013, the number of mandatory requirements increases from 102 to 130, an increase of 28.

As for the annexes, the original 27001:2005 contained three, Annex A, B and C, but 27001:2013 keeps only Annex A; Annexes B and C were dropped as unnecessary. The number of Annex A controls also changed: compared with 27001:2005 it decreased from 133 to 114, so 19 controls were deleted. In the original, Annex A grouped the discretionary controls into 11 domains; in the latest version the number of domains is expanded to 14.

ISO 27002

With the update of 27001, 27002 was also updated. The main changes are:

Number of sections: the number of sections has increased. In the original there were 11 sections containing controls; in the new one this is expanded to 14, which makes the structure of the document clearer and more reasonable.

Number of controls: the number of controls has decreased, from 133 to only 114, because some controls were too specific or already outdated.

Structure of sections: in the draft of ISO 27001:2013, Cryptography has become a separate section 10 and is no longer part of Information systems acquisition, development and maintenance. Supplier relationships has also changed and is now a separate section 15. Communications and operations management is divided into Operations security (section 12) and Communications security (section 13).

Placement of security categories

In ISO/IEC 27001:2013 some categories have been moved:

Mobile devices and teleworking, previously contained in Access control, is now 6.2, part of section 6 Organization of information security.

Media handling was part of Communications and operations management; it is now 8.3, part of section 8 Asset management.

Operating system access control and Application and information access control are now merged into 9.4 System and application access control.

In the previous version, Control of operational software was a single category in Information systems acquisition, development and maintenance. It is now 12.5, part of the Operations security section.

Information systems audit considerations has been moved to 12.7, also part of the Operations security section.

Network access control, a category in the previous version, is gone; some of its controls have been moved to Communications security.

Exchange of information has been renamed Information transfer and moved to section 13, Communications security.

The controversial category Correct processing in applications is also gone.

Electronic commerce services no longer exists as a separate category; its controls are merged into Security requirements of information systems.

In Information security incident management, the two categories of the previous version are combined into one.

The Business continuity section gains a new category, 17.2 Redundancies.

The new draft of 27002 also adds some new controls:

14.2.1 Secure development policy

14.2.5 Secure system engineering principles

14.2.6 Secure development environment

14.2.8 System security testing

16.1.4 Assessment of and decision on information security events

17.2.1 Availability of information processing facilities

To conclude, ISO/IEC 27001:2013 and 27002:2013 bring a large number of improvements to how the standards are designed and add clarity. These changes should make implementing and maintaining information security more convenient.


