Professional Documents
Culture Documents
Info Security ISO IEC 27001 Controls 1683622519
Info Security ISO IEC 27001 Controls 1683622519
ISO/IEC 27001
1 Intro
ISO/IEC 27001:
systematic framewokr, manage info sec related risks & protects important info
ISO/IEC 27002:
guidance for implementation of controls in Annex A of ISO/IEC 27001
Concepts
Information security: practice of preventing unauthorized access, use, disclosure,
disruption, modifiation, inpsection, recording or destructino of information
Confidentiality
information is not available or disclosed to unathorized individuals, entities, or processes
Integrity
to maintain the acccuracy and completeness of data over its entire life-cycle. data cannot
be modified in an unauthorized or undetected manner
Availability
info is available when needed. For information to be available it means that the computing
systems that process the info and the comm channels through which info is being sent are
working correctly
Risk
the lielihood of something happening
Risk management
process of identifying information security risks, evaluating them and dealing with risks
threat
anything that can harm an information asset (it can be man-made or a natural event)
vulnerability
a weakness that can be used to harm an information asset
information asset
content of valuable info and the hardware or software where it is contained
Section 2: Context of the organisation
Internal Issues
Interested parties and their needs and expections
scope can be limited to only parts of the organisation or it can cover the whole
organisation
top managmenet needs to demonstrate leadership & commitment with respect to the
ISMS
How
Ensure ISMS policy and objectives are established
Ensure info sec is integrated with the business processes provide resources for the
ISMS
communicate on the importance of info sec
monitor the management system
provide an example by promoting continual improvement
support others to demonstrate leadership
1. start from information assets and try to identify the threats and vulnerabilities related
to the assets
use:
asset
threat
vulnerability
impact
likelihood
risk level
acceptable
risk owner
risk owners - persons (strucrtures) who are accountable for the management of the
management of the risk
ISO 31000
IEC 31010
ISO/IEC 27005
the choice belongs to the organisation and should be balanced taking into account
resources and impact
use
No
controls
detailed
Justification for inclusion
Justification for exclusion
Implemented (y/N)
evidence of implementation
the risk that is being addressed and its level according to the assessment
the aciton proposed to treat the risk
who is in charge iwth implementing the actions
resources (budget)
timeframe for implementation
Residual Risk
The remaining risk after treatment action are applied. Residual risk needs to be evaluated
similar to the inital process to see if it falls into the acceptable category. If not, new
treatment should be decided
objectain the approval of the risk owners for the risk treatment plan as well as for the
risidual risks
Competence
The organisation is required to:
determine the necessary comptence of persons whose work may affect info sec
take actions to acquire the needed competence and evaluate the effectiveness of
those actions
know about risk assessment and risk treatment processes including the controls of
Annex A and the guidelines provided by ISO/IEC 27002
encouraging self-study
mentoring
Awareness is key in improving the security level and make people see info sec as
an integral part of their day-to-day operations
Awareness Activites:
training
positing on the social media of the organisation
events like "info sec day"
newsletters, etc
Awareness activities should take place periodically and awareness toipics should be in line
with business needs
13 Communication
The organisation shall determine the need for internal and external
communications relevant to the ISMS
Determine:
on what to communicate
when to communicate
with whom to commuinicate
who shall communicate
the process by which communication shall be effected
The organisation shall plan, implement and control the processes needed to meet
info sec requirements and to implement the actions that were decided following
the risk assessment and risk treatment processes
Changes
should be planned with a review of consequences and risk involved
uninteded changes: consequences should be reviewed and actions taken to mitigate
undesired effects
In case of changes - perform risk assessments to evaluate new or modified risks and
decide on risk treatement actions
information security events and out of them how many have been info sec incidents
accomplishment of info sec objectives
reported security vulnerabilities
The information collected through monitoring and measurement has to be analyused and
evaluated to see what can be improved
for development of internal audit programme the organisation should take into
consideration
18 Management review
Top management shall review at planned intervals the ISMS to ensure it continues
to be suitable, adequate and effective.
Input data:
Output data:
nonconformity identified
react (correct the situation and handle the consequences)
Investigate (find similar situations)
Propose and Implement corrective actions (to eliminate cause of nonconformity)
Review effectiveness of the corrective actions
Section 9: intro to second part of the course
35 security categories
The organisation should define, publish and communicate to its employees and to
any external parties as needed a set of info sec policies.
(definition of info sec, the objectives and principles; reasoning for the ISMS; info sec is
actively supported by management; responsibilities for info sec in the organisation;
references to lower level policies, regulations, manuals; how any deviation from the policy
are to be handled by the management; etc)
Info Sec policy - communicated to staff, persons working for organisation and external
parties
access controls,
information classification
physical and environment security
acceptable use of resources
clear desk and clear screen
information transfer
mobile devices and teleworking
restrictions on software installation and use
backup
protection from malware
management of technical vulnerabilities
cryptographic controls
communication security
privacy and protection of personally identifiable information
supplier relationships
The Responsibilities for all personnel should be defined and clearly communicated
All staff should have a basic responsibility for security included in job descriptions and
should understand their security responsibility
There should be measures in place so that duties and areas of responsibility that
are in conflict be segregated
Principles:
Dividing the job between 2 or more staff provides a system of verification of one by the
other ( ex 2 keys or passwords)
Segregation of duties - more difficult to implement for small companies (if is not possible
record all activities and to review the records independently to identify suspicious or
unauthorised activity)
23 Contact with authorities and special interest groups
Procedures to specifify:
Benefits of memberships:
The organisation needs to includ info sec in project management never mind the
type of project
Info sec should be integrated into the organisation's project management to ensure that
security risks are identified and addressesd as part of the projects
Responsibilities for info sec should be defined and allocated for each project
24 Mobile devices and teleworking
The organisation should have a policy and security measures in place to manage
risks associated to mobile devices use
seperate business and private use of the ddevices (ex with a software)
give access to business information only after the user has signed an agreement
acknowledging duties, waiving the ownership of business data and allowing remote
wiping of the data by the organisation in case of theft or loss of the device
Control - 6.2.2 Teleworking
Decide whether to allow private owned equipment for teleworking or provide equipment
there have to be background checks for all candidates for employment done in
accordance with the legislations and ethics. The checks are to be proportional to
the sensitivity of the information to be accessed by the employee, the risks
involved and the business requirements
character references
verificattion of the CV
confirmation of claimed academic and professional qualifications
independent verification of identity of the candidate
more detailed review (such as credit review, review of criminal record)
The level of the detail for the verifications during screening are correlated with the access
held by the individual to confidential information
The responsibilities of employees and contractors for info sec as well as the
responsibilities of the organisation should be documented in the contractual
agreements
all individuals who have acess to confidential information have to sign a confidentiality
or non-disclosure agreement berfore accessing information
what are the employee's legal responsibilities and rights (ex with regards to copyright
legislation, privacy and protection of personally identifiable information etc.)
actions that can be taken by the organisation in case the employee disregards security
requirements
informated of their info sec sroles and responsibilities before obtaining access to
confidential information
Management should excercise control and check th ecompliance with policies, procedures
and regulations in the day-to-day work
The organisation should develop security awareness programme to make individuals aware
of their responsibilities for info sec and how they should act
All personnel should be trained on info sec procedures and policies and on the use of
equipment and software relevant to their jobs (internal or external training)
The organisation has to define and commuinicate to its employees and its
contractors their duties and responsibilities related to information security
that remain valid after their employment is terminated or changed
The organisation has to identify all assets associated with information and
information processing facilities and should create and establish an inventory of
assets
physical assets - equipment identity, location, maker, model, serial number and
inventory tag
documentation - including system documentation, contracts, procedures and business
continuity plans etc
software products - including licensing information and where they are used
services - including utilities
the organisation should identify, document and implement rules for the acceptable
use of assets associated with information and information processing facilities
Individuals should be made aware of the security requirements associated with the assets
and should be responsible for the use of the resources
there have to be rules describing the acceptable use of resources and users should be
made aware of the rules and agree with them.
upon termination of employment, contract or agreement the users should return the
assets belonging to the organisation
Procedures should ensure assets are returned when the job is terminat4ed
if the employee purchases the organisation's equipment or if it uses its own personal
equipment for busihness purposes - rules should be in place to ensure that relevant
information is transferred to the organisation and the equipment is securely erased.
29 Information classification
classification should be done by taking into consideration the level of protection needed
to ensure the confidentiality, integrity and availability of information
Procedures for information labelling need to cover information and its related assets in
physical and electronic formats
employees and contractors should be made aware of the labelling procedures
when receiving information from other organisations - care should be given to the labels
of documents as other organisations may have different definitions for the same labels
the orgainisation should implement procedures for the handling of assets in the
line with the classification scheme
Procedures for asset handling are meant to prevent the risk of sensitive information
being mishandled and should detail:
30 Media handling
Removable media (flash disks, removable hard drives, cds, dvds, printed media, etc)
containing the organisation's data presents a vulnerability to loss of data and breaches of
confidentiality
Procedures for secure disposal reduce the risk of confidential informationm leakage to
unauthorised persons
Transportation of media = risks for loss, corruption, unauthorised access and misuse
Access control rules, access rights and restrictions for specific user roles should be
established
An access control poilicy should exist and should address some elements:
Users should onlyh have access to the network and network services that they have
been specifically authorized to use
ISO/IEC 27002 recommends a policy on the access to networks that should cover:
Users logging to a network, computer or application should have access only to the
information and services required for their business function that they have been
authorised to use
Every user should be formally authorised and registered to each information system,
network or service that is accesses for the business needs
An easier way to manage access rights is by using role based access - defining user profiles
for different roles and positions in the organisation
The allocation of privileged access rights should be controlled and there should
be a formal process for this
Privileges = means to shortcut controls Uncessarry allocations and use of privileges may
lead to security breaches
Access rights have to be based on business needs and when the business need changes or
passes the access should be cancelled
Period access rights should be reviewed and if found that some access rights are not
needed they have to be withdrawn.
If the user is part of a group - and access rights are allocated at group level - the individual
leaving should be removed from the group and the other members should be informed to
no longer share information with the person departing.
33 User responsibilities
The users are to be required to follow the organisation procedures for the use of
secret authentication information
Users need to be aware of the fact that they can be held accountable for someone else
using their passwords
Access to information and application should be restricted in line with the acces
control policy
control the access of users in terms of what they can do - read, write, delete, execute
control which data can be accessed by each particular user
control the access rights of applications
provide menus to control access to application system functions
easy to understand
user-friendly
must not give information about the system or application that the user is trying to
access (before accessing it)
should minimize the opportunity for unauthorized access
b) displaying a general notice warning that the computer should only be accessed by
authorised users
h) display the following information on completion of a successful log-on: date and time of
the previous successful log-on; details of any unsuccessful log-on attempts
The organisation should use interactive password management systems that ensure
quality passwords
enforce the use of individual user IDs and passwords to maintain accountability
allow users to select and change their own passwords and includes a confirmation
procedure
maintain a record of previously used passwords and prevent the re-use of past
passwords
The organisation should restrict and strictly control the use of utility programs
that are capable of overriding system and application controls
Because utility programs may provide access to the parts of the system by overriding
controls they can be risk for security
users have to be identified and authorised for their use and logs should be maintained
utility programs should be segregated from application software and users should not
have access to privilege functions from their normal user accounts
Unauthorised access to program source code can be a great opportunity for an intruder
to modify the system
there have to be some rules for the management of program source code and
libraries where they are stored
the updating of program source libraries should only be done with authorization
35 Cryptographic controls
the organisation should develop and implemenmt a policy for the use of
cryptographic controls
ISO/IEC 27002 recommends a policy for the use of cryptographic controls that should
address a few aspects:
general principles under which busines information should be protected and the
approach on the use of cryptographic controls
approached about using encryption for protection of information taken outside the
organisation
approach to key management - how are they protected and what happens in case
keyhs are lost or compromised
responsibilities - who is in charge for the implementation of this policy and the
management of the keys
There are regulations and restirictions to the use of cryptographic controls that may exist
in different countries and jurisdictions.
The organisation has to protect the cryptographic keys against loss, modification,
unauthorised access and disclosure
Key management process should cover the whole lifecycle of the keys - generating, storing
it, archiving, retrieving, distributing, retiring and destroying of keys
Policy on key management: a set of rules that will apply to a number of activites like:
storing keys
destroying keys
To reduce the likelihood of improper use IS/IEC 27002 recommends defining activation
deactivation dates for keys - so that they can only be used for a period of time
The organisation should define and use security permiters to protect aareas that
contain either sensiteve or critical information and information processing
facilities
Have multiple barriers or systems to prevent unauthorised access so the failure of one
barrier does not compromise the securityh immediately
There should be entry controls to ensure that only authorised personnel are
allowed to access secure areas
Guidelines for designing entry controls:
The organisation should design and apply physical protection measures for
offices, rooms and facilities
Control measures for offices, rooms and facilities should be suitable to the value and
importance of assets inside.
directories and phone books should not be readily accessible to anyone from outside
the organisation
For many of those in most countries there is a specific legislations and ISO/IEC 27002
recommends the use of specialist advice on this matter
The organisation should develop and use procedures for working in secure areas
Guidelines:
personnel should only be aware of the existence of, or activities within a secure area
on a need-to-know basis
onlyu authorised personnel shall be allowed inside
unsupervised work in secure area should be avoided as much as possible and
depending of course on the specifics of the area
vacant secure areas should be locked and checked periodically
photogrpahic, video and audio recording equipment should not be allowed in secure
areas unless specifically authorised
Delivery and loading areas, as well as any other access points where unauthorised
persons could enter the premises should be controlled and if its possible they
should be isoloated from the information processing facilities to avoid
unauthorised access
delivery and laoding areas should be desinged so that delivery and loading personnel
cannot access other parts of the building from the areas
external doors of delivery and loading areas should be closed when internal doors
that lead inside the organisation are open
records of deliveries and dispatches shouuld be kept (on paper or video recording)
The equipment needs to be sited and protected from environmental threats and
hazards and unauthorised access
Guidelines:
A problem with any supporting utility should be identified by an alarm system. Supporting
utilities should be in line with the legal requirements and meet the needs of business
growth. They should be inspected regularly to ensure proper functioning.
Redundant connections for network connectivity should be obtained through the use of
more than one provider.
Guidelines:
Guidelines:
The organisation should have rules covering and a process to authorise taking assets
out of the premises
Assets off-site should be protected taking into consideration the different risks
involved by working outside the organisation premises
The use of equipment outside the premises involves many security threats
it should not be left unattended in public places and it should be protected (according
to its manufacturer specifications - ex protection from electromagnetic fields)
if the equipment is transferred between individuals there should be a log that defines
the chain of custody
**Have controls in place to ensure that equipment to be disposed of or re-used does not
contain sensitive information
The organisation should develop and implement a clear desk polikcy for papers and
removable storage media and a clear screen policy for information processing
facilities
Defining and applying a clear desk/clear screen policy reduces the risks of unauthorised
access, loss and damage of information
Guidelines include:
The organisation should document and make available to all users operating
procedures
The use of resources should be monitored, tuned and projections made of future
capacity requirements to ensure the required system performance
Capacity management refers to information processing facilities but also to office space
and human resources
Critical systems like network gateways or main database servers should be prioritized and
there should be a documented capacity plan made for those resources
The operational systems must be kept reliable and using the same equipment or software
for both current operation and development and testing of new systems - can affect the
operational environment's integrity and availablity
Its desirable that development and operational softweare be segregated through strong
acess controls
seperate domains completely segregated from each other (if not seperate log-on
procedures)
users should use different profiles and operational and testing systems
compilers, editors and other development tools or system utilities should not be
accessible from operational systems when not required
40 Protection from malware
Guidance:
- define a policy to prohibit the use of unauthorized software and implement
controls to detect the use of such software
- have a policy aimed to protect against risks associated with obtaining files
and software from or via external networks
- use and regular update of malware detection and repair software and scan
computers and media on a regular basis
**For systems where sensitive information is being processed, the use of more
than one vendor's antivirus software may improve detection rate**
## 41 Backup
The organisation should have a backup policy to ensure that backups of information and
software are taken and tested regularly
- the extent of backup should be in line with the business requirements and the
criticality of the information being backed-up
- the backups should be located where they cannot be damaged by a disaster at the
main site
- backup media should be tested periodically to ensure they can be relied upong
Event logs record user activites, exceptions, faults and security events. the organisation
should ensure that such logs are produced, lept and regularly reviewed
Logs are valuable to investigate incidents, events that led to security problems
and to determine who is accountable for different activites
For every information processing facility there should be an event log kept -
that is independent and not accessible by the user
- user IDs
- system activities
- dates, times and details of key events, e.g. log-on and log-off
- device identity or location if possible
-- records of successful and rejected system access attempts
- changes to system configuration
- use of privileges
- use of system utilities and applications
- files accessed
- alarms raised
- activitation and de-activation of protected systems, such as the anti-virus
systems
- records of transaction executed by users in applications...
Logs should be kept for a sufficent period of time so that they can be used if
needed for an investigation
The organisation should protect logging facilites and log information against tampering
and unauthorised access
A method to safeguard logs is to copy them in real time to a system outside the
control of the system adminsitrator
Control - 12.4.3. Adminsitrator and operator logs
The activites of system administrators and the activites of operators should be logged and
the logs should be protected and reviewed regularly
A user with privileges amy be able to manipulate logs so its necessary to employ
some protection for such situations
the clocks of all relevant information system within an organisation or security domain
should be synchronised to a single reference time source
Clock synchronisation is needed because most logs are time and date stamped
The organisation should have procedures for the installation of software on operational
systems
Systems can be affected by the installation of unauthorised software and by
unauthorised changes to software
- operational systems should only hold approved executable code and not
development code or compilers
Physical or logical access to suppliers for software support should only be given
for specific activites, under approval from amangement and be it should be
monitored
Technical vulnerabilites being exploited is among the most commong type of attacks on
organisations information systems.
once a technical vulnerability has been identified - assess associated risks and
decidedd actions
if a path is available from a legitimate source the risks associated with installing the
patch should be assessed and patches should be tested before being installed. there
should be a possibility to uninstall apatch and go back to the previous state
if no patch is available some other actions should be taken - turning off services
related to the vulnerability, changing or adding acess controls ( like firewalls );
increasing monitoring to detect attacks and raising awareness
The organisation should established and implement rules for the installation of
software by users
In most organisations a certain group of users enjoy increased privileges - allowing them
to install software.
Rules on what types of software installations are permitted and what installations are
prohibited
No informaiton should be changed during audit activities and access should be logged as
in the case of any other operation
The audit should be limited to read-only access to software and data If some audit tests
that could affect system availability are needed to performed during the audit - they
should be scheduled to run outside business hours.
The networks have to be controlled and managed so that the information in systems
and applications is protected
ISO/IEC 27001 requires the organisation to implement controls to ensure the security of
the information passing through networks and the protection of devices connected to the
networks
define and apply some supplementatary controls to protect the confidentiality and
integrity of data passing over public networks or through wireless networks - as the
risks are considerably higher
Third party supplied network services carrry a risk of unauthorised access attempts that
may lead to security breaches
Network services may include - provision of connections, private network services, security
solutions for the networks (like firewalls or instrusion detection systems)...
The organisation should agree with the service provider (and document in the contracts)
on the security features for the services it provides and should monitor the services to see
if they meet requirements.
Security can be managed easier if the network is divided into physical or logical
domains and security measures are implemented to manage the gateways between the
domains
Wireless networks - difficult to define exactly the perimeter - ISO/IEC 27002 recommends
for sensitive networks (where critical data is stored or processed) to treat all wireless access
as external connections and to segregate the access from internal networks and the pass
the wireless access through a gateway before accessing internal systems
The domains and their relationship should be documented in a network map or similar
document
47 Information transfer
The organisation should have transfer polices, procedures and controls to protect
the transfer of information for all types of communication facilities
Guidelines:
- rules to protect against malware that can be transmitted through the use of
electronic communications
The organisation should include in agreements with other parties the secure transfer of
business information
- escrow agreements
- courier identification
Email involves many risks if used withouth appropriate controls (ex financial
fraud, infection, legal issues)
**There should be some rules or procedures in place fo rthe use of email and tis
essential that staff are aware of: the risks involved, the organisations
requirements and the control mechanisms in place.
Contorl - 13.2.4. Confidentiality or non-disclosure agreements
The organisation should have suitable confidentiality and non-disclosure agreements that
are in line with the neds for the protection of information
The organisation should include security requirements in its requirements for new
information systems or enhancements to existing information systems
**The organisation needs to recognise information security requirements from the first
stages of information system acquisition or development
Information from application services that are passing over public networks
should be protected from fraudulent activity, contract dispute and unauthorised
disclosure and modification
encyrption to ensure the confidentiality of information like billing details and personal
information
digital signatures to ensure the integrity of electronic transactions and to authenticate
the partners in the transactions
both encryption and digital signatures to achieve non-repudiation that mayu be
needed in case of disputes on the occurrence or non-occurrence of a certain event
who is allowed to carry out electronic commerce activities and what is the employee
authorised to do
what controls are in place to monitor activities and ensure protection of the
information involved
The organisation should develop and apply rules for the development of software
and systems
A risk assessment and analysis on the impact of change should exist along with the
specificaiton of security controls needed
authorisation of changes
fallback arrangements
reviews and tests
version control of all software updates
audit trail of all changes
Update system documentation on the completion of the change
implementing changes so that distubance to business processes is minimal
ISO/IEC 27002 recommends to have a formal process to review the applications and test
for possible vulnerabilities that may appear after a new operating system is implemenmted
or the existing one is changed
If a software package needs to be modified to suit a business need the following should be
considered:
The organisation should establish, document, maintain and apply principles for
engineering secure systems for all its implemenmtation efforts
**Security engineering focuses on the security aspects in the design of systems that need
to be able to deal with possible sources of disruption, ranging from natural disasters to
malicious acts
Principles for security engineering have to be reviewed periodically to ensure they are
still up-to-date
Development outsourcing involves risks since the process is not under the control of the
organisation
The organisation should have clear agreements with the software development suppliers
to protect against risks and to ensure on-time delivery of the product and functionality
aspects
For in-house developments such tests should be performed by the development team and
the extent of testing should be of course proportional to the importance and nature of the
system
The organisation should establish acceptance testing programs and criteria for
new information systems, upgrades and for new versions.
The organisation should define acceptance criteria and testing to ensure that those criteria
are met before the new system is introduced.
Automated tools can be used - like code analysis tools or vulnerability scanners and
security related defects should be remediated.
Avoid the use of operational data containing personally identifiable information or any
other confidential information for testing pruposes
Guidelines of ISO/IEC 27002 for protecting operational data used for testing:
Use the same access control procedures for test application systems as for operation
systems
existence of an authorisation each time opoerational information is used in a test
environment
after testing is finalised the data is no longer needed should be securely erased from
the test system
Logging the use of operational information for testing purposes
Section 20 - Supplier relationships
The organisation needs ot agree with its suppliers and to document the
requirements for information security needed to mitigate risks that may arise
from the supplier's access to its assets.
The contracts signed with teh suppliers should include all relevant information
security requirements
The contracts signed with supplier depends on the risks involved but the best practice is
to make the contracts as detailed as possible in terms of information security
Suppliers should not be allowed access to the organisation's assets before the contracts
are not agreed and signed and any other controls agreed by the parties are not
implemented.
if the parties agree that the organisation can audit the supplier
This is meant to address the risks associated with the supplier's sub-suppliers
So the organisation should investigate its IT&C supply chain and document in the
contracts with its suppliers some aspects on this topic, like:
asking the supplier to propagate the organisation's security reequirements
throughout the supply chain
getting assurance that critical components origins can be traced throughout the
supply chain
how the supplier evaluates its own suppliers and how it chooses them
have regular meetings with the supplier to discuss the conformity of the services to
requirements
Important aspects: how the supplier deals with security incidents; if the supplier has
security requirements for its own suppliers and if the suppplier has the capability to
ensure continuity of services in case of major problems or disasters
Section 21: Information security incident
management
There should be procedures in place to ensure that security incidents are reviewed and
investigated
A security event can be considered anything that can result in loss or damage to assets
or an action that is against the security policies of the organisation
Point of contact - a person or department where events are being reported and that is the
first line of response to the incident.
The reporting of events should be standardized and all staff should be advised to report
events as soon as possible
All employees and contractors need to be trained to report any security weakness
- be it observed or suspected
Weaknesses need to be reported to the point of contact to prevent information security
incidents
All users should understand that they are required to report any weaknesses and not try to
test the weaknesses to be sure or exploit them.
Contact point provides initial triage - review of each event and evaluate the impact to
decide whether it has to be classified as information security incident.
The contact point may not be the single decision layer with regards to incidents - the
organisation may have an information security incident response team (ISIRT) and the
incident will be escalated here for assessment and decision.
Incidents should be responded to with the first goal being to resume "normal security
level" and then initiate recovery
The organisation is required to use the knowledge it gets from dealing with
security incidents to learn reduce the likelihood and impact of future incidents
Besides resolving security incidents its important that people learn from the security
incidents to avoid them happening in the future or if they happen to deal with them
more effectively.
Case studies and anecdotes from actual security incidents can be used in awareness
training as examples of what can happen, how to avoid situations and how to respond
The organisation should collect and preserve information which can serve as
evidence according to established procedures
In most cases its not clear whether a certain incident will end up in court or not The
organisation should collect information that can serve as evidence for every information
security incident
If there is a need for information security when things are ok, then there is a need for
information security when things go wrong too
information security aspects should be inserted in the planning for business continuity and
disaster recovery.
The requirement here is for the organisation to have processes, procedures and
controls in place to ensure the continuity of information security during an
adverse situation
have a management structure in place that will preapre for and respond to an a
disruptive event using personnel with sufficient competence and authority
nominate personnel with the specifics tasks to maintain information security in case of
an unexpected event
have plans and procedures for the response and recovery that include aspects on how
to maintain information security while managing the disruptive event.
Information security continuity processes, procedures and controls need to be tested for
functionality
The organisation needs to identify the business requirements for availability of information
systems, see what the current systems provides and where the existing architecture cannot
guarantee availability needed the organisation should consider the use redundant
components or systems to match the needs for availability.
Identify, document and keep up to date all legal regulatory and contractual
requirements applicable to each information system of the organisation
The risk is for legal action against the organisation for unauthorised use of copyright
material
Guidelines:
make inventory checks at least once per year to ensure all software in use is licensed
There is legislation defining retention periods for many types of records and the
organisation is required to complyh
When keeping records for loing periods considerations should be given to the risk of
deterioration
The organisation should have a policy to ensure the complaince with relevant legislation
related to privacy and personally identifiable information.
A solution is to nominate a "Privacy officer"
Some countries prohibit the export of cryptography software, some restrict the import of
such software; some legislations require licensing for the use of the cryptography software.
Look for legal advice to make sure it complies with specific legislation on all the markets
where it activates.
An independent review is useful to ensure that the approach taken by the organisation
on information security is suitable and also to find opportunities for improvement.
The review should be done by individuals that are independent from the area under
review.
Technical compliance review requires skilled personnel and the help of automated tools:
Penetration tests
Vulnerability assessments
Technical reviews have to be done with the proper planning, have to be authorised and
documented
ISO 27001:2022 What has changed?
1. Name changed
Old Name:
ISO/IEC 27001:2013
Information technology —
Security techniques—
systems — Requirements
New Name
ISO/IEC 27001:2022
Systems — Requirements
2. Abstract
This document specifies the requirements for establishing, implementing, maintaining and
continually improving an information security management system within the context of the
organization.
This document also includes requirements for the assessment and treatment of information security
risks tailored to the needs of the organization.
The requirements set out in this document are generic and are intended to be applicable to all
organizations, regardless of type, size or nature.
3. Number of pages
ISO/IEC 27001:2013
23 Pages
ISO/IEC 27001:2022
19 Pages
4. New terminology databases
ISO/IEC 27001:2013
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO/IEC 27001:2022
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses
ISO/IEC 27001:2013
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security
ISO/IEC 27001:2022
a) interested parties that are relevant to the information security management system
b) the relevant requirements of these interested parties
c) which of these requirements will be addressed through the information security
management system
ISO/IEC 27001:2013
The organization shall establish, implement, maintain and continually improve an information
security management system, in accordance with the requirements of this International Standard.
ISO/IEC 27001:2022
The organization shall establish, implement, maintain and continually improve an information
security management system, including the processes needed and their interactions, in accordance
with the requirements of this document.
ISO/IEC 27001:2013
The organization shall establish information security objectives at relevant functions and levels.
ISO/IEC 27001:2022
The organization shall establish information security objectives at relevant functions and levels
ISO/IEC 27001:2013
No
ISO/IEC 27001:2022
When the organization determines the need for changes to the information security management
system, the changes shall be carried out in a planned manner.
ISO/IEC 27001:2013
7.4 Communication
The organization shall determine the need and external information security relevant to the
information security management system including:
a) on what to communicate
b) when to communicate
c) with whom to communicate
d) who shall communicate
e) the processes by which communication shall be affected
ISO/IEC 27001:2022
7.4 Communication
The organization shall determine the need for internal and external communications for internal
communications relevant to the management system including:
a) on what to communicate
b) when to communicate
c) with whom to communicate
d) how to communicate.
ISO/IEC 27001:2013
The organization shall plan, implement and control the processes needed to meet information
security requirements, and to implement the actions determined in 6.1. The organization shall also
implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that
the process have been carried out as planned.
The organization shall control planed changes and review the consequences of unintended change,
taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced process is determined and controlled.
ISO/IEC 27001:2022
The organization shall plan, implement and control the processes needed to meet requirements, and
to implement the actions determined in Clause 6, by
Documented information shall be available to the extent necessarily have confidence that the
processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that externally provided processes, product or services relevant to the
information security management are controlled.
ISO/IEC 27001:2013
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results.
ISO/IEC 27001:2022
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
ISO/IEC 27001:2013
ISO/IEC 27001:2022
9.2 Internal audit
9.2.1 General
9.3.1 General
c) changes in needs and expectations of interested parties that are relevant to the information
security management system
ISO/IEC 27001:2013
ISO/IEC 27001:2022
Annex A