News from the information security standard ISO 27001 version 2013
Last update: 26 April 2021
The ISO 27001 version 2013 standard was published in 2013 and replaces the 2005 version.
Choosing to implement an information security management system makes it possible to:
- guarantee the confidentiality, integrity, availability and traceability of information
- reduce information security risks
- seize opportunities for continual improvement
1. THE 10 CLAUSES ACCORDING TO ANNEX SL (AND THEIR PLACE IN THE PDCA CYCLE):
- Scope
- Normative references
- Terms and definitions
- Context of the organization (P)
- Leadership (P, D, C, A)
- Planning (P)
- Support (P)
- Operation (D)
- Performance evaluation (C)
- Improvement (A)
Annex A (normative) Reference control objectives and controls
2. DIFFERENCES FROM THE 2005 VERSION
- high level structure (10 clauses, of which clauses 4 to 10 contain requirements)
- PDCA cycle not explicit
- process approach not explicit
- the needs and expectations of interested parties are explicit
- leadership and commitment
- efficiency of the ISMS
- policy and commitment
- risk-based approach
- plan actions to achieve information security objectives
- evaluation of the effectiveness of actions
- explicit awareness
- explicit communication
- risk assessment
- evaluate information security performance and the effectiveness of the ISMS
- no preventive action
3. DOCUMENTED INFORMATION (PROCEDURES, POLICIES AND RECORDS) REQUIRED
- documented information to be maintained (procedures, which must be available):
  - scope of the ISMS (sub-clause 4.3)
  - documented information (sub-clause 7.5)
  - training and awareness (A.7.2.2; sub-clauses 7.2, 7.3)
  - classification and labelling (A.8.2.1; A.8.2.2)
  - handling of assets (A.8.2.3)
  - removable media (A.8.3.1)
  - disposal of media (A.8.3.2; A.11.2.7)
  - secure log-on (A.9.4.2)
  - secure areas (A.11.1.2; A.11.1.5; A.11.1.6)
  - change management (A.12.1.2; A.14.2.2)
  - installation of software (A.12.5.1; A.12.6.2)
  - information transfer (A.13.2.1)
  - incidents (A.16.1)
  - business continuity (A.17.1)
  - regulatory watch (A.18.1.1)
  - intellectual property rights (A.18.1.2)
- policies:
  - information security (sub-clause 5.2; A.5.1.1)
  - mobile device (A.6.2.1)
  - teleworking (A.6.2.2)
  - asset management (A.8.1)
  - access control (A.9)
  - cryptographic controls (A.10.1; A.18.1.5)
  - clear desk and clear screen (A.11.2.9)
  - protecting against malware (A.11.1.4; A.12.2.1; A.13.2.1)
  - backup (A.12.3.1)
  - management of vulnerabilities (A.12.6.1)
  - network controls (A.13.1.1)
  - development (A.14.2)
  - supplier relationships (A.15.1; A.15.2)
  - compliance (A.18.1.1; A.18.2.2; A.18.2.3)
  - personal data (A.18.1.4)
- documented information to be retained (records and instructions, identified and controlled):
  - external and internal issues (sub-clause 4.1)
  - list of interested parties (sub-clause 4.2)
  - job descriptions (sub-clause 5.3)
  - risk acceptance criteria (sub-clause 6.1.2)
  - criteria for performing information security risk assessments (sub-clause 6.1.2)
  - statement of applicability (sub-clause 6.1.3)
  - risk treatment plan (sub-clause 6.1.3)
  - objective achievement plan (sub-clause 6.2)
  - provided resources (sub-clause 7.1)
  - competence development plan (sub-clause 7.2)
  - awareness improvement plan (sub-clause 7.3)
  - communication improvement plan (sub-clause 7.4)
  - list of documented information (sub-clause 7.5.3)
  - documented information of external origin (sub-clause 7.5.3)
  - codification of documents (sub-clause 7.5.3)
  - process follow-up (sub-clause 8.1)
  - change management plan (sub-clause 8.1)
  - risk assessment results (sub-clause 8.2)
  - risk treatment results (sub-clause 8.3)
  - monitoring and measurement results (sub-clause 9.1)
  - audit programme (sub-clause 9.2)
  - audit report (sub-clause 9.2)
  - management review conclusions (sub-clause 9.3)
  - nature of the nonconformities (sub-clause 10.1)
  - results of corrective actions (sub-clause 10.1)
  - ISMS improvement plan (sub-clause 10.2)
  - functions and responsibilities (A.6.1.1)
  - notification of authorities (A.6.1.3)
  - mobile device security (A.6.2.1)
  - security for teleworking (A.6.2.2)
  - terms and conditions of employment (A.7.1.1)
  - commitment to security rules (A.7.2.1)
  - certificate of attendance (A.7.2.2)
  - training assessment (A.7.2.2)
  - disciplinary rules (A.7.2.3)
  - breach of contract rules (A.7.3.1)
  - inventory of assets (A.8.1.1)
  - rules for the use of assets (A.8.1.3)
  - classification plan (A.8.2.1)
  - scrap inventory (A.8.3.2; A.11.2.7)
  - protection of media during transport (A.8.3.3)
  - registration and de-registration (A.9.2.1)
  - access provisioning (A.9.2.2)
  - user engagement (A.9.2.4; A.13.2.4)
  - review of access rights (A.9.2.5)
  - password (A.9.4.3)
  - privileged authorizations (A.9.4.4)
  - cryptographic keys (A.10.1.2)
  - security perimeter (A.11.1.1)
  - visitor access (A.11.1.2)
  - equipment protection (A.11.2.1)
  - cabling security (A.11.2.3)
  - equipment maintenance (A.11.2.4)
  - removal of assets (A.11.2.5)
  - change request (A.12.1.2)
  - malware protection (A.12.2.1)
  - event logging (A.12.4.1)
  - technical vulnerabilities (A.12.6.1)
  - network protection (A.13.1.1)
  - system change request (A.14.2.2)
  - engineering principles (A.14.2.5)
  - information security with suppliers (A.15.1.1)
  - supplier agreement (A.15.1.2)
  - supplier performance (A.15.2.1)
  - changes in supplier services (A.15.2.2)
  - incident record (A.16.1.1)
  - list of evidence (A.16.1.7)
  - business continuity plan (A.17.1.2)
  - list of requirements (A.18.1.1)
  - corrective action report (A.18.2.2)
4. REQUIRED PROCESSES
- assess risks (sub-clause 6.1.2)
- treat risks (sub-clause 6.1.3)
- apply discipline (sub-clause 7.2)
- manage the employment contract (sub-clause 7.2)
- communicate (sub-clause 7.4)
- meet information security requirements (sub-clause 8.1)
- control the outsourced processes (sub-clause 8.1)
- register and de-register users (sub-clause 8.1)
- provide user access (sub-clause 8.1)
- manage user authentication (sub-clause 8.1)
- develop and support information security (sub-clause 8.1)
- manage the continuity of information security (sub-clause 8.1)
- apply information security (sub-clause 8.1)
- inspect information security (sub-clause 9.1)
- audit internally (sub-clause 9.2)
5. ON THE CONTENT
- the terms "documented procedure" and "record" are replaced by the following (which is rather confusing):
  - documented information to be available
  - documented information to be retained
  - documented information to be kept
  - documented operating procedures
  - documented procedures
  - policies
- no process mapping requirement
- no requirement on staff satisfaction, perception, appreciation and recognition