Thursday, October 21 2021

What is new in the ISO 27001 standard, version 2013

Last update: 26 April 2021

The ISO 27001 version 2013 standard was published in 2013 and replaces the 2005 version.

Choosing to implement an information security management system makes it possible to:

  • guarantee the confidentiality, integrity, availability and traceability of information
  • reduce information security risks
  • seize opportunities for continual improvement

ISO 27001 requirements version 2013


1. THE 10 CLAUSES ACCORDING TO ANNEX SL (AND THEIR PLACE IN THE PDCA CYCLE):

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization (P)
  5. Leadership (P, D, C, A)
  6. Planning (P)
  7. Support (P)
  8. Operation (D)
  9. Performance evaluation (C)
  10. Improvement (A)

Annex A (normative) Reference control objectives and controls

2. DIFFERENCES FROM THE 2005 VERSION

  • high-level structure (10 clauses, of which clauses 4 to 10 contain requirements)
  • PDCA cycle not explicit
  • process approach not explicit
  • the needs and expectations of interested parties are explicit
  • leadership and commitment
  • efficiency of the ISMS
  • policy and commitment
  • risk-based approach
  • plan actions to achieve information security objectives
  • evaluation of the effectiveness of actions
  • explicit awareness
  • explicit communication
  • risk assessment
  • evaluate information security performance and the effectiveness of the ISMS
  • no preventive action

3. DOCUMENTED INFORMATION (PROCEDURES, POLICIES AND RECORDS) REQUIRED

  • documented information to maintain (procedures, available):
    • scope of the ISMS (sub-clause 4.3)
    • documented information (sub-clause 7.5)
    • training and awareness (A.7.2.2; sub-clauses 7.2, 7.3)
    • classification and labelling (A.8.2.1; A.8.2.2)
    • handling of assets (A.8.2.3)
    • removable media (A.8.3.1)
    • disposal of media (A.8.3.2; A.11.2.7)
    • secure log-on (A.9.4.2)
    • secure areas (A.11.1.2; A.11.1.5; A.11.1.6)
    • change management (A.12.1.2; A.14.2.2)
    • installation of software (A.12.5.1; A.12.6.2)
    • information transfer (A.13.2.1)
    • incidents (A.16.1)
    • business continuity (A.17.1)
    • regulatory watch (A.18.1.1)
    • intellectual property rights (A.18.1.2)
  • policies:
    • information security (sub-clause 5.2, A.5.1.1)
    • mobile device (A.6.2.1)
    • teleworking (A.6.2.2)
    • asset management (A.8.1)
    • access control (A.9)
    • cryptographic controls (A.10.1; A.18.1.5)
    • clear desk and clear screen (A.11.2.9)
    • protecting against malware (A.11.1.4; A.12.2.1; A.13.2.1)
    • backup (A.12.3.1)
    • management of vulnerabilities (A.12.6.1)
    • network controls (A.13.1.1)
    • development (A.14.2)
    • supplier relationships (A.15.1; A.15.2)
    • compliance (A.18.1.1; A.18.2.2; A.18.2.3)
    • personal data (A.18.1.4)
  • documented information to retain (records and instructions, identified and controlled):
    • external and internal issues (sub-clause 4.1)
    • list of interested parties (sub-clause 4.2)
    • job descriptions (sub-clause 5.3)
    • risk acceptance criteria (sub-clause 6.1.2)
    • criteria for performing information security risk assessments (sub-clause 6.1.2)
    • statement of applicability (sub-clause 6.1.3)
    • risk treatment plan (sub-clause 6.1.3)
    • objective achievement plan (sub-clause 6.2)
    • provided resources (sub-clause 7.1)
    • competence development plan (sub-clause 7.2)
    • awareness improvement plan (sub-clause 7.3)
    • communication improvement plan (sub-clause 7.4)
    • list of documented information (sub-clause 7.5.3)
    • documented information of external origin (sub-clause 7.5.3)
    • codification of documents (sub-clause 7.5.3)
    • process follow-up (sub-clause 8.1)
    • change management plan (sub-clause 8.1)
    • risk assessment results (sub-clause 8.2)
    • risk treatment results (sub-clause 8.3)
    • monitoring and measurement results (sub-clause 9.1)
    • audit program (sub-clause 9.2)
    • audit report (sub-clause 9.2)
    • management review conclusions (sub-clause 9.3)
    • nature of the nonconformities (sub-clause 10.1)
    • results of corrective actions (sub-clause 10.1)
    • ISMS improvement plan (sub-clause 10.2)
    • functions and responsibilities (A.6.1.1)
    • notification of authorities (A.6.1.3)
    • mobile device security (A.6.2.1)
    • security for teleworking (A.6.2.2)
    • terms and conditions of employment (A.7.1.1)
    • commitment to security rules (A.7.2.1)
    • certificate of attendance (A.7.2.2)
    • training assessment (A.7.2.2)
    • disciplinary rules (A.7.2.3)
    • breach of contract rules (A.7.3.1)
    • inventory of assets (A.8.1.1)
    • rules for the use of assets (A.8.1.3)
    • classification plan (A.8.2.1)
    • inventory of disposed media (A.8.3.2; A.11.2.7)
    • protection of media in transit (A.8.3.3)
    • registration and de-registration (A.9.2.1)
    • access provisioning (A.9.2.2)
    • user commitment (A.9.2.4; A.13.2.4)
    • review of access rights (A.9.2.5)
    • password (A.9.4.3)
    • privileged authorizations (A.9.4.4)
    • cryptographic keys (A.10.1.2)
    • security perimeter (A.11.1.1)
    • visitor access (A.11.1.2)
    • equipment protection (A.11.2.1)
    • cabling security (A.11.2.3)
    • equipment maintenance (A.11.2.4)
    • removal of assets (A.11.2.5)
    • change request (A.12.1.2)
    • malware protection (A.12.2.1)
    • event logging (A.12.4.1)
    • technical vulnerabilities (A.12.6.1)
    • network protection (A.13.1.1)
    • system change request (A.14.2.2)
    • engineering principles (A.14.2.5)
    • information security with suppliers (A.15.1.1)
    • supplier agreement (A.15.1.2)
    • supplier performance (A.15.2.1)
    • changes in supplier services (A.15.2.2)
    • incident record (A.16.1.1)
    • list of evidence (A.16.1.7)
    • business continuity plan (A.17.1.2)
    • list of requirements (A.18.1.1)
    • corrective action report (A.18.2.2)

4. REQUIRED PROCESSES

  • assess risks (sub-clause 6.1.2)
  • treat risks (sub-clause 6.1.3)
  • apply discipline (sub-clause 7.2)
  • manage the employment contract (sub-clause 7.2)
  • communicate (sub-clause 7.4)
  • meet information security requirements (sub-clause 8.1)
  • control the outsourced processes (sub-clause 8.1)
  • register and de-register users (sub-clause 8.1)
  • provide user access (sub-clause 8.1)
  • manage user authentication (sub-clause 8.1)
  • develop and support information security (sub-clause 8.1)
  • manage the continuity of information security (sub-clause 8.1)
  • apply information security (sub-clause 8.1)
  • inspect information security (sub-clause 9.1)
  • audit internally (sub-clause 9.2)

5. ON THE CONTENT

  • the terms "documented procedure" and "record" are dropped and replaced by a rather confusing set of terms:
    • documented information to be available
    • documented information to be retained
    • documented information to be kept
    • documented operating procedures
    • documented procedures
    • policies
  • no process mapping requirement
  • no requirement on staff satisfaction, perception, appreciation and recognition