-
INFORMATION TECHNOLOGY FLASH REPORT Security Standards ISO/IEC
27001 and 27002 Have Been Revised: What Are the Significant
Changes? October 17, 2013
What happened? In November 2013, the International Organization
for Standardization (ISO) and the International Electrotechnical
Commission (IEC) will formally release long-anticipated updates to
ISO/IEC 27001 and 27002. The last time these standards were updated
was in 2005.
ISO/IEC Standard Title Information Technology Security
Techniques
27001: 2013 Information security management systems
Requirements
27002: 2013 Code of practice for information security
controls
What are ISO and IEC? Founded in 1947, ISO is the worlds largest
developer of voluntary international standards. ISO has published
more than 19,500 standards, which are used in government, business
and industry. Representing more than 160 countries and attracting
over 30,000 experts a year, ISO gathers their opinions to form
consensus around an international standard.
Developed in collaboration with the IEC (an international
standards organization dealing with electrical, electronic and
related technologies), ISO has supported long-recognized standards
for information security called ISO/IEC 27001 and ISO/IEC 27002.
The effective use of these standards can help companies achieve
best practices in information security, avoid re-inventing security
controls, optimize the use of scarce resources, and reduce the
occurrence of major risks such as project failures, wasted
investments, security breaches, system crashes, data compromise,
and failures of service providers to understand and meet customer
requirements.
Why should companies care? Tens of thousands of companies have
adopted ISO/IEC 27001 and 27002 as their standards for information
security programs and controls. Together, they are the de facto
standards for many governance, risk and compliance (GRC) frameworks
and provide the requirements and code of practice for security
regulations, assessments, insurance premiums and frameworks. They
provide a baseline for initiating, implementing, maintaining and
improving an information security management system in any size
organization.
-
Protiviti | 2
There have been significant changes made to these two standards.
Since many organizations use these standards as a
framework/baseline/target, there may be ramifications for their
policies, standards and processes that warrant careful
consideration. Many of the changes represent the standards catching
up with ever-changing technology. Other changes are restructuring
and clarification of the existing controls. Therefore, the changes
reflected in the new security standards will need to be
incorporated into most companies information security policies,
standards and processes.
Companies currently certified with the old ISO standards (around
7,940 in total) will need to update to the new standards and
recertify using the new standards after September 2015, but many
companies may want to use the new standards to recertify before the
deadline.
Companies that use ISO/IEC as a baseline or framework for their
own security programs can update when they are comfortable with the
changes because it is their choice to use these standards. However,
one of the justifications for using ISO/IEC as standards is to take
advantage of updates and current thinking, so many companies may
choose to adopt the new standards sooner rather than later. This
Flash Report will help companies anticipate the requirements of the
new standards and the possible ramifications for the
organization.
What has changed? As summarized below, the changes are divided
into two categories (1) changes to the information security
management system (ISMS), and (2) changes to controls.
Changes to ISMS
The familiar Plan-Do-Check-Act (PDCA) process framework has been
removed.
: The ISMS remains the cornerstone of the ISO/IEC 27001 and
27002 standards. Changes made to the ISMS include:
Interested parties and their requirements need to be listed in
the ISMS and may include legal, regulatory and contractual
obligations.
The concepts of documents and records are merged together; they
now are called documented information. The requirement in the old
standard for documented procedures (document control, internal
audit, corrective action and preventive) has been removed. However,
documenting the results of processes is required. As a result,
procedures are not required, but the documented information related
to managing documents, performing internal audits and executing
corrective actions is required.
Required documents listed in the old standard (reference 4.3.1)
have been removed.
Risk assessment using an assets value, vulnerabilities and
threats has been removed in the new standard. Risks are now
associated with the confidentiality, integrity and availability of
information, and risks are assessed using the level of risk based
on their consequences and the likelihood they will materialize.
Risk ownership is also required.
Objectives for information security need to be defined,
measureable and account for requirements, and risks and results
communicated, updated and documented. Further, plans to achieve the
objectives should include what will be done, resources required,
responsibility, time frame and how results will be evaluated.
Changes to controls: Many GRC frameworks use ISO/IEC and will
need to be updated at some point to reflect the changes made in the
new standards. The table on the following page shows the structural
changes between the 2005 and 2013 versions of the ISO/IEC 27001 and
27002 standards. Differences to note include:
-
Protiviti | 3
There were 11 control domains; now there are 14, including three
additional sections. The three new sections are not really new
since these were included in the previous ISO/IEC 27001:
1. Cryptography was part of the systems acquisition, development
and maintenance domain (old control 12.3).
2. Supplier relationships were part of communications and
operations management (old control 6.2).
3. Communications security was part of the communications and
operations management (old control 10.6).
There are 19 fewer controls. (The old version had 133 controls
and the new one has 114.) There are six new controls, and 25
controls were eliminated because they were too specific or
outdated.
The following is a list of the new controls:
o 14.2.1: Secure development policy Standards for the
development of software and systems shall be established.
o 14.2.5: System development procedures Principles for
developing secure systems shall be established, documented,
maintained and applied to any information system.
o 14.2.6: Secure development environment Organizations shall
establish and appropriately protect secure development environments
for system development and integration.
o 14.2.8: System security testing Testing of security
functionality shall be carried out during development.
o 16.1.4: Assessment and classification of information security
events Information security events shall be assessed, and it shall
be decided if they are to be classified as information security
incidents.
o 17.2.1: Availability of information processing facilities
Information processing facilities shall be implemented with
redundancy sufficient to meet availability requirements.
The following table breaks down the number of controls by
section:
ISO Domain Count
Section Description
New ISO 2013
Old ISO 2005
Section Ref 2013
Controls Count
Section Ref 2005
Controls Count
1 Security policies 5 2 5 2 2 Organization of information
security 6 7 6 11 3 Human resource security 7 6 8 5 4 Asset
management 8 10 7 9 5 Access control 9 14 11 25 6 Cryptography 10 2
N/A N/A 7 Physical and environmental security 11 15 9 13 8
Operations security 12 14 10 32
-
Protiviti | 4
ISO Domain Count
Section Description
New ISO 2013
Old ISO 2005
Section Ref 2013
Controls Count
Section Ref 2005
Controls Count
9 Communication security 13 7 N/A N/A
10 System acquisition, development and maintenance 14 13 12
16
11 Supplier relationships 15 5 N/A N/A
12 Information security incident management 16 7 13 5
13 Information security aspects of business continuity 17 4 14
5
14 Compliance 18 8 15 10 Total 114 133
The following is a list of the controls that were eliminated:
6.2.2: Addressing security when dealing with
customers 10.4.2: Controls against mobile code 10.7.3:
Information-handling procedures 10.7.4: Security of system
documentation 10.8.5: Business information systems 10.9.3: Publicly
available information 11.4.2: User authentication for external
connections 11.4.3: Equipment identification in networks 11.4.4:
Remote diagnostic and configuration
port protection 11.4.6: Network connection control 11.4.7:
Network routing control 11.5.5: Session time out 11.5.6: Limitation
of connection time
11.6.2: Sensitive system isolation 12.2.1: Input data validation
12.2.2: Control of internal processing 12.2.3: Message integrity
12.2.4: Output data validation 12.5.4: Information leakage 14.1.2:
Business continuity and risk
assessment 14.1.3: Developing and implementing
business continuity plans 14.1.4: Business continuity
planning
framework 15.1.5: Prevention of misuse of information
processing facilities 15.3.2: Protection of information
systems
audit tools
In Closing While many will say that these changes to ISO/IEC
27001 and 27002 are long overdue and perhaps more changes are
required, the revised standards provide a package of security
techniques that is practical in assisting an organization in
identifying its security requirements and risks and selecting
controls to address those requirements and mitigate those risks.
Two areas that will require attention are realignment of policies,
standards and awareness training to align with the new standard,
and assigning risk owners and having them approve risk treatment
plans and residual risks. The updated standards will better align
ISO/IEC with other frameworks and evolving management and
governance practices. Companies using ISO/IEC as a framework or
those that are ISO/IEC certified should consider adopting the new
ISO/IEC standards as time and resources permit. Many of the changes
will better align security objectives with business goals and
objectives and that alignment will help everyone across the whole
organization to better appreciate the importance of information
security to the companys sustainability, viability and
reputation.
-
2013 Protiviti Inc. An Equal Opportunity Employer. Protiviti is
not licensed or registered as a public accounting firm and does not
issue opinions on financial statements or offer attestation
services.
About Protiviti Protiviti (www.protiviti.com) is a global
consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit.
Through our network of more than 70 offices in over 20 countries,
we have served more than 35 percent of FORTUNE 1000 and FORTUNE
Global 500 companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government
agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE:
RHI). Founded in 1948, Robert Half is a member of the S&P 500
index.
About Our IT Security and Privacy Solutions As technology
becomes more and more integral to the business, it is critical to
view information security and privacy as a part of the business,
not just IT. Critical intellectual property and regulated personal
information need to be protected from security threats,
vulnerabilities and privacy exposures that challenge every
organization today. Risks must be understood and managed. Often
organizations do not know the information risks in their
environment or how these risks can be reduced. Equally important,
good security and privacy practices can permit companies to take
advantage of new technologies to provide revenue growth and cost
containment opportunities.
Protiviti provides a wide variety of security and privacy
assessment, architecture, transformation and management services to
help organizations identify and address security and privacy risks
and potential exposures (e.g., loss of customer data, loss of
revenue, or reputation impairment to a customer) so they can be
reduced before they become problems.
We have a demonstrated track record of helping companies prevent
and respond to security incidents, establish security programs,
implement identity and access management, and reduce
industry-specific risks by providing enhanced data security and
privacy. Protiviti can also help organizations comply with
regulations and standards including ISO/IEC 27001-2, PCI, privacy
and disclosure laws, HIPAA, GLBA and many more. We invite you to
explore the various IT security and privacy services that we
offer:
Security Strategy & Program Management Services (frameworks
including ISO/IEC 27001-2, NIST, CoBit)
Program and Compliance Assessments (including ISO/IEC 27001/2,
PCI, HIPAA, Safe Harbor, Incident & Breach Response, FFIEC,
SOX, etc.)
Identity & Access Management Services
Data Security & Privacy Management Services
Vulnerability Assessment & Penetration Testing
Security Operations & Implementation Services
Incident Response & Forensic Services
