
Major changes in ISO 27001: 2013

Change 1: The standard will be closer to enterprise risk management. The fact that information protection cannot remain aloof from organizational risk is well articulated in the new standard and is reflected in almost every management system clause.
Change 2: There is an insistence on understanding information from a business perspective. References to the enterprise context in the new standard mean that you see information in terms of business success or failure. Equally important is the identification of the external and internal issues that bear on the success or failure of information security management.
Change 3: Scope definition is no longer a physical or a logical boundary but a link from strategic issues to a boundary. In the earlier standard you could choose a subset of the organization as the scope (such as the Information Technology team), but in the new standard merely picking a team for the scope may be difficult, as the scope has to be aligned with business strategy. Leaving out a strategic, customer-facing team may therefore not be easy, and such a team MUST be included in the scope statement.
Change 4: Replacement of Management commitment with Leadership, again an alignment with other ISO standards such as ISO 31000. In the past certain organizations have had CIOs signing the information security policy; this would be a thing of the past with the new standard.
Change 5: Risk assessment and risk treatment, the foundation of the subject, are clearer, more elaborate and more objective. The section on information security objectives is very specific:
When planning how to achieve its information security objectives, the organization shall determine:
what will be done
what resources will be required
who will be responsible
when it will be completed
how the results will be evaluated
Change 6: Clause 9 Performance evaluation covers three essential topics, namely
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
The alignment of these three topics is unique and gives more teeth to the implementation. For clause 9.1 the organisation needs to define what it needs to measure and monitor at the management system level. Clause 9.2 internal audit then focuses on those specific measurements, and clause 9.3 management review is in turn aligned to review performance based on the audit results.
Change 7: Changes in domains, control objectives and detail controls. In Annex A there will be 14 domains, 35 control objectives and 112 detail controls (the published ISO/IEC 27001:2013 ended up with 114). The number of domains has increased, but the total number of controls has reduced; the latter is an optimization effort. The grouping of earlier clauses makes a lot more sense.
Some of the main clauses which are either new or are more specific in the new standard (numbering as in the draft; some A.9.2 controls were renumbered in the published edition):
A.6.1.5 Information security in project management: this is a new clause; consider security every time you do a project!
A.6.2.1 Mobile device policy: more specific in ISO 27001:2013 compared to ISO 27001:2005
A.8.3.3 Physical media transfer: more specific in ISO 27001:2013 compared to ISO 27001:2005
A.9.2.1 User registration and de-registration: more specific in ISO 27001:2013
A.9.2.3 Management of secret authentication information of users: this focuses on handling sensitive authentication data such as passwords
A.9.2.5 Removal or adjustment of access rights: now also considers adjustment of access
A.9.3.1 Use of secret authentication information: insistence on a procedure and on awareness
A.9.4.4 Use of privileged utility programs: new name for the older clause, Use of system utilities, in the previous standard
A.13.2.1 Information transfer policies and procedures: new name for the older clause, Policy on exchange of information
A.14.1.1 Security requirements analysis and specification: more elaborate clause description compared to the previous standard
A.14.1.2 Securing application services on public networks: more specific in ISO 27001:2013 compared to ISO 27001:2005
A.14.1.3 Protecting application services transactions: more specific in ISO 27001:2013 compared to ISO 27001:2005
A.14.2.1 Secure development policy: seeks to cover security across the entire development lifecycle; clearer and more specific
A.14.2.6 Secure development environment: this is a new clause
A.14.2.8 System security testing: this is a new clause
A.15 Supplier relationships: this is a new domain
A.15.1.1 Information security policy for supplier relationships: this is a new clause
A.15.1.2 Addressing security within supplier agreements: this is a new clause
A.15.1.3 ICT supply chain: this is a new clause
A.16.1.4 Assessment of and decision on information security events: part of incident management; this section is clearer
A.16.1.5 Response to information security incidents: part of incident management; this section is more specific about an escalation procedure
A.17.1 Information security continuity: removes the ambiguity of the previous standard and clearly focuses on protection during continuity
A.17.2.1 Availability of information processing facilities: part of the A.17.2 Redundancies clause; this is a new requirement
Main changes in the new ISO 27002 (2013 draft version)
Number of sections: as expected, the number of sections has increased from 11 sections containing controls in the old standard to 14 in the new. This resolves a problem in the old standard, where some controls were artificially inserted in areas where they did not belong.
Number of controls: surprisingly, the number of controls has decreased from 133 to only 113! This is due to eliminating some controls that were too specific or outdated.
Structure of sections: Cryptography has become a separate section (10); it is (logically) no longer part of Information systems acquisition, development and maintenance. A similar thing has happened with Supplier relationships: as deserved, they have become a separate section (15). Communications and operations management is now divided into Operations security (section 12) and Communications security (now section 13). Here is how the sections look now:
5 Security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity
18 Compliance
Placement of security categories: the categories have been shuffled a bit.
Mobile devices and teleworking, previously in Access control, is now 6.2, part of section 6 Organization of information security.
Media handling was previously part of Communications and operations management, but is now 8.3, part of 8 Asset management.
Operating system access control, and Application and information access control, have now merged into System and application access control (9.4), and remain in section 9 Access control.
Control of operational software, previously a single control in Information systems acquisition, development and maintenance, is now a separate category 12.5, part of the Operations security section.
Information systems audit considerations have moved from Compliance to 12.7, part of the Operations security section.
The security category called Network access control is gone, and some of its controls have moved to section 13 Communications security.
Information transfer (previously called Exchange of information) is now 13.2, part of section 13 Communications security.
The controversial category Correct processing in applications (part of the old Information systems acquisition, development and maintenance) is now gone.
Electronic commerce services no longer exists as a separate category; its controls are merged into 14.1 Security requirements of information systems.
Two categories from the section Information security incident management are now merged into one.
The Business continuity section has received a new category 17.2 Redundancies. Basically, this is about disaster recovery.
New controls: here are a few controls that are new.
14.2.1 Secure development policy: rules for development of software and information systems
14.2.5 System development procedures: principles for system engineering
14.2.6 Secure development environment: establishing and protecting the development environment
14.2.8 System security testing: tests of security functionality
16.1.4 Assessment of and decision on information security events: this is part of incident management
17.2.1 Availability of information processing facilities: achieving redundancy
Controls that are gone: finally, here are some of the controls that do not exist anymore (numbers refer to ISO 27002:2005). Removal from the list does not mean the practice is no longer expected; input and output validation, for instance, now falls under the secure development controls in 14.2 rather than being listed as separate controls.
6.2.2 Addressing security when dealing with customers
10.4.2 Controls against mobile code
10.7.3 Information handling procedures
10.7.4 Security of system documentation
10.8.5 Business information systems
10.9.3 Publicly available information
11.4.2 User authentication for external connections
11.4.3 Equipment identification in networks
11.4.4 Remote diagnostic and configuration port protection
11.4.6 Network connection control
11.4.7 Network routing control
12.2.1 Input data validation
12.2.2 Control of internal processing
12.2.3 Message integrity
12.2.4 Output data validation
11.5.5 Session time-out
11.5.6 Limitation of connection time
11.6.2 Sensitive system isolation
12.5.4 Information leakage
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing business continuity plans
14.1.4 Business continuity planning framework
15.1.5 Prevention of misuse of information processing facilities
15.3.2 Protection of information systems audit tools
Since the structure of ISO 27002 is completely aligned with the controls in ISO 27001, all these changes also apply to the new ISO 27001 Annex A.