Transition to ISO / IEC 27001: 2013. Subtleties of translation and not only

    Hello, Habr!
    September 25, 2013 the updated standard ISO / IEC 27001: 2013 “Information Security Management Systems. Requirements ”(Information security management systems - Requirements), which replaced the similar standard of 2005. I got into the hands of the Transition Guide, and in order to organize my knowledge and share it with those who would be interested, I decided to organize this short note.

    Under the spoiler: why do we need this standard
    Quote from the wiki:
    ISO / IEC 27001 is an international standard for information security. Contains information security requirements for the creation, development, and maintenance of an Information Security Management System (ISMS).
    The standard ISO / IEC 27001 (ISO 27001) contains descriptions of the best world practices in the field of information security management. ISO 27001 establishes requirements for an information security management system to demonstrate an organization’s ability to protect its information resources. This International Standard is prepared as a model for the development, implementation, operation, monitoring, analysis, support and improvement of the Information Security Management System (ISMS).

    What about us?

    By itself, passing an audit on compliance with 27001 gives the business nothing but pride in its information security department (correct me if I'm wrong). However, it can significantly facilitate the passage of important audits such as, for example, PCI DSS.
    However, it seems to me that any large company with international business seeks to get the coveted crust.

    Changes in terms

    Standard 27001: 2013 relies on group 31000 (risk assessment).
    In this version, the term “Asset” disappears. Instead, the broader concepts of “information” and “service” are used.
    Someone will say: “How so ?!” But wait, it's logical: not all information that needs to be protected is an asset of the company (in the sense in which it is used, for example, by Robert Kiyosaki).

    The term “opportunities” (Section 6.1.1) has been added as a potential area for improvement - a broad term that may include a whole set of measures to eliminate various risks.
    For example, opportunities for improving software include fixing specific bugs, changing the architecture, and even, possibly, some measures of influence on the vendor that provides this software at the level of agreements.

    "Action" has become "Objective" - ​​this is the current goal, specific and measurable, in contrast to the global goal ("Goal").

    Otherwise, everything is the same. Information Security means ensuring confidentiality, integrity and accessibility , and risk management is carried out according to the Plan-Do-Check-Act method .

    The points

    Some items are completely new, some have added sub-items. I will cite (and, at the same time, translate) the main ones.

    Clause 6.1.1 :
    During the planning of an ISMS, the organization shall determine the risks and opportunities, which should be aimed at:
    a) confirmation that the ISMS is capable of achieving the expected results from it;
    b) preventing or reducing unwanted effects; and
    c) achieving continuous improvement.

    Clause 6.1.2 boils down to the fact that a risk assessment methodology should be formalized in the organization. Moreover, when identifying risks, each of them must be assigned an owner - this is a new requirement [ 6.1.2 c) 2) ].

    Section 6.2 :
    Information security opportunities should:
    b) be measurable (if applicable);
    c) take into account applicable IS requirements and the results of risk assessment and processing.
    When planning to achieve IS capabilities, the organization should determine:
    f) what needs to be done;
    g) what resources are required;
    h) who will be responsible;
    i) when to finish; and
    j) how the results will be measured.

    Section 7.4 Interaction - a new paragraph.
    The organization shall determine the need for internal and external interactions related to the ISMS, including:
    a) What;
    b) when;
    c) with whom;
    d) who;
    e) by what means.
    The auditor can be shown, for example, entries in the outlook calendar. Usually, they have all the required list.

    Clause 9.1 Monitoring, measurement, analysis and evaluation The
    organization shall determine:
    c) when and
    b) who will monitor and measure;
    f) who will analyze and evaluate the results.

    From p. 9.3 (Management review) eliminated the requirement for an annual review of the ISMS management review.

    Clause 10.1. Nonconformities and Corrective Actions
    When a nonconformity is detected, the organization shall:
    a) respond to the nonconformity and, if applicable:
    1) take measures to control and correct it; and
    2) work with the consequences;
    e) if necessary, amend the ISMS.
    The organization shall retain documented information as evidence of:
    f) the nature of the nonconformities and the subsequent actions taken, and
    g) the results of the corrective actions.


    More general information about the standard can be found on the link from Wiki.
    I would be glad if this note is useful to someone.

    Also popular now: