ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
ISO/IEC 27001:2013
Ramiro Cid | @ramirocid
References:
ISO/IEC 27001:2013.
Final draft: published 07/2013.
Final version: expected at the end of 2013.
Changes in ISO/IEC 27001:2013
Main changes compared with the previous version (ISO/IEC 27001:2005):
• ISO/IEC 27001:2013 has 114 controls in 14 domains (the current version, ISO/IEC 27001:2005, has 133 controls in 11 domains).
• 11 new controls:
• A.6.1.5 Information security in project management
• A.12.6.2 Restrictions on software installation
• A.14.2.1 Secure development policy
• A.14.2.5 Secure system engineering principles
• A.14.2.6 Secure development environment
• A.14.2.8 System security testing
• A.15.1.1 Information security policy for supplier relationships
• A.15.1.3 Information and communication technology supply chain
• A.16.1.4 Assessment of and decision on information security events
• A.16.1.5 Response to information security incidents
• A.17.2.1 Availability of information processing facilities
Main changes compared with the previous version (ISO/IEC 27001:2005):
• 14 domains instead of 11. The new domains are:
• A.5: Information security policies
• A.6: How information security is organised
• A.7: Human resources security - controls that are applied before, during, or after employment.
• A.8: Asset management
• A.9: Access controls and managing user access
• A.10: Cryptographic technology
• A.11: Physical security of the organisation's sites and equipment
• A.12: Operational security
• A.13: Secure communications and data transfer
• A.14: Secure acquisition, development, and support of information systems
• A.15: Security for suppliers and third parties
• A.16: Incident management
• A.17: Business continuity/disaster recovery (to the extent that it affects information security)
• A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws
Domain comparison chart:

ISO/IEC 27001:2005                                             | ISO/IEC 27001:2013
A.5  Security policy                                           | A.5  Information security policies
A.6  Organization of information security                      | A.6  How information security is organised
A.8  Human resources security                                  | A.7  Human resources security (controls applied before, during or after employment)
A.7  Asset management                                          | A.8  Asset management
A.11 Access control                                            | A.9  Access controls and managing user access
(no separate domain; see A.12.3 Cryptographic controls)        | A.10 Cryptographic technology
A.9  Physical and environmental security                       | A.11 Physical security of the organisation's sites and equipment
A.10 Communications and operations management (operations part) | A.12 Operational security
A.10 Communications and operations management (network part)   | A.13 Secure communications and data transfer
A.12 Information systems acquisition, development and maintenance | A.14 Secure acquisition, development, and support of information systems
(no separate domain; see A.6.2 External parties and A.10.2 Third party service delivery) | A.15 Security for suppliers and third parties
A.13 Information security incident management                  | A.16 Incident management
A.14 Business continuity management                            | A.17 Business continuity/disaster recovery (to the extent that it affects information security)
A.15 Compliance                                                | A.18 Compliance (with internal requirements, such as policies, and with external requirements, such as laws)

Note that the three "new" domains on the 2013 side are mostly reorganisation rather than new subject matter: the 2005 domain A.10 was split into operations (A.12) and communications (A.13), cryptography was promoted from a 2005 control objective (A.12.3) to its own domain (A.10), and supplier security (A.15) gathers material that the 2005 version spread across A.6.2 and A.10.2. When migrating a Statement of Applicability, map each existing control to its 2013 number rather than treating these domains as entirely new scope.
References
URLs for further reading:
ISO:
1. ISO official web: http://www.iso.org/
2. 2013 version on the ISO official web: http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1767
3. Wikipedia (ISO/IEC 27001:2005): http://en.wikipedia.org/wiki/ISO/IEC_27001
4. Wikipedia (ISO/IEC 27001:2013): http://en.wikipedia.org/wiki/ISO/IEC_27001:2013
Questions?
Many thanks!
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
