You are on page 1of 36

27001 & 27002:2013

Dr.-Ing. Oliver Weissmann

Sonntag, 9. Juni 13
Inhalt
Historie
Status
Standards
27001
27002
Fazit

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
Sh
1980 e

Sonntag, 9. Juni 13
ll I
nfo
1989 DT
I se
CC c M
SC an
1993 BS Co ual
de
ID
IS of
C Pr
1995 BS PD ac
77 0 0 tic
99 3 e
Historie

ve D TI
BS r
1998 77 ffe
Co
99 nt de
- lic of
2 h t
1999 BS ve Pr
ac
77 r tic
99 ffe e
2000 BS -1 nt
lic
77 b ht
99 e
-1 rarb
w eit
ur et
de
BS
2005 77
17
79
99 9
-2
w
2007 IS ur
O de
17 IS
79 O
9 27
IS in 00
2008 O 27 1
27 00 &
IS
00 2 17
O 5 u m 79
2009 27 w be 9
00
ur
de na w
ur
4 ve nn de
IS w r f t b
2010 O ur
d fe un
d er
27 e nt 2 ar
00 ve lic 7 be
r ht 00
0, ff e 6 ite
t
IS
27 n ve
2013 O 00 tlic r
3, h t ffe
27 27 nt
00 0 lic
1: 04 ht
20 ve
13 r
un ffe
d nt
lic
27
00 ht
2:
20
13
ve
r
ffe
nt
lic
ht
xiv-consult GmbH 2013
Status
Weltweit ca. 8000 zertifizierte Unternehmen
Davon ber 4000 in Japan
Weitverbreitetster ganzheitlicher Sicherheitsstandard der Welt
Starke Entwicklung sektorspezifischer Standards
Finance
Energy

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
Verteilung der Zertifizierungen
Japan
UK
India
Taiwan
China
Germany
Czech Republic
Korea
USA
Italy
Spain
Hungary
Malay
Poland
Thailand
Greece
Rest

0 1250 2500 3750 5000

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
270XX Familie
27000 Terms and Definitions

27001 Requirements

27002 Code of Practice

27003 Impl. Guidance

27004 Measurements

27005 IS Risk Management

27006 Req. for Cert. Bodies

27007 Guidel. to Auditing

27008 GL. for Auditors on Controls

27010 Inter sector inter org. comm. xiv-consult GmbH 2013

Sonntag, 9. Juni 13
270XX Familie
27000 Terms and Definitions 27011 Sector Telecommunication

27001 Requirements 27013 Integ. Impl. of 20000 & 27001

27002 Code of Practice 27014 Gov. of InfoSec

27003 Impl. Guidance 27015 Sector Financial Services

27004 Measurements 27016 Organisational Economics

27005 IS Risk Management 27017 Cloud Computing

27006 Req. for Cert. Bodies 27018 Public Cloud Computing Serv.

27007 Guidel. to Auditing

27008 GL. for Auditors on Controls 27799 Healthcare

27010 Inter sector inter org. comm. xiv-consult GmbH 2013

Sonntag, 9. Juni 13
270XX Familie 27031 ICT Readiness BC

27032 Cyber Security

27000 Terms and Definitions 27011 Sector Telecommunication 27033 Network Security

27001 Requirements 27013 Integ. Impl. of 20000 & 27001 27034 Application Security

27002 Code of Practice 27014 Gov. of InfoSec 27035 Information Security Inc. Mgmt.

27003 Impl. Guidance 27015 Sector Financial Services 27036 Suppl Relationships

27004 Measurements 27016 Organisational Economics 27037 Digital Evidence

27005 IS Risk Management 27017 Cloud Computing 27039 IDPS

27006 Req. for Cert. Bodies 27018 Public Cloud Computing Serv. 27040 Storage Security

27007 Guidel. to Auditing 27041-43 Investigation

27008 GL. for Auditors on Controls 27799 Healthcare 27044 Sec. Inform. and Event Mgmt.

27010 Inter sector inter org. comm. xiv-consult GmbH 2013

Sonntag, 9. Juni 13
270XX Familie 27031 ICT Readiness BC

27032 Cyber Security

27000 Terms and Definitions 27011 Sector Telecommunication 27033 Network Security

27001 Requirements 27013 Integ. Impl. of 20000 & 27001 27034 Application Security

27002 Code of Practice 27014 Gov. of InfoSec 27035 Information Security Inc. Mgmt.

27003 Impl. Guidance 27015 Sector Financial Services 27036 Suppl Relationships

27004 Measurements 27016 Organisational Economics 27037 Digital Evidence

27005 IS Risk Management 27017 Cloud Computing 27039 IDPS

27006 Req. for Cert. Bodies 27018 Public Cloud Computing Serv. 27040 Storage Security

27007 Guidel. to Auditing 27041-43 Investigation

27008 GL. for Auditors on Controls 27799 Healthcare 27044 Sec. Inform. and Event Mgmt.

27010 Inter sector inter org. comm. xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:2013

Sonntag, 9. Juni 13
ISO Struktur
ISO Directives

ISO Directives Annex SL

ISO Guide 72

TQM ISO 90XX ISO 140XX

ISO 270XX ISO 500xx


xiv-consult GmbH 2013

Sonntag, 9. Juni 13
ISO Struktur
ISO Directives

ISO Directives Annex SL

ISO Guide 72

TQM ISO 90XX ISO 140XX

ISO 270XX ISO 500xx


xiv-consult GmbH 2013

Sonntag, 9. Juni 13
ISO Struktur
ISO Directives

ISO Directives Annex SL

Depreciated ISO Guide 72

TQM ISO 90XX ISO 140XX

ISO 270XX ISO 500xx


xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Fokus
Compliance mit ISO Directives Annex SL fr Managementsysteme
Ziel: Vereinfachung integrierter Managementsysteme

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Fokus
Compliance mit ISO Directives Annex SL fr Managementsysteme
Ziel: Vereinfachung integrierter Managementsysteme
This International Standard applies the high-level structure, identical sub-clause titles, identical text,
common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, and therefore
maintains compatibility with other management system standards that have adopted the Annex SL.

This common approach defined in the Annex SL will be useful for those organizations that choose to
operate a single management system that meets the requirements of two or more management
system standards.

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 5.1 Leadership and commitment
5.2 Policy
6 - Planning
5.3 Organisational roles, responsibilities
7 - Support and authorities

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 6.1 Actions to adress risk and
opportunities
6 - Planning
6.2 Information security objectives and
7 - Support plans to achieve them

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 7.1 Resources
7.2 Competences
6 - Planning
7.3 Awareness
7 - Support 7.4 Communication
7.5 Documented Information
8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 8.1 Operational planning and control
8.2 Information security risk assessment
6 - Planning
8.3 Information security risk treatment
7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 9.1 Monitoring, measurement, analysis
and evaluation
6 - Planning
9.2 Internal Audit
7 - Support 9.3 Management Review

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership

6 - Planning

7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27001:Struktur
5 - Leadership 10.1 Nonconformity and corrective
action
6 - Planning
10.2 Continual improvement
7 - Support

8 - Operation

9 - Performance evaluation

10 - Improvement

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:2013

Sonntag, 9. Juni 13
27002:Fokus
Stand-alone anwendbar
Klarere Formulierungen
Einfachere Implementation
Reduktion von Redundanz
Aktualisierung und Verschlankung auf dem technischen Bereichen
ca. 3000 technische nderungen verarbeitet

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:Struktur
5 - Security Policies 13 - Communications Security

6 - Organisation of Information Security 14 - Sys. Acc. Dev. and Maintenance

7 - Human Ressource Security 15 - Supplier Relationships

8 - Asset Management 16 - Info. Sec. Incident Management

9 - Access Control 17 - Info. Sec. Aspects of BCM

10 - Cryptography 18 - Compliance

11 - Physical and Environmental Security

12 - Operations Security
xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:Incident Management
13 - Communications Security 16.1 Management of information Security Incident and
Improvements
14 - Sys. Acc. Dev. and Maintenance 16.1.1 Responsibilities and procedures
16.1.2 Reporting information security events
15 - Supplier Relationships 16.1.3 Reporting information security weaknesses
16.1.4 Assesment and decision of information security
16 - Info. Sec. Incident Management events
16.1.5 Response to information security incidents
17 - Info. Sec. Aspects of BCM 16.1.6 Learning from information security incidents
16.1.7 Collection of evidence
18 - Compliance

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

6.2.1 Mobile Device Policy

A policy and supporting security measures should be adopted to protect against the risks introduced by
using mobile devices.

Implementation Guidance (... excerpt ...)

Care should be taken when using mobile devices in public places, meeting rooms and other unprotected
areas. Protection should be in place to avoid the unauthorized access to or disclosure of the information
stored and processed by these devices, e.g. using cryptographic techniques (see chapter 10) and enforcing
use of secret authentication information (see control 9.2.3)...

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:Secure Development Policy
14.2.1 Secure development policy

Rules for the development of software and systems should be established and applied to developments
within the organization.

Implementation Guidance (... excerpt ...)

... Secure programming techniques should be used both for new developments and in code re-use
scenarios where the standards applied to development may not be known or were not consistent with
current best practices. Secure coding standards should be considered and where relevant mandated for
use. Developers should be trained in their use and testing and code review should verify their use...

Other Information
Development may also take place inside applications, such as office applications, scripting, browsers and
databases.
xiv-consult GmbH 2013

Sonntag, 9. Juni 13
27002:Secure Development Policy
14.2.1 Secure development policy

Rules for the development of software and systems should be established and applied to developments
within the organization.

Implementation Guidance (... excerpt ...)


Other Information
... Secure programming techniques should be used both for new developments and in code re-use
Development
scenarios may
wherealso
the take placeapplied
standards inside to
applications,
developmentsuch
may as
notoffice applications,
be known scripting,
or were not browsers
consistent with and
databases.
current best practices. Secure coding standards should be considered and where relevant mandated for
use. Developers should be trained in their use and testing and code review should verify their use...

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
Fazit
Der Standard hat erheblich an Redundanz verloren
Adressiert die Ziel und Verantwortlichkeiten strker ber Policies
Viele der Controls sind besser messbar geworden
Die Anzahl der Lnder die den Standard nutzen ist erheblich
gestiegen
Das gesamte Framework ergnzt sich gegenseitig

xiv-consult GmbH 2013

Sonntag, 9. Juni 13
Personals

Dr.-Ing. Oliver Weissmann


Editor ISO/IEC 27002:2013

xiv-consult GmbH
Knigswinterer Str. 409
53639 Knigswinter
Mail: ow@xiv-consult.de
Tel.: +49 2223 9192540
xiv-consult GmbH 2013

Sonntag, 9. Juni 13