Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ISO 27001/02 Templates

Posted on 2014-03-14
8
Medium Priority
?
3,893 Views
Last Modified: 2014-03-31
does anyone have a such one? preferrably in *.docx
0
Comment
Question by:DukewillNukem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39930716
See the toolkit http://www.iso27001security.com/html/iso27k_toolkit.html from the community which varied guidance document and checklist and also from (doc) sans (maybe old but as starter)
0
 

Author Comment

by:DukewillNukem
ID: 39934157
nothing usable there. preferrably,I`d like to have new ISO 27003 templates.-so i can adjust them,instead of writing them new
0
 

Author Comment

by:DukewillNukem
ID: 39934177
even more important: what are the differences between the new and the old ISO polices?
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39934245
If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013, in quick counting (wrt to Annex A) - The number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14. There is greater emphasis and focus for management oversight through monitoring of controls, as well as the need to have clear communication across on information security. Risk owner, focus and assessment are another area to note to give more leeway to emphasis not purely on asset but the risk owner...

 we would identify an increase is mandatory control points. In 2005 they totaled 102 and in 2013 they will increase to 148. The pdf states the details going into the clauses, it has a nice table mapping of ISO/IEC 27001:2013 clauses
to ISO/IEC 27001:2005.

What you can find helpful in the pdf is the Transition guidance, some example include

However, there are other documented information requirements in
ISO/IEC 27001:2013 that an organization may consider to be matters
of policy, and therefore should be included in its ‘ISMS’ policy. These
are:
1 The criteria for performing information security risk assessments
(see Clause 6.1.2 a) 2));
2 The organization’s policy towards releasing its information
security policy to interested parties (see Clause 5.2 g)); and
3 The organization’s policy regarding external communications (see
Clause 7.4)
0
 

Author Comment

by:DukewillNukem
ID: 39944793
thats a lot of information.
io need basically to see,where the biggest differences are?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39945039
Sure I understand as you will not be alone to appreciate 2013 version. The challenge is if you have not even went through 2010, the difference may be even newer. Nonetheless, the overall governance and checks did not change. The controls has changed and I do see the new controls will be the one to focus (assume the 2010 is already in consideration) and verify they are well in place or relevant to the environment. e.g.

a) A.6.1.5 Information security in proj mgmt
b) 14.2.1 Secure development policy
c) 14.2.5 Secure system engineering principles
d) 14.2.8 System security testing
e) 16.1.4. Assessment of and decision on information security events
f) 17.2.1 Availability of information processing facilities

If you see a/m, you can see the "do" instead of "say" more in 2013. There are more verification to ascertain the risk are not only assessed but also mitigated and remediated in governed and approved fashion.
0
 

Author Comment

by:DukewillNukem
ID: 39952825
we are already ISO 27001 certified. what i still dont understand,what changes ISO/IEC 27001:2013 will bring into our infrastructure? forgive me being so dumb,but i dont see a direct impact at all...
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39953226
no worries, I am none the wiser.

There is no "big" changes since you already onboard with 2005 version, there are a lot of mapping and reviewing using those 2013 new terms. All this is not really big concern and I do see you can take minimalist approach such as straightforward “make-over”, taking the minimum necessary changes to the existing ISMS processes and existing documentation.

For example, if I can extract from the PDF

a) Documented information
‘Documented information’ is a new term that applies to what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the term 'documented information’.

b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).

c) Responsibilities
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).

d) Awareness
A change may be required to accommodate the requirements of Clause 7.4 as the process of creating awareness may be regarded as a form of communication

e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)) and organizations are required to produce a SOA. The format of
an ISO/IEC 27002:2013 conformant SOA doesn’t need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control
implementation strictly conforms to the wording given in Annex A.

f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.

g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper

Actually (my thoughts) even if you stay status quo for now, I dont think you are far off lesser secure or in compliance - you are not the first or the last to grapple with transition over.

**Sometimes, it is good not to change as changes has ramification beyond control and create more risk than safeguard cover on the initial well intent to comply to latest. It is like patching to latest release is not always viable overnight and need to make sure nothing break as the business must run without hassle or become dragged by inadvertent changes
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question