ISO 27001/02 Templates

does anyone have a such one? preferrably in *.docx
DukewillNukemAsked:
Who is Participating?
 
btanExec ConsultantCommented:
no worries, I am none the wiser.

There is no "big" changes since you already onboard with 2005 version, there are a lot of mapping and reviewing using those 2013 new terms. All this is not really big concern and I do see you can take minimalist approach such as straightforward “make-over”, taking the minimum necessary changes to the existing ISMS processes and existing documentation.

For example, if I can extract from the PDF

a) Documented information
‘Documented information’ is a new term that applies to what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the term 'documented information’.

b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).

c) Responsibilities
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).

d) Awareness
A change may be required to accommodate the requirements of Clause 7.4 as the process of creating awareness may be regarded as a form of communication

e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)) and organizations are required to produce a SOA. The format of
an ISO/IEC 27002:2013 conformant SOA doesn’t need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control
implementation strictly conforms to the wording given in Annex A.

f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.

g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper

Actually (my thoughts) even if you stay status quo for now, I dont think you are far off lesser secure or in compliance - you are not the first or the last to grapple with transition over.

**Sometimes, it is good not to change as changes has ramification beyond control and create more risk than safeguard cover on the initial well intent to comply to latest. It is like patching to latest release is not always viable overnight and need to make sure nothing break as the business must run without hassle or become dragged by inadvertent changes
0
 
btanExec ConsultantCommented:
See the toolkit http://www.iso27001security.com/html/iso27k_toolkit.html from the community which varied guidance document and checklist and also from (doc) sans (maybe old but as starter)
0
 
DukewillNukemAuthor Commented:
nothing usable there. preferrably,I`d like to have new ISO 27003 templates.-so i can adjust them,instead of writing them new
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
DukewillNukemAuthor Commented:
even more important: what are the differences between the new and the old ISO polices?
0
 
btanExec ConsultantCommented:
If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013, in quick counting (wrt to Annex A) - The number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14. There is greater emphasis and focus for management oversight through monitoring of controls, as well as the need to have clear communication across on information security. Risk owner, focus and assessment are another area to note to give more leeway to emphasis not purely on asset but the risk owner...

 we would identify an increase is mandatory control points. In 2005 they totaled 102 and in 2013 they will increase to 148. The pdf states the details going into the clauses, it has a nice table mapping of ISO/IEC 27001:2013 clauses
to ISO/IEC 27001:2005.

What you can find helpful in the pdf is the Transition guidance, some example include

However, there are other documented information requirements in
ISO/IEC 27001:2013 that an organization may consider to be matters
of policy, and therefore should be included in its ‘ISMS’ policy. These
are:
1 The criteria for performing information security risk assessments
(see Clause 6.1.2 a) 2));
2 The organization’s policy towards releasing its information
security policy to interested parties (see Clause 5.2 g)); and
3 The organization’s policy regarding external communications (see
Clause 7.4)
0
 
DukewillNukemAuthor Commented:
thats a lot of information.
io need basically to see,where the biggest differences are?
0
 
btanExec ConsultantCommented:
Sure I understand as you will not be alone to appreciate 2013 version. The challenge is if you have not even went through 2010, the difference may be even newer. Nonetheless, the overall governance and checks did not change. The controls has changed and I do see the new controls will be the one to focus (assume the 2010 is already in consideration) and verify they are well in place or relevant to the environment. e.g.

a) A.6.1.5 Information security in proj mgmt
b) 14.2.1 Secure development policy
c) 14.2.5 Secure system engineering principles
d) 14.2.8 System security testing
e) 16.1.4. Assessment of and decision on information security events
f) 17.2.1 Availability of information processing facilities

If you see a/m, you can see the "do" instead of "say" more in 2013. There are more verification to ascertain the risk are not only assessed but also mitigated and remediated in governed and approved fashion.
0
 
DukewillNukemAuthor Commented:
we are already ISO 27001 certified. what i still dont understand,what changes ISO/IEC 27001:2013 will bring into our infrastructure? forgive me being so dumb,but i dont see a direct impact at all...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.