Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ISO 27001/02 Templates

Posted on 2014-03-14
8
3,728 Views
Last Modified: 2014-03-31
does anyone have a such one? preferrably in *.docx
0
Comment
Question by:DukewillNukem
  • 4
  • 4
8 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39930716
See the toolkit http://www.iso27001security.com/html/iso27k_toolkit.html from the community which varied guidance document and checklist and also from (doc) sans (maybe old but as starter)
0
 

Author Comment

by:DukewillNukem
ID: 39934157
nothing usable there. preferrably,I`d like to have new ISO 27003 templates.-so i can adjust them,instead of writing them new
0
 

Author Comment

by:DukewillNukem
ID: 39934177
even more important: what are the differences between the new and the old ISO polices?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39934245
If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013, in quick counting (wrt to Annex A) - The number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14. There is greater emphasis and focus for management oversight through monitoring of controls, as well as the need to have clear communication across on information security. Risk owner, focus and assessment are another area to note to give more leeway to emphasis not purely on asset but the risk owner...

 we would identify an increase is mandatory control points. In 2005 they totaled 102 and in 2013 they will increase to 148. The pdf states the details going into the clauses, it has a nice table mapping of ISO/IEC 27001:2013 clauses
to ISO/IEC 27001:2005.

What you can find helpful in the pdf is the Transition guidance, some example include

However, there are other documented information requirements in
ISO/IEC 27001:2013 that an organization may consider to be matters
of policy, and therefore should be included in its ‘ISMS’ policy. These
are:
1 The criteria for performing information security risk assessments
(see Clause 6.1.2 a) 2));
2 The organization’s policy towards releasing its information
security policy to interested parties (see Clause 5.2 g)); and
3 The organization’s policy regarding external communications (see
Clause 7.4)
0
 

Author Comment

by:DukewillNukem
ID: 39944793
thats a lot of information.
io need basically to see,where the biggest differences are?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39945039
Sure I understand as you will not be alone to appreciate 2013 version. The challenge is if you have not even went through 2010, the difference may be even newer. Nonetheless, the overall governance and checks did not change. The controls has changed and I do see the new controls will be the one to focus (assume the 2010 is already in consideration) and verify they are well in place or relevant to the environment. e.g.

a) A.6.1.5 Information security in proj mgmt
b) 14.2.1 Secure development policy
c) 14.2.5 Secure system engineering principles
d) 14.2.8 System security testing
e) 16.1.4. Assessment of and decision on information security events
f) 17.2.1 Availability of information processing facilities

If you see a/m, you can see the "do" instead of "say" more in 2013. There are more verification to ascertain the risk are not only assessed but also mitigated and remediated in governed and approved fashion.
0
 

Author Comment

by:DukewillNukem
ID: 39952825
we are already ISO 27001 certified. what i still dont understand,what changes ISO/IEC 27001:2013 will bring into our infrastructure? forgive me being so dumb,but i dont see a direct impact at all...
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39953226
no worries, I am none the wiser.

There is no "big" changes since you already onboard with 2005 version, there are a lot of mapping and reviewing using those 2013 new terms. All this is not really big concern and I do see you can take minimalist approach such as straightforward “make-over”, taking the minimum necessary changes to the existing ISMS processes and existing documentation.

For example, if I can extract from the PDF

a) Documented information
‘Documented information’ is a new term that applies to what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the term 'documented information’.

b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).

c) Responsibilities
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).

d) Awareness
A change may be required to accommodate the requirements of Clause 7.4 as the process of creating awareness may be regarded as a form of communication

e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)) and organizations are required to produce a SOA. The format of
an ISO/IEC 27002:2013 conformant SOA doesn’t need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control
implementation strictly conforms to the wording given in Annex A.

f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.

g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper

Actually (my thoughts) even if you stay status quo for now, I dont think you are far off lesser secure or in compliance - you are not the first or the last to grapple with transition over.

**Sometimes, it is good not to change as changes has ramification beyond control and create more risk than safeguard cover on the initial well intent to comply to latest. It is like patching to latest release is not always viable overnight and need to make sure nothing break as the business must run without hassle or become dragged by inadvertent changes
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question