Solved

ISO 27001/02 Templates

Posted on 2014-03-14
Last Modified: 2014-03-31
Does anyone have such a thing? Preferably in *.docx.
Question by:DukewillNukem
8 Comments
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39930716
See the toolkit http://www.iso27001security.com/html/iso27k_toolkit.html from the community, which has varied guidance documents and checklists, and also the one (doc) from SANS (maybe old, but a starter).

Author Comment

by:DukewillNukem
ID: 39934157
Nothing usable there. Preferably, I'd like to have new ISO 27003 templates, so I can adjust them instead of writing them anew.

Author Comment

by:DukewillNukem
ID: 39934177
Even more important: what are the differences between the new and the old ISO policies?

 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39934245
If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013, in quick counting (w.r.t. Annex A): the number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14. There is greater emphasis and focus on management oversight through monitoring of controls, as well as the need to have clear communication across the board on information security. Risk owner, focus and assessment are another area to note, giving more leeway to emphasise not purely the asset but the risk owner...

We would identify an increase in mandatory control points. In 2005 they totaled 102 and in 2013 they increase to 148. The PDF states the details going into the clauses; it has a nice table mapping ISO/IEC 27001:2013 clauses to ISO/IEC 27001:2005.

What you can find helpful in the PDF is the transition guidance; some examples include:

However, there are other documented information requirements in ISO/IEC 27001:2013 that an organization may consider to be matters of policy, and therefore should be included in its 'ISMS' policy. These are:
1. The criteria for performing information security risk assessments (see Clause 6.1.2 a) 2));
2. The organization's policy towards releasing its information security policy to interested parties (see Clause 5.2 g)); and
3. The organization's policy regarding external communications (see Clause 7.4).

Author Comment

by:DukewillNukem
ID: 39944793
That's a lot of information.
I basically need to see where the biggest differences are.
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39945039
Sure, I understand, as you will not be alone in appreciating the 2013 version. The challenge is that if you have not even gone through 2010, the difference may be even newer. Nonetheless, the overall governance and checks did not change. The controls have changed, and I do see the new controls will be the ones to focus on (assuming 2010 is already in consideration) and verify they are well in place or relevant to the environment, e.g.

a) A.6.1.5 Information security in proj mgmt
b) 14.2.1 Secure development policy
c) 14.2.5 Secure system engineering principles
d) 14.2.8 System security testing
e) 16.1.4 Assessment of and decision on information security events
f) 17.2.1 Availability of information processing facilities

If you see the a/m (above-mentioned), you can see more "do" instead of "say" in 2013. There is more verification to ascertain the risks are not only assessed but also mitigated and remediated in a governed and approved fashion.

Author Comment

by:DukewillNukem
ID: 39952825
We are already ISO 27001 certified. What I still don't understand is what changes ISO/IEC 27001:2013 will bring into our infrastructure. Forgive me for being so dumb, but I don't see a direct impact at all...
 
LVL 62

Accepted Solution

by:btan
btan earned 500 total points
ID: 39953226
No worries, I am none the wiser.

There are no "big" changes since you are already on board with the 2005 version; there is a lot of mapping and reviewing using those new 2013 terms. All this is not really a big concern, and I do see you can take a minimalist approach such as a straightforward "make-over", making the minimum necessary changes to the existing ISMS processes and existing documentation.

For example, if I can extract from the PDF:

a) Documented information
‘Documented information’ is a new term that applies to what the 2005 version of the standard referred to as ‘documents’ and ‘records’. In transitioning to ISO/IEC 27001:2013, simply replace the terms ‘documents’ and ‘records’ with the term 'documented information’.

b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).

c) Responsibilities
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).

d) Awareness
A change may be required to accommodate the requirements of Clause 7.4, as the process of creating awareness may be regarded as a form of communication.

e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)) and organizations are required to produce a SOA. The format of an ISO/IEC 27002:2013 conformant SOA doesn't need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control implementation strictly conforms to the wording given in Annex A.

f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.

g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition, it may be best to start with a clean sheet of paper.

Actually (my thoughts), even if you stay status quo for now, I don't think you are far off being less secure or out of compliance - you are not the first or the last to grapple with the transition.

**Sometimes it is good not to change, as changes have ramifications beyond control and create more risk than the safeguards cover on the initial good intent to comply with the latest. It is like patching to the latest release: it is not always viable overnight, and you need to make sure nothing breaks, as the business must run without hassle or being dragged down by inadvertent changes.