Solved

ISO 27001/02 Templates

Posted on 2014-03-14
3,802 Views
Last Modified: 2014-03-31
Does anyone have such a one? Preferably in *.docx.
Question by:DukewillNukem
8 Comments
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39930716
See the toolkit http://www.iso27001security.com/html/iso27k_toolkit.html from the community, which has varied guidance documents and checklists, and also the (doc) one from SANS (maybe old, but as a starter).
0
 

Author Comment

by:DukewillNukem
ID: 39934157
Nothing usable there. Preferably, I'd like to have new ISO 27003 templates, so I can adjust them instead of writing them anew.
0
 

Author Comment

by:DukewillNukem
ID: 39934177
Even more important: what are the differences between the new and the old ISO policies?
0

 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39934245
If we were to compare ISO/IEC 27001:2005 to ISO/IEC 27001:2013, in quick counting (with respect to Annex A): the number of controls has decreased from 133 to 114, while the number of sections has increased from 11 to 14. There is greater emphasis and focus on management oversight through monitoring of controls, as well as the need to have clear communication across the organization on information security. Risk owner, focus and assessment are another area to note, giving more leeway to put the emphasis not purely on the asset but on the risk owner...

We would identify an increase in mandatory control points: in 2005 they totaled 102, and in 2013 they increase to 148. The PDF goes into the details of the clauses; it has a nice table mapping ISO/IEC 27001:2013 clauses to ISO/IEC 27001:2005.

What you can find helpful in the PDF is the transition guidance; some examples include:

However, there are other documented information requirements in ISO/IEC 27001:2013 that an organization may consider to be matters of policy, and therefore should be included in its 'ISMS' policy. These are:
1. The criteria for performing information security risk assessments (see Clause 6.1.2 a) 2));
2. The organization's policy towards releasing its information security policy to interested parties (see Clause 5.2 g)); and
3. The organization's policy regarding external communications (see Clause 7.4).
0
 

Author Comment

by:DukewillNukem
ID: 39944793
That's a lot of information.
I basically need to see where the biggest differences are.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39945039
Sure, I understand, as you will not be alone in trying to appreciate the 2013 version. The challenge is that if you have not even gone through 2010, the differences may be even newer. Nonetheless, the overall governance and checks did not change. The controls have changed, and I do see the new controls as the ones to focus on (assuming 2010 is already in consideration) and to verify that they are well in place or relevant to the environment, e.g.

a) A.6.1.5 Information security in project management
b) 14.2.1 Secure development policy
c) 14.2.5 Secure system engineering principles
d) 14.2.8 System security testing
e) 16.1.4 Assessment of and decision on information security events
f) 17.2.1 Availability of information processing facilities

If you look at the above, you can see more of the "do" instead of the "say" in 2013. There is more verification to ascertain that the risks are not only assessed but also mitigated and remediated in a governed and approved fashion.
0
 

Author Comment

by:DukewillNukem
ID: 39952825
We are already ISO 27001 certified. What I still don't understand is what changes ISO/IEC 27001:2013 will bring to our infrastructure. Forgive me for being so dumb, but I don't see a direct impact at all...
0
 
LVL 64

Accepted Solution

by:btan
btan earned 500 total points
ID: 39953226
No worries, I am none the wiser.

There are no "big" changes since you are already on board with the 2005 version; there is a lot of mapping and reviewing using those new 2013 terms. All this is not really a big concern, and I do see you can take a minimalist approach such as a straightforward "make-over", making the minimum necessary changes to the existing ISMS processes and existing documentation.

For example, if I can extract from the PDF:

a) Documented information
'Documented information' is a new term that applies to what the 2005 version of the standard referred to as 'documents' and 'records'. In transitioning to ISO/IEC 27001:2013, simply replace the terms 'documents' and 'records' with the term 'documented information'.

b) Terms of reference for top management
A change may be required to accommodate the specific responsibilities given in Clauses 5.1 a) to h).

c) Responsibilities
A change may be required to accommodate the specific responsibilities given in Clauses 5.3 a) and b).

d) Awareness
A change may be required to accommodate the requirements of Clause 7.4, as the process of creating awareness may be regarded as a form of communication.

e) The Statement of Applicability
Annex A has been updated to reflect the controls that are now described in ISO/IEC 27002:2013. Whilst organizations are no longer required to select controls from Annex A, it is still used to determine whether any necessary controls have been omitted (see Clause 6.1.3 c)), and organizations are required to produce an SOA. The format of an ISO/IEC 27002:2013 conformant SOA doesn't need to be different from the previous standard. However, the control set is different, and therefore organizations will be required to update their SOAs. When doing so, be careful to ensure that control implementation strictly conforms to the wording given in Annex A.

f) Actions to address risks and opportunities – general
Existing preventive action procedures will need to be revised or replaced to ensure conformance with Clauses 4.1, 4.2 and 6.1.1.

g) Monitoring, measurement, analysis and evaluation
The requirements of Clause 9.1 are more detailed and exact than the requirements for the ISMS and control effectiveness in ISO/IEC 27001:2005. From the perspective of transition it may be best to start with a clean sheet of paper.

Actually (my thoughts), even if you stay status quo for now, I don't think you are far off, any less secure or out of compliance; you are not the first or the last to grapple with the transition.

**Sometimes it is good not to change, as changes have ramifications beyond control and create more risk than the safeguard covers, despite the initial good intent to comply with the latest. It is like patching to the latest release: it is not always viable overnight, and you need to make sure nothing breaks, as the business must run without hassle or being dragged down by inadvertent changes.
0
