Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo

"Quality Matters in your Business"

Monday, 28 April 2014

ISO 27001 : 2013 Transition - Stage Five

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain. 

This is the fifth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The certificate will show compliance with ISO27001:2013 but the procedures are defined within the code of Practice ISO 27002:2013. This Standard has a good deal of guidance.

Here are the procedures that make up the minimum requirements:

  1. INFORMATION SECURITY POLICIES
    1. MANAGEMENT DIRECTION FOR INFORMATION SECURITY
  2. ORGANISATION OF INFORMATION SECURITY
    1. INTERNAL ORGANISATION
    2. MOBILE DEVICES AND TELEWORKING
  3. HUMAN RESOURCES SECURITY
    1. PRIOR TO EMPLOYMENT
    2. DURING EMPLOYMENT
    3. TERMINATION OR CHANGE OF EMLOYMENT
  4. ASSET MANAGEMENT
    1. RESPONSIBILITY FOR ASSETS
    2. INFOPMATION CLASSIFICATION
    3. MEDIA HANDLING
  5. ACCESS CONTROL
    1. BUSINESS REQUIREMENT FOR ACCESS CONTROL
    2. USER ACCESS MANAGEMENT
    3. USER RESPONSIBILITIES
    4. SYSTEM AND APPLICATION ACCESS CONTROL
  6. CRYPTOGRAPHY
    1. CRYPTOGRAPHIC CONTROLS
  7. PHYSICAL AND ENVIRONMENTAL SECURITY
    1. SECURE AREAS
    2. EQUIPMENT
  8. OPERATIONS MANAGEMENT
    1. OPERATIONAL PROCEDURES AND RESPONSIBILITIES
    2. PROTECTION FROM MALWARE
    3. BACKUP
    4. LOGGING AND MONITORING
    5. CONTROL OF OPERATIONAL SOFTWARE
    6. TECHNICAL VULNERABILITY MANAGEMENT
    7. INFORMATION SYSTEMS AUDIT CONSIDERATIONS
  9. COMMUNICATIONS SECURITY
    1. NETWORK SECURITY MANAGEMENT
    2. INFORMATION TRANSFER
  10. SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
    1. SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
    2. SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
    3. TEST DATA
  11. SUPPLIER RELATIONSHIPS
    1. INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
    2. SUPPLIER SERVICE DELIVERY MANAGEMENT
  12. INFORMATION SECURITY INCIDENT MANAGEMENT
    1. MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
  13. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
    1. INFORMATION SECURITY CONTINUITY
    2. REDUNDANCIES
  14. COMPLIANCE
    1. COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS
    2. INFORMATION SECURITY REVIEWS
The procedures need to be written around the organisation’s actual practices; some are reasonably generic but others require bespoke action. These, of course, do need to satisfy the requirements of the Standard.

Our company specialises in 27001 consultancy and we are available to assist companies that need help.

In stage 6 we will look at the records and logs required to provide evidence that the procedures are being followed

Monday, 14 April 2014

ISO 27001:2013 Transition Stage 4

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.  This is the fourth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.
   
All certifications require a detailed set of requirements, that have been met (or excluded) to be identified and documented.  This document is called a S.O.A. Statement of applicability.  This is  public document that accompanies the certificate and shows which elements of 27001 are compliant (and which are not).

It is usual to look at annex A which has all the requirements set out in ISO27001 ( The Code of Practice). There are 18 sections and a number of sub-sections.

Below you will see a typical SOA. If the organisation is compliant it should show what control, policy or process is being used.  If the organisation is going to exclude that element it should be shown as EXCLUDED.











In the next stage we will look at the type of documentation which is required.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design