IS027002 Information Security Code of Practice

This Standard last reviewed and updated in 2005 and linked to ISO27001, is about to be re-issued as ISO27002:2013 later this year.  The current position is that the draft has reached the “draft for public discussion” stage.

There were a number of inconsistencies in the 2005 code of practice which do seem to have been addressed in this draft:

Some of the section elements have been removed:

Addressing security when dealing with customers (6.2.2)               
Controls against mobile code (10.4.2)                                 
Information handling procedures (10.7.3)                             
Security of system documentation (10.7.4)                            
Business information systems (10.8.5)                                 
Publicly available information (10.9.3)                              
User information for external connections (11.4.2)                    
Equipment identification in networks (11.4.3)                        
Remote diagnostic and configuration port protection (11.4.4)          
Network connection control (11.4.6)                                   
Network routing control (11.4.7)                                      
Input data validation (12.2.1)                                        
Control of internal processing (12.2.2)                               
Message integrity (12.2.3)                                            
Output data validation (12.2.4)                                      
Session timeout (11.5.5)                                              
Limitation of connection time (11.5.6)                                
Sensitive system isolation (11.6.2)
Information leakage (12.5.4)                                          
Business continuity and risk assessment (14.1.2)                      
Developing and implementing business continuity plans (14.1.3)        
Business continuity planning framework (14.1.4)                       
Prevention of misuse of information processing facilities (15.1.5)    
Protection of information systems audit tools ( 15.3.2)

These controls have not entirely abandoned but have been incorporated elsewhere in the standard or have been renamed for clarity but are not duplicated as before.

There will be 14 sections in the new standard instead of the 11 sections in the 2005 standard but the number of controls required to be addressed has come down from 133 to a mere 113.

1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this standard
5. Security Policies
6. Organisation of information security (now includes controls for mobile devices, apps and teleworking).
7. Human resource security
8. Asset management
9. Access control (Password is supplemented by Secret Authentication to recognise that other methods may be used to validate users identity)
10. Cryptography (now given a separate section to recognise its importance)
11. Physical and environmental security
12. Operations security (operations and communication now separate sections)
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships (new separate section). 
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

The revised standard seems to be more ordered rather that the splatter approach used in the 2005 standard.  As mentioned in the 27001 blog last time, it is a pity that there is not more emphasis on the cloud, but there is still time for this to be incorporated.

Remember, this is only a draft and it may (almost certainly will) change before final publication in 4th qtr 2013.