Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo
"Quality Matters in your Business"

Monday, 8 April 2013

IS027002 Information Security Code of Practice

This Standard last reviewed and updated in 2005 and linked to ISO27001, is about to be re-issued as ISO27002:2013 later this year.  The current position is that the draft has reached the “draft for public discussion” stage.

There were a number of inconsistencies in the 2005 code of practice which do seem to have been addressed in this draft:

Some of the section elements have been removed:

Addressing security when dealing with customers (6.2.2)               
Controls against mobile code (10.4.2)                                 
Information handling procedures (10.7.3)                             
Security of system documentation (10.7.4)                            
Business information systems (10.8.5)                                 
Publicly available information (10.9.3)                              
User information for external connections (11.4.2)                    
Equipment identification in networks (11.4.3)                        
Remote diagnostic and configuration port protection (11.4.4)          
Network connection control (11.4.6)                                   
Network routing control (11.4.7)                                      
Input data validation (12.2.1)                                        
Control of internal processing (12.2.2)                               
Message integrity (12.2.3)                                            
Output data validation (12.2.4)                                      
Session timeout (11.5.5)                                              
Limitation of connection time (11.5.6)                                
Sensitive system isolation (11.6.2)
Information leakage (12.5.4)                                          
Business continuity and risk assessment (14.1.2)                      
Developing and implementing business continuity plans (14.1.3)        
Business continuity planning framework (14.1.4)                       
Prevention of misuse of information processing facilities (15.1.5)    
Protection of information systems audit tools ( 15.3.2)

These controls have not entirely abandoned but have been incorporated elsewhere in the standard or have been renamed for clarity but are not duplicated as before.

There will be 14 sections in the new standard instead of the 11 sections in the 2005 standard but the number of controls required to be addressed has come down from 133 to a mere 113.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of this standard
  5. Security Policies
  6. Organisation of information security (now includes controls for mobile devices, apps and teleworking).
  7. Human resource security
  8. Asset management
  9. Access control (Password is supplemented by Secret Authentication to recognise that other methods may be used to validate users identity)
  10. Cryptography (now given a separate section to recognise its importance)
  11. Physical and environmental security
  12. Operations security (operations and communication now separate sections)
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships (new separate section). 
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

The revised standard seems to be more ordered rather that the splatter approach used in the 2005 standard.  As mentioned in the 27001 blog last time, it is a pity that there is not more emphasis on the cloud, but there is still time for this to be incorporated.

Remember, this is only a draft and it may (almost certainly will) change before final publication in 4th qtr 2013.

No comments:

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design