
White Paper - IT Security

The new ISO/IEC 27001:2013 standard


The changes introduced by the new ISO/IEC 27001:2013 standard and their impact for information security professionals.
Stéphane Perroud, Lead Trainer IT Security, Digicomp Lausanne; Raphael Rues, Product Manager IT Management and Governance, Digicomp Genève

1. Introduction
The new version of the international information security management standard ISO/IEC 27001 was published on 25 September 2013. The changes it introduces require organisations that are already certified, or about to be, to adapt the implementation of their information security management system (ISMS). This white paper gives an overview of the changes and of their impact on information security, processes and systems.

2. Background
The original information security standard ISO/IEC 27001 was adopted in 2005 and was largely based on the British standard BS 7799. Eight years on, the information security landscape has changed considerably in terms of threats, vulnerabilities and risks. Information security has never been so pervasive, and the number of reported incident profiles has grown over recent years [1]. Based on the newly published standard, this white paper describes the changes and their effect on the information security management system of organisations that rely on the standard to support their security policy.

3. The changes and what they mean

The most obvious changes when comparing the old and new versions concern both the structure of the standard and the distribution of the controls across the information security domains. The revision removed duplicated requirements, and the text is less prescriptive, which gives organisations more freedom to implement the requirements in the way that suits them best. The following sections describe these differences and show how they may affect the information security management system.

[1] See the website of the Reporting and Analysis Centre for Information Assurance MELANI, www.melani.ch


Digicomp Academy Suisse Romande SA, Tel 021 321 65 00, Fax 021 321 65 10, romandie@digicomp.ch, www.digicomp.ch/fr


4. Changes in ISO/IEC 27001

[Figure: structural comparison of ISO/IEC 27001:2005 and ISO/IEC 27001:2013, with the changes numbered 1 to 12. Source: Gamma Secure Systems Limited. Not reproduced in this text version.]

Legend of the changes, following the numbering in the figure:


1. The new structure is common to all new or revised management system standards. The section on the process approach, including the PDCA model, has been removed. ISO recognises that the important requirement is continual improvement and that there are ways to achieve it other than PDCA. The order in which you implement the requirements is irrelevant; what matters is that all of them are met once implementation is complete.

2. The scope of the new standard is very similar to the old one. To claim conformity of the information security management system with the standard, all the requirements specified in clauses 4 to 10 must be met, without exception.

3. ISO/IEC 27002 is no longer a normative reference and is not indispensable for understanding ISO/IEC 27001. A Statement of Applicability (SoA) must still be produced, but ISO recognises that Annex A contains all the information you need for it. ISO/IEC 27000 is indispensable because it contains all the definitions of terms, and it therefore becomes a normative reference.

4. All the definitions that appeared in the 2005 version have been removed and relocated to ISO/IEC 27000, to ensure consistency of terms and definitions across the whole 27000 series.

5. The general requirement to implement the ISMS, given in 4.1 of the 2005 version, is now in 4.4 of the new standard, without the reference to the PDCA cycle (see point 1 above).

6. The requirements for determining the scope of the ISMS (4.2(a) of the 2005 version) are in 4.3 of the new standard, together with two new sets of requirements, "Understanding the organization and its context" and "Understanding the needs and expectations of interested parties".


7. The 2005 requirements to provide a framework for setting objectives (4.2(b)(1)) are in 6.2 of the new standard. Note that objectives must now be set at the relevant functions and levels; they are no longer only policy objectives as in the 2005 standard. However, you no longer need to provide a framework: policy objectives can simply be stated in your information security policy. The 2005 requirements for risk assessment (4.2(c), (d) and (e)) are in 6.1.2 of the new standard, while the requirements for risk treatment (4.2(f) and (g) of the 2005 version) and for producing the SoA (4.2(j)) are in 6.1.3. The important changes are:
(a) The risk assessment requirements are more general, because the new version has been aligned with ISO 31000:2009 (Risk management - Principles and guidelines).
(b) As a consequence, you are no longer required to identify assets, threats and vulnerabilities in order to identify risks. Other, perfectly valid methods of identifying risks exist.
(c) The SoA requirements are largely unchanged from the 2005 version, except that the new standard clearly states that you do not select controls from Annex A. Instead, you determine the necessary controls as part of risk treatment and then compare them with those in Annex A to make sure that no important control has been overlooked.
(d) There are new general requirements (6.1.1) intended to cover risks that are not information security risks. This is ISO's new way of addressing what the 2005 version called "preventive action".

8. The 2005 documentation requirements (4.3) are largely unchanged and are in 7.5 of the new standard. The new standard refers to "documented information" rather than to "documents" and "records". There is no longer a section listing all the documents you must produce, which avoids redundancy and the production of documents with particular names. It is the content that matters, not the document's name, except for the Statement of Applicability (SoA).

9. The 2005 requirements for providing resources (5.2.1) are in 7.1 of the new standard, while the requirements for training, awareness and competence (5.2.2) are now split between 7.2 and 7.3. There is a new set of requirements on communication (7.4).

10. The 2005 requirements for management commitment (5.1) are in 5.1 of the new standard, with more detailed requirements for:
(a) the policy (5.2)
(b) organisational roles, responsibilities and authorities (5.3)
The new standard no longer refers to an "ISMS policy", only to the "information security policy". However, some requirements that the ISMS policy used to address, such as the risk criteria, must still be documented.

11. The 2005 requirements for internal audit (6) and management review (7) are in 9.2 and 9.3 of the new standard respectively. The 2005 requirements for measuring effectiveness (4.2.2(d) and 4.2.3(c)) are in 9.1 of the new standard.

12. The 2005 requirements for continual improvement (8.1) and corrective action (8.2) are in 10.2 and 10.1 of the new standard respectively. The 2005 requirements for preventive action (8.3) have been reworked into 6.1.1 of the new standard, within the general risk management requirements.


4.1. Contrles obligatoires ISO/IEC 27001


Limportance des clauses obligatoires dans la norme vient du fait que si lauditeur dcouvre lors dun audit du SMSI que lune de ces clauses manque ou est inefficace, cela est considr comme une non-conformit majeure et est une raison pour ne pas recommander la certification ou son renouvellement. En comparant les versions de la norme ISO/IEC 27001, nous apercevons une augmentation des points de contrle obligatoires de 102 148.

IT World Canada The new ISMS, ISO/IEC 27001 :2013 Expert insight by Ron Richard

5. Changes in ISO/IEC 27001 Annex A

Annex A retains the list of discretionary controls that an organisation draws on to treat its risks, and it is the basis for defining the Statement of Applicability (SoA). The changes in the new standard mainly concern the increase in the number of sections (from 11 to 14) and the reduction in the number of controls (from 133 to 113 in the draft on which the mapping in Annex 1 is based; the published 2013 text has 114). The result of these improvements is clearer controls and better alignment with existing business policies, procedures and standards. Consequently, organisations will have to revise their SoA to make sure that the new controls are either included or excluded with justification.

Source: IT World Canada, "The new ISMS, ISO/IEC 27001:2013", expert insight by Ron Richard.



Number of sections: the number of sections has increased from 11 to 14.
- "Information security policies" is a new section (no. 5), providing management direction and support in line with the organisation's various requirements.
- "Cryptography" has become a separate section (no. 10), since logically it is not only part of information systems acquisition, development and maintenance.
- "Communications and operations management" is now split into two sections: operations security (no. 12) and communications security (no. 13).
- "Supplier relationships" now has its own section (no. 15), in response to the popularity of cloud computing and to efforts to secure supply chains.

Number of controls: the number of controls has decreased from 133 to only 113 (114 in the published standard).

Some controls were removed because they were no longer considered relevant in an interconnected world. Others were merged because they said the same thing in different ways. There are also a few new controls.

6. Conclusion
The new provisions and the restructuring of the controls will affect how the standard is interpreted and how organisations deploy their information security management system. It must be acknowledged, however, that most of the standard remains the same. Nevertheless, it is important that organisations understand these changes and ensure that their ISMS conforms to the new version for future ISO/IEC 27001:2013 audits. A two-year transition period will be granted to certified organisations to conform to the new version. From January 2014, Digicomp offers courses and international certifications (Lead Auditor) aligned with this new version of ISO/IEC 27001:2013.
Stéphane Perroud & Raphael Rues, 20.10.2013

About Digicomp
A centre of expertise dedicated exclusively to professional training, Digicomp delivers, at its Lausanne and Geneva centres, high added-value technology curricula that prepare for official professional certifications (ITIL, Prince2, PMP, MOC, etc.). Its human values, the technical and teaching skills of its experienced trainers, and its independence drive the remarkable pass rate of participants in certification exams.


7. Annex 1: Mapping of the controls in ISO 27001 Annex A

Each ISO/IEC 27001:2013 Annex A control is listed with the ISO/IEC 27001:2005 Annex A control(s) it corresponds to, after the "<-" sign; "none" marks a control with no 2005 counterpart. Numbering and titles follow the draft (DIS) on which this mapping was prepared; the published standard differs in places (A.9.2 gained a control, and A.18.1 and A.18.2 are swapped), so verify against the published Annex A before updating an SoA.
(Source: Gamma Secure Systems Limited)

A.5 Information security policy

A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  A.5.1.1 Policies for information security  <-  A.5.1.1 Information security policy document
  A.5.1.2 Review of the policies for information security  <-  A.5.1.2 Review of the information security policy

A.6 Organisation of information security

A.6.1 Internal organisation
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.
  A.6.1.1 Information security roles and responsibilities  <-  A.6.1.3 Allocation of information security responsibilities; A.8.1.1 Roles and responsibilities
  A.6.1.2 Contact with authorities  <-  A.6.1.6 Contact with authorities
  A.6.1.3 Contact with special interest groups  <-  A.6.1.7 Contact with special interest groups
  A.6.1.4 Information security in project management  <-  none
  A.6.1.5 Segregation of duties  <-  A.10.1.3 Segregation of duties

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
  A.6.2.1 Mobile device policy  <-  A.11.7.1 Mobile computing and communications
  A.6.2.2 Teleworking  <-  A.11.7.2 Teleworking

A.7 Human resource security

A.7.1 Prior to employment
Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for.
  A.7.1.1 Screening  <-  A.8.1.2 Screening
  A.7.1.2 Terms and conditions of employment  <-  A.8.1.3 Terms and conditions of employment

A.7.2 During employment
Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities.
  A.7.2.1 Management responsibilities  <-  A.8.2.1 Management responsibilities
  A.7.2.2 Information security awareness, education and training  <-  A.8.2.2 Information security awareness, education and training
  A.7.2.3 Disciplinary process  <-  A.8.2.3 Disciplinary process

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.
  A.7.3.1 Termination or change of employment responsibilities  <-  A.8.3.1 Termination responsibilities

A.8 Asset management

A.8.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
  A.8.1.1 Inventory of assets  <-  A.7.1.1 Inventory of assets
  A.8.1.2 Ownership of assets  <-  A.7.1.2 Ownership of assets
  A.8.1.3 Acceptable use of assets  <-  A.7.1.3 Acceptable use of assets

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
  A.8.2.1 Classification of information  <-  A.7.2.1 Classification guidelines
  A.8.2.2 Labeling of information  <-  A.7.2.2 Information labeling and handling
  A.8.2.3 Handling of assets  <-  A.10.7.3 Information handling procedures
  A.8.2.4 Return of assets  <-  A.8.3.2 Return of assets

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
  A.8.3.1 Management of removable media  <-  A.10.7.1 Management of removable media
  A.8.3.2 Disposal of media  <-  A.10.7.2 Disposal of media
  A.8.3.3 Physical media transfer  <-  A.10.8.3 Physical media in transit

A.9 Logical security / access control

A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.
  A.9.1.1 Access control policy  <-  A.11.1.1 Access control policy
  A.9.1.2 Policy on the use of network services  <-  A.11.4.1 Policy on use of network services

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
  A.9.2.1 User registration and de-registration  <-  A.11.2.1 User registration; A.11.5.2 User identification and authentication
  A.9.2.2 Privilege management  <-  A.11.2.2 Privilege management
  A.9.2.3 Management of secret authentication information of users  <-  A.11.2.3 User password management
  A.9.2.4 Review of user access rights  <-  A.11.2.4 Review of user access rights
  A.9.2.5 Removal or adjustment of access rights  <-  A.8.3.3 Removal of access rights

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
  A.9.3.1 Use of secret authentication information  <-  A.11.3.1 Password use

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
  A.9.4.1 Information access restriction  <-  A.11.6.1 Information access restriction
  A.9.4.2 Secure log-on procedures  <-  A.11.5.1 Secure log-on procedures; A.11.5.5 Session time-out; A.11.5.6 Limitation of connection time
  A.9.4.3 Password management system  <-  A.11.5.3 Password management system
  A.9.4.4 Use of privileged utility programs  <-  A.11.5.4 Use of system utilities
  A.9.4.5 Access control to program source code  <-  A.12.4.3 Access control to program source code

A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.
  A.10.1.1 Policy on the use of cryptographic controls  <-  A.12.3.1 Policy on the use of cryptographic controls
  A.10.1.2 Key management  <-  A.12.3.2 Key management

A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
  A.11.1.1 Physical security perimeter  <-  A.9.1.1 Physical security perimeter
  A.11.1.2 Physical entry controls  <-  A.9.1.2 Physical entry controls
  A.11.1.3 Securing offices, rooms and facilities  <-  A.9.1.3 Securing offices, rooms and facilities
  A.11.1.4 Protecting against external and environmental threats  <-  A.9.1.4 Protecting against external and environmental threats
  A.11.1.5 Working in secure areas  <-  A.9.1.5 Working in secure areas
  A.11.1.6 Delivery and loading areas  <-  A.9.1.6 Public access, delivery and loading areas

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
  A.11.2.1 Equipment siting and protection  <-  A.9.2.1 Equipment siting and protection
  A.11.2.2 Supporting utilities  <-  A.9.2.2 Supporting utilities
  A.11.2.3 Cabling security  <-  A.9.2.3 Cabling security
  A.11.2.4 Equipment maintenance  <-  A.9.2.4 Equipment maintenance
  A.11.2.5 Removal of assets  <-  A.9.2.7 Removal of property
  A.11.2.6 Security of equipment and assets off-premises  <-  A.9.2.5 Security of equipment off-premises
  A.11.2.7 Secure disposal or re-use of equipment  <-  A.9.2.6 Secure disposal or re-use of equipment
  A.11.2.8 Unattended user equipment  <-  A.11.3.2 Unattended user equipment
  A.11.2.9 Clear desk and clear screen policy  <-  A.11.3.3 Clear desk and clear screen policy

A.12 Operations security

A.12.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of information processing facilities.
  A.12.1.1 Documented operating procedures  <-  A.10.1.1 Documented operating procedures
  A.12.1.2 Change management  <-  A.10.1.2 Change management
  A.12.1.3 Capacity management  <-  A.10.3.1 Capacity management
  A.12.1.4 Separation of development, test and operational environments  <-  A.10.1.4 Separation of development, test and operational facilities

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
  A.12.2.1 Controls against malware  <-  A.10.4.1 Controls against malicious code

A.12.3 Backup
Objective: To protect against loss of data.
  A.12.3.1 Information backup  <-  A.10.5.1 Information back-up

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
  A.12.4.1 Event logging  <-  A.10.10.1 Audit logging
  A.12.4.2 Protection of log information  <-  A.10.10.3 Protection of log information
  A.12.4.3 Administrator and operator logs  <-  A.10.10.4 Administrator and operator logs
  A.12.4.4 Clock synchronisation  <-  A.10.10.6 Clock synchronisation

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
  A.12.5.1 Installation of software on operational systems  <-  A.12.4.1 Control of operational software

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
  A.12.6.1 Management of technical vulnerabilities  <-  A.12.6.1 Control of technical vulnerabilities
  A.12.6.2 Restrictions on software installation  <-  none

A.12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
  A.12.7.1 Information systems audit controls  <-  A.15.3.1 Information system audit controls

A.13 Communications security

A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
  A.13.1.1 Network controls  <-  A.10.6.1 Network controls
  A.13.1.2 Security of network services  <-  A.10.6.2 Security of network services
  A.13.1.3 Segregation in networks  <-  A.11.4.5 Segregation in networks

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
  A.13.2.1 Information transfer policies and procedures  <-  A.10.8.1 Information exchange policies and procedures
  A.13.2.2 Agreements on information transfer  <-  A.10.8.2 Exchange agreements
  A.13.2.3 Electronic messaging  <-  A.10.8.4 Electronic messaging
  A.13.2.4 Confidentiality or non-disclosure agreements  <-  A.6.1.5 Confidentiality agreements

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.
  A.14.1.1 Security requirements analysis and specification  <-  A.12.1.1 Security requirements analysis and specification
  A.14.1.2 Securing application services on public networks  <-  A.10.9.1 Electronic commerce; A.10.9.3 Publicly available information
  A.14.1.3 Protecting application services transactions  <-  A.10.9.2 On-line transactions

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
  A.14.2.1 Secure development policy  <-  none
  A.14.2.2 Change control procedures  <-  A.12.5.1 Change control procedures
  A.14.2.3 Technical review of applications after operating platform changes  <-  A.12.5.2 Technical review of applications after operating system changes
  A.14.2.4 Restrictions on changes to software packages  <-  A.12.5.3 Restrictions on changes to software packages
  A.14.2.5 System development procedures  <-  none
  A.14.2.6 Secure development environment  <-  none
  A.14.2.7 Outsourced development  <-  A.12.5.5 Outsourced software development
  A.14.2.8 System security testing  <-  none
  A.14.2.9 System acceptance testing  <-  A.10.3.2 System acceptance

A.14.3 Test data
Objective: To ensure the protection of data used for testing.
  A.14.3.1 Protection of test data  <-  A.12.4.2 Protection of system test data

A.15 Supplier relationships

A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.
  A.15.1.1 Information security policy for supplier relationships  <-  A.6.2.3 Addressing security in third party agreements
  A.15.1.2 Addressing security within supplier agreements  <-  A.6.2.3 Addressing security in third party agreements
  A.15.1.3 ICT supply chain  <-  none

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
  A.15.2.1 Monitoring and review of supplier services  <-  A.10.2.2 Monitoring and review of third party services
  A.15.2.2 Managing changes to supplier services  <-  A.10.2.3 Managing changes to third party services

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
  A.16.1.1 Responsibilities and procedures  <-  A.13.2.1 Responsibilities and procedures
  A.16.1.2 Reporting information security events  <-  A.13.1.1 Reporting information security events
  A.16.1.3 Reporting information security weaknesses  <-  A.13.1.2 Reporting security weaknesses
  A.16.1.4 Assessment and decision of information security events  <-  none
  A.16.1.5 Response to information security incidents  <-  none
  A.16.1.6 Learning from information security incidents  <-  A.13.2.2 Learning from information security incidents
  A.16.1.7 Collection of evidence  <-  A.13.2.3 Collection of evidence

A.17 Business continuity

A.17.1 Information security aspects of business continuity management
Objective: Information security continuity should be embedded in the organization's business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.
  A.17.1.1 Planning information security continuity  <-  A.14.1.2 Business continuity and risk assessment
  A.17.1.2 Implementing information security continuity  <-  none in this table (Annex 2 suggests mapping A.14.1.1, A.14.1.3 and A.14.1.4 here)
  A.17.1.3 Verify, review and evaluate information security continuity  <-  A.14.1.5 Testing, maintaining and re-assessing business continuity plans

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
  A.17.2.1 Availability of information processing facilities  <-  none

A.18 Compliance

A.18.1 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
  A.18.1.1 Independent review of information security  <-  A.6.1.8 Independent review of information security
  A.18.1.2 Compliance with security policies and standards  <-  A.15.2.1 Compliance with security policies and standards
  A.18.1.3 Technical compliance inspection  <-  A.15.2.2 Technical compliance checking

A.18.2 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
  A.18.2.1 Identification of applicable legislation and contractual requirements  <-  A.15.1.1 Identification of applicable legislation
  A.18.2.2 Intellectual property rights (IPR)  <-  A.15.1.2 Intellectual property rights (IPR)
  A.18.2.3 Protection of documented information  <-  A.15.1.3 Protection of organisational records
  A.18.2.4 Privacy and protection of personal information  <-  A.15.1.4 Data protection and privacy of personal information
  A.18.2.5 Regulation of cryptographic controls  <-  A.15.1.6 Regulation of cryptographic controls


8. Annex 2: Controls removed from ISO 27001 Annex A

ISO/IEC 27001:2005 controls deleted in the DIS, each with the comment given for it (Source: Gamma Secure Systems Limited):

A.6.1.1 Management commitment to information security
  Comment: Claimed that this is not a control but part of the ISO/IEC 27001 management commitment requirement.

A.6.1.2 Information security coordination
  Comment: Claimed removed as this deals with the establishment of an ISMS and guidance is to be found in ISO/IEC 27003.

A.6.1.4 Authorisation process for information processing facilities
  Comment: Appears no longer explicitly addressed, as it seems to be an aspect of A.6.1.1.

A.6.2.1 Identification of risks related to external parties
  Comment: Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements.

A.6.2.2 Addressing security when dealing with customers
  Comment: Claimed that this is not a control but part of the ISO/IEC 27001 risk assessment/risk treatment requirements.

A.10.2.1 Service delivery
  Comment: No reason given.

A.10.7.4 Security of system documentation
  Comment: Claimed that this control has been removed on the grounds that system documentation is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such documents, should they fall into the wrong hands, present a source of risk.

A.10.8.5 Business information systems
  Comment: Claimed removed on the grounds that the control really relates to the whole standard, and trying to reflect that more or less in a single control doesn't really work.

A.10.10.2 Monitoring system use
  Comment: Appears considered to be part of Event logging (A.12.4.1).

A.10.10.5 Fault logging
  Comment: Now appears referenced in Event logging (A.12.4.1).

A.11.4.2 User authentication for external connections
  Comment: Claimed covered by access control (A.9.1.1).

A.11.4.3 Equipment identification in networks
  Comment: Appears covered by A.13.1.3.

A.11.4.4 Remote diagnostic and configuration port protection
  Comment: Claimed that separate physical diagnostic ports are becoming rare and that protection is covered through access control (A.9.1.1) and the segregation in networks control (A.13.1.3).

A.11.4.6 Network connection control
  Comment: Claimed covered by A.13.1.3.

A.11.4.7 Network routing control
  Comment: Claimed covered by A.13.1.3.

A.11.6.2 Sensitive system isolation
  Comment: Deleted, as it is claimed that in an interconnected world such a control defeats the objective. However, we note that it may still apply in certain cases.

A.12.2.1 Input data validation
  Comment: It is claimed that since this control was introduced, technology has moved on, and input data validation is just one small aspect of protecting web interfaces from attacks such as SQL injection. There are some remarks in the "Other information" section of A.14.2.5, but the general understanding now appears to be that such techniques lie firmly in the domain of professional software developers and are therefore outside the scope of ISO/IEC 27002.

A.12.2.2 Control of internal processing
  Comment: See A.14.2.5 and the explanation above.

A.12.2.3 Message integrity
  Comment: This appears to be a duplication of material in A.13.2.1.

A.12.2.4 Output data validation
  Comment: See A.14.2.5 and the explanation above.

A.12.5.4 Information leakage
  Comment: It is claimed that this control was deleted because it only covered part of the problem associated with information leakage, and indeed there is coverage elsewhere. For example, the term "leakage" appears in A.8.3.2, A.11.2.1, A.12.6.2 and A.13.2.4 as guidance and other information. Note, however, that the term "covert channel" does not appear in the DIS. Adware viruses, some of which are known to leak information, would be addressed by A.12.2.1.

A.14.1.1 Including information security in the business continuity management process
  Comment: There used to be five controls and now there are three. Two of these (planning/RA and testing) map well onto two of the originals. The other three originals perhaps merit being called controls even less than everything else in the 2005 version; "principles" would be a more apt description. From our experience, this control is often just mapped to the BCP as a whole and therefore this control could be mapped to A.17.1.2.

A.14.1.3 Developing and implementing continuity plans including information security
  Comment: For the reason cited above, this control could be mapped to A.17.1.2.

A.14.1.4 Business continuity planning framework
  Comment: For the reason cited above, this control could be mapped to A.17.1.2.

A.15.1.5 Prevention of misuse of information processing facilities
  Comment: This control corresponds to a UK law and could be a remnant of the original BS 7799:1995 standard, which was completely UK-centric. Its omission is effectively covered by the new A.18.2.1, which requires all relevant laws to be identified. Thus, in the UK, this control is effectively dealt with by that control. Moreover, there is mention of warning banners in A.9.4.2.

A.15.3.2 Protection of information systems audit tools
  Comment: It is claimed that this control has been removed on the grounds that an audit tool is just another form of asset that requires protection. Its removal therefore requires consideration during risk assessment of whether such tools present a source of risk.
