
Overview and Transitioning from ISO/IEC 27001:2005 to ISO/IEC 27001:2013
You Cheng Hwee, Co-Chair, ISMS WG,
ITSC Director, Maximus Consulting Pte

What is an information security management system (ISMS)?

[Diagram: the ISMS lifecycle (establish, implement, maintain, continually improve) applied across the layers of an ISMS: Policy & Guideline, Practice, Procedure, Technical Implementation, Organisation Structure]

Copyright 2014 Maximus International LLC. All Rights Reserved.

ISMS family of standards


ISMS program structure

[Diagram: ISMS programme structure. Elements shown: Issues & Needs; Requirements; Objectives; Risk Management; Existing Safeguards; New Safeguards]

ISO/IEC 27001:2013 ISMS structure

0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
Annex A (normative): Reference control objectives and controls

Main Annex SL highlights

Organisations need to understand their reason for existence
Top management needs to be more involved, leading the programme
Proactive approach to reduce the need for correction and corrective action
More emphasis on developing objectives aligned to the business
Awareness needed so that everyone knows the implications of not conforming to management system requirements
Need for both internal and external communications relevant to the management system: what, when and with whom it will communicate
Document and record concepts merged into control of documented information
Preventive action dropped (replaced by the risk-based approach taken in planning)

Main Changes to ISO/IEC 27001:2013

2013 no longer requires the ISMS to be run according to the PDCA process approach
2013 has dropped the need for an ISMS framework and a separate ISMS policy as documented information (an information security policy is still required under clause 5.2)
2013 requires the organisation to understand its reason for existence and the internal and external issues it faces
2013 requires leadership and involvement from top management, but allows flexibility in how direction and support are given
2013 introduces a new role into the ISMS programme requirements: the risk owner
2013 requires the risk treatment process to be formalised, in addition to the risk assessment process
2013 requires the organisation to identify interfaces and dependencies
2013 requires the organisation to develop a communication plan
2013 increases the visibility of the competencies required to support an ISMS programme

Conceptual changes to Annex A usage

[Diagram comparing the two editions. 2005 Edition: the ISMS is built around Annex A. 2013 Edition: organisation-identifiable risks drive the ISMS, with Annex A covering commonly known risks and additional controls added where needed]
Changes in Annex A

25 controls deleted
11 controls added
Over 80 controls
changed


Headline Changes in Annex A

Changed (2013 numbering):
A.5.1.1 Policies for information security
A.17.1 Information security continuity

Deleted (2005 numbering):
A.6.2.1 Identification of risks related to external parties
A.10.9.3 Publicly available information

New (2013 numbering):
A.6.1.5 Information security in project management
A.14.2.5 Secure system engineering principles
A.15.1.3 Information and communications technology supply chain

Understanding the sequence of ISMS audits

[Diagram: the audit sequence follows the ISMS chain: Issues, Needs, Expectations, Requirements, Information Security Objectives, Risk Assessment, Risk Treatment, Security Safeguards]

Conclusion to changes

The 2013 standard has updated itself to keep abreast of today's information security landscape
The 2013 standard requires the organisation to have more security knowledge and skills to maintain its security defences
The 2013 standard recommends engaging security experts for implementation assistance with certain controls
The 2013 standard focuses even more on information security risk management as the basis for the organisation to select and adopt security controls
