November 2013

New releases of ISO 27001:2013 and ISO 27002:2013

The new versions of ISO 27001 Information Security Management System (ISMS requirements) and ISO 27002 Code of Practice for Information Security Controls (aids the implementation of ISO 27001) were published in September 2013. An effectively implemented ISMS can improve the state of information security in an organisation. Organisations already ISO certified are allowed a period of two years to meet the requirements of the new ISO version.

Changes in ISO 27002:2013

The revised Annex SL format has a new set of chapters and structure, as illustrated in the image in the Appendix. The new structure is intended to standardise terminology and requirements to all management system standards, such as ISO 9000 Quality Management and ISO 20000 Information Technology Service Management. The Information Security Management System (ISMS) is renamed as Context of the Organisation. The new version of the standard requires clear demonstration of leadership. Leadership and management are now clearly defined as two requirements. Leaders need to demonstrate commitment by defining strategic goals and ensuring that sufficient resources are available to implement information security correctly. Management is defined as the implementation and day to day running of the systems. Organisations will now have the flexibility to implement the requirements in the most suitable way for them, since the new standard is less prescriptive. A noticeable change is the withdrawal of the Plan-Do-Check-Act (PDCA) model which was an important section of the standard. The 2013 version uses a model in the mandatory clauses; however it is not a dedicated section. The importance of interested parties is recognised in the new standard, where a separate clause is included which requires all interested parties to be listed under Understanding the needs and expectations of interested parties, along with their requirements. Chapters on Risk Assessment and Risk Treatment were removed. The documentation of a Risk Management Methodology is not required and the assets-vulnerabilities-threats are not the basis of the risk assessment. Only risks associated with confidentiality, integrity and availability need to be identified. Also, the new concept of risk owners is introduced instead of asset owners. The new standard includes 114 controls in 14 security control clauses (categories), whereas the 2005 standard had 133 controls in 11 security control clauses. Two new categories are added Cryptography and Supplier Relationships and the existing category Communications and operations management is split into two categories Operations Security and Communications Security. Many controls included in the standard are not altered while some controls are deleted or merged together. Additionally, some new controls are added and the guidance text is accordingly updated. The tables below illustrate the security control clauses (categories) included in ISO 27002:20013 and ISO 27001:2005. ISO 27002:2013 Information Security Policies Organisation of Information Security Human Resource Security Asset Management Access Control ISO 27002:2005 Security Policy Organisation of Information Security Asset Management Human Resource Security Physical and Environmental Security 1

5 6 7 8 9

Risk Assurance Consulting (RAC)

November 2013

10 11 12 13 14 15 16 17 18

ISO 27002:2013 Cryptography Physical and Environmental Security Operations Security

Communications Security System acquisition, Development and Maintenance Supplier Relationships Compliance Information Security Incident Management Information Security Aspects of Business Continuity Management Compliance

ISO 27002:2005 Communications and Operations Management Access Control Information Systems Acquisition, Development and Maintenance Information Security Incident Management Business Continuity Management

New controls proposed in the ISO 27002:2013 release

Controls added in 27002:2013 A.6.1.5 Information security in project management A.12.6.2 Restrictions on software installation A.14.2.1 Secure development policy A.14.2.5 System development procedures A.14.2.6 Secure development environment A.14.2.8 System security testing A.15.1.1 Information security policy for supplier relationships A.15.1.3 Information and Communication Technology supply chain A.16.1.4 Assessment and decision of information security events A.16.1.5 Response to information security incidents A.17.1.2 Implementing information security continuity A.17.2.1 Availability of information processing facilities

ISO 27002:2005 controls deleted

27001:2005 control deleted in ISO 27001:2013 A.6.1.1 Management commitment to information security A.6.1.2 Information security coordination A.6.1.4 Authorisation process for information processing facilities A.6.2.1 Identification of risks related to external parties A.6.2.2 Addressing security when dealing with customers A.10.2.1 Service delivery A.10.7.4 Security of system documentation A.10.8.5 Business Information Systems A.10.10.2 Monitoring system use A.10.10.5 Fault logging A.11.4.2 User authentication for external connections A.11.4.3 Equipment identification in networks A.11.4.4 Remote Diagnostic and configuration port protection A.11.4.6 Network Connection control A.11.4.7 Network routing control A.11.6.2 Sensitive system isolation

Risk Assurance Consulting (RAC)

November 2013

27001:2005 control deleted in ISO 27001:2013 A.12.2.1 Input data validation A.12.2.2 Control of internal processing A.12.2.3 Message integrity A.12.2.4 Output data validation A.12.5.4 Information leakage A.14.1.1 Including information security in the business continuity management process A.14.1.3 Developing and implementing continuity plans including formation security. A.14.1.4 Business continuity planning framework A.15.1.5 Prevention of misuse of information processing facilities A.15.3.2 Protection of information systems audit tools We would be pleased to meet with you and provide you with any clarifications and / or additional information on matters raised.

Risk Assurance Consulting (RAC)

November 2013

Appendix: Revised ISO 27002:2013 structure

Risk Assurance Consulting (RAC)

November 2013

Your contacts for IT Governance & Security matters in PwC Cyprus:

George Lambrou Partner Risk Assurance Consulting Tel. +357 - 22 555 728 george.lambrou@cy.pwc.com Christos Tsolakis Partner Risk Assurance Consulting Tel. +357 - 22 555 570 christos.tsolakis@cy.pwc.com Demos Demou Manager Risk Assurance Consulting Tel. +357 - 22 555 056 demos.demou@cy.pwc.com Efthyvoulos Efthyvoulou Manager Risk Assurance Consulting Tel. +357 - 22 555 460 efhtyvoulos.efthyvoulou@cy.pwc.com @cy.pwc.com Alexis Thomas Manager Risk Assurance Consulting Tel. +357 - 22 555 625 alexis.thomas@cy.pwc.com www.pwc.com.cy/technology technology-conculting

PwC Cyprus
Julia House 3 Themistocles Dervis Street CY-1066 Nicosia, Cyprus P O Box 21612 CY-1591 Nicosia, Cyprus www.pwc.com.cy

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

2013 PricewaterhouseCoopers Ltd. All rights reserved. PwC refers to the Cyprus member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details