COMPARISON OF ISO 27001:2005 TO 27001:2013

This is to show the changes introduced in the ISMS standard ISO 27001:2013 with respect to ISO 27001:2005. Each table lists the 2005 control on the left and the 2013 control it maps to on the right; an empty cell means no counterpart is listed in the other edition.

A.5 Information Security Policy

A.5.1 Management Directions for Information Security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

| 27001:2005 | 27001:2013 |
|---|---|
| A.5.1.1 Information security policy document | A.5.1.1 Policies for information security |
| A.5.1.2 Review of the information security policy | A.5.1.2 Review of the policies for information security |

A.6 Organization of information security

A.6.1 Internal Organization
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.

| 27001:2005 | 27001:2013 |
|---|---|
| A.6.1.3 Allocation of information security responsibilities | A.6.1.1 Information security roles and responsibilities |
| A.8.1.1 Roles and responsibilities | |
| A.6.1.6 Contact with authorities | A.6.1.2 Contact with authorities |
| A.6.1.7 Contact with special interest groups | A.6.1.3 Contact with special interest groups |
| | A.6.1.4 Information security in project management |
| A.10.1.3 Segregation of duties | A.6.1.5 Segregation of duties |

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

| 27001:2005 | 27001:2013 |
|---|---|
| A.11.7.1 Mobile computing and communications | A.6.2.1 Mobile device policy |
| A.11.7.2 Teleworking | A.6.2.2 Teleworking |

A.7 Human Resource Security

A.7.1 Prior to employment
Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for.

| 27001:2005 | 27001:2013 |
|---|---|
| A.8.1.2 Screening | A.7.1.1 Screening |
| A.8.1.3 Terms and conditions of employment | A.7.1.2 Terms and conditions of employment |

A.7.2 During Employment
Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.8.2.1 Management responsibilities | A.7.2.1 Management responsibilities |
| A.8.2.2 Information security awareness, education and training | A.7.2.2 Information security awareness, education and training |
| A.8.2.3 Disciplinary process | A.7.2.3 Disciplinary process |

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

| 27001:2005 | 27001:2013 |
|---|---|
| A.8.3.1 Termination responsibilities | A.7.3.1 Termination or change of employment responsibilities |

A.8 Asset Management

A.8.1 Responsibility for Assets
Objective: To achieve and maintain appropriate protection of organization assets.

| 27001:2005 | 27001:2013 |
|---|---|
| A.7.1.1 Inventory of assets | A.8.1.1 Inventory of assets |
| A.7.1.2 Ownership of assets | A.8.1.2 Ownership of assets |
| A.7.1.3 Acceptable use of assets | A.8.1.3 Acceptable use of assets |

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

| 27001:2005 | 27001:2013 |
|---|---|
| A.7.2.1 Classification guidelines | A.8.2.1 Classification of information |
| A.7.2.2 Information labeling and handling | A.8.2.2 Labeling of information |
| A.7.2.3 Information handling procedures | A.8.2.3 Handling of assets |
| A.8.3.2 Return of assets | A.8.2.4 Return of assets |

A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.7.1 Management of removable media | A.8.3.1 Management of removable media |
| A.10.7.2 Disposal of media | A.8.3.2 Disposal of media |
| A.10.8.3 Physical media in transit | A.8.3.3 Physical media transfer |

A.9 Logical Security / Access Control

A.9.1 Business requirements of access control
Objective: To restrict access to information and information processing facilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.11.1.1 Access control policy | A.9.1.1 Access control policy |
| A.11.4.1 Policy on use of network services | A.9.1.2 Policy on the use of network services |

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

| 27001:2005 | 27001:2013 |
|---|---|
| A.11.2.1 User registration | A.9.2.1 User registration and de-registration |
| A.11.5.2 User identification and authentication | |
| A.11.2.2 Privilege management | A.9.2.2 Privilege management |
| A.11.2.3 User password management | A.9.2.3 Management of secret authentication information of users |
| A.11.2.4 Review of user access rights | A.9.2.4 Review of user access rights |
| A.8.3.3 Removal of access rights | A.9.2.5 Removal or adjustment of access rights |

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

| 27001:2005 | 27001:2013 |
|---|---|
| A.11.3.1 Password use | A.9.3.1 Use of secret authentication information |

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

| 27001:2005 | 27001:2013 |
|---|---|
| A.11.6.1 Information access restriction | A.9.4.1 Information access restriction |
| A.11.5.1 Secure log-on procedures | A.9.4.2 Secure log-on procedures |
| A.11.5.5 Session time-out | |
| A.11.5.6 Limitation of connection time | |
| A.11.5.3 Password management system | A.9.4.3 Password management system |
| A.11.5.4 Use of system utilities | A.9.4.4 Use of privileged utility programs |
| A.12.4.3 Access control to program source code | A.9.4.5 Access control to program source code |

A.10 Cryptography

A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.

| 27001:2005 | 27001:2013 |
|---|---|
| A.12.3.1 Policy on the use of cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls |
| A.12.3.2 Key management | A.10.1.2 Key management |

A.11 Physical and environmental security

A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.9.1.1 Physical security perimeter | A.11.1.1 Physical security perimeter |
| A.9.1.2 Physical entry controls | A.11.1.2 Physical entry controls |
| A.9.1.3 Securing offices, rooms and facilities | A.11.1.3 Securing offices, rooms and facilities |
| A.9.1.4 Protecting against external and environmental threats | A.11.1.4 Protecting against external and environmental threats |
| A.9.1.5 Working in secure areas | A.11.1.5 Working in secure areas |
| A.9.1.6 Public access, delivery and loading areas | A.11.1.6 Delivery and loading areas |

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

| 27001:2005 | 27001:2013 |
|---|---|
| A.9.2.1 Equipment siting and protection | A.11.2.1 Equipment siting and protection |
| A.9.2.2 Supporting utilities | A.11.2.2 Supporting utilities |
| A.9.2.3 Cabling security | A.11.2.3 Cabling security |
| A.9.2.4 Equipment maintenance | A.11.2.4 Equipment maintenance |
| A.9.2.7 Removal of property | A.11.2.5 Removal of assets |
| A.9.2.5 Security of equipment off-premises | A.11.2.6 Security of equipment and assets off-premises |
| A.9.2.6 Secure disposal or re-use of equipment | A.11.2.7 Secure disposal or re-use of equipment |
| A.11.3.2 Unattended user equipment | A.11.2.8 Unattended user equipment |
| A.11.3.3 Clear desk and clear screen policy | A.11.2.9 Clear desk and clear screen policy |

A.12 Operations Security

A.12.1 Operational Procedures and Responsibilities
Objective: To ensure the correct and secure operations of information processing facilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.1.1 Documented operating procedures | A.12.1.1 Documented operating procedures |
| A.10.1.2 Change management | A.12.1.2 Change management |
| A.10.3.1 Capacity management | A.12.1.3 Capacity management |
| A.10.1.4 Separation of development, test and operational facilities | A.12.1.4 Separation of development, test and operational environments |

A.12.2 Protection from Malware
Objective: To ensure that information and information processing facilities are protected against malware.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.4.1 Controls against malicious code | A.12.2.1 Controls against malware |

A.12.3 Back-up
Objective: To protect against loss of data.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.5.1 Information back-up | A.12.3.1 Information backup |

A.12.4 Logging and Monitoring
Objective: To record events and generate evidence.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.10.1 Audit logging | A.12.4.1 Event logging |
| A.10.10.3 Protection of log information | A.12.4.2 Protection of log information |
| A.10.10.3 Protection of log information | A.12.4.3 Administrator and operator logs |
| A.10.10.4 Administrator and operator logs | |
| A.10.10.6 Clock synchronization | A.12.4.4 Clock synchronization |

A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.

| 27001:2005 | 27001:2013 |
|---|---|
| A.12.4.1 Control of operational software | A.12.5.1 Installation of software on operational systems |

A.12.6 Technical Vulnerability Management
Objective: To prevent exploitation of technical vulnerabilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.12.6.1 Control of technical vulnerabilities | A.12.6.1 Management of technical vulnerabilities |
| | A.12.6.2 Restrictions on software installation |

A.12.7 Information Systems Audit Considerations
Objective: To minimize the impact of audit activities on operational systems.

| 27001:2005 | 27001:2013 |
|---|---|
| A.15.3.1 Information system audit controls | A.12.7.1 Information systems audit controls |

A.13 Communications Security

A.13.1 Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.6.1 Network controls | A.13.1.1 Network controls |
| A.10.6.2 Security of network services | A.13.1.2 Security of network services |
| A.11.4.5 Segregation in networks | A.13.1.3 Segregation in networks |

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.8.1 Information exchange policies and procedures | A.13.2.1 Information transfer policies and procedures |
| A.10.8.2 Exchange agreements | A.13.2.2 Agreements on information transfer |
| A.10.8.4 Electronic messaging | A.13.2.3 Electronic messaging |
| A.6.1.5 Confidentiality agreements | A.13.2.4 Confidentiality or non-disclosure agreements |

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.

| 27001:2005 | 27001:2013 |
|---|---|
| A.12.1.1 Security requirements analysis and specification | A.14.1.1 Security requirements analysis and specification |
| A.10.9.1 Electronic commerce | A.14.1.2 Securing application services on public networks |
| A.10.9.3 Publicly available information | |
| A.10.9.2 Online transactions | A.14.1.3 Protecting application services transactions |

A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

| 27001:2005 | 27001:2013 |
|---|---|
| | A.14.2.1 Secure development policy |
| A.12.5.1 Change control procedures | A.14.2.2 Change control procedures |
| A.12.5.2 Technical review of applications after operating system changes | A.14.2.3 Technical review of applications after operating platform changes |
| A.12.5.3 Restrictions on changes to software packages | A.14.2.4 Restrictions on changes to software packages |
| | A.14.2.5 System development procedures |
| | A.14.2.6 Secure development environment |
| A.12.5.5 Outsourced software development | A.14.2.7 Outsourced development |
| | A.14.2.8 System security testing |
| A.10.3.2 System acceptance | A.14.2.9 System acceptance testing |

A.14.3 Test data
Objective: To ensure the protection of data used for testing.

| 27001:2005 | 27001:2013 |
|---|---|
| A.12.4.2 Protection of system test data | A.14.3.1 Protection of test data |

A.15 Supplier relationships

A.15.1 Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.

| 27001:2005 | 27001:2013 |
|---|---|
| A.6.2.3 Addressing security in third party agreements | A.15.1.1 Information security policy for supplier relationships |
| A.6.2.3 Addressing security in third party agreements | A.15.1.2 Addressing security within supplier agreements |
| | A.15.1.3 ICT supply chain |

A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

| 27001:2005 | 27001:2013 |
|---|---|
| A.10.2.2 Monitoring and review of third party services | A.15.2.1 Monitoring and review of supplier services |
| A.10.2.3 Managing changes to third party services | A.15.2.2 Managing changes to supplier services |

A.16 Information Security Incident Management

A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

| 27001:2005 | 27001:2013 |
|---|---|
| A.13.2.1 Responsibilities and procedures | A.16.1.1 Responsibilities and procedures |
| A.13.1.1 Reporting information security events | A.16.1.2 Reporting information security events |
| A.13.1.2 Reporting security weaknesses | A.16.1.3 Reporting information security weaknesses |
| | A.16.1.4 Assessment of and decision on information security events |
| | A.16.1.5 Response to information security incidents |
| A.13.2.2 Learning from information security incidents | A.16.1.6 Learning from information security incidents |
| A.13.2.3 Collection of evidence | A.16.1.7 Collection of evidence |

A.17 Business Continuity

A.17.1 Information security aspects of business continuity management
Objective: Information security continuity should be embedded in the organization's business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.

| 27001:2005 | 27001:2013 |
|---|---|
| A.14.1.2 Business continuity and risk assessment | A.17.1.1 Planning information security continuity |
| | A.17.1.2 Implementing information security continuity |
| A.14.1.5 Testing, maintaining and re-assessing business continuity plans | A.17.1.3 Verify, review and evaluate information security continuity |

A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.

| 27001:2005 | 27001:2013 |
|---|---|
| | A.17.2.1 Availability of information processing facilities |

A.18 Compliance

A.18.1 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

| 27001:2005 | 27001:2013 |
|---|---|
| A.6.1.8 Independent review of information security | A.18.1.1 Independent review of information security |
| A.15.2.1 Compliance with security policies | A.18.1.2 Compliance with security policies and standards |
| A.15.2.2 Technical compliance checking | A.18.1.3 Technical compliance inspection |

A.18.2 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

| 27001:2005 | 27001:2013 |
|---|---|
| A.15.1.1 Identification of applicable legislation | A.18.2.1 Identification of applicable legislation and contractual requirements |
| A.15.1.2 Intellectual property rights (IPR) | A.18.2.2 Intellectual property rights (IPR) |
| A.15.1.3 Protection of organizational records | A.18.2.3 Protection of documented information |
| A.15.1.4 Data protection and privacy of personal information | A.18.2.4 Privacy and protection of personal information |
| A.15.1.6 Regulation of cryptographic controls | A.18.2.5 Regulation of cryptographic controls |