SlideShare a Scribd company logo

Mapping of ISO 27001:2005 with ISO 27001:2013

Download as PPTX, PDF
Mahendra Pratap Singh
Mahendra Pratap Singh

Whats is new in ISO 27001:2013, control mapping of ISO 27001:2005 with ISO 27001:2013

Technology
1 of 33
ISO 27001 Mapping of Controls ISO 27001:2005 with ISO 27001:2013 Mahendra Pratap Singh {Team Whitehat People} Email: mpsinghrathore@yahoo.co.in Email: mp@whitehatpeople.com Facebook: www.facebook.com/mpsinghrathore1 Twitter: @mpsinghrathore
Introduction This presentation has been prepared to show changes introduced in ISMS standard ISO 27001:2013 with respect to ISO 27001:2005. In ISO 27001:2013, few controls has been removed due to ambiguity and duplication with other controls. Few controls are added newly and some existing controls are segregated as separate domain. In ISO 27001:2005, there were 133 controls and 11 domains. ISO 27001:2013 is revised with 114 controls with 14 domains.
What is New in ISO 27001:2013 ISO 27001:2013 is fine tuned with other relevant ISO standards like ISO 22301 (Business Continuity Management), ISO 9001 (Quality Management Standard) and ISO 20000 (IT Service Management) for better integration with each other. Organizations looking for compliance with multiple standard will be at ease to manage implementation and documentation work. In revised version of ISO 27001, focus is given on measuring effectiveness of ISMS performance. Also on maintaining relationship with vendors from information security perspective.
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.5 Information Security Policy A.5.1 Management Directions for Information Security Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. A.5.1.1 Policies for information security A.5.1.1 Information security policy document A.5.1.2 Review of the policies for information security A.5.1.2 Review of the information security policy
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.6 Organisation of Information Security A.6.1 Internal Organization Objective: To establish a management framework to initiate and control the implementation of information security within the organization. A.6.1.1 Information security roles and responsibilities A.6.1.3 Allocation of information security responsibilities A.8.1.1 Roles and responsibilities A.6.1.2 Contact with authorities A.6.1.6 Contact with authorities A.6.1.3 Contact with special interest groups A.6.1.7 Contact with special interest groups A.6.1.4 Information security in project management A.6.1.5 Segregation of duties A.10.1.3 Segregation of duties
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.6.2 Mobile devices and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy A.11.7.1 Mobile computing and communications A.6.2.2 Teleworking A.11.7.2 Teleworking
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7 Human Resource Security A.7.1 Prior to employment Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for. A.7.1.1 Screening A.8.1.2 Screening A.7.1.2 Terms and conditions of employment A.8.1.3 Terms and conditions of employment
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7.2 During Employment Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities. A.7.2.1 Management responsibilities A.8.2.1 Management responsibilities A.7.2.2 Information security awareness, education and training A.8.2.2 Information security awareness, education and training A.7.2.3 Disciplinary process A.8.2.3 Disciplinary process
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7.3 Termination and change of employment Objective: To protect the organization’s interests as part of the process of changing or terminating employment. A.7.3.1 Termination or change of employment responsibilities A.8.3.1 Termination responsibilities
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8 Asset Management A.8.1 Responsibility for Assets Objective: To achieve and maintain appropriate protection of organizational assets. A.8.1.1 Inventory of assets A.7.1.1 Inventory of assets A.8.1.2 Ownership of assets A.7.1.2 Ownership of assets A.8.1.3 Acceptable use of assets A.7.1.3 Acceptable use of assets
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8.2 Information classification Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. A.8.2.1 Classification of information A.7.2.1 Classification guidelines A.8.2.2 Labeling of information A.7.2.2 Information labeling and handling A.8.2.3 Handling of assets A.10.7.3 Information Handling procedures A.8.2.4 Return of assets A.8.3.2 Return of assets
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8.3 Media Handling Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. A.8.3.1 Management of removable media A.10.7.1 Management of removable media A.8.3.2 Disposal of media A.10.7.2 Disposal of Media A.8.3.3 Physical media transfer A.10.8.3 Physical media in transit
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9 Logical Security / Access Control A.9.1 Business requirements of access control Objective: To restrict access to information and information processing facilities. A.9.1.1 Access control policy A.11.1.1 Access control policy A.9.1.2 Policy on the use of network services A.11.4.1 Policy on use of network services
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration A.11.2.1 User registration A.11.5.2 User identification and authentication A.9.2.2 Privilege management A.11.2.2 Privilege management A.9.2.3 Management of secret authentication information of users A.11.2.3 User password management A.9.2.4 Review of user access rights A.11.2.4 Review of user access rights A.9.2.5 Removal or adjustment of access rights A.8.3.3 Removal of access rights
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9.3 User responsibilities Objective: To make users accountable for safeguarding their authentication information. A.9.3.1 Use of secret authentication information A.11.3.1 Password use A.9.4 System and application access control Objective: To prevent unauthorized access to systems and applications. A.9.4.1 Information access restriction A.11.6.1 Information access restriction A.9.4.2 Secure log-on procedures A.11.5.1 Secure log-on procedures A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.9.4.3 Password management system A.11.5.3 Password management system A.9.4.4 Use of privileged utility programs A.11.5.4 Use of system utilities A.9.4.5 Access control to program source code A.12.4.3 Access control to program source code
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.10 Cryptography A.10.1 Cryptographic controls Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. A.10.1.1 Policy on the use of cryptographic controls A.12.3.1 Policy on the use of cryptographic controls A.10.1.2 Key management A.12.3.2 Key management
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.11 Physical and environmental Security A.11.1 Secure areas Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. A.11.1.1 Physical security perimeter A.9.1.1 Physical security perimeter A.11.1.2 Physical entry controls A.9.1.2 Physical entry controls A.11.1.3 Securing office, room and facilities A.9.1.3 Securing offices, rooms and facilities A.11.1.4 Protecting against external end environmental threats A.9.1.4 Protecting against external and environmental threats A.11.1.5 Working in secure areas A.9.1.5 Working in secure areas A.11.1.6 Delivery and loading areas A.9.1.6 Public access, delivery and loading areas
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.11.2 Equipment Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. A.11.2.1 Equipment siting and protection A.9.2.1 Equipment sitting and protection A.11.2.2 Supporting utilities A.9.2.2 Supporting utilities A.11.2.3 Cabling security A.9.2.3 Cabling security A.11.2.4 Equipment maintenance A.9.2.4 Equipment maintenance A.11.2.5 Removal of assets A.9.2.7 Removal of property A.11.2.6 Security of equipment and assets off- premises A.9.2.5 Security of equipment off-premises A.11.2.7 Security disposal or re-use of equipment A.9.2.6 Secure disposal or re-use of equipment A.11.2.8 Unattended user equipment A.11.3.2 Unattended user equipment A.11.2.9 Clear desk and clear screen policy A.11.3.3 Clear desk and clear screen policy
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12 Operations Security A.12.1 Operational Procedures and Responsibilities Objective: To ensure the correct and secure operation of information processing facilities. A.12.1.1 Documented operating procedures A.10.1.1 Documented operating procedures A.12.1.2 Change management A.10.1.2 Change management A.12.1.3 Capacity management A.10.3.1 Capacity management A.12.1.4 Separation of development, test and operational environments A.10.1.4 Separation of development, test and operational facilities
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.2 Protection from Malware Objective: To ensure that information and information processing facilities are protected against malware. A.12.2.1 Controls against malware A.10.4.1 Controls against malicious code A.12.3 Back-Up Objective: To protect against loss of data. A.12.3.1 Information backup A.10.5.1 Information back-up
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.4 Logging and Monitoring To record events and generate evidence. Objective: A.12.4.1 Event logging A.10.10.1 Audit logging A.12.4.2 Protection of log information A.10.10.3 Protection of log information A.12.4.3 Administrator and operator logs A.10.10.3 Protection of log information A.10.10.4 Administrator and operator logs A.12.4.4 Clock Synchronisaton A.10.10.6 Clock synchronization
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems A.12.4.1 Control of operational software A.12.6 Technical Vulnerability Management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.1 Management of technical vulnerabilities A.12.6.1 Control of technical vulnerabilities A.12.6.2 Restrictions on software installation A.12.7 Information Systems Audit Considerations Objective: To minimize the impact of audit activities on operational systems. A.12.7.1 Information systems audit controls A.15.3.1 Information system audit controls
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.13 Communications Security A.13.1 Network Security Management Objective: To ensure the protection of information in networks and its supporting information processing facilities. A.13.1.1 Network controls A.10.6.1 Network controls A.13.1.2 Security of network services A.10.6.2 Security of network services A.13.1.3 Segregation in networks A.11.4.5 Segregation in Networks
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.13.2 Information transfer Objective: To maintain the security of information transferred within an organization and with any external entity. A.13.2.1 Information transfer policies and procedures A.10.8.1 Information exchange policies and procedures A.13.2.2 Agreements on information transfer A.10.8.2 Exchange agreements A.13.2.3 Electronic messaging A.10.8.4 Electronic messaging A.13.2.4 Confidentiality or non-disclosure agreements A.6.1.5 Confidentiality agreements
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.14 System acquisition, development and maintenance A.14.1 Security requirements of information systems Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirement for information systems which provide services over public networks. A.14.1.1 Security requirements analysis and specification A.12.1.1 Security requirements analysis and specification A.14.1.2 Securing applications services on public networks A.10.9.1 Electronic commerce A.10.9.3 Publicly available information A.14.1.3 Protecting application services transactions A.10.9.2 Online-transactions
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.14.2 Security in development and support processes Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy A.14.2.2 Change control procedures A.12.5.1 Change control procedures A.14.2.3 Technical review of applications after operating platform changes A.12.5.2 Technical review of applications after operating system changes A.14.2.4 Restrictions on changes to software packages A.12.5.3 Restrictions on changes to software packages A.14.2.5 System development procedures A.14.2.6 Secure development environment A.14.2.7 Outsourced development A.12.5.5 Outsourced software development A.14.2.8 System security testing A.14.2.9 System acceptance testing A.10.3.2 System Acceptance A.14.3 Test data Objective: To ensure the protection of data used for testing. A.14.3.1 Protection of test data A.12.4.2 Protection of system test data
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.15 Supplier relationships A.15.1 Security in supplier relationship Objective: To ensure protection of the organization’s information that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships A.6.2.3 Addressing security in third party agreements A.15.1.2 Addressing security within supplier agreements A.6.2.3 Addressing security in third party agreements A.15.1.3 ICT Supply chain
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.15.2 Supplier service delivery management Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. A.15.2.1 Monitoring and review of supplier services A.10.2.2 Monitoring and review of third party services A.15.2.2 Managing changes to supplier services A.10.2.3 Managing changes to third party services
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.16 Information Security Incident Management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.1 Responsibilities and procedures A.13.2.1 Responsibilities and Procedures A.16.1.2 Reporting information security events A.13.1.1 Reporting information security events A.16.1.3 Reporting information security weaknesses A.13.1.2 Reporting security weakness A.16.1.4 Assessment and decision of information security events A.16.1.5 Response to information security incidents A.16.1.6 Learning from information security incidents A.13.2.2 Learning from information security incidents A.16.1.7 Collection of evidence A.13.2.3 Collection of evidence
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.17 Business Continuity A.17.1 Information security aspects of business continuity management Objective: Information security continuity should be embedded in organization’s business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences. A.17.1.1 Planning information security continuity A.14.1.2 Business continuity and risk assessment A.17.1.2 Implementing information security continuity A.17.1.3 Verify, review and evaluate information security continuity A.14.1.5 Testing, maintaining and re-assessing business continuity plans A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information processing facilities
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.18 Compliance A.18.1 Information security reviews Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. A.18.1.1 Independent review of information security A.6.1.8 Independent review of information security A.18.1.2 Compliance with security policies and standards A.15.2.1 Compliance with security policies and standards A.18.1.3 Technical compliance inspection A.15.2.2 Technical compliance checking
ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.18.2 Compliance with legal and contractual requirements Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. A.18.2.1 Identification of applicable legislation and contractual requirements A.15.1.1 Identification of applicable legislation A.18.2.2 Intellectual property rights (IPR) A.15.1.2 Intellectual property rights (IPR) A.18.2.3 Protection of documented information A.15.1.3 Protection of organisational records A.18.2.4 Privacy and protection of personal information A.15.1.4 Data protection and privacy of personal information A.18.2.5 Regulation of cryptographic controls A.15.1.6 Regulation of cryptographic controls
By Mahendra Pratap Singh {Team Whitehat People} Email: mpsinghrathore@yahoo.co.in Email: mp@whitehatpeople.com Facebook: www.facebook.com/mpsinghrathore1 Twitter: @mpsinghrathore Content in slides is best of my understanding with the source. (Source: Internet) Thank You

Recommended

Iso 27001:2013新版轉版差異
Iso 27001:2013新版轉版差異Iso 27001:2013新版轉版差異
Iso 27001:2013新版轉版差異Wanhung Chou
 
由國際資安標準Iso27001解析營業秘密管理指針作法
由國際資安標準Iso27001解析營業秘密管理指針作法由國際資安標準Iso27001解析營業秘密管理指針作法
由國際資安標準Iso27001解析營業秘密管理指針作法Wanhung Chou
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsUppala Anand
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS BasicsMahendra Pratap Singh
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 

Recommended

Iso 27001:2013新版轉版差異
Iso 27001:2013新版轉版差異Iso 27001:2013新版轉版差異
Iso 27001:2013新版轉版差異Wanhung Chou
 
由國際資安標準Iso27001解析營業秘密管理指針作法
由國際資安標準Iso27001解析營業秘密管理指針作法由國際資安標準Iso27001解析營業秘密管理指針作法
由國際資安標準Iso27001解析營業秘密管理指針作法Wanhung Chou
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsUppala Anand
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS BasicsMahendra Pratap Singh
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 

More Related Content

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Featured

Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

Featured (20)

Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 

Mapping of ISO 27001:2005 with ISO 27001:2013

  • 1. ISO 27001 Mapping of Controls ISO 27001:2005 with ISO 27001:2013 Mahendra Pratap Singh {Team Whitehat People} Email: mpsinghrathore@yahoo.co.in Email: mp@whitehatpeople.com Facebook: www.facebook.com/mpsinghrathore1 Twitter: @mpsinghrathore
  • 2. Introduction This presentation has been prepared to show changes introduced in ISMS standard ISO 27001:2013 with respect to ISO 27001:2005. In ISO 27001:2013, few controls has been removed due to ambiguity and duplication with other controls. Few controls are added newly and some existing controls are segregated as separate domain. In ISO 27001:2005, there were 133 controls and 11 domains. ISO 27001:2013 is revised with 114 controls with 14 domains.
  • 3. What is New in ISO 27001:2013 ISO 27001:2013 is fine tuned with other relevant ISO standards like ISO 22301 (Business Continuity Management), ISO 9001 (Quality Management Standard) and ISO 20000 (IT Service Management) for better integration with each other. Organizations looking for compliance with multiple standard will be at ease to manage implementation and documentation work. In revised version of ISO 27001, focus is given on measuring effectiveness of ISMS performance. Also on maintaining relationship with vendors from information security perspective.
  • 4. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.5 Information Security Policy A.5.1 Management Directions for Information Security Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. A.5.1.1 Policies for information security A.5.1.1 Information security policy document A.5.1.2 Review of the policies for information security A.5.1.2 Review of the information security policy
  • 5. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.6 Organisation of Information Security A.6.1 Internal Organization Objective: To establish a management framework to initiate and control the implementation of information security within the organization. A.6.1.1 Information security roles and responsibilities A.6.1.3 Allocation of information security responsibilities A.8.1.1 Roles and responsibilities A.6.1.2 Contact with authorities A.6.1.6 Contact with authorities A.6.1.3 Contact with special interest groups A.6.1.7 Contact with special interest groups A.6.1.4 Information security in project management A.6.1.5 Segregation of duties A.10.1.3 Segregation of duties
  • 6. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.6.2 Mobile devices and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy A.11.7.1 Mobile computing and communications A.6.2.2 Teleworking A.11.7.2 Teleworking
  • 7. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7 Human Resource Security A.7.1 Prior to employment Objective: To ensure that employees, contractors and external party users understand their responsibilities and are suitable for the roles they are considered for. A.7.1.1 Screening A.8.1.2 Screening A.7.1.2 Terms and conditions of employment A.8.1.3 Terms and conditions of employment
  • 8. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7.2 During Employment Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities. A.7.2.1 Management responsibilities A.8.2.1 Management responsibilities A.7.2.2 Information security awareness, education and training A.8.2.2 Information security awareness, education and training A.7.2.3 Disciplinary process A.8.2.3 Disciplinary process
  • 9. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.7.3 Termination and change of employment Objective: To protect the organization’s interests as part of the process of changing or terminating employment. A.7.3.1 Termination or change of employment responsibilities A.8.3.1 Termination responsibilities
  • 10. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8 Asset Management A.8.1 Responsibility for Assets Objective: To achieve and maintain appropriate protection of organizational assets. A.8.1.1 Inventory of assets A.7.1.1 Inventory of assets A.8.1.2 Ownership of assets A.7.1.2 Ownership of assets A.8.1.3 Acceptable use of assets A.7.1.3 Acceptable use of assets
  • 11. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8.2 Information classification Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. A.8.2.1 Classification of information A.7.2.1 Classification guidelines A.8.2.2 Labeling of information A.7.2.2 Information labeling and handling A.8.2.3 Handling of assets A.10.7.3 Information Handling procedures A.8.2.4 Return of assets A.8.3.2 Return of assets
  • 12. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.8.3 Media Handling Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. A.8.3.1 Management of removable media A.10.7.1 Management of removable media A.8.3.2 Disposal of media A.10.7.2 Disposal of Media A.8.3.3 Physical media transfer A.10.8.3 Physical media in transit
  • 13. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9 Logical Security / Access Control A.9.1 Business requirements of access control Objective: To restrict access to information and information processing facilities. A.9.1.1 Access control policy A.11.1.1 Access control policy A.9.1.2 Policy on the use of network services A.11.4.1 Policy on use of network services
  • 14. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration A.11.2.1 User registration A.11.5.2 User identification and authentication A.9.2.2 Privilege management A.11.2.2 Privilege management A.9.2.3 Management of secret authentication information of users A.11.2.3 User password management A.9.2.4 Review of user access rights A.11.2.4 Review of user access rights A.9.2.5 Removal or adjustment of access rights A.8.3.3 Removal of access rights
  • 15. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.9.3 User responsibilities Objective: To make users accountable for safeguarding their authentication information. A.9.3.1 Use of secret authentication information A.11.3.1 Password use A.9.4 System and application access control Objective: To prevent unauthorized access to systems and applications. A.9.4.1 Information access restriction A.11.6.1 Information access restriction A.9.4.2 Secure log-on procedures A.11.5.1 Secure log-on procedures A.11.5.5 Session time-out A.11.5.6 Limitation of connection time A.9.4.3 Password management system A.11.5.3 Password management system A.9.4.4 Use of privileged utility programs A.11.5.4 Use of system utilities A.9.4.5 Access control to program source code A.12.4.3 Access control to program source code
  • 16. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.10 Cryptography A.10.1 Cryptographic controls Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information. A.10.1.1 Policy on the use of cryptographic controls A.12.3.1 Policy on the use of cryptographic controls A.10.1.2 Key management A.12.3.2 Key management
  • 17. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.11 Physical and environmental Security A.11.1 Secure areas Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. A.11.1.1 Physical security perimeter A.9.1.1 Physical security perimeter A.11.1.2 Physical entry controls A.9.1.2 Physical entry controls A.11.1.3 Securing office, room and facilities A.9.1.3 Securing offices, rooms and facilities A.11.1.4 Protecting against external end environmental threats A.9.1.4 Protecting against external and environmental threats A.11.1.5 Working in secure areas A.9.1.5 Working in secure areas A.11.1.6 Delivery and loading areas A.9.1.6 Public access, delivery and loading areas
  • 18. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.11.2 Equipment Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. A.11.2.1 Equipment siting and protection A.9.2.1 Equipment sitting and protection A.11.2.2 Supporting utilities A.9.2.2 Supporting utilities A.11.2.3 Cabling security A.9.2.3 Cabling security A.11.2.4 Equipment maintenance A.9.2.4 Equipment maintenance A.11.2.5 Removal of assets A.9.2.7 Removal of property A.11.2.6 Security of equipment and assets off- premises A.9.2.5 Security of equipment off-premises A.11.2.7 Security disposal or re-use of equipment A.9.2.6 Secure disposal or re-use of equipment A.11.2.8 Unattended user equipment A.11.3.2 Unattended user equipment A.11.2.9 Clear desk and clear screen policy A.11.3.3 Clear desk and clear screen policy
  • 19. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12 Operations Security A.12.1 Operational Procedures and Responsibilities Objective: To ensure the correct and secure operation of information processing facilities. A.12.1.1 Documented operating procedures A.10.1.1 Documented operating procedures A.12.1.2 Change management A.10.1.2 Change management A.12.1.3 Capacity management A.10.3.1 Capacity management A.12.1.4 Separation of development, test and operational environments A.10.1.4 Separation of development, test and operational facilities
  • 20. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.2 Protection from Malware Objective: To ensure that information and information processing facilities are protected against malware. A.12.2.1 Controls against malware A.10.4.1 Controls against malicious code A.12.3 Back-Up Objective: To protect against loss of data. A.12.3.1 Information backup A.10.5.1 Information back-up
  • 21. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.4 Logging and Monitoring To record events and generate evidence. Objective: A.12.4.1 Event logging A.10.10.1 Audit logging A.12.4.2 Protection of log information A.10.10.3 Protection of log information A.12.4.3 Administrator and operator logs A.10.10.3 Protection of log information A.10.10.4 Administrator and operator logs A.12.4.4 Clock Synchronisaton A.10.10.6 Clock synchronization
  • 22. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems A.12.4.1 Control of operational software A.12.6 Technical Vulnerability Management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.1 Management of technical vulnerabilities A.12.6.1 Control of technical vulnerabilities A.12.6.2 Restrictions on software installation A.12.7 Information Systems Audit Considerations Objective: To minimize the impact of audit activities on operational systems. A.12.7.1 Information systems audit controls A.15.3.1 Information system audit controls
  • 23. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.13 Communications Security A.13.1 Network Security Management Objective: To ensure the protection of information in networks and its supporting information processing facilities. A.13.1.1 Network controls A.10.6.1 Network controls A.13.1.2 Security of network services A.10.6.2 Security of network services A.13.1.3 Segregation in networks A.11.4.5 Segregation in Networks
  • 24. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.13.2 Information transfer Objective: To maintain the security of information transferred within an organization and with any external entity. A.13.2.1 Information transfer policies and procedures A.10.8.1 Information exchange policies and procedures A.13.2.2 Agreements on information transfer A.10.8.2 Exchange agreements A.13.2.3 Electronic messaging A.10.8.4 Electronic messaging A.13.2.4 Confidentiality or non-disclosure agreements A.6.1.5 Confidentiality agreements
  • 25. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.14 System acquisition, development and maintenance A.14.1 Security requirements of information systems Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirement for information systems which provide services over public networks. A.14.1.1 Security requirements analysis and specification A.12.1.1 Security requirements analysis and specification A.14.1.2 Securing applications services on public networks A.10.9.1 Electronic commerce A.10.9.3 Publicly available information A.14.1.3 Protecting application services transactions A.10.9.2 Online-transactions
  • 26. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.14.2 Security in development and support processes Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy A.14.2.2 Change control procedures A.12.5.1 Change control procedures A.14.2.3 Technical review of applications after operating platform changes A.12.5.2 Technical review of applications after operating system changes A.14.2.4 Restrictions on changes to software packages A.12.5.3 Restrictions on changes to software packages A.14.2.5 System development procedures A.14.2.6 Secure development environment A.14.2.7 Outsourced development A.12.5.5 Outsourced software development A.14.2.8 System security testing A.14.2.9 System acceptance testing A.10.3.2 System Acceptance A.14.3 Test data Objective: To ensure the protection of data used for testing. A.14.3.1 Protection of test data A.12.4.2 Protection of system test data
  • 27. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.15 Supplier relationships A.15.1 Security in supplier relationship Objective: To ensure protection of the organization’s information that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships A.6.2.3 Addressing security in third party agreements A.15.1.2 Addressing security within supplier agreements A.6.2.3 Addressing security in third party agreements A.15.1.3 ICT Supply chain
  • 28. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.15.2 Supplier service delivery management Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. A.15.2.1 Monitoring and review of supplier services A.10.2.2 Monitoring and review of third party services A.15.2.2 Managing changes to supplier services A.10.2.3 Managing changes to third party services
  • 29. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.16 Information Security Incident Management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.1 Responsibilities and procedures A.13.2.1 Responsibilities and Procedures A.16.1.2 Reporting information security events A.13.1.1 Reporting information security events A.16.1.3 Reporting information security weaknesses A.13.1.2 Reporting security weakness A.16.1.4 Assessment and decision of information security events A.16.1.5 Response to information security incidents A.16.1.6 Learning from information security incidents A.13.2.2 Learning from information security incidents A.16.1.7 Collection of evidence A.13.2.3 Collection of evidence
  • 30. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.17 Business Continuity A.17.1 Information security aspects of business continuity management Objective: Information security continuity should be embedded in organization’s business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences. A.17.1.1 Planning information security continuity A.14.1.2 Business continuity and risk assessment A.17.1.2 Implementing information security continuity A.17.1.3 Verify, review and evaluate information security continuity A.14.1.5 Testing, maintaining and re-assessing business continuity plans A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information processing facilities
  • 31. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.18 Compliance A.18.1 Information security reviews Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. A.18.1.1 Independent review of information security A.6.1.8 Independent review of information security A.18.1.2 Compliance with security policies and standards A.15.2.1 Compliance with security policies and standards A.18.1.3 Technical compliance inspection A.15.2.2 Technical compliance checking
  • 32. ISO 27001: 2013 Vs 2005 27001:2013 27001:2005 A.18.2 Compliance with legal and contractual requirements Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. A.18.2.1 Identification of applicable legislation and contractual requirements A.15.1.1 Identification of applicable legislation A.18.2.2 Intellectual property rights (IPR) A.15.1.2 Intellectual property rights (IPR) A.18.2.3 Protection of documented information A.15.1.3 Protection of organisational records A.18.2.4 Privacy and protection of personal information A.15.1.4 Data protection and privacy of personal information A.18.2.5 Regulation of cryptographic controls A.15.1.6 Regulation of cryptographic controls
  • 33. By Mahendra Pratap Singh {Team Whitehat People} Email: mpsinghrathore@yahoo.co.in Email: mp@whitehatpeople.com Facebook: www.facebook.com/mpsinghrathore1 Twitter: @mpsinghrathore Content in slides is best of my understanding with the source. (Source: Internet) Thank You