WG1 ISMS Standards: Chair Ted Humphreys, Vice Chair Angelika Plate
ISO/IEC JTC1 SC27: Chair Walter Fumy, Vice Chair Marijke de Soete, Secretary Krystyna Passia (DIN)
The ISMS family of standards:
Information security management system (ISMS) [27001]
Accreditation requirements for ISMS [27006]
ISMS audit guidelines [27007]
Information security controls (ex 17799) [27002]
Information security management measurements [27004]
ISMS overview and terminology [27000]
ISMS for telecoms [27011]
Other sector-specific developments
Sector-specific developments
copyright AEXIS Security Consultants, 2000-2009
Standard   Title                                                    Status
27000      Overview and vocabulary                                  FDIS
27001      ISMS requirements                                        Published, now being revised
27002      Information security management: Code of Practice        Published, now being revised
27003      ISMS implementation guide                                FCD
27004      ISM measurements                                         2nd FCD
27005      ISMS risk management                                     Published
27006      Accreditation requirements for certification bodies      Published
27007      ISMS audit guidelines                                    WD
27008      Guidance on auditing ISMS controls                       WD
New NPs (new work item proposals):
Sector to sector interworking and communications for industry and government
Information security management guidelines for telecommunications based on ISO/IEC 27002
ISMS guidelines for e-government
ISMS for the financial and insurance service sector
ISMS for service management
Information security governance framework
ISO/IEC 27001
Continuous improvement model
Measures of effectiveness
Auditable specification (internal and external ISMS auditing)
Now under revision
ISO/IEC 27002 Code of practice for information security management
A catalogue of best practice, suggesting a holistic set of controls
Not a certification or auditable standard
Control clauses:
Security policy
Organising information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
Information security incident management
Business continuity management
Compliance
Meeting with the 27002 editor to discuss the strategy for the Beijing meeting. Recommendation: comment not only on what you want changed, but also on what you would like to keep.
Clause structure
Activity: defines what is necessary to satisfy all or part of the objectives
Other information
Diagrams
Introduction explaining the main parts of the measurement programme
Management overview to ease the understanding, especially for SMEs
Clause structure:
Information security measurement overview
Management responsibilities
Measures and measurement development
Measurement operation
Reporting of measurement results
Evaluation and improvement of measurements
Example measures:
Password policies
Password quality (manual)
Password quality (automated)
Management commitment
Protection against malicious code
Physical entry controls
Log file review
Management of periodic maintenance
Security in third-party agreements
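The "password quality (automated)" measure above, worked through in the 27004 measurement model (base measures, derived measure, indicator, decision criterion). This is an added example, not code from the AEXIS slides or from the standard: the policy values, the account records and the green/amber/red thresholds are assumptions. One practitioner caveat is built in: the policy check runs when a password is set (as a password filter would), and only the boolean result and the password age are retained for measurement, never the plaintext.

```python
"""Automated password-quality measure laid out as in ISO/IEC 27004:
base measures -> derived measure -> indicator -> decision criterion.
Added example; policy values, records and thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3          # out of: lower, upper, digit, symbol
    max_age_days: int = 90
    forbidden_substrings: Tuple[str, ...] = ("password", "qwerty", "123456")


# The four character classes counted towards min_char_classes.
CHAR_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Measurement method: evaluated at password-set time; only the bool is kept."""
    if len(password) < policy.min_length:
        return False
    classes = sum(1 for rx in CHAR_CLASSES if rx.search(password))
    if classes < policy.min_char_classes:
        return False
    lowered = password.lower()
    return not any(bad in lowered for bad in policy.forbidden_substrings)


@dataclass(frozen=True)
class AccountRecord:
    user: str
    policy_compliant: bool     # result of meets_policy at the last change
    password_age_days: int     # derived from the last-change timestamp


def base_measures(records: List[AccountRecord], policy: PasswordPolicy) -> Dict[str, int]:
    """Base measures: population size and number of accounts currently compliant
    (policy met at last change AND password not older than max_age_days)."""
    compliant = sum(
        1 for r in records
        if r.policy_compliant and r.password_age_days <= policy.max_age_days
    )
    return {"accounts": len(records), "compliant": compliant}


def derived_measure(base: Dict[str, int]) -> float:
    """Derived measure: percentage of compliant accounts.
    An empty population is reported as 0 %, not as 'fully compliant'."""
    if base["accounts"] == 0:
        return 0.0
    return 100.0 * base["compliant"] / base["accounts"]


def indicator(pct: float, green_at: float = 95.0, amber_at: float = 80.0) -> str:
    """Decision criterion (assumed thresholds) turning the percentage into a status."""
    if pct >= green_at:
        return "green"
    if pct >= amber_at:
        return "amber"
    return "red"


def password_quality_measure(records: List[AccountRecord],
                             policy: PasswordPolicy = PasswordPolicy()) -> Dict[str, object]:
    base = base_measures(records, policy)
    pct = derived_measure(base)
    return {"base": base, "compliant_pct": round(pct, 1), "indicator": indicator(pct)}


# Constructed sample input: what the password filter saw at set time,
# plus the current age of each password in days.
SAMPLE_POLICY = PasswordPolicy()
SAMPLE_PASSWORDS = {
    "alice": ("Tr0ub4dor&3xtra!", 10),
    "bob":   ("password123", 5),            # forbidden substring, too short
    "carol": ("CorrectHorseBattery9!", 120),  # compliant string, but expired
    "dave":  ("Sh0rt!Pw", 20),              # too short
    "erin":  ("Z3bra-Lantern-42", 40),
}


def build_records(passwords: Dict[str, Tuple[str, int]],
                  policy: PasswordPolicy) -> List[AccountRecord]:
    """Simulates the filter: evaluate once, keep only the verdict and the age."""
    return [AccountRecord(u, meets_policy(pw, policy), age)
            for u, (pw, age) in passwords.items()]


if __name__ == "__main__":
    print(password_quality_measure(build_records(SAMPLE_PASSWORDS, SAMPLE_POLICY)))
```

With the sample data two of five accounts count as compliant, so the derived measure is 40.0 % and the indicator is red. Note that the expiry rule is applied in the base measure rather than in the policy check, because age changes after the password is set while the policy verdict does not.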
Annexes give useful examples
Downsizing is often necessary
More information needed on:
How to select good measures
How to condense results of measurements
ISO/IEC 27005
ISO/IEC 27005 Information security risk management
Provides guidance for information security risk management as laid out in ISO/IEC 27001
Applicable to all organizations (regardless of size, type of business, etc.) that need to manage information security risks
ISO/IEC 27006
ISO/IEC 27006 is the Requirements for the accreditation of bodies providing certification of ISMSs
Joint initiative from ISO, IAF and CASCO
Based on ISO/IEC 17021 and ISO/IEC 27001
Published since February 2006
Your view about audit time, etc.?
ISO/IEC 27007
ISMS auditor guidelines
Specific ISMS guidance to complement ISO 19011, following the revision of ISO 19011
Dealing with guidance for auditors on subjects such as:
ISMS scopes
Risk assessment reports
Measurements
ISO/IEC 27008
New WD on auditing ISMS controls
Issues with that scope:
If this became part of ISMS certification audits, there would be an inconsistency with audits of other management systems
The ISMS itself should give information about the well-functioning of controls
ISO/IEC 27010
New WD on sector to sector interworking and communications for industry and government
Result of a Study Period on Critical Infrastructures
Confusion at the last meeting: no new draft available, only a Disposition of Comments
Scope: This International Standard provides guidance for information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure, or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations.
ISO/IEC 27011
The ITU-T standards group Question 7/17 developed the standard X.1051, Information security management guidelines for telecommunications based on ISO/IEC 27002
The aim is to support the implementation of ISO/IEC 27002 in the telecommunications sector
ISO/IEC 27011
The standard contains:
An overview giving the framework in which it operates
Extended versions of the controls from ISO/IEC 27002 to address telecoms
This standard has been adopted by SC 27 as ISO/IEC 27011 (on its way to publication)
ISO/IEC 27012
A new standard containing ISMS guidelines for e-government (1st WD)
The scope of this standard is to define guidelines supporting the implementation of Information Security Management (ISM) in e-government services
To provide guidance to the Public Administration on how to adapt 27002 controls and processes to specific e-government services and legally binding procedures
NP Financial services
A NWIP for financial and insurance services
Scope: This international standard provides guidance for supporting the implementation of information security management in the financial and insurance services sectors
This standard is intended to provide guidance on how to adapt the 2700x ISMS framework. It aims to support fulfilling sector-specific information security related legal and regulatory requirements through an internationally agreed and well-accepted framework
Q&A