In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 draft; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned.
So, let’s take a look at what changes are proposed for ISO 27002 (source: BSI website) – it is important to note here that since this is only a DIS (draft) version of ISO 27002:2013, it is expected that the final version will differ quite a bit. Here I’ll focus mainly on how the controls are structured, and not so much on their description – so here are the main differences:
Number of sections – as expected, the number of sections has increased – from 11 sections containing controls in the old standard to 14 in the new. This way, the problem in the old standard, where some controls were artificially inserted in certain areas where they did not belong, is now resolved.
Number of controls – surprisingly, the number of controls has decreased – from 133 to only 113! This is due to eliminating some controls that were too specific or outdated.
Structure of sections – Cryptography has become a separate section (#10) – it is (logically) not part of Information systems acquisition, development and maintenance any more. A similar thing has happened with Supplier relationships – as deserved, they have become a separate section (#15). Communications and operations management is divided now into Operations security (section 12), and Communications security (now section 13). Here is how the sections look now:
- 5 Security Policies
- 6 Organization of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 System acquisition, development and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity
- 18 Compliance
Placement of security categories – categories have mixed a bit:
- Mobile devices and teleworking, previously in Access control, is now 6.2 – part of section 6 Organization of information security.
- Media handling was previously part of Communications and operations management, but now it is 8.3, part of 8 Asset management.
- Operating system access control and Application and information access control have now merged into System and application access control (9.4) and remain in section 9 Access control.
- Control of operational software, previously a single control in Information systems acquisition, development and maintenance, is now a separate category 12.5, part of the Operations security section.
- Information systems audit considerations have moved from Compliance to 12.7, part of the Operations security section.
- A Security category called Network access control is gone, and some of its controls have moved to section 13 Communications security.
- Information transfer (previously called Exchange of information) is now 13.2, part of section 13 Communications security.
- The controversial category Correct processing in applications (part of the old Information systems acquisition, development and maintenance) is now gone.
- Electronic commerce services no longer exists as a separate category; its controls are merged into 14.1 Security requirements of information systems.
- Two categories from the section Information Security Incident Management are now merged into one.
- The Business continuity section has received a new category – 17.2 Redundancies. Basically, this is about disaster recovery.
New controls – here are a few controls that are new:
- 14.2.1 Secure development policy – rules for development of software and information systems
- 14.2.5 System development procedures – principles for system engineering
- 14.2.6 Secure development environment – establishing and protecting development environment
- 14.2.8 System security testing – tests of security functionality
- 16.1.4 Assessment and decision of information security events – this is part of incident management
- 17.2.1 Availability of information processing facilities – achieving redundancy
Controls that are gone – finally, here are some of the controls that do not exist anymore:
- 6.2.2 Addressing security when dealing with customers
- 10.4.2 Controls against mobile code
- 10.7.3 Information handling procedures
- 10.7.4 Security of system documentation
- 10.8.5 Business information systems
- 10.9.3 Publicly available information
- 11.4.2 User authentication for external connections
- 11.4.3 Equipment identification in networks
- 11.4.4 Remote diagnostic and configuration port protection
- 11.4.6 Network connection control
- 11.4.7 Network routing control
- 12.2.1 Input data validation
- 12.2.2 Control of internal processing
- 12.2.3 Message integrity
- 12.2.4 Output data validation
- 11.5.5 Session time out
- 11.5.6 Limitation of connection time
- 11.6.2 Sensitive system isolation
- 12.5.4 Information leakage
- 14.1.2 Business continuity and risk assessment
- 14.1.3 Developing and implementing business continuity plans
- 14.1.4 Business continuity planning framework
- 15.1.5 Prevention of misuse of information processing facilities
- 15.3.2 Protection of information systems audit tools
Since the structure of ISO 27002 is completely aligned with controls from ISO 27001, all these changes are also valid for new ISO 27001 Annex A.
At first sight, there are many changes… However, I don’t think most of these changes are really fundamental – many of them have actually corrected the incorrect structure of the old ISO 27002, and added the controls that were missing in the first place. Some things did change – like network security and development process – these areas are now more loosely described and thus more freedom is given to companies on how to implement them.
To conclude, I like these changes – it seems to me implementing this new standard is going to be easier.