27001 & 27002:2013

Transcription

27001 & 27002:2013
Dr.-Ing. Oliver Weissmann
Sunday, 9 June 13

Contents
- History
- Status
- Standards
- 27001
- 27002
- Conclusion
xiv-consult GmbH 2013

History (timeline slide; the only entry recoverable from the transcription is: 27002:2013 published)

Status
- Worldwide approx. 8000 certified organisations
- Of these, over 4000 in Japan
- The most widespread holistic security standard in the world
- Strong development of sector-specific standards: Finance, Energy

Distribution by country (chart; only the axis ticks 0, 1250, 2500, 3750, 5000 and the categories Greece and Rest survive the transcription)

270XX Family

Core standards:
- 27000 Terms and Definitions
- 27001 Requirements
- 27002 Code of Practice
- 27003 Impl. Guidance
- 27004 Measurements
- 27005 IS Risk Management
- 27006 Req. for Cert. Bodies
- 27007 Guidel. to Auditing
- 27008 GL. for Auditors on Controls
- 27010 Inter sector inter org. comm.

Sector and management standards:
- 27011 Sector Telecommunication
- 27013 Integ. Impl. of 20000 & 27001
- 27014 Gov. of InfoSec
- 27015 Sector Financial Services
- 27016 Organisational Economics
- 27017 Cloud Computing
- 27018 Public Cloud Computing Serv.
- 27799 Healthcare

Technical standards:
- 27031 ICT Readiness BC
- 27032 Cyber Security
- 27033 Network Security
- 27034 Application Security
- 27035 Information Security Inc. Mgmt.
- 27036 Suppl Relationships
- 27037 Digital Evidence
- 27039 IDPS
- 27040 Storage Security
- 27041-43 Investigation
- 27044 Sec. Inform. and Event Mgmt.

27001:2013

ISO structure
- ISO Directives
  - ISO Directives Annex SL
- ISO Guide 72 (deprecated)
- TQM
- ISO 90XX
- ISO 140XX
- ISO 270XX
- ISO 500xx

27001: Focus
- Compliance with ISO Directives Annex SL for management systems
- Goal: simplification of integrated management systems

"This International Standard applies the high-level structure, identical sub-clause titles, identical text, common terms, and core definitions defined in Annex SL of ISO/IEC Directives, Part 1, and therefore maintains compatibility with other management system standards that have adopted the Annex SL. This common approach defined in the Annex SL will be useful for those organizations that choose to operate a single management system that meets the requirements of two or more management system standards."

27001: Structure
5 - Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organisational roles, responsibilities and authorities
6 - Planning
  6.1 Actions to address risk and opportunities
  6.2 Information security objectives and plans to achieve them
7 - Support
  7.1 Resources
  7.2 Competences
  7.3 Awareness
  7.4 Communication
  7.5 Documented Information
8 - Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9 - Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal Audit
  9.3 Management Review
10 - Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement

27002:2013

27002: Focus
- Applicable stand-alone
- Clearer wording
- Simpler implementation
- Reduction of redundancy
- Updating and streamlining in the technical areas
- Approx. 3000 technical changes processed

27002: Structure
5 - Security Policies
6 - Organisation of Information Security
7 - Human Resource Security
8 - Asset Management
9 - Access Control
10 - Cryptography
11 - Physical and Environmental Security
12 - Operations Security
13 - Communications Security
14 - Sys. Acc. Dev. and Maintenance
15 - Supplier Relationships
16 - Info. Sec. Incident Management
17 - Info. Sec. Aspects of BCM
18 - Compliance

27002: Incident Management
16 - Info. Sec. Incident Management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment and decision of information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence

27002: Mobile Devices and Teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
6.2.1 Mobile Device Policy
A policy and supporting security measures should be adopted to protect against the risks introduced by using mobile devices.
Implementation Guidance (excerpt)
Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid the unauthorized access to or disclosure of the information stored and processed by these devices, e.g. using cryptographic techniques (see chapter 10) and enforcing use of secret authentication information (see control 9.2.3).

27002: Secure Development Policy
14.2.1 Secure development policy
Rules for the development of software and systems should be established and applied to developments within the organization.
Implementation Guidance (excerpt)
Secure programming techniques should be used both for new developments and in code re-use scenarios where the standards applied to development may not be known or were not consistent with current best practices. Secure coding standards should be considered and where relevant mandated for use. Developers should be trained in their use and testing and code review should verify their use.
Other Information
Development may also take place inside applications, such as office applications, scripting, browsers and databases.

Conclusion
- The standard has shed a considerable amount of redundancy
- It addresses objectives and responsibilities more strongly through policies
- Many of the controls have become easier to measure
- The number of countries using the standard has risen considerably
- The framework as a whole is mutually complementary

Contact
Dr.-Ing. Oliver Weissmann
Editor ISO/IEC 27002:2013
xiv-consult GmbH
Königswinterer Str. 409
53639 Königswinter
Mail: ow@xiv-consult.de
Tel.: 49 2223 9192540
