Sunday, 18 May 2014

ISO/IEC 27001, Annex A - old and new annex ...


This affects the Statement of Applicability in a system based on the 2005 version.
Such a comparison may also be needed when revising other ISMS documents.

Notes
1. The comparison is shown at the level of control names.
    The content of the controls themselves is not shown.
    When working on a system, the content of the controls must also be analysed!
2. Both exact and approximate correspondences are shown.
    There may be some inaccuracies. If anyone notices one, please comment!
3. xxx marks the places where no correspondence was found or where the judgement
    requires a more in-depth analysis.
ANNEX A / ISO/IEC 27001:2005 | ANNEX A / ISO/IEC 27001:2013

A.5 Security policy | A.5 Information security policies
A.5.1 Information security policy | A.5.1 Management direction for information security
  2005 objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  2013 objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information security policy document | A.5.1.1 Policies for information security
A.5.1.2 Review of the information security policy | A.5.1.2 Review of the policies for information security

A.6 Organization of information security | A.6 Organization of information security
A.6.1 Internal organization | A.6.1 Internal organization
  2005 objective: To manage information security within the organization.
  2013 objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Management commitment to information security | xxx
A.6.1.2 Information security co-ordination | xxx
A.6.1.3 Allocation of information security responsibilities | A.6.1.1 Information security roles and responsibilities
A.6.1.4 Authorization process for information processing facilities | xxx
A.6.1.5 Confidentiality agreements | A.13.2.4 Confidentiality or nondisclosure agreements
A.6.1.6 Contact with authorities | A.6.1.3 Contact with authorities
A.6.1.7 Contact with special interest groups | A.6.1.4 Contact with special interest groups
A.6.1.8 Independent review of information security | A.18.2.1 Independent review of information security
A.6.2 External parties | xxx
  2005 objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
A.6.2.1 Identification of risks related to external parties | xxx
A.6.2.2 Addressing security when dealing with customers | xxx
A.6.2.3 Addressing security in third party agreements | A.15.1.2 Addressing security within supplier agreements

A.7 Asset management | A.8 Asset management
A.7.1 Responsibility for assets | A.8.1 Responsibility for assets
  2005 objective: To achieve and maintain appropriate protection of organizational assets.
  2013 objective: To identify organizational assets and define appropriate protection responsibilities.
A.7.1.1 Inventory of assets | A.8.1.1 Inventory of assets
A.7.1.2 Ownership of assets | A.8.1.2 Ownership of assets
A.7.1.3 Acceptable use of assets | A.8.1.3 Acceptable use of assets
A.7.2 Information classification | A.8.2 Information classification
  2005 objective: To ensure that information receives an appropriate level of protection.
  2013 objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
A.7.2.1 Classification guidelines | A.8.2.1 Classification of information
A.7.2.2 Information labelling and handling | A.8.2.2 Labelling of information; A.8.2.3 Handling of assets

A.8 Human resources security | A.7 Human resource security
A.8.1 Prior to employment | A.7.1 Prior to employment
  2005 objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
  2013 objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A.8.1.1 Roles and responsibilities | xxx
A.8.1.2 Screening | A.7.1.1 Screening
A.8.1.3 Terms and conditions of employment | A.7.1.2 Terms and conditions of employment
A.8.2 During employment | A.7.2 During employment
  2005 objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
  2013 objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
A.8.2.1 Management responsibilities | A.7.2.1 Management responsibilities
A.8.2.2 Information security awareness, education and training | A.7.2.2 Information security awareness, education and training
A.8.2.3 Disciplinary process | A.7.2.3 Disciplinary process
A.8.3 Termination or change of employment | A.7.3 Termination and change of employment
  2005 objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
  2013 objective: To protect the organization's interests as part of the process of changing or terminating employment.
A.8.3.1 Termination responsibilities | A.7.3.1 Termination or change of employment responsibilities
A.8.3.2 Return of assets | A.8.1.4 Return of assets
A.8.3.3 Removal of access rights | A.9.2.6 Removal or adjustment of access rights

A.9 Physical and environmental security | A.11 Physical and environmental security
A.9.1 Secure areas | A.11.1 Secure areas
  2005 objective: To prevent unauthorized physical access, damage and interference to the organization's premises and information.
  2013 objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
A.9.1.1 Physical security perimeter | A.11.1.1 Physical security perimeter
A.9.1.2 Physical entry controls | A.11.1.2 Physical entry controls
A.9.1.3 Securing offices, rooms and facilities | A.11.1.3 Securing offices, rooms and facilities
A.9.1.4 Protecting against external and environmental threats | A.11.1.4 Protecting against external and environmental threats
A.9.1.5 Working in secure areas | A.11.1.5 Working in secure areas
A.9.1.6 Public access, delivery and loading areas | A.11.1.6 Delivery and loading areas
A.9.2 Equipment security | A.11.2 Equipment
  2005 objective: To prevent loss, damage, theft or compromise of assets and interruption of the organization's activities.
  2013 objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
A.9.2.1 Equipment siting and protection | A.11.2.1 Equipment siting and protection
A.9.2.2 Supporting utilities | A.11.2.2 Supporting utilities
A.9.2.3 Cabling security | A.11.2.3 Cabling security
A.9.2.4 Equipment maintenance | A.11.2.4 Equipment maintenance
A.9.2.5 Security of equipment off-premises | A.11.2.6 Security of equipment and assets off-premises
A.9.2.6 Secure disposal or reuse of equipment | A.11.2.7 Secure disposal or reuse of equipment
A.9.2.7 Removal of property | A.11.2.5 Removal of assets

A.10 Communications and operations management | A.12 Operations security
A.10.1 Operational procedures and responsibilities | A.12.1 Operational procedures and responsibilities
  2005 objective: To ensure the correct and secure operation of information processing facilities.
  2013 objective: To ensure correct and secure operations of information processing facilities.
A.10.1.1 Documented operating procedures | A.12.1.1 Documented operating procedures
A.10.1.2 Change management | A.12.1.2 Change management
A.10.1.3 Segregation of duties | A.6.1.2 Segregation of duties
A.10.1.4 Separation of development, test and operational facilities | A.12.1.4 Separation of development, testing and operational environments
A.10.2 Third party service delivery management | A.15.1 Information security in supplier relationships
  2005 objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
  2013 objective: To ensure protection of the organization's assets that is accessible by suppliers.
A.10.2.1 Service delivery | A.15.1.1 Information security policy for supplier relationships; A.15.1.2 Addressing security within supplier agreements; A.15.1.3 Information and communication technology supply chain
A.10.2.2 Monitoring and review of third party services | A.15.2.1 Monitoring and review of supplier services
A.10.2.3 Managing changes to third party services | A.15.2.2 Managing changes to supplier services
A.10.3 System planning and acceptance | xxx
  2005 objective: To minimize the risk of systems failures.
A.10.3.1 Capacity management | A.12.1.3 Capacity management
A.10.3.2 System acceptance | A.14.2.9 System acceptance testing
A.10.4 Protection against malicious and mobile code | A.12.2 Protection from malware
  2005 objective: To protect the integrity of software and information.
  2013 objective: To ensure that information and information processing facilities are protected against malware.
A.10.4.1 Controls against malicious code | A.12.2.1 Controls against malware
A.10.4.2 Controls against mobile code | A.12.2.1 Controls against malware
A.10.5 Back-up | A.12.3 Backup
  2005 objective: To maintain the integrity and availability of information and information processing facilities.
  2013 objective: To protect against loss of data.
A.10.5.1 Information back-up | A.12.3.1 Information backup
A.10.6 Network security management | A.13.1 Network security management
  2005 objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
  2013 objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.10.6.1 Network controls | A.13.1.1 Network controls
A.10.6.2 Security of network services | A.13.1.2 Security of network services
A.10.7 Media handling | A.8.3 Media handling
  2005 objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
  2013 objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
A.10.7.1 Management of removable media | A.8.3.1 Management of removable media
A.10.7.2 Disposal of media | A.8.3.2 Disposal of media
A.10.7.3 Information handling procedures | xxx
A.10.7.4 Security of system documentation | xxx
A.10.8 Exchange of information | A.13.2 Information transfer
  2005 objective: To maintain the security of information and software exchanged within an organization and with any external entity.
  2013 objective: To maintain the security of information transferred within an organization and with any external entity.
A.10.8.1 Information exchange policies and procedures | A.13.2.1 Information transfer policies and procedures
A.10.8.2 Exchange agreements | A.13.2.2 Agreements on information transfer
A.10.8.3 Physical media in transit | A.8.3.3 Physical media transfer
A.10.8.4 Electronic messaging | A.13.2.3 Electronic messaging
A.10.8.5 Business information systems | xxx
A.10.9 Electronic commerce services | xxx
  2005 objective: To ensure the security of electronic commerce services, and their secure use.
A.10.9.1 Electronic commerce | A.14.1.2 Securing application services on public networks
A.10.9.2 On-line transactions | A.14.1.3 Protecting application services transactions
A.10.9.3 Publicly available information | xxx
A.10.10 Monitoring | A.12.4 Logging and monitoring
  2005 objective: To detect unauthorized information processing activities.
  2013 objective: To record events and generate evidence.
A.10.10.1 Audit logging | A.12.4.1 Event logging
A.10.10.2 Monitoring system use | A.12.4.1 Event logging
A.10.10.3 Protection of log information | A.12.4.2 Protection of log information
A.10.10.4 Administrator and operator logs | A.12.4.3 Administrator and operator logs
A.10.10.5 Fault logging | A.12.4.1 Event logging
A.10.10.6 Clock synchronization | A.12.4.4 Clock synchronisation

A.11 Access control | A.9 Access control
A.11.1 Business requirement for access control | A.9.1 Business requirement for access control
  2005 objective: To control access to information.
  2013 objective: To limit access to information and information processing facilities.
A.11.1.1 Access control policy | A.9.1.1 Access control policy
A.11.2 User access management | A.9.2 User access management
  2005 objective: To ensure authorized user access and to prevent unauthorized access to information systems.
  2013 objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
A.11.2.1 User registration | A.9.2.1 User registration and de-registration
A.11.2.2 Privilege management | A.9.2.3 Management of privileged access rights
A.11.2.3 User password management | xxx
A.11.2.4 Review of user access rights | A.9.2.5 Review of user access rights
A.11.3 User responsibilities | A.9.3 User responsibilities
  2005 objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
  2013 objective: To make users accountable for safeguarding their authentication information.
A.11.3.1 Password use | xxx
A.11.3.2 Unattended user equipment | A.11.2.8 Unattended user equipment
A.11.3.3 Clear desk and clear screen policy | A.11.2.9 Clear desk and clear screen policy
A.11.4 Network access control | xxx
  2005 objective: To prevent unauthorized access to networked services.
A.11.4.1 Policy on use of network services | A.9.1.2 Access to networks and network services
A.11.4.2 User authentication for external connections | xxx
A.11.4.3 Equipment identification in networks | xxx
A.11.4.4 Remote diagnostic and configuration port protection | xxx
A.11.4.5 Segregation in networks | A.13.1.3 Segregation in networks
A.11.4.6 Network connection control | xxx
A.11.4.7 Network routing control | xxx
A.11.5 Operating system access control | A.9.4 System and application access control
  2005 objective: To prevent unauthorized access to operating systems.
  2013 objective: To prevent unauthorized access to systems and applications.
A.11.5.1 Secure log-on procedures | A.9.4.2 Secure log-on procedures
A.11.5.2 User identification and authentication | xxx
A.11.5.3 Password management system | A.9.4.3 Password management system
A.11.5.4 Use of system utilities | A.9.4.4 Use of privileged utility programs
A.11.5.5 Session time-out | xxx
A.11.5.6 Limitation of connection time | xxx
A.11.6 Application and information access control | xxx
  2005 objective: To prevent unauthorized access to information held in application systems.
A.11.6.1 Information access restriction | A.9.4.1 Information access restriction
A.11.6.2 Sensitive system isolation | xxx
A.11.7 Mobile computing and teleworking | A.6.2 Mobile devices and teleworking
  2005 objective: To ensure information security when using mobile computing and teleworking facilities.
  2013 objective: To ensure the security of teleworking and use of mobile devices.
A.11.7.1 Mobile computing and communications | A.6.2.1 Mobile device policy
A.11.7.2 Teleworking | A.6.2.2 Teleworking

A.12 Information systems acquisition, development and maintenance | A.14 System acquisition, development and maintenance
A.12.1 Security requirements of information systems | A.14.1 Security requirements of information systems
  2005 objective: To ensure that security is an integral part of information systems.
  2013 objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
A.12.1.1 Security requirements analysis and specification | A.14.1.1 Information security requirements analysis and specification
A.12.2 Correct processing in applications | xxx
  2005 objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
A.12.2.1 Input data validation | xxx
A.12.2.2 Control of internal processing | xxx
A.12.2.3 Message integrity | xxx
A.12.2.4 Output data validation | xxx
A.12.3 Cryptographic controls | A.10.1 Cryptographic controls
  2005 objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
  2013 objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A.12.3.1 Policy on the use of cryptographic controls | A.10.1.1 Policy on the use of cryptographic controls
A.12.3.2 Key management | A.10.1.2 Key management
A.12.4 Security of system files | A.14.3 Test data
  2005 objective: To ensure the security of system files.
  2013 objective: To ensure the protection of data used for testing.
A.12.4.1 Control of operational software | A.12.5.1 Installation of software on operational systems
A.12.4.2 Protection of system test data | A.14.3.1 Protection of test data
A.12.4.3 Access control to program source code | A.9.4.5 Access control to program source code
A.12.5 Security in development and support processes | A.14.2 Security in development and support processes
  2005 objective: To maintain the security of application system software and information.
  2013 objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.12.5.1 Change control procedures | A.14.2.2 System change control procedures
A.12.5.2 Technical review of applications after operating system changes | A.14.2.3 Technical review of applications after operating platform changes
A.12.5.3 Restrictions on changes to software packages | A.14.2.4 Restrictions on changes to software packages
A.12.5.4 Information leakage | xxx
A.12.5.5 Outsourced software development | A.14.2.7 Outsourced development
A.12.6 Technical vulnerability management | A.12.6 Technical vulnerability management
  2005 objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
  2013 objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Control of technical vulnerabilities | A.12.6.1 Management of technical vulnerabilities

A.13 Information security incident management | A.16 Information security incident management
A.13.1 Reporting information security events and weaknesses | A.16.1 Management of information security incidents and improvements
  2005 objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
  2013 objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
A.13.1.1 Reporting information security events | A.16.1.2 Reporting information security events
A.13.1.2 Reporting security weaknesses | A.16.1.3 Reporting information security weaknesses
A.13.2 Management of information security incidents and improvements | xxx
  2005 objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
A.13.2.1 Responsibilities and procedures | A.16.1.1 Responsibilities and procedures; A.16.1.5 Response to information security incidents
A.13.2.2 Learning from information security incidents | A.16.1.6 Learning from information security incidents
A.13.2.3 Collection of evidence | A.16.1.7 Collection of evidence

A.14 Business continuity management | A.17 Information security aspects of business continuity management
A.14.1 Information security aspects of business continuity management | A.17.1 Information security continuity
  2005 objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
  2013 objective: Information security continuity shall be embedded in the organization's business continuity management systems.
A.14.1.1 Including inf. sec. in the business continuity management process | A.17.1.2 Implementing information security continuity
A.14.1.2 Business continuity and risk assessment | xxx
A.14.1.3 Developing and implementing continuity plans incl. inf. sec. | A.17.1.1 Planning information security continuity
A.14.1.4 Business continuity planning framework | xxx
A.14.1.5 Testing, maintaining and reassessing business continuity plans | A.17.1.3 Verify, review and evaluate information security continuity

A.15 Compliance | A.18 Compliance
A.15.1 Compliance with legal requirements | A.18.1 Compliance with legal and contractual requirements
  2005 objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
  2013 objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.15.1.1 Identification of applicable legislation | A.18.1.1 Identification of applicable legislation and contractual requirements
A.15.1.2 Intellectual property rights (IPR) | A.18.1.2 Intellectual property rights
A.15.1.3 Protection of organizational records | A.18.1.3 Protection of records
A.15.1.4 Data protection and privacy of personal information | A.18.1.4 Privacy and protection of personally identifiable information
A.15.1.5 Prevention of misuse of information processing facilities | xxx
A.15.1.6 Regulation of cryptographic controls | A.18.1.5 Regulation of cryptographic controls
A.15.2 Compliance with security policies and standards, and technical compliance | xxx
  2005 objective: To ensure compliance of systems with organizational security policies and standards.
A.15.2.1 Compliance with security policies and standards | A.18.2.2 Compliance with security policies and standards
A.15.2.2 Technical compliance checking | A.18.2.3 Technical compliance review
A.15.3 Information systems audit considerations | A.12.7 Information systems audit considerations
  2005 objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
  2013 objective: To minimise the impact of audit activities on operational systems.
A.15.3.1 Information systems audit controls | A.12.7.1 Information systems audit controls
A.15.3.2 Protection of information systems audit tools | xxx

| A.6.1.5 Information security in project management
| A.9.2.2 User access provisioning
| A.9.2.4 Management of secret authentication information of users
| A.9.3.1 Use of secret authentication information
| A.12.4.1 Event logging
| A.12.6.2 Restrictions on software installation
| A.14.2.1 Secure development policy
| A.14.2.5 Secure system engineering principles
| A.14.2.6 Secure development environment
| A.14.2.8 System security testing
| A.16.1.4 Assessment of and decision on information security events
| A.17.2 Redundancies
  2013 objective: To ensure availability of information processing facilities.
| A.17.2.1 Availability of information processing facilities
| A.18.2 Information security reviews
  2013 objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A.6.1.8 Independent review of information security | A.18.2.1 Independent review of information security