This concerns the Statement of Applicability in an ISMS based on the 2005 version of the standard.
Such a comparison may also be needed when revising other ISMS documents.
Clarifications
1. The comparison is made at the level of control names. The content of the controls themselves is not shown. When working on a system, the content of the controls must be analysed as well!
2. Both exact and approximate correspondences are shown. There may be some inaccuracies; if anyone notices one, please comment!
3. Places where no correspondence was found, or where the judgement requires deeper analysis, are marked with xxx.
| 2005 | Annex A / ISO/IEC 27001:2005 | 2013 | Annex A / ISO/IEC 27001:2013 |
|---|---|---|---|
| A.5 | Security policy | A.5 | Information security policies |
| A.5.1 | Information security policy. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | A.5.1 | Management direction for information security. Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. |
| A.5.1.1 | Information security policy document | A.5.1.1 | Policies for information security |
| A.5.1.2 | Review of the information security policy | A.5.1.2 | Review of the policies for information security |
| A.6 | Organization of information security | A.6 | Organization of information security |
| A.6.1 | Internal organization. Objective: To manage information security within the organization. | A.6.1 | Internal organization. Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. |
| A.6.1.1 | Management commitment to information security | xxx | |
| A.6.1.2 | Information security co-ordination | xxx | |
| A.6.1.3 | Allocation of information security responsibilities | A.6.1.1 | Information security roles and responsibilities |
| A.6.1.4 | Authorization process for information processing facilities | xxx | |
| A.6.1.5 | Confidentiality agreements | A.13.2.4 | Confidentiality or nondisclosure agreements |
| A.6.1.6 | Contact with authorities | A.6.1.3 | Contact with authorities |
| A.6.1.7 | Contact with special interest groups | A.6.1.4 | Contact with special interest groups |
| A.6.1.8 | Independent review of information security | A.18.2.1 | Independent review of information security |
| A.6.2 | External parties. Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties. | xxx | |
| A.6.2.1 | Identification of risks related to external parties | xxx | |
| A.6.2.2 | Addressing security when dealing with customers | xxx | |
| A.6.2.3 | Addressing security in third party agreements | A.15.1.2 | Addressing security within supplier agreements |
| A.7 | Asset management | A.8 | Asset management |
| A.7.1 | Responsibility for assets. Objective: To achieve and maintain appropriate protection of organizational assets. | A.8.1 | Responsibility for assets. Objective: To identify organizational assets and define appropriate protection responsibilities. |
| A.7.1.1 | Inventory of assets | A.8.1.1 | Inventory of assets |
| A.7.1.2 | Ownership of assets | A.8.1.2 | Ownership of assets |
| A.7.1.3 | Acceptable use of assets | A.8.1.3 | Acceptable use of assets |
| A.7.2 | Information classification. Objective: To ensure that information receives an appropriate level of protection. | A.8.2 | Information classification. Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. |
| A.7.2.1 | Classification guidelines | A.8.2.1 | Classification of information |
| A.7.2.2 | Information labelling and handling | A.8.2.2 | Labelling of information |
| | | A.8.2.3 | Handling of assets |
| A.8 | Human resources security | A.7 | Human resource security |
| A.8.1 | Prior to employment. Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. | A.7.1 | Prior to employment. Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
| A.8.1.1 | Roles and responsibilities | xxx | |
| A.8.1.2 | Screening | A.7.1.1 | Screening |
| A.8.1.3 | Terms and conditions of employment | A.7.1.2 | Terms and conditions of employment |
| A.8.2 | During employment. Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. | A.7.2 | During employment. Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities. |
| A.8.2.1 | Management responsibilities | A.7.2.1 | Management responsibilities |
| A.8.2.2 | Information security awareness, education and training | A.7.2.2 | Information security awareness, education and training |
| A.8.2.3 | Disciplinary process | A.7.2.3 | Disciplinary process |
| A.8.3 | Termination or change of employment. Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. | A.7.3 | Termination and change of employment. Objective: To protect the organization’s interests as part of the process of changing or terminating employment. |
| A.8.3.1 | Termination responsibilities | A.7.3.1 | Termination or change of employment responsibilities |
| A.8.3.2 | Return of assets | A.8.1.4 | Return of assets |
| A.8.3.3 | Removal of access rights | A.9.2.6 | Removal or adjustment of access rights |
| A.9 | Physical and environmental security | A.11 | Physical and environmental security |
| A.9.1 | Secure areas. Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information. | A.11.1 | Secure areas. Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. |
| A.9.1.1 | Physical security perimeter | A.11.1.1 | Physical security perimeter |
| A.9.1.2 | Physical entry controls | A.11.1.2 | Physical entry controls |
| A.9.1.3 | Securing offices, rooms and facilities | A.11.1.3 | Securing offices, rooms and facilities |
| A.9.1.4 | Protecting against external and environmental threats | A.11.1.4 | Protecting against external and environmental threats |
| A.9.1.5 | Working in secure areas | A.11.1.5 | Working in secure areas |
| A.9.1.6 | Public access, delivery and loading areas | A.11.1.6 | Delivery and loading areas |
| A.9.2 | Equipment security. Objective: To prevent loss, damage, theft or compromise of assets and interruption of the organization’s activities. | A.11.2 | Equipment. Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. |
| A.9.2.1 | Equipment siting and protection | A.11.2.1 | Equipment siting and protection |
| A.9.2.2 | Supporting utilities | A.11.2.2 | Supporting utilities |
| A.9.2.3 | Cabling security | A.11.2.3 | Cabling security |
| A.9.2.4 | Equipment maintenance | A.11.2.4 | Equipment maintenance |
| A.9.2.5 | Security of equipment off-premises | A.11.2.6 | Security of equipment and assets off-premises |
| A.9.2.6 | Secure disposal or reuse of equipment | A.11.2.7 | Secure disposal or reuse of equipment |
| A.9.2.7 | Removal of property | A.11.2.5 | Removal of assets |
| A.10 | Communications and operations management | A.12 | Operations security |
| A.10.1 | Operational procedures and responsibilities. Objective: To ensure the correct and secure operation of information processing facilities. | A.12.1 | Operational procedures and responsibilities. Objective: To ensure correct and secure operations of information processing facilities. |
| A.10.1.1 | Documented operating procedures | A.12.1.1 | Documented operating procedures |
| A.10.1.2 | Change management | A.12.1.2 | Change management |
| A.10.1.3 | Segregation of duties | A.6.1.2 | Segregation of duties |
| A.10.1.4 | Separation of development, test and operational facilities | A.12.1.4 | Separation of development, testing and operational environments |
| A.10.2 | Third party service delivery management. Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements. | A.15.1 | Information security in supplier relationships. Objective: To ensure protection of the organization’s assets that is accessible by suppliers. |
| A.10.2.1 | Service delivery | A.15.1.1 | Information security policy for supplier relationships |
| | | A.15.1.2 | Addressing security within supplier agreements |
| | | A.15.1.3 | Information and communication technology supply chain |
| A.10.2.2 | Monitoring and review of third party services | A.15.2.1 | Monitoring and review of supplier services |
| A.10.2.3 | Managing changes to third party services | A.15.2.2 | Managing changes to supplier services |
| A.10.3 | System planning and acceptance. Objective: To minimize the risk of systems failures. | xxx | |
| A.10.3.1 | Capacity management | A.12.1.3 | Capacity management |
| A.10.3.2 | System acceptance | A.14.2.9 | System acceptance testing |
| A.10.4 | Protection against malicious and mobile code. Objective: To protect the integrity of software and information. | A.12.2 | Protection from malware. Objective: To ensure that information and information processing facilities are protected against malware. |
| A.10.4.1 | Controls against malicious code | A.12.2.1 | Controls against malware |
| A.10.4.2 | Controls against mobile code | A.12.2.1 | Controls against malware |
| A.10.5 | Back-up. Objective: To maintain the integrity and availability of information and information processing facilities. | A.12.3 | Backup. Objective: To protect against loss of data. |
| A.10.5.1 | Information back-up | A.12.3.1 | Information backup |
| A.10.6 | Network security management. Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure. | A.13.1 | Network security management. Objective: To ensure the protection of information in networks and its supporting information processing facilities. |
| A.10.6.1 | Network controls | A.13.1.1 | Network controls |
| A.10.6.2 | Security of network services | A.13.1.2 | Security of network services |
| A.10.7 | Media handling. Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. | A.8.3 | Media handling. Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. |
| A.10.7.1 | Management of removable media | A.8.3.1 | Management of removable media |
| A.10.7.2 | Disposal of media | A.8.3.2 | Disposal of media |
| A.10.7.3 | Information handling procedures | xxx | |
| A.10.7.4 | Security of system documentation | xxx | |
| A.10.8 | Exchange of information. Objective: To maintain the security of information and software exchanged within an organization and with any external entity. | A.13.2 | Information transfer. Objective: To maintain the security of information transferred within an organization and with any external entity. |
| A.10.8.1 | Information exchange policies and procedures | A.13.2.1 | Information transfer policies and procedures |
| A.10.8.2 | Exchange agreements | A.13.2.2 | Agreements on information transfer |
| A.10.8.3 | Physical media in transit | A.8.3.3 | Physical media transfer |
| A.10.8.4 | Electronic messaging | A.13.2.3 | Electronic messaging |
| A.10.8.5 | Business information systems | xxx | |
| A.10.9 | Electronic commerce services. Objective: To ensure the security of electronic commerce services, and their secure use. | xxx | |
| A.10.9.1 | Electronic commerce | A.14.1.2 | Securing application services on public networks |
| A.10.9.2 | On-line transactions | A.14.1.3 | Protecting application services transactions |
| A.10.9.3 | Publicly available information | xxx | |
| A.10.10 | Monitoring. Objective: To detect unauthorized information processing activities. | A.12.4 | Logging and monitoring. Objective: To record events and generate evidence. |
| A.10.10.1 | Audit logging | A.12.4.1 | Event logging |
| A.10.10.2 | Monitoring system use | A.12.4.1 | Event logging |
| A.10.10.3 | Protection of log information | A.12.4.2 | Protection of log information |
| A.10.10.4 | Administrator and operator logs | A.12.4.3 | Administrator and operator logs |
| A.10.10.5 | Fault logging | A.12.4.1 | Event logging |
| A.10.10.6 | Clock synchronization | A.12.4.4 | Clock synchronisation |
| A.11 | Access control | A.9 | Access control |
| A.11.1 | Business requirement for access control. Objective: To control access to information. | A.9.1 | Business requirement for access control. Objective: To limit access to information and information processing facilities. |
| A.11.1.1 | Access control policy | A.9.1.1 | Access control policy |
| A.11.2 | User access management. Objective: To ensure authorized user access and to prevent unauthorized access to information systems. | A.9.2 | User access management. Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. |
| A.11.2.1 | User registration | A.9.2.1 | User registration and de-registration |
| A.11.2.2 | Privilege management | A.9.2.3 | Management of privileged access rights |
| A.11.2.3 | User password management | xxx | |
| A.11.2.4 | Review of user access rights | A.9.2.5 | Review of user access rights |
| A.11.3 | User responsibilities. Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities. | A.9.3 | User responsibilities. Objective: To make users accountable for safeguarding their authentication information. |
| A.11.3.1 | Password use | xxx | |
| A.11.3.2 | Unattended user equipment | A.11.2.8 | Unattended user equipment |
| A.11.3.3 | Clear desk and clear screen policy | A.11.2.9 | Clear desk and clear screen policy |
| A.11.4 | Network access control. Objective: To prevent unauthorized access to networked services. | xxx | |
| A.11.4.1 | Policy on use of network services | A.9.1.2 | Access to networks and network services |
| A.11.4.2 | User authentication for external connections | xxx | |
| A.11.4.3 | Equipment identification in networks | xxx | |
| A.11.4.4 | Remote diagnostic and configuration port protection | xxx | |
| A.11.4.5 | Segregation in networks | A.13.1.3 | Segregation in networks |
| A.11.4.6 | Network connection control | xxx | |
| A.11.4.7 | Network routing control | xxx | |
| A.11.5 | Operating system access control. Objective: To prevent unauthorized access to operating systems. | A.9.4 | System and application access control. Objective: To prevent unauthorized access to systems and applications. |
| A.11.5.1 | Secure log-on procedures | A.9.4.2 | Secure log-on procedures |
| A.11.5.2 | User identification and authentication | xxx | |
| A.11.5.3 | Password management system | A.9.4.3 | Password management system |
| A.11.5.4 | Use of system utilities | A.9.4.4 | Use of privileged utility programs |
| A.11.5.5 | Session time-out | xxx | |
| A.11.5.6 | Limitation of connection time | xxx | |
| A.11.6 | Application and information access control. Objective: To prevent unauthorized access to information held in application systems. | xxx | |
| A.11.6.1 | Information access restriction | A.9.4.1 | Information access restriction |
| A.11.6.2 | Sensitive system isolation | xxx | |
| A.11.7 | Mobile computing and teleworking. Objective: To ensure information security when using mobile computing and teleworking facilities. | A.6.2 | Mobile devices and teleworking. Objective: To ensure the security of teleworking and use of mobile devices. |
| A.11.7.1 | Mobile computing and communications | A.6.2.1 | Mobile device policy |
| A.11.7.2 | Teleworking | A.6.2.2 | Teleworking |
| A.12 | Information systems acquisition, development and maintenance | A.14 | System acquisition, development and maintenance |
| A.12.1 | Security requirements of information systems. Objective: To ensure that security is an integral part of information systems. | A.14.1 | Security requirements of information systems. Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. |
| A.12.1.1 | Security requirements analysis and specification | A.14.1.1 | Information security requirements analysis and specification |
| A.12.2 | Correct processing in applications. Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications. | xxx | |
| A.12.2.1 | Input data validation | xxx | |
| A.12.2.2 | Control of internal processing | xxx | |
| A.12.2.3 | Message integrity | xxx | |
| A.12.2.4 | Output data validation | xxx | |
| A.12.3 | Cryptographic controls. Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means. | A.10.1 | Cryptographic controls. Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. |
| A.12.3.1 | Policy on the use of cryptographic controls | A.10.1.1 | Policy on the use of cryptographic controls |
| A.12.3.2 | Key management | A.10.1.2 | Key management |
| A.12.4 | Security of system files. Objective: To ensure the security of system files. | A.14.3 | Test data. Objective: To ensure the protection of data used for testing. |
| A.12.4.1 | Control of operational software | A.12.5.1 | Installation of software on operational systems |
| A.12.4.2 | Protection of system test data | A.14.3.1 | Protection of test data |
| A.12.4.3 | Access control to program source code | A.9.4.5 | Access control to program source code |
| A.12.5 | Security in development and support processes. Objective: To maintain the security of application system software and information. | A.14.2 | Security in development and support processes. Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. |
| A.12.5.1 | Change control procedures | A.14.2.2 | System change control procedures |
| A.12.5.2 | Technical review of applications after operating system changes | A.14.2.3 | Technical review of applications after operating platform changes |
| A.12.5.3 | Restrictions on changes to software packages | A.14.2.4 | Restrictions on changes to software packages |
| A.12.5.4 | Information leakage | xxx | |
| A.12.5.5 | Outsourced software development | A.14.2.7 | Outsourced development |
| A.12.6 | Technical vulnerability management. Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. | A.12.6 | Technical vulnerability management. Objective: To prevent exploitation of technical vulnerabilities. |
| A.12.6.1 | Control of technical vulnerabilities | A.12.6.1 | Management of technical vulnerabilities |
| A.13 | Information security incident management | A.16 | Information security incident management |
| A.13.1 | Reporting information security events and weaknesses. Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. | A.16.1 | Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. |
| A.13.1.1 | Reporting information security events | A.16.1.2 | Reporting information security events |
| A.13.1.2 | Reporting security weaknesses | A.16.1.3 | Reporting information security weaknesses |
| A.13.2 | Management of information security incidents and improvements. Objective: To ensure a consistent and effective approach is applied to the management of information security incidents. | xxx | |
| A.13.2.1 | Responsibilities and procedures | A.16.1.1 | Responsibilities and procedures |
| | | A.16.1.5 | Response to information security incidents |
| A.13.2.2 | Learning from information security incidents | A.16.1.6 | Learning from information security incidents |
| A.13.2.3 | Collection of evidence | A.16.1.7 | Collection of evidence |
| A.14 | Business continuity management | A.17 | Information security aspects of business continuity management |
| A.14.1 | Information security aspects of business continuity management. Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. | A.17.1 | Information security continuity. Objective: Information security continuity shall be embedded in the organization’s business continuity management systems. |
| A.14.1.1 | Including information security in the business continuity management process | A.17.1.2 | Implementing information security continuity |
| A.14.1.2 | Business continuity and risk assessment | xxx | |
| A.14.1.3 | Developing and implementing continuity plans including information security | A.17.1.1 | Planning information security continuity |
| A.14.1.4 | Business continuity planning framework | xxx | |
| A.14.1.5 | Testing, maintaining and reassessing business continuity plans | A.17.1.3 | Verify, review and evaluate information security continuity |
| A.15 | Compliance | A.18 | Compliance |
| A.15.1 | Compliance with legal requirements. Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. | A.18.1 | Compliance with legal and contractual requirements. Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. |
| A.15.1.1 | Identification of applicable legislation | A.18.1.1 | Identification of applicable legislation and contractual requirements |
| A.15.1.2 | Intellectual property rights (IPR) | A.18.1.2 | Intellectual property rights |
| A.15.1.3 | Protection of organizational records | A.18.1.3 | Protection of records |
| A.15.1.4 | Data protection and privacy of personal information | A.18.1.4 | Privacy and protection of personally identifiable information |
| A.15.1.5 | Prevention of misuse of information processing facilities | xxx | |
| A.15.1.6 | Regulation of cryptographic controls | A.18.1.5 | Regulation of cryptographic controls |
| A.15.2 | Compliance with security policies and standards, and technical compliance. Objective: To ensure compliance of systems with organizational security policies and standards. | xxx | |
| A.15.2.1 | Compliance with security policies and standards | A.18.2.2 | Compliance with security policies and standards |
| A.15.2.2 | Technical compliance checking | A.18.2.3 | Technical compliance review |
| A.15.3 | Information systems audit considerations. Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process. | A.12.7 | Information systems audit considerations. Objective: To minimise the impact of audit activities on operational systems. |
| A.15.3.1 | Information systems audit controls | A.12.7.1 | Information systems audit controls |
| A.15.3.2 | Protection of information systems audit tools | xxx | |
| xxx | | A.6.1.5 | Information security in project management |
| xxx | | A.9.2.2 | User access provisioning |
| xxx | | A.9.2.4 | Management of secret authentication information of users |
| xxx | | A.9.3.1 | Use of secret authentication information |
| xxx | | A.12.4.1 | Event logging |
| xxx | | A.12.6.2 | Restrictions on software installation |
| xxx | | A.14.2.1 | Secure development policy |
| xxx | | A.14.2.5 | Secure system engineering principles |
| xxx | | A.14.2.6 | Secure development environment |
| xxx | | A.14.2.8 | System security testing |
| xxx | | A.16.1.4 | Assessment of and decision on information security events |
| xxx | | A.17.2 | Redundancies. Objective: To ensure availability of information processing facilities. |
| xxx | | A.17.2.1 | Availability of information processing facilities |
| xxx | | A.18.2 | Information security reviews. Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. |
| A.6.1.8 | Independent review of information security | A.18.2.1 | Independent review of information security |