Evaluating the Effectiveness of the ISO 27001:2013 based on the Annex A
Bahareh Shojaie · Hannes Federrath · Iman Saberi University of Hamburg, Germany http://svs.informatik.uni-hamburg.de
9th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2014), University of Fribourg, Switzerland, Sep 11, 2014
Introduction
• ISMS (Information Security Management System)
• ISO/IEC 27001
ISO 27001 History
[Timeline figure, 1995 to 2013: BS 7799-1; BS 7799-2 (developed to support certification); ISO 17799:2000; BS 7799-2:2002 and ISO 27001:2005 (ISMS specification); ISO 17799:2005; ISO 27002:2007 (code of practice); ISO 27001:2013; ISO 27002:2013. Time-axis ticks: 1995–1998, 2000, 2005, 2007, 2013.]
ISO 27001:2013 Looks Different..
• Annex SL
• ISO 27000:2013
• Terms & Definitions
• 114 controls in 14 groups vs. 133 controls in 11 groups
• Annex A
Transition to ISO 27001:2013
• Minimal Changes
• Rethink
• Updating
Our 5 Categories of the Annex A controls
• Data
• Hardware
• Software
• People
• Network
Example Annex A controls:
• A.8.1.1: Inventory of assets
• A.8.3.1: Management of removable media
• A.9.2.5: Review of user access rights
• A.9.2.2: User access provisioning
• A.9.1.2: Access to network services
The assignment of the controls to our five categories can be found at https://svs.informatik.uni-hamburg.de/annexApaper/.
Our 5 Categories of the Annex A controls
[Bar chart: Number of Controls (x-axis 0–100) per category (Data, Hardware, Software, People, Network) for three series: 2013, 2005 and BS7799. Bar values as extracted, in chart order, with no recoverable series/category assignment: 30, 31, 61, 39, 92, 45, 56, 51, 56, 87, 42, 47, 43, 60, 91.]
Comparison between Inserted & Deleted Controls
[Bar chart: Number of Controls (x-axis 0–12) per category (Data, Hardware, Software, People, Network) for two series: Deleted Controls and Inserted Controls. Bar values as extracted, in chart order, with no recoverable series/category assignment: 1, 4, 6, 6, 8, 9, 8, 9, 6, 11.]
Conclusion
• May Require Improvement: People, Network
• Acceptable Security: Data, Hardware, Software
• Contact: [email protected]