SLIDE 1
1 1
2 2
Introduction
- ISMS (Information Security Management System)
- ISO/IEC 27001
Evaluating the Effectiveness of the ISO 27001:2013 based on the - - PowerPoint PPT Presentation
Evaluating the Effectiveness of the ISO 27001:2013 based on the - - PowerPoint PPT Presentation
Evaluating the Effectiveness of the ISO 27001:2013 based on the Annex A Bahareh Shojaie Hannes Federrath Iman Saberi University of Hamburg, Germany http://svs.informatik.uni-hamburg.de 9th International Workshop on Frontiers in
SLIDE 2
SLIDE 3
3 3
ISO 27001 History
BS 7799-1 BS 7799-2
Developed to support certification
ISO 17799:2000 ISO17799:2005
ISMS specification
ISO 27001:2005 BS 7799-2:2002 1995 – 1998 2000 2005 2007 2013 ISO27002:2007
Code of practice
ISO27002:2013 ISO27001:2013
t
SLIDE 4
4 4
ISO 27001:2013 Looks Different..
- Annex SL
- ISO 27000:2013
- Terms & Definitions
- 114 controls in 14 groups vs. 133 controls in 11 groups
- Annex A
SLIDE 5
5 5
Transition to ISO 27001:2013
- Minimal Changes
- Rethink
- Updating
SLIDE 6
6 6
Our 5 Categories of the Annex A controls
- Data
- Hardware
- Software
- People
- Network
e.g. A.8.1.1: Inventory of assets e.g. A.8.3.1: Management of removable media e.g. A.9.2.5: Review of user access rights e.g. A.9.2.2: User access provisioning e.g. A.9.1.2: Access to networks services
The assignment of the controls to our five categories can be found at https://svs.informatik.uni-hamburg.de/annexApaper/.
SLIDE 7
7 7
Our 5 Categories of the Annex A controls
- Data
- Hardware
- Software
- People
- Network
30 31 61 39 92 45 56 51 56 87 42 47 43 60 91
20 40 60 80 100 Number of Controls 2013 2005 BS7799
SLIDE 8
8 8
Comparison between Inserted & Deleted Controls
- Data
- Hardware
- Software
- People
- Network
1 4 6 6 8 9 8 9 6 11 2 4 6 8 10 12 Number of Controls
Deleted Controls Inserted Controls
SLIDE 9
9 9
Conclusion
- Contact: shojaie@informatik.uni-hamburg.de
May Require Improvement Acceptable Security
- People
- Network
- Data
- Hardware
- Software