Evaluating the Effectiveness of the ISO 27001:2013 based on the Annex A
Bahareh Shojaie · Hannes Federrath · Iman Saberi
University of Hamburg, Germany
http://svs.informatik.uni-hamburg.de
9th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2014), University of Fribourg, Switzerland, Sep 11, 2014
Introduction
• ISMS (Information Security Management System)
• ISO/IEC 27001
ISO 27001 History
Code of practice: BS 7799-1 (1995 – 1998) → ISO 17799:2000 → ISO 17799:2005 → ISO 27002:2007 → ISO 27002:2013
ISMS specification: BS 7799-2 (1995 – 1998; developed to support certification) → BS 7799-2:2002 → ISO 27001:2005 → ISO 27001:2013
Timeline (t): 1995 – 1998, 2000, 2005, 2007, 2013
ISO 27001:2013 Looks Different...
• Annex SL
• ISO 27000:2013
• Terms & Definitions
• 114 controls in 14 groups vs. 133 controls in 11 groups
• Annex A
Transition to ISO 27001:2013
• Minimal Changes
• Rethink
• Updating
Our 5 Categories of the Annex A controls
• Data, e.g. A.8.1.1: Inventory of assets
• Hardware, e.g. A.8.3.1: Management of removable media
• Software, e.g. A.9.2.5: Review of user access rights
• People, e.g. A.9.2.2: User access provisioning
• Network, e.g. A.9.1.2: Access to network services
The assignment of the controls to our five categories can be found at https://svs.informatik.uni-hamburg.de/annexApaper/.
Our 5 Categories of the Annex A controls
[Bar chart: number of controls per category, three bars per category for the series 2013, 2005 and BS7799; x-axis "Number of Controls" (0 – 100). Values as extracted, in the order they appear per category:]
• Data: 91, 87, 92
• Hardware: 60, 56, 39
• Software: 43, 51, 61
• People: 47, 56, 31
• Network: 42, 45, 30
Comparison between Inserted & Deleted Controls
[Bar chart: two bars per category for the series "Deleted Controls" and "Inserted Controls"; x-axis "Number of Controls" (0 – 12). Values as extracted, in the order they appear per category:]
• Data: 11, 8
• Hardware: 6, 6
• Software: 9, 6
• People: 8, 4
• Network: 9, 1
Conclusion
May Require Improvement
• People
• Network
Acceptable Security
• Data
• Hardware
• Software
Contact: shojaie@informatik.uni-hamburg.de