Kick-off ISMS working group
NEN, agreements for a better world
About NEN
The Netherlands Standardization Institute (NEN) connects national and international stakeholders, helps them reach broadly supported agreements, and guides the implementation of those agreements.
‘NEN, agreements for a better world’
About standardization
Standardization is a strategic instrument for reaching broadly supported agreements that enable innovation, sustainability, safety, efficiency and international trade.
‘The world on one line’
Programme
11.00 Welcome
11.10 Revision of ISO/IEC 27002
Beer Franken
11.40 Consequences of the renewal of ISO/IEC 27002
Xxxxx Xxxxxxx
11.55 Questions/Discussion
12.05 Interaction & sneak preview
Xxx Xxxxxxxxxx & Xxxxx Xxxxxxxxx
12.20 Closing
Beer Franken
Independent adviser for data protection and information security
xxxx.xxxxxxx@xxxxxx.xx — 06 5534 7977
• Five years independent, before that 8½ years CISO and DPO (FG) at AMC; also worked at/for VWS, EZK, BZK, VUmc, ZonMw, Brocacef, Wolters Kluwer and others
• Member of three to five standards committees (information security, ISMS, privacy, cloud, information provision in healthcare)
• Involved in the development/revision of NEN 7510, 7512, 7513, 7524, NTA 7516 and more
• Co-author of the NEN 7510 practice guide (incl. 7512 and 7513)
• Examiner for the Certified Data Protection Officer training programme
and more
For every norm/standard it must be decided every five years whether to:
• withdraw it
• continue it unchanged
• continue it with amendments (in other words, revise it)
The current 27002 dates from 2013, and in 2018 it was decided to revise it. Apart from technical developments, the objection was that the current 27002 was used too much as a checklist and did too little to invite its users to think for themselves.
• This document is designed to be used by organizations … or developing their own information security management guidelines.
• The organization can use attributes to create different views which are different categorizations of controls as seen from a different perspective to the themes.
Control types: #Preventive #Detective #Corrective
Information security properties: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Detect #Respond #Recover
Operational capabilities: #Governance #Asset management #Information protection #Human resource security #Physical security #System and network security #Application security #Secure configuration #Identity and access management #Threat and vulnerability management #Continuity #Supplier relationships security #Legal and compliance #Information security event management #Security assurance
Control | Short name of the control |
Attributes | A table with the value(s) of each attribute |
Control | Description of the control |
Purpose | Text explaining the purpose of the control |
Guidance | Implementation guidance for the control |
Other information | Explanatory text/references to related docs |
Example
Operational capabilities come closest to the former chapters 5-18. Four themes now remain:
Theme | Criterion | Clause |
People | if they concern individual people | clause 6 |
Physical | if they concern physical objects | clause 7 |
Technological | if they concern technology | clause 8 |
Organizational | otherwise | clause 5 |
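As an added illustration (not code from the presentation or from NEN), the attributes listed above turned into a small control catalogue that can be regrouped into different views, which is what the "different views" sentence quoted above describes. The control numbers and names come from the draft table of contents; the attribute values assigned to them are made-up placeholders, not the official ones.

```python
# Added example (not from the presentation or NEN): attribute-based views
# over ISO/IEC 27002 controls. Attribute values below are illustrative.
from collections import defaultdict

THEMES = {5: "Organizational", 6: "People", 7: "Physical", 8: "Technological"}
ATTRIBUTES = {  # the attributes and their permitted values, as on the slide
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "security_property": {"#Confidentiality", "#Integrity", "#Availability"},
    "cybersecurity_concept": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
}


def make_control(number, name, **attrs):
    """Return a control record; the theme follows from the clause number
    (5-8) and attribute values are checked against ATTRIBUTES."""
    record = {"number": number, "name": name,
              "theme": THEMES[int(number.split(".")[0])]}
    for attr, values in attrs.items():
        unknown = set(values) - ATTRIBUTES[attr]
        if unknown:
            raise ValueError(f"{number}: unknown {attr} value(s) {sorted(unknown)}")
        record[attr] = frozenset(values)
    return record


# Constructed sample catalogue: numbers and names are from the draft table of
# contents above; the attribute values are illustrative, not the official ones.
CATALOGUE = [
    make_control("5.7", "Threat intelligence",
                 control_type={"#Preventive", "#Detective", "#Corrective"},
                 cybersecurity_concept={"#Identify", "#Detect", "#Respond"}),
    make_control("6.3", "Information security awareness, education and training",
                 control_type={"#Preventive"}, cybersecurity_concept={"#Protect"}),
    make_control("7.4", "Physical security monitoring",
                 control_type={"#Preventive", "#Detective"},
                 cybersecurity_concept={"#Protect", "#Detect"}),
    make_control("8.14", "Information backup", control_type={"#Corrective"},
                 security_property={"#Integrity", "#Availability"},
                 cybersecurity_concept={"#Recover"}),
    make_control("8.16", "Logging", control_type={"#Detective"},
                 cybersecurity_concept={"#Detect"}),
]


def view(controls, attribute):
    """Regroup the same controls under the values of one attribute; a control
    with several values appears under each. attribute="theme" gives the
    default clause 5-8 view, "cybersecurity_concept" the NIST CSF-style view."""
    grouped = defaultdict(list)
    for c in controls:
        values = c.get(attribute, ())
        for value in ([values] if isinstance(values, str) else values):
            grouped[value].append(c["number"])
    return {v: grouped[v] for v in sorted(grouped)}
```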
0 Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
4 Structure of this document
5 Organizational controls
6 People controls
7 Physical controls
8 Technological controls
A Using attributes
B Correspondence with 27002:2013
5.1 Policies for information security
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat Intelligence
5.8 Information security in project management
5.9 Inventory of information and associated assets
5.10 Use of information and associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Information transfer
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incidents responsibilities and procedures
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Identification of legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Protection of records
5.34 Privacy and protection of personally identifiable information
5.35 Independent review of information security
5.36 Compliance with information security policies and standards
5.37 Documented operating procedures
6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote working
6.8 Information security event reporting
7.1 Physical security perimeter
7.2 Physical entry controls
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protecting against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.10 Storage media
7.11 Supporting utilities
7.12 Cabling security
7.13 Equipment maintenance
7.14 Secure disposal or re-use of equipment
Clause 8 Technological controls
8.1 Endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access control to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Malware protection
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Information protection using digital rights technologies
8.14 Information backup
8.15 Redundancy of information processing facilities
8.16 Logging
8.17 Monitoring activities
8.18 Clock synchronization
8.19 Use of privileged utility programs
8.20 Installation of software on operational systems
8.21 Vulnerability disclosure and handling in delivering ICT products and services
8.22 Network controls
8.23 Security of network services
8.24 Web filtering
8.25 Segregation in networks
8.26 Use of cryptography
8.27 Secure development lifecycle
8.28 Application security requirements
8.29 Secure system architecture and engineering principles
8.30 Secure coding
8.31 Security testing in development and acceptance
8.32 Outsourced development
8.33 Separation of development, test and production environments
8.34 Change management
8.35 Protection of test information
8.36 Protection of information systems during audit and testing
A few numbers and what is new
27002:2013 has 110 controls,
27002:2021(?) has 96
In 24 cases controls have been merged, up to 4 controls at a time
Annex B contains a mapping between the two versions in both directions.
In 13 cases there is a new control →
5.7 Threat Intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Information protection using digital rights technologies
8.17 Monitoring activities
8.21 Vulnerability disclosure and handling in delivering ICT products and services
8.24 Web filtering
8.30 Secure coding
Questions?
Or contact me afterwards:
Beer Franken xxxx.xxxxxxx@xxxxxx.xx 06 5534 7977
ISO/IEC 27002
Xxxxx Xxxxxxx | TNO | 29 January 2020
• Historical perspective
• Consequences of the new structure of ISO/IEC 27002
– for organisations (that already use ISO/IEC 27002?)
– for standardisation
• How does the new structure relate to other standards?
History of ISO/IEC 27002 (timeline figure; the text below keeps what the slide showed):
BS 7799:1995 - UK Department of Trade and Industry, Code of practice for information security management
BS 7799-1:1999 - Code of Practice
ISO/IEC 17799:2000 - Code of Practice
ISO/IEC 17799:2005
ISO/IEC 27002:2007
ISO/IEC 27002:2013
ISO/IEC 2nd CD 27002:202x
Time axis: 1995, 1999, 2003, … The figure labels the transitions as "changes" (once) and "new structure" (four times).
• Depending on how ISO/IEC 27002:2013 is used …
– Is the structure of 27002 also the structure of the security policy?
– Do the (numbered) controls from 27002 correspond one-to-one to the organisation's own controls?
Figure: policy hierarchy (Policy → Standards → Guidelines & Procedures) using the 27002:2013 numbering: Information Security Policy; 8. Asset management; 11. Physical and environmental security; 11.2.9 Clear desk and clear screen policy; 8.3 Media handling.
Consequenties van vernieuwing ISO/IEC 27002 7
ISO/IEC 27001:2013(E) (Dutch edition: NEN-ISO/IEC 27001:2013)
9 Performance evaluation
…
9.3 Management review
Top management shall review the organization’s information security management system at planned
intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
…
f) opportunities for continual improvement.
10 Improvement
…
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information
security management system.
• Occasion / opportunity for improvement!
• Occasion / opportunity for improvement!
• Opportunity for new controls
– modern & highly relevant controls!
New controls in ISO/IEC 27002:202x
5.7 Threat Intelligence
5.23 Information security for use of cloud services
5.30 ICT readiness for business continuity
7.4 Physical security monitoring
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Information protection using digital rights technologies
8.17 Monitoring activities
8.21 Vulnerability disclosure and handling in delivering ICT products and services
8.24 Web filtering
8.30 Secure coding
Consequences for standardisation
• Many standards are based on ISO/IEC 27002 and …
must be adapted
– Annex A of ISO/IEC 27001
– ISO/IEC 27701 - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
– ISO/IEC TR 27023:2015 - Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002
– … standards that refer to specific controls from ISO/IEC 27002
Sector-specific guidelines based on ISO/IEC 27002
• ISO/IEC 27010 - Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011 - Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations
• ISO/IEC 27017 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• ISO/IEC 27019 - Information security controls for the energy utility industry
• ISO 27799 - Information security management in health using ISO/IEC 27002
• Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework)
ISO/IEC 27002:202x attribute: Cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover)
xxxxx://xxx.xxxx.xxx/xxxxxxxxxxxxxx
• Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53)
– 465 pages
• Industrial communication networks - IT security for networks and systems (OT / ICS domain controls)
• IEC 62443-2-1:2010
• IEC 62443-3-3:2013
Foundational requirements (FR): FR 1 Identification and authentication control; FR 2 Use control; FR 4 Data confidentiality; FR 5 Restricted data flow; FR 6 Timely response to events; FR 7 Resource availability
System requirements (SR), shown here for FR 5: SR 5.1 Network segmentation; SR 5.2 Zone boundary protection; SR 5.3 General purpose person-to-person communication restrictions; SR 5.4 Application partitioning
• Summary
• Structural change of ISO/IEC 27002 is nothing new; it has happened with every generation
• See it as an opportunity to
– revisit security management ⇒ select controls on a risk basis
– introduce new controls
Use the new #attributes for this
• Other "standards" are changing too
– NIST Cybersecurity Framework Version 1.1
– NIST Special Publication 800-53 revision 5
– CIS Controls V7
– IEC 62443-2-1:2010
– IEC 62443-3-3:2013 …
Developments within standardisation
Xxx Xxxxxxxxxx
• Perspective
• Themes within NEN Cybersecurity
• Publications, new projects and activities
• ISMS working group programme
• Progress & translation of ISO 27002
Themes
CEN-CLC/JTC 13 Cybersecurity and data protection
ISO-IEC/JTC 1/SC 27 Information security, cybersecurity and privacy protection
NEN Normcommissie 381 027 Information security, cybersecurity and privacy
…
Working areas: Secure Mail outside Healthcare (Veilige Mail buiten de Zorg); Cryptography and security mechanisms; Security evaluation, testing and specification; Security controls and services; Privacy & data protection; Information Security Management System
ISO standards published in 2020 (figure; the slide grouped the numbers under the themes ISMS, Security controls, Privacy & data protection, Security evaluation and Cryptography): 27006, 27007, 27009, 27014, 27050, 20547-4, 27035-3, NCS 27701, 29184, 19989-1, 19989-2, 19989-3, 20897-1, 20085-2, 13888-1, 13888-3, 18032, 19772, 9797-3, 18033-4, 11770-5, 27561, 27031, 5188
Titles shown on the slide: Privacy guidelines for fintech services; Privacy operationalization model and method for engineering (POMME); Guidelines for network virtualization security (NVS)
Projects started in 2020: ISO 5189, ISO 20009-3 (ed2), ISO 4983, ISO 23532-1, ISO 23532-2, ISO 4922-2, ISO 18033-7, ISO 4922-1, ISO 4924-2, ISO 20008-3, ISO 14888-4, ISO 27560, ISO 27558
ISMS publications and activities: 27000, 27001, 27002, 27003, 27004, 27005, 27006, 27007, 27008, 27009, 27010, 27011, 27013, 27014, 27016, 27017, 27019, 27021, 27022, 27023, 27100 & 27101
ISO 27002 Information security controls
ISO-IEC/JTC 1/SC 27 Information security, cybersecurity and privacy protection
NEN Normcommissie 381 027 Information security, cybersecurity and privacy
DIS VOTE
Start date: 2021-02-02
Closing date: 2021-03-28
Translation of ISO 27002
Figure: ISO 27002 Information security controls → ISO 27002 translation, produced by SPICE, a project team and a translation agency under NEN Normcommissie 381 027 Information security, cybersecurity and privacy
Xxx Xxxxxxxxxx
ICT Standardisation department
NEN Normcommissie 381 027
Information security, cybersecurity and privacy