
Page 1

Evaluating the Effectiveness of the ISO 27001:2013 based on the Annex A

Bahareh Shojaie · Hannes Federrath · Iman Saberi
University of Hamburg, Germany, http://svs.informatik.uni-hamburg.de

9th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2014), University of Fribourg, Switzerland, Sep 11, 2014

Page 2

Introduction

•  ISMS (Information Security Management System)

•  ISO/IEC 27001

Page 3

ISO 27001 History

[Timeline figure; axis: 1995 – 1998, 2000, 2005, 2007, 2013]

•  ISMS specification track: BS 7799-2 (developed to support certification) → BS 7799-2:2002 → ISO 27001:2005 → ISO 27001:2013

•  Code of practice track: BS 7799-1 → ISO 17799:2000 → ISO 17799:2005 → ISO 27002:2007 → ISO 27002:2013

Page 4

ISO 27001:2013 Looks Different

•  Annex SL

•  ISO 27000:2013

•  Terms & Definitions

•  114 controls in 14 groups vs. 133 controls in 11 groups

•  Annex A

Page 5

Transition to ISO 27001:2013

•  Minimal Changes

•  Rethink

•  Updating

Page 6

Our 5 Categories of the Annex A controls

•  Data

•  Hardware

•  Software

•  People

•  Network

Examples of Annex A controls:

•  A.8.1.1: Inventory of assets

•  A.8.3.1: Management of removable media

•  A.9.2.5: Review of user access rights

•  A.9.2.2: User access provisioning

•  A.9.1.2: Access to network services

The assignment of the controls to our five categories can be found at https://svs.informatik.uni-hamburg.de/annexApaper/.

Page 7

Our 5 Categories of the Annex A controls

[Bar chart: number of controls in each category (Data, Hardware, Software, People, Network) for BS7799, ISO 27001:2005 and ISO 27001:2013; x-axis "Number of Controls", 0–100. Bar values in extraction order: 30, 31, 61, 39, 92, 45, 56, 51, 56, 87, 42, 47, 43, 60, 91.]

Page 8

Comparison between Inserted & Deleted Controls

[Bar chart: deleted controls vs. inserted controls per category (Data, Hardware, Software, People, Network); x-axis "Number of Controls", 0–12. Bar values in extraction order: 1, 4, 6, 6, 8, 9, 8, 9, 6, 11.]

Page 9

Conclusion

May Require Improvement:

•  People

•  Network

Acceptable Security:

•  Data

•  Hardware

•  Software

Contact: [email protected]