Evaluating the Effectiveness of the ISO 27001:2013 based on the Annex A
Bahareh Shojaie · Hannes Federrath · Iman Saberi, University of Hamburg, Germany, http://svs.informatik.uni-hamburg.de
9th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2014), University of Fribourg, Switzerland, Sep 11, 2014
Introduction
• ISMS (Information Security Management System)
• ISO/IEC 27001, the international standard that specifies the requirements for an ISMS
ISO 27001 History
Timeline of the standards leading to ISO 27001:2013 (reconstructed from the slide's figure):
• 1995–1998: BS 7799-1 (code of practice) and BS 7799-2, the latter developed to support certification
• 2000: ISO 17799:2000 (international adoption of BS 7799-1)
• 2002: BS 7799-2:2002
• 2005: ISO 17799:2005 and ISO 27001:2005, the ISMS specification that replaced BS 7799-2:2002
• 2007: ISO 27002:2007, the code of practice (ISO 17799:2005 renumbered into the 27000 series)
• 2013: ISO 27001:2013 and ISO 27002:2013
ISO 27001:2013 Looks Different
• Annex SL: the common high-level structure now shared by ISO management system standards
• ISO 27000:2013: terms and definitions are referenced from ISO/IEC 27000 rather than defined in 27001 itself
• 114 controls in 14 groups (2013 edition) vs. 133 controls in 11 groups (2005 edition)
• Annex A: the control set is reorganised accordingly
Transition to ISO 27001:2013
• Minimal changes
• Rethink
• Update
Our 5 Categories of the Annex A controls
• Data
• Hardware
• Software
• People
• Network
Examples of Annex A controls assigned to these categories:
• A.8.1.1: Inventory of assets
• A.8.3.1: Management of removable media
• A.9.2.5: Review of user access rights
• A.9.2.2: User access provisioning
• A.9.1.2: Access to networks and network services
The full assignment of the controls to our five categories can be found at https://svs.informatik.uni-hamburg.de/annexApaper/.
Our 5 Categories of the Annex A controls
[Bar chart: "Number of Controls" (x-axis, 0 to 100) per category (Data, Hardware, Software, People, Network) for three standard versions: 2013, 2005 and BS7799. The bar values extracted from the figure, in the order they appear, are 30, 31, 61, 39, 92, 45, 56, 51, 56, 87, 42, 47, 43, 60, 91; the mapping of each value to a category and standard version is not recoverable from the extracted text.]
Comparison between Inserted & Deleted Controls
[Bar chart: "Number of Controls" (x-axis, 0 to 12) per category (Data, Hardware, Software, People, Network) for two series, Deleted Controls and Inserted Controls, comparing ISO 27001:2005 with ISO 27001:2013. The bar values extracted from the figure, in the order they appear, are 1, 4, 6, 6, 8, 9, 8, 9, 6, 11; the mapping of each value to a category and series is not recoverable from the extracted text.]
Conclusion
The five categories are split into two groups, "May Require Improvement" and "Acceptable Security":
• People, Network
• Data, Hardware, Software
[The pairing of each group with its label is not recoverable from the extracted slide text.]
• Contact: [email protected]