David Nguyen
ISO IEC 27002:2013



The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.







This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002:2013, and provides additional controls to address cloud-specific information security threats and risks as detailed in clauses 5-18 in ISO/IEC 27002:2013 for controls, implementation guidance, and other information. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002:2013, and it also features seven new controls that aren't duplicated in ISO/IEC 27002:2013. These new controls address the following important areas:


With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.


ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).


Data security is a critical issue in an organization; a proper information security management (ISM) is an ongoing process that seeks to build and maintain programs, policies, and controls for protecting information. A hospital is one of the most complex organizations, where patient information has not only legal and economic implications but, more importantly, an impact on the patient's health. Imaging studies include medical images, patient identification data, and proprietary information of the study; these data are contained in the storage device of a PACS. This system must preserve the confidentiality, integrity, and availability of patient information. There are techniques such as firewalls, encryption, and data encapsulation that contribute to the protection of information. In addition, the Digital Imaging and Communications in Medicine (DICOM) standard and the requirements of the Health Insurance Portability and Accountability Act (HIPAA) regulations are also used to protect the patient clinical data. However, these techniques are not systematically applied to the picture and archiving and communication system (PACS) in most cases and are not sufficient to ensure the integrity of the images and associated data during transmission. The ISO/IEC 27001:2013 standard has been developed to improve the ISM. Currently, health institutions lack effective ISM processes that enable reliable interorganizational activities. In this paper, we present a business model that accomplishes the controls of ISO/IEC 27002:2013 standard and criteria of security and privacy from DICOM and HIPAA to improve the ISM of a large-scale PACS. The methodology associated with the model can monitor the flow of data in a PACS, facilitating the detection of unauthorized access to images and other abnormal activities.


ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;

  • implement commonly accepted information security controls;

  • develop their own information security management guidelines.


Jacksonville, FL, April 7, 2022 - Emtec, Inc., a global IT consultancy, is pleased to announce the successful renewal of its ISO/IEC 27001:2013 and ISO/IEC 27002:2013 designations following an extensive independent audit by IRCLASS Systems and Solutions. The audits validate that Emtec has complied with all applicable requirements within these frameworks for the effective management of information systems, data assets, and information security operations and controls.


According to the International Organization for Standardization (ISO), ISO/IEC 27001:2013 and ISO/IEC 27002:2013 provide organizations with internationally recognized requirements and guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), as well as standards and best practices for information security management, including the selection, implementation, and management of controls. The standards enable organizations to effectively manage the security of systems and data assets such as financial information, intellectual property, employee details, or information entrusted by third parties.


A re-think of the structure and controls has led to some controls being merged, some deleted, and several new controls being introduced. A handy Annex B has been added to the revised standard to provide a correspondence table between the controls in 27002:2013 and the revised 27002:2022.


In the meantime, you may want to review your existing 27002:2013 based controls and undertake a gap analysis using Annex B to the revised 2022 standard and start revision of your own Information Security Management System ahead of the deadline for transition.


For this first comparison, we took the "control type" attribute provided along with each of the controls in ISO/IEC 27002:2022 and ran a comparison against the equivalent attribute in our archives from ISO/IEC 27002:2013.


As already mentioned, ISO/IEC 27002 specifies the requirements for the measures listed in Annex A of ISO/IEC 27001 for higher information security. It is therefore often additionally used as a kind of guide when setting up an ISMS. But with the publication of the new ISO/IEC 27002:2022, there is no reason for companies that have already implemented and certified an ISMS to rush or panic. This is because the current ISO/IEC 27001:2013 continues to form the standard for certification. In the catalog of measures in Annex A, it refers to the previous version of ISO 27002:2013.


In essence, the most important update is a complete reorganization of the controls' main categories. A brief overview: the ISO/IEC 27002:2013 standard contains 14 security control clauses and 35 subcategories with 114 controls. The 2022 version contains 4 main clauses with 93 controls. Essentially, the 2013 version organizes the controls by operational function, whereas the 2022 version is based on PPT (people, process and technology).





In the newly published standard, we can see that the requirements of ISO/IEC 27002:2013 are still valid in this new version, and what has been improved is its focus, since it now meets the strategic needs that organizations currently have regarding the interaction between cybersecurity, information security, and data protection.


Every five years, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) review standards to confirm they are up to date. In February 2022, they reviewed and revised ISO/IEC 27002:2013 and released its successor, ISO/IEC 27002:2022.

