
ISO 27001:2013 (Information security management)

Published jointly by the International Organization for Standardization and the International Electrotechnical Commission.

The new structure of ISO 27001:2013 compared with the 2005 version: Annex A now has 14 control domains (A.5 to A.18) with 114 controls, against 11 domains and 133 controls in the 2005 edition.

  • 5 Information security policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance
  • New controls:
    • 14.2.1 Secure development policy – rules for development of software and information systems
    • 14.2.5 Secure system engineering principles – principles for engineering secure systems
    • 14.2.6 Secure development environment – establishing and protecting the development environment
    • 14.2.8 System security testing – tests of security functionality
    • 16.1.4 Assessment of and decision on information security events – part of incident management
    • 17.2.1 Availability of information processing facilities – achieving redundancy
  • Controls removed (numbering of the 2005 version):
    • 6.2.2 Addressing security when dealing with customers
    • 10.4.2 Controls against mobile code
    • 10.7.3 Information handling procedures
    • 10.7.4 Security of system documentation
    • 10.8.5 Business information systems
    • 10.9.3 Publicly available information
    • 11.4.2 User authentication for external connections
    • 11.4.3 Equipment identification in networks
    • 11.4.4 Remote diagnostic and configuration port protection
    • 11.4.6 Network connection control
    • 11.4.7 Network routing control
    • 11.5.5 Session time-out
    • 11.5.6 Limitation of connection time
    • 11.6.2 Sensitive system isolation
    • 12.2.1 Input data validation
    • 12.2.2 Control of internal processing
    • 12.2.3 Message integrity
    • 12.2.4 Output data validation
    • 12.5.4 Information leakage
    • 14.1.2 Business continuity and risk assessment
    • 14.1.3 Developing and implementing business continuity plans
    • 14.1.4 Business continuity planning framework
    • 15.1.5 Prevention of misuse of information processing facilities
    • 15.3.2 Protection of information systems audit tools

Mandatory documents and records

Documents (the Annex A items below are required only when the corresponding control is marked applicable in the Statement of Applicability):

    • Scope of the ISMS (clause 4.3)
    • Information security policy and objectives (clauses 5.2 and 6.2)
    • Risk assessment and risk treatment methodology (clause 6.1.2)
    • Statement of Applicability (clause 6.1.3 d)
    • Risk treatment plan (clauses 6.1.3 e and 6.2)
    • Risk assessment report (clause 8.2)
    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    • Inventory of assets (clause A.8.1.1)
    • Acceptable use of assets (clause A.8.1.3)
    • Access control policy (clause A.9.1.1)
    • Operating procedures for IT management (clause A.12.1.1)
    • Secure system engineering principles (clause A.14.2.5)
    • Supplier security policy (clause A.15.1.1)
    • Incident management procedure (clause A.16.1.5)
    • Business continuity procedures (clause A.17.1.2)
    • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

Records:

    • Records of training, skills, experience and qualifications (clause 7.2)
    • Monitoring and measurement results (clause 9.1)
    • Internal audit program (clause 9.2)
    • Results of internal audits (clause 9.2)
    • Results of the management review (clause 9.3)
    • Results of corrective actions (clause 10.1)
    • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)