
Overview of the Revision of ISO/IEC 27001 & 27002 and Latest Information


Annex SL (Normative) Proposals for management system standards – Appendix 2 (normative) High level structure, identical core text and common terms and core definitions for use in Management Systems Standards – 27001:2013 applies this high-level structure, common text and common term definitions.


Transcription of Overview of the Revision of ISO/IEC 27001 & 27002 and Latest Information

1 ISO/IEC27001&27002 / 2013 ISMS 3 Information Security Management System 27001/27002 (JSA) 27001 Family 27001 Vocabulary and Principle Supporting Guides Sector Specific Guidelines Economics and Governance Certification and Audit 27000 27002 27003 27004 27005 27009 27010-27011 27014-27015 27017-27019 27006 27007 27008 27014 27016 Certification of ISM Professionals (ISO/IEC 27021) 27001 Family- ISO/IEC 27002 (2013) Code of Practice for Information Security Controls ISO/IEC 27003 (2010) Information Security Management System- Implementation Guidance ISO/IEC 27004 (2009) Information Security Management System- Measurements ISO/IEC 27005 (2011) Information Security Risk Management 27001 27001 Family- ISO/IEC 27009 The Use and Application of ISO/IEC 27001 for Sector/Service-Specific third party accredited Certifications ISO/IEC 27010 (2012) Information Security Management for inter-sector and inter-organizational communications ISO/IEC 27011 (2008) Information Security Management for telecommunications ISO/IEC 27013 (2012) Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 27001 Family- (2) ISO/IEC 27015 (2012)

2 Information Security Management Guidelines for Financial Services ISO/IEC 27017 Code of Practice for Cloud Security Control based on ISO/IEC 27002 ISO/IEC 27018 Code of Practice for PII Protection in Public Cloud acting as PII Processors ISO/IEC 27019 (2013) Information Security Management Guidelines based on ISO/IEC 27002 for process control system specific to the Energy Utility Industry ISO/IEC 27018 SC27/WG5 27001 Family- ISO/IEC 27000 (2013) Information Security Management Systems Overview and Vocabulary ISO/IEC 27015 (2013) Governance of Information Security ISO/IEC 27016 (2013) Information Security Management Organizational Economics 27001 Family- ISO/IEC 27006 (2011) Requirements for Bodies providing Audit or Certification of Information Security Management Systems ISO/IEC 27007 (2011) Guidelines for Information Security Management Systems Auditing ISO/IEC 27008 (2011) Guidelines for Auditors on ISMS Controls 10 Accreditation)

3 Certification ISMS ISO/IEC 17011 JIS Q 17011 Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies ISO/IEC 27006 JIS Q 27006 ISMS Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems ISO/IEC 27001(JIS Q 27001) Information technology-Security techniques-Information security management systems- Requirements Information Security Management System 27001/27002 (JSA) ISO/IEC 27000 (11 2013 27001 ISO/IEC 27001 (10 1 2013 ISO/IEC 27002 (10 1 2013 27001 Family 2013 Information technology-Security techniques-Information security management systems-Overview and vocabulary JIS JIS Q27000 Future version development of ISO/IEC 27000 27001 Family ISO/IEC 27000 ISO/IEC 27001 ISO/IEC 27001, 27002 SC27meeting WG1 WG5 of SC27 50+ 150+ Editing meeting (Resolutions Text 2012 2013 5 10 4 10 Sophia Antipolis, France Incheon

4 Korea Stockholm, Sweden Rome, Italy 27001,27002 10 1 27001,27002 FDIS 27001,27002 DIS 27001CD3 27002CD1 14 2008 27001/27002 (JSA) 15 ISMS 2005 ISO/IEC 27001:2013 1. Scope 2. 2005 (1) (2) 27001 27001/27002 (JSA) 1. Scope 2005 This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

5 ISMS 27001:2005 establishing, implementing, operating, monitoring, reviewing, maintain and improving 1. ISO/IEC 27001:2013 Scope : - 2005 - 16 27001/27002 (JSA) ISO MSS ISO 9001:2008 ISO 14001:2004 ISO/IEC 27001:2005 IT ISO/IEC 20000-1 ISO 22301:2012 2. 2005 (1) 17 27001/27002 (JSA) ISO/IEC Directives, Part 1, Consolidated ISO Supplement Procedures specific to ISO, Third edition, 2012 annex SL ( normative ) Proposals for management system standards Appendix 2 ( normative ) High level structure, identical core text and common terms and core definitions for use in Management Systems Standards 27001.

6 2013 18 (1) 27001/27002 (JSA) ISMS 19 ISO/IEC 27001 0 1 2 3 4 5 6 7 8 9 10 A ISO/IEC 27001:2005 0 1 2 3 4 5 6 ISMS 7 ISMS 8 ISMS A (1) 27001/27002 (JSA) MSS XXX 4. ISMS a) b) c) ISMS XXX 20 27001/27002 (JSA) ISO/IEC27000 family of standards 21 annex SL ISO Guide73, ISO31000 27000 ISO/IEC27000 (1) 27001/27002 (JSA)

7 ISO ISMS, QMS, EMS organization risk objective policy top management process outsource measurement audit corrective action 22 Terms related to plan risk organization policy top management Concept diagram (1) 27001/27002 (JSA) ISO 31000 ISMS 2005 23 (2) 27001/27002 (JSA) 24 ISO/IEC27001 SC 27/WG 1 Japan, 2013 SC27/WG1 Resolutions 2013 10 Resolution 14:Document for Publication ISO/IEC JTC1/SC27/WG1 instructs the SC27 Secretariat to take the necessary action to publish the revised Text of WG1 SD3 Mapping Old --to-New Editions of ISO/IEC 27001 and ISO/IEC 27002 contained within SC27 N13143 as a freely available document on the SC 27 and other appropriate websites.

8 1. WG1 SD3 was published on 25th October, 2013, and this document is also freely accessible from the public SC 27 web site at: 25 WG1 SD3 27001/27002 (JSA) WG1/SD3 4. (Context of the organization) ISO/IEC 27001:2013 ISO/IEC 27001:2005 the organization and its context Preventive action a) Understanding the needs and expectations of interested parties New requirement b) Understanding the needs and expectations of interested parties c) Provision of resources c) 4) Review output c) 5) Review output Determining the scope of the information security management system a) Establish the ISMS a) Determining the scope of the information security management system a) Establish the ISMS f) Monitor and review the ISMS b) Determining the scope of the information security management system f) Monitor and review the ISMS c)

9 Determining the scope of the information security management system New requirement Determining the scope of the information security management system Last sentence b) General f) Control of documents Information security management system General requirements a) Provision of resources 26 27001/27002 (JSA) PDCA MSS SL MSS(Management System Standard)_ Plan-Do-Check-Act (managing) 2006 0 PDCA 27 MSS PDCA 27001 0.

10 27001/27002 (JSA) ISMS ISMS a) b) 1) 2) ISO/IEC 27001:2013 0. ISMS 28 ISO/IEC 27001:2013 ISMS ISMS 0. 27001/27002 (JSA) ISMS ISO31000 4. (Context of the organization) -1 29 ( ) ISMS ISMS 2005 PDCA ISMS ( a) 27001/27002 (JSA) c) 2005 MSS ISMS c)

