
Changes from ISO 27001:2005 to ISO 27001:2013

The 2013 version of the ISO 27001 information security standard was published on 25 September 2013 by the International Organization for Standardization (ISO). The standard, abbreviated ISO 27001:2013, contains the specification for an information security management system (ISMS). It therefore cancels and replaces the previous version of the standard, ISO 27001:2005. In general, ISO 27001:2013 was developed to align more closely with other management system standards such as ISO 9001 and ISO 20000.

Differences between ISO 27001:2013 and ISO 27001:2005

The international standard ISO 27001:2013 presents 114 controls in 14 domain groups, compared with the previous standard, which consisted of 133 controls in 11 domain groups. The changes in the requirements of the 2013 revision reflect technological changes that have a major impact on business continuity today, for example the growth of cloud computing.

The arrangement of the security controls in Annex A has changed to:

  • A.5: Information security policies
  • A.6: Information security organisation
  • A.7: Human resources security
  • A.8: Asset management
  • A.9: Access controls and managing user access
  • A.10: Cryptographic technology
  • A.11: Physical security
  • A.12: Operational security
  • A.13: Secure communications and data transfer
  • A.14: Secure acquisition, development, and support of information systems
  • A.15: Security for suppliers and third parties
  • A.16: Incident management
  • A.17: Business continuity/disaster recovery
  • A.18: Compliance

Some of the new security controls added in ISO 27001:2013 include:

  • A.6.1.5 Information security in project management
  • A.12.6.2 Restrictions on software installation
  • A.14.2.1 Secure development policy
  • A.14.2.5 Secure system engineering principles
  • A.14.2.6 Secure development environment
  • A.14.2.8 System security testing
  • A.15.1.1 Information security policy for supplier relationships
  • A.15.1.3 Information and communication technology supply chain
  • A.16.1.4 Assessment of and decision on information security events
  • A.16.1.5 Response to information security incidents
  • A.17.2.1 Availability of information processing facilities

Structure of the ISO 27001:2013 standard

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system’s performance
10. Corrective action
Annex A: List of controls and their objectives.