SlideShare ist ein Scribd-Unternehmen logo

27001 2013 iso geek

Als PPT, PDF herunterladen
O
officialmanager

27001 transition

Internet
1 von 24
LOGO Transition to ISO/IEC 27001:2013 Varinder Kumar Principal Consultant CEHv5, ITIL V3, LA27001, LA9001, CISA, MEPTM
Questions What has changed? What you need to know? Transition timeline? Any other questions?
What has changed?
Structural change Context of the Organization Leadership Planning OperationImprovement Performance Evaluation Support ISO/IEC 27001:2013 Management Responsibility Management Review Establish ISMS Implement ISMS Improve ISMS Monitor ISMS Doc. Req. Internal Audit ISMS Improve ISO/IEC 27001:2005 Mgmt. Review Structure simplified
Highlights of Changes • Structure change is part of harmonization effort from ISO • Annex SL – 10 Mandatory Clauses introduced – no exclusions from Cl 4 to 10 • Better alignment with business objectives • More emphasis on: – Risk management – Planning – Measurement – Communication • The word “documented procedure” is replaced with “documented information” in the body of the standard (4- 10)
Summary of Changes ISO/IEC 27001:2005 •132 “shall” statements (section 4-8) •Annexure A – 11 clauses – 39 categories – 133 controls ISO/IEC 27001:2013 •125 “shall” statements (section 4-10) •Annexure A – 14 clauses – 35 categories – 114 controls Number of requirements reduced
What you need to know?
4.0 Context of the organization 4.3 Determine scope of the ISMS • Internal and external issues • Requirements of interested parties • Interface between organizations 4.4 ISMS 4.1 Understanding the organization and its context • Determine external and internal issues to its purpose and relevant to ISMS • May refer to ISO 31000 Business risks, opportunities 4.2 Understanding the need and expectation of interested parties • Interested parties relevant to ISMS • Requirements relevant to ISMS • Regulatory requirements Interested parties - Customers, Shareholders, Regulatory agencies, Social groups, employees ISMS requirements
Grouping of controls # Clauses A.5 Information security policies A.6 Organization of information security A.7 Human resource security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
New and changed controls A.6 Organization of information security A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. A.6.1.5 Information security in project management Control Information security shall be addressed in project management, regardless of the type of the project. A.6.2 Mobile device and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy Control A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. New Objective expanded Changed Old control A.11.7.1
New and changed controls A.9 Access control A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration Control A formal user registration and de-registration process shall be implemented to enable assignment of access rights. A.9.2.2 User access provisioning Control A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. A.9.2.6 Removal or adjustment of access rights Control The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Changed Old control A.11.2.1 New Changed Old control A. 8.3.3
New and changed controls A.12 Operations security A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems Control Procedures shall be implemented to control the installation of software on operational systems. A.12.6 Technical vulnerability management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.2 Restrictions on software installation Control Rules governing the installation of software by users shall be established and implemented. New New New
New and changed controls A.14 System acquisition, development and maintenance A.14.1 Security requirements of information system Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. A.14.1.2 Securing application services on public networks Control Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. A.14.1.3 Protecting application services transactions Control Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Objective expanded Changed Old control A.10.9.1 Changed Old control A.10.9.2
New and changed controls A.14 System acquisition, development and maintenance A.14.2 Security in development and support process Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy Control Rules for the development of software and systems shall be established and applied to developments within the organization. A.14.2.5 Secure system engineering principles Control Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. A.14.2.6 Secure development environment Control Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. New New New Objective expanded
New and changed controls A.14 System acquisition, development and maintenance A.14.2.8 System security testing Control Testing of security functionality shall be carried out during development. A.14.2.9 System acceptance testing Control Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. New Changed Old control A.10.3.2
16 New and changed controls A.15 Supplier relationship A.15.1 Information security in supplier relationship Objective: To ensure protection of the organization’s assets that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships Control Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. A.15.1.3 Information and communication Technology supply chain Control Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. New New New
New and changed controls A.16 Information security incident management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.4 Assessment of and decision on information security events Control Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.5 Response to information security incidents Control Information security incidents shall be responded to in accordance with the documented procedures. New New Combined A13.1, A13.2
New and changed controls A.17 Information security aspects of business continuity management A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information Processing facilities Control Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. New
Helpful guidelines • ISO/IEC 27002:2013- Code of practice for information security controls • ISO/IEC 27000:2014 – Information security management system overview and vocabulary • ISO 31000:2009 – Risk management principles and guidelines
Transition timeline?
Transition Timeline 1-10-2013 01-01-2014 01-05-2015 30-09-15 ISO/IEC 27001:2013 Released ISO/IEC 27001:2005 Sunset – no new applications accepted Completion of migration to ISO/IEC 27001:2013 Scope extension for 27001:2005 not permitted
Audit Days required for transition • Stage 1 review is required to review readiness. • Audit days required for re-certification audit (per ISO 27006) shall be used. • Organization can upgrade to the new standard during their surveillance audit cycle. • Organizations must plan for their transition audit before August 2015.
Any Questions ?
27001 2013 iso geek

Empfohlen

ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
Aureon Proactive Care
Aureon Proactive CareAureon Proactive Care
Aureon Proactive CareMike Wallen
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information securityVijay Sekar
 
Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
Computer system overview
Computer system overviewComputer system overview
Computer system overviewVikrant Singh Parmar
 
Electronic batch manufacturing record
Electronic batch manufacturing recordElectronic batch manufacturing record
Electronic batch manufacturing recordRatan Agarwal
 

Empfohlen

ISO27001
ISO27001ISO27001
ISO27001Ruchit Ahuja
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
Aureon Proactive Care
Aureon Proactive CareAureon Proactive Care
Aureon Proactive CareMike Wallen
 
Hipaa checklist - information security
Hipaa checklist - information securityHipaa checklist - information security
Hipaa checklist - information securityVijay Sekar
 
Iso27001 The Road To Certification
Iso27001 The Road To CertificationIso27001 The Road To Certification
Iso27001 The Road To Certificationtschraider
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Servicestschraider
 
Computer system overview
Computer system overviewComputer system overview
Computer system overviewVikrant Singh Parmar
 
Electronic batch manufacturing record
Electronic batch manufacturing recordElectronic batch manufacturing record
Electronic batch manufacturing recordRatan Agarwal
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentNicole Gaehle, MSIST
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)Tim Chambers
 
Chapter008
Chapter008Chapter008
Chapter008Jeanie Delos Arcos
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityA. V. Rajabahadur
 
Chapter005
Chapter005Chapter005
Chapter005Jeanie Delos Arcos
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaireNicholas Kaptingei
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistUnvired Inc.
 
Security
SecuritySecurity
Securitya1aass
 
Itauditcl
ItauditclItauditcl
Itauditclankukgoyal
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsYokogawa
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Anand Pandya
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airMrs.Shanaz Akter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasyHelpSystems
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information Systemijsrd.com
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comSonia Singh
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationPublicly traded global multi-billion services company
 
Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014DQS Inc.
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 

Weitere ähnliche Inhalte

Was ist angesagt?

CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentNicole Gaehle, MSIST
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)Tim Chambers
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityA. V. Rajabahadur
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologiesgenetics
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistUnvired Inc.
 
Security
SecuritySecurity
Securitya1aass
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsYokogawa
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Anand Pandya
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airMrs.Shanaz Akter
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasyHelpSystems
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information Systemijsrd.com
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comSonia Singh
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 

Was ist angesagt? (20)

CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
DIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements DocumentDIACAP IA CONTROLS Requirements Document
DIACAP IA CONTROLS Requirements Document
 
Corporate Overview (1)
Corporate Overview (1)Corporate Overview (1)
Corporate Overview (1)
 
Chapter008
Chapter008Chapter008
Chapter008
 
Reports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber SecurityReports on Industrial Control Systems’ Cyber Security
Reports on Industrial Control Systems’ Cyber Security
 
Chapter005
Chapter005Chapter005
Chapter005
 
IT Audit methodologies
IT Audit methodologiesIT Audit methodologies
IT Audit methodologies
 
System audit questionnaire
System audit questionnaireSystem audit questionnaire
System audit questionnaire
 
Enterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness ChecklistEnterprise Asset Management- Mobility Readiness Checklist
Enterprise Asset Management- Mobility Readiness Checklist
 
Security
SecuritySecurity
Security
 
Itauditcl
ItauditclItauditcl
Itauditcl
 
Secured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant AssetsSecured Remote Solutions for Critical Plant Assets
Secured Remote Solutions for Critical Plant Assets
 
Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .Management of e-SOP in GxP environment .
Management of e-SOP in GxP environment .
 
Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Utilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed airUtilities Monitoring System - energy, water, gas, compressed air
Utilities Monitoring System - energy, water, gas, compressed air
 
Security and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made EasySecurity and Audit Report Sign-Off—Made Easy
Security and Audit Report Sign-Off—Made Easy
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information System
 
Ensuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.comEnsuring sustainable competitiveness - Chemarc.com
Ensuring sustainable competitiveness - Chemarc.com
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Ebsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal PresentationEbsl Technologies It Operations Internal Presentation
Ebsl Technologies It Operations Internal Presentation
 

Ähnlich wie 27001 2013 iso geek

Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014DQS Inc.
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentationMidhun Nirmal
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructurepramod_kmr73
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wpketanaagja
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Yasmin AbdelAziz
 
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfNQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfJhonGIg
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Integrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyIntegrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyCovance
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Jerimi Soma
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
Cybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfCybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfDaveNjoga1
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfNapoleon NV
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013SAIGlobalAssurance
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013SAIGlobalAssurance
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRobert Kloots
 

Ähnlich wie 27001 2013 iso geek (20)

Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014Iso 27001 transition to 2013 03202014
Iso 27001 transition to 2013 03202014
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Iso 27001 isms presentation
Iso 27001 isms presentationIso 27001 isms presentation
Iso 27001 isms presentation
 
Audit of it infrastructure
Audit of it infrastructureAudit of it infrastructure
Audit of it infrastructure
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wp
 
Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1Riskmitigationwhitepaperweb 1
Riskmitigationwhitepaperweb 1
 
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdfNQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Integrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug SafetyIntegrated Technology Solutions for Drug Safety
Integrated Technology Solutions for Drug Safety
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
Cybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfCybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdf
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
IC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdfIC-ISO-27001-Checklist-10838_PDF.pdf
IC-ISO-27001-Checklist-10838_PDF.pdf
 
WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013WEBINAR: Transitioning to ISO/IEC 27001: 2013
WEBINAR: Transitioning to ISO/IEC 27001: 2013
 
Transitioning to iso 27001 2013
Transitioning to iso 27001 2013Transitioning to iso 27001 2013
Transitioning to iso 27001 2013
 
Rob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcmRob kloots auditingforscyandbcm
Rob kloots auditingforscyandbcm
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 ChecklistISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 

Kürzlich hochgeladen

SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistKHM Anwar
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goa
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goahorny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goa
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goasexy call girls service in goa
 
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...sonatiwari757
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 

Kürzlich hochgeladen (20)

SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization Specialist
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goa
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goahorny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goa
horny (9316020077 ) Goa Call Girls Service by VIP Call Girls in Goa
 
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
Call Girls in Mayur Vihar ✔️ 9711199171 ✔️ Delhi ✔️ Enjoy Call Girls With Our...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 

27001 2013 iso geek

  • 1. LOGO Transition to ISO/IEC 27001:2013 Varinder Kumar Principal Consultant CEHv5, ITIL V3, LA27001, LA9001, CISA, MEPTM
  • 2. Questions What has changed? What you need to know? Transition timeline? Any other questions?
  • 4. Structural change Context of the Organization Leadership Planning OperationImprovement Performance Evaluation Support ISO/IEC 27001:2013 Management Responsibility Management Review Establish ISMS Implement ISMS Improve ISMS Monitor ISMS Doc. Req. Internal Audit ISMS Improve ISO/IEC 27001:2005 Mgmt. Review Structure simplified
  • 5. Highlights of Changes • Structure change is part of harmonization effort from ISO • Annex SL – 10 Mandatory Clauses introduced – no exclusions from Cl 4 to 10 • Better alignment with business objectives • More emphasis on: – Risk management – Planning – Measurement – Communication • The word “documented procedure” is replaced with “documented information” in the body of the standard (4- 10)
  • 6. Summary of Changes ISO/IEC 27001:2005 •132 “shall” statements (section 4-8) •Annexure A – 11 clauses – 39 categories – 133 controls ISO/IEC 27001:2013 •125 “shall” statements (section 4-10) •Annexure A – 14 clauses – 35 categories – 114 controls Number of requirements reduced
  • 7. What you need to know?
  • 8. 4.0 Context of the organization 4.3 Determine scope of the ISMS • Internal and external issues • Requirements of interested parties • Interface between organizations 4.4 ISMS 4.1 Understanding the organization and its context • Determine external and internal issues to its purpose and relevant to ISMS • May refer to ISO 31000 Business risks, opportunities 4.2 Understanding the need and expectation of interested parties • Interested parties relevant to ISMS • Requirements relevant to ISMS • Regulatory requirements Interested parties - Customers, Shareholders, Regulatory agencies, Social groups, employees ISMS requirements
  • 9. Grouping of controls # Clauses A.5 Information security policies A.6 Organization of information security A.7 Human resource security A.8 Asset management A.9 Access control A.10 Cryptography A.11 Physical and environmental security A.12 Operations security A.13 Communications security A.14 System acquisition, development and maintenance A.15 Supplier relationships A.16 Information security incident management A.17 Information security aspects of business continuity management A.18 Compliance
  • 10. New and changed controls A.6 Organization of information security A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. A.6.1.5 Information security in project management Control Information security shall be addressed in project management, regardless of the type of the project. A.6.2 Mobile device and teleworking Objective: To ensure the security of teleworking and use of mobile devices. A.6.2.1 Mobile device policy Control A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. New Objective expanded Changed Old control A.11.7.1
  • 11. New and changed controls A.9 Access control A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A.9.2.1 User registration and de-registration Control A formal user registration and de-registration process shall be implemented to enable assignment of access rights. A.9.2.2 User access provisioning Control A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. A.9.2.6 Removal or adjustment of access rights Control The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. Changed Old control A.11.2.1 New Changed Old control A. 8.3.3
  • 12. New and changed controls A.12 Operations security A.12.5 Control of operational software Objective: To ensure the integrity of operational systems. A.12.5.1 Installation of software on operational systems Control Procedures shall be implemented to control the installation of software on operational systems. A.12.6 Technical vulnerability management Objective: To prevent exploitation of technical vulnerabilities. A.12.6.2 Restrictions on software installation Control Rules governing the installation of software by users shall be established and implemented. New New New
  • 13. New and changed controls A.14 System acquisition, development and maintenance A.14.1 Security requirements of information system Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. A.14.1.2 Securing application services on public networks Control Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. A.14.1.3 Protecting application services transactions Control Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Objective expanded Changed Old control A.10.9.1 Changed Old control A.10.9.2
  • 14. New and changed controls A.14 System acquisition, development and maintenance A.14.2 Security in development and support process Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems. A.14.2.1 Secure development policy Control Rules for the development of software and systems shall be established and applied to developments within the organization. A.14.2.5 Secure system engineering principles Control Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. A.14.2.6 Secure development environment Control Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. New New New Objective expanded
  • 15. New and changed controls A.14 System acquisition, development and maintenance A.14.2.8 System security testing Control Testing of security functionality shall be carried out during development. A.14.2.9 System acceptance testing Control Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. New Changed Old control A.10.3.2
  • 16. 16 New and changed controls A.15 Supplier relationship A.15.1 Information security in supplier relationship Objective: To ensure protection of the organization’s assets that is accessible by suppliers. A.15.1.1 Information security policy for supplier relationships Control Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. A.15.1.3 Information and communication Technology supply chain Control Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. New New New
  • 17. New and changed controls A.16 Information security incident management A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A.16.1.4 Assessment of and decision on information security events Control Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents. A.16.1.5 Response to information security incidents Control Information security incidents shall be responded to in accordance with the documented procedures. New New Combined A13.1, A13.2
  • 18. New and changed controls A.17 Information security aspects of business continuity management A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A.17.2.1 Availability of information Processing facilities Control Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. New
  • 19. Helpful guidelines • ISO/IEC 27002:2013- Code of practice for information security controls • ISO/IEC 27000:2014 – Information security management system overview and vocabulary • ISO 31000:2009 – Risk management principles and guidelines
  • 21. Transition Timeline 1-10-2013 01-01-2014 01-05-2015 30-09-15 ISO/IEC 27001:2013 Released ISO/IEC 27001:2005 Sunset – no new applications accepted Completion of migration to ISO/IEC 27001:2013 Scope extension for 27001:2005 not permitted
  • 22. Audit Days required for transition • Stage 1 review is required to review readiness. • Audit days required for re-certification audit (per ISO 27006) shall be used. • Organization can upgrade to the new standard during their surveillance audit cycle. • Organizations must plan for their transition audit before August 2015.