ISO/IEC 27001:2013 : Insight on Operations Security & Communications Security Domain


The most popular standard for information security management systems, ISO/IEC 27001:2005, was revised after eight years and officially released on October 1st 2013 as ISO/IEC 27001:2013, which replaces it.

All the readers who have gone through the revised standard must be aware of the change in structure and the changes made to Annexure A of the standard. In this blog, I would like to provide insights on a couple of controls in Annexure A of the revised standard.

To begin with, the domain ‘A.10 Communications and operations management’ from the earlier version of the standard has been divided into two separate domains in the 2013 version, i.e. ‘A.12 Operations Security’ and ‘A.13 Communications Security’. This separation helps the organization to concentrate on and implement the specific controls which are applicable to each domain.

Now let us try to understand the intent behind this separation of domains:

A.12 Operations Security
  A.12.1 Operational procedures and responsibilities
  A.12.2 Protection from malware
  A.12.3 Backup
  A.12.4 Logging and monitoring
  A.12.5 Control of operational software
  A.12.6 Technical vulnerability management
  A.12.7 Information systems audit considerations

A.13 Communications Security
  A.13.1 Network security management
  A.13.2 Information transfer

The objective of the ‘A.12 Operations Security’ domain is to help organizations put in place appropriate controls to ensure that the day-to-day operations of the organization are carried out in a controlled and secure manner. This includes documenting operating procedures, ensuring that changes to information assets are carried out efficiently, protecting information assets from malware and other threats and vulnerabilities, ensuring that backups are performed effectively so that information is available in a timely manner, logging and monitoring user activities, and ensuring continuous improvement through information systems audits and mitigation of the findings.

The ‘A.13 Communications Security’ domain focuses on the security of the network and network services through controls such as segregation of networks, network service level agreements and other network controls applicable to the environment. Along with ensuring network security, the domain also guides the organization in safeguarding information in transit through controls such as policies and procedures for information transfer, agreements to ensure secure transfer of information between the parties involved, controls specific to electronic messaging, etc.

In a nutshell, A.12 Operations Security helps the organization to put in place those controls which are specific to the operations of the organization, while A.13 Communications Security helps the organization to put in place the controls that ensure the security of the network and of the information which is in transit.

The above abstract is documented as per my understanding of the revised standard. I request the readers to provide their inputs and views on the subject.
