1、BSI Standards Publication PD ISO/IEC TR 27023:2015 Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002PD ISO/IEC TR 27023:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC TR 27023:2015. The UK par
2、ticipation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are r
3、esponsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 87610 3 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the S
4、tandards Policy and Strategy Committee on 31 July 2015. Amendments issued since publication Date Text affectedPD ISO/IEC TR 27023:2015 Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 Technologies de linformation Techniques de scurit Mappage
5、des dtions rvises de lISO/IEC 27001 et de lISO/IEC 27002 TECHNICAL REPORT ISO/IEC TR 27023 First edition 2015-07-01 Reference number ISO/IEC TR 27023:2015(E) ISO/IEC 2015 PD ISO/IEC TR 27023:2015ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland A
6、ll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested
7、from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC TR 27023:2015(E)PD ISO/IEC TR 27023:2015ISO/I
8、EC TR 27023:2015(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Comparison between revised editions of ISO/IEC 27001 1 5 Comparison between revised editions of ISO/IEC 27002 8 5.1 Comparison between ISO/IEC 27002:2005 and ISO/IEC 27002:2013 . 8 5.2 C
9、omparison between ISO/IEC 27002:2013 and ISO/IEC 27002:2005 14 ISO/IEC 2015 All rights reserved iii Contents PagePD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the special
10、ized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical comm
11、ittees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedu
12、res used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules
13、 of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights
14、 identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an expla
15、nation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword Supplementary information. The committee responsible for this docu
16、ment is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.iv ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) Introduction Both standards, ISO/IEC 27001 and ISO/IEC 27002, have been revised as part of the normal standards maintenance process, and th
17、e results of this revision process are contained in ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This Technical Report contains the following tables: Clause 4, Table 1 Comparison between ISO/IEC 27001:2013 and ISO/IEC 27001:2005; Clause 5, Table 2 Comparison between ISO/IEC 27002:2005 and ISO/IEC 2700
18、2:2013; Clause 5, Table 3 Comparison between ISO/IEC 27002:2013 and ISO/IEC 27002:2005. These tables can be used to determine where requirements or controls in the old standards went, or where requirements or controls in the new standards have come from. Where a relationship is stated, it does not m
19、ean that the content is identical. This Technical Report is designed to provide a factual correspondence between the old and new editions of ISO/IEC 27001 and ISO/IEC 27002 respectively, and so by intention it does not provide any explanatory commentary on why a change has been made or the significa
20、nce of the change. Users of this Technical Report need to evaluate the significance of the changes in context with regard to their particular application and implementation of the revised editions of these standards. For ISO/IEC 27002, the comparison was based on control objectives, controls, and im
21、plementation guidance. ISO/IEC 2015 All rights reserved vPD ISO/IEC TR 27023:2015PD ISO/IEC TR 27023:2015Information technology Security techniques Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 1 Scope The purpose of this Technical Report is to show the corresponding relationship b
22、etween the revised versions of ISO/IEC 27001 and ISO/IEC 27002. This Technical Report will be useful to all users migrating from the 2005 to the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. 2 Normative references The following referenced documents are indispensable for the application of this d
23、ocument. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 27000:2014, Information technology Security techniques Information security management systems Overview and vocabulary ISO/
24、IEC 27001:2013, Information technology Security techniques Information security management systems Requirements ISO/IEC 27002:2013, Information technology Security techniques Code of practice for information security controls 3 T erms a nd definiti ons For the purposes of this document, the terms an
25、d definitions contained in ISO/IEC 27000:2014 apply. 4 Comparison between revised editions of ISO/IEC 27001 Table 1 Comparison between ISO/IEC 27001:2013 and ISO/IEC 27001:2005 ISO/IEC 27001:2013 ISO/IEC 27001:2005 4.1 Understanding the organization and its context 8.3 Preventive action 4.2 a) Under
26、standing the needs and expecta- tions of interested parties New requirement 4.2 b) Understanding the needs and expecta- tions of interested parties 5.2.1 c) Provision of resources 7.3 c) 4) Review output 7.3 c) 5) Review output 4.3 Determining the scope of the informa- tion security management syste
27、m 4.2.1 a) Establish the ISMS 4.3 a) Determining the scope of the informa- tion security management system 4.2.1 a) Establish the ISMS 4.2.3 f) Monitor and review the ISMS 4.3 b) Determining the scope of the informa- tion security management system 4.2.3 f) Monitor and review the ISMS TECHNICAL REPO
28、RT ISO/IEC TR 27023:2015(E) ISO/IEC 2015 All rights reserved 1PD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 4.3 c) Determining the scope of the informa- tion security management system New requirement 4.3 Determining the scope of the infor- mation security ma
29、nagement system Last sentence 4.3.1 b) General 4.3.2 f) Control of documents 4.4 Information security management system 4.1 General requirements 5.2.1 a) Provision of resources 5.1 a) Leadership and commitment 4.2.1 b) 3) Establish the ISMS 5.1 a), b) Management commitment 5.1 b) Leadership and comm
30、itment New requirement 5.1 c) Leadership and commitment 5.1 e) Management commitment 5.1 d) Leadership and commitment 5.1 d) Management commitment 5.1 e) Leadership and commitment 5.1 b), g), h) Management commitment 5.1 f) Leadership and commitment 5.1 b), g), h) Management commitment 5.1 g) Leader
31、ship and commitment 5.1 a), d), g), h) Management commitment 5.1 h) Leadership and commitment 5.1 Management commitment 5.2 Policy First sentence 4.2.1 b) 5) Establish the ISMS 5.1 a) Management commitment 5.2 a) Policy 4.2.1 b) Establish the ISMS 5.2 b) Policy 4.2.1 b) 1) Establish the ISMS 5.2 c)
32、Policy 4.2.1 b) 2) Establish the ISMS Policy 4.3.3 Control of records 5.2 d) Policy 5.1 d) Management commitment 5.2 e) Policy 4.3.1 a) General 5.2 f) Policy 5.1 d) Management commitment 5.2 g) Policy 4.3.2 f) Control of documents 5.3 Organizational roles, responsibilities and authorities First sent
33、ence 5.1 c) Management commitment 6 Internal ISMS audits 5.3 a) Organizational roles, responsibilities and authorities 4.3.3 Control of records 5.1 c) Management commitment 6 Internal ISMS audits 5.3 b) Organizational roles, responsibilities and authorities 4.3.3 Control of records 5.1 c) Management
34、 commitment 6 Internal ISMS audits 6.1.1 Actions to address risks and opportu- nities General 4.2.1 d) Establish the ISMS 8.3 a) Preventive action 6.1.1 a) Actions to address risks and opportu- nities General New requirementTable 1 (continued) 2 ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:20
35、15ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 6.1.1 b) Actions to address risks and opportu- nities General New requirement 6.1.1 c) Actions to address risks and opportu- nities General New requirement 6.1.1 d) Actions to address risks and opportu- nities General 4.2.1 e) 4) Estab
36、lish the ISMS Actions to address risks and opportu- nities General 8.3 b), c) Preventive action 6.1.1 e) 1) Actions to address risks and opportu- nities General 4.2.2 a) Implement and operate the ISMS Actions to address risks and opportu- nities General 8.3 c) Preventive action 6.1.1 e) 2) Actions t
37、o address risks and opportu- nities General 8.3 e) Preventive action 6.1.2 Information security risk assessment First sentence 4.2.1 c) 1) Establish the ISMS 6.1.2 a) Information security risk assessment New requirement 6.1.2 a) 1) Information security risk assessment 4.2.1 b) 4), c) 2 Establish the
38、 ISMS Information security risk assessment 5.1 f) Management commitment 6.1.2 a) 2) Information security risk assessment New requirement 6.1.2 b) Information security risk assessment 4.2.1 c) Establish the ISMS 6.1.2 c) Information security risk assessment 4.2.1 d) Establish the ISMS 6.1.2 c) 1) Inf
39、ormation security risk assessment 4.2.1 d) 1), 2), 3), 4) Establish the ISMS 6.1.2 c) 2) Information security risk assessment 4.2.1 d) 1) Establish the ISMS 6.1.2 d) 1) Information security risk assessment 4.2.1 e) 1) Establish the ISMS 6.1.2 d) 2) Information security risk assessment 4.2.1 e) 2) Es
40、tablish the ISMS 6.1.2 d) 3) Information security risk assessment 4.2.1 e) 3) Establish the ISMS 6.1.2 e) 1) Information security risk assessment 4.2.1 e) 4) Establish the ISMS 6.1.2 e) 2) Information security risk assessment 4.2.1 e) 4) Establish the ISMS 6.1.2 Information security risk assessment-
41、 Last sentence 4.3.1 d), e) General 6.1.3 Information security risk treatment 4.2.1 f) Establish the ISMS 6.1.3 a) Information security risk treatment 4.2.1 f) 1), 2), 3), 4) Establish the ISMS 6.1.3 b) Information security risk treatment 4.2.1 g) Establish the ISMS 6.1.3 c) Information security ris
42、k treatment New requirement 6.1.3 d) Information security risk treatment 4.2.1 j) 1), 2), 3) Establish the ISMS Information security risk treatment 4.3.1 i) General 6.1.3 e) Information security risk treatment 4.2.2 a) Implement and operate the ISMS 6.1.3 f) Information security risk treatment 4.2.1
43、 h) Establish the ISMSTable 1 (continued) ISO/IEC 2015 All rights reserved 3PD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27001:2005 6.1.3 Information security risk treatment- Last sentence 4.3.1 f) General 6.2 Information security objectives and plans to achieve them-F
44、irst sentence 5.1 b) Management commitment 6.2 a) Information security objectives and plans to achieve them 5.1 d) Management commitment 6.2 b) Information security objectives and plans to achieve them New requirement 6.2 c) Information security objectives and plans to achieve them New requirement 6
45、.2 d) Information security objectives and plans to achieve them 5.1 d) Management commitment 6.2 e) Information security objectives and plans to achieve them 4.2.3 b) Monitor and review the ISMS 6.2 Information security objectives and plans to achieve them-Last sentence 4.3.1 a) General 6.2 f) Infor
46、mation security objectives and plans to achieve them New requirement 6.2 g) Information security objectives and plans to achieve them New requirement 6.2 h) Information security objectives and plans to achieve them New requirement 6.2 i) Information security objectives and plans to achieve them New
47、requirement 6.2 j) Information security objectives and plans to achieve them 4.2.3 b) Monitor and review the ISMS 7.1 Resources 4.2.2 b), g) Implement and operate the ISMS 5.2.1 Provision of resources 7.2 a) Competence 5.2.2 a) Training, awareness and competence 7.2 b) Competence 5.2.2 Training, awa
48、reness and competence 7.2 c) Competence 5.2.2 b), c) Training, awareness and competence 7.2 d) Competence 5.2.2 d) Training, awareness and competence 7.3 a) Awareness New requirement 7.3 b) Awareness 4.2.2 e) Implement and operate the ISMS 5.2.2 Training, awareness and competence 7.3 c) Awareness 4.
49、2.2 e) Implement and operate the ISMS 5.2.2 Training, awareness and competence 7.4 Communication-First sentence 4.2.4 c) Maintain and improve the ISMS 5.1 d) Management commitment 7.4 a) Communication 4.2.4 c) Maintain and improve the ISMS 5.1 d) Management commitment 7.4 b) Communication New requirementTable 1 (continued) 4 ISO/IEC 2015 All rights reservedPD ISO/IEC TR 27023:2015ISO/IEC TR 27023:2015(E) ISO/IEC 27001:2013 ISO/IEC 27
