Changes in New_ISO_27001_2022 Lead Auditor.pdf

NaimUzZaman2 130 views 26 slides Jun 28, 2024

About This Presentation

Changes in New ISO 27001-2022



ISO 27001:2022.
What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
1.0, 25.10.2022

Agenda
1. Purchasing
2. Life cycle
3. New Name
4. Abstract
5. Number of pages
6. New terminology databases
7. New relevant requirements, 4.2
8. More focus on processes, 4.4 ISMS
9. New requirements for 6.2 IS objectives
10. Planning for changes (NEW)
11. New requirements for 7.4 Communication
12. New requirements for 8.1 Planning
13. New requirements for 9.1 Monitoring
14. New structure of 9.2 and 9.3, and a new input for Management Review
15. New structure of 10 Improvement
16. NEW Annex A. IS Controls
17. IS Control list and Mapping
18. ISO 27002:2022. Example of Attributes
19. If you have the ISMS, you will need to do
20. Contacts

Purchasing
www.iso.org/standard/82875.html
≈119 Euro

Life cycle

1. New Name
ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements

2. Abstract
This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document. [New 2022]

3. Number of pages
ISO/IEC 27001:2013: 23 pages
ISO/IEC 27001:2022: 19 pages

4. New terminology databases
ISO/IEC 27001:2013:
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO/IEC 27001:2022:
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org

5. New relevant requirements, 4.2
ISO/IEC 27001:2013:
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.
ISO/IEC 27001:2022:
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the information security management system.

6. More focus on processes, 4.4 ISMS
ISO/IEC 27001:2013:
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
ISO/IEC 27001:2022:
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.

7. New requirements for 6.2 IS objectives
ISO/IEC 27001:2013:
6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.
ISO/IEC 27001:2022:
6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.

8. Planning for changes (NEW)
ISO/IEC 27001:2013: -
ISO/IEC 27001:2022:
6.3 Planning of changes
When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.

9. New requirements for 7.4 Communication
ISO/IEC 27001:2013:
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.
ISO/IEC 27001:2022:
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.

10. New requirements for 8.1 Planning
ISO/IEC 27001:2013:
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.
ISO/IEC 27001:2022:
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.

11. New requirements for 9.1 Monitoring
ISO/IEC 27001:2013:
9.1 Monitoring, measurement, analysis and evaluation

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
ISO/IEC 27001:2022:
9.1 Monitoring, measurement, analysis and evaluation

Documented information shall be available as evidence of the results.
The organization shall evaluate the information security performance and the effectiveness of the information security management system.

12. New structure of 9.2 and 9.3
ISO/IEC 27001:2013:
9.2 Internal audit
9.3 Management review
ISO/IEC 27001:2022:
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
+ new input for Management review:
c) changes in needs and expectations of interested parties that are relevant to the information security management system

13. New structure of 10 Improvement
ISO/IEC 27001:2013:
10.1 Nonconformity and corrective action
10.2 Continual improvement
ISO/IEC 27001:2022:
10.1 Continual improvement
10.2 Nonconformity and corrective action

14. NEW Annex A. IS Controls

Information security controls reference (Annex A)
ISO/IEC 27001:2013: Total number of controls – 114
Domains:
A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
ISO/IEC 27001:2022: Total number of controls – 93, 11 new
Controls are categorized as:
a) People, if they concern individual people
b) Physical, if they concern physical objects
c) Technological, if they concern technology
d) otherwise they are categorized as Organizational
Five attributes only in ISO 27002:2022 (#):
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (CIA)
3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover)
4. Operational capabilities
5. Security domains

IS Control list and Mapping
NEW 2022:
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
www.patreon.com/posts/iso-27001-2013-73584456

ISO 27002:2022. Example of Attributes

If you have the ISMS, you will need to do:
1. Review the Risk Treatment Plan (RTP), align it with the new structure and numbering of controls.
2. Review and update the Statement of Applicability (SoA). I recommend using 2 spreadsheets (2013 and 2022) in the next 1-2 years.
3. Review and update the ISMS Management review procedure (inputs).
4. Review and update IS objectives and the Monitoring, measurement, analysis and evaluation procedure.
5. Review and update the ISMS Communication Plan.
6. Review and update other policies, standards and procedures (if necessary).
7. Review and update checklists and questionnaires used for audits (internal and external).
8. Evaluate and possibly adapt third-party security tools (e.g., GRC, SIEM, VM) to ensure the records you are using to demonstrate compliance support the new requirements.

Thanks!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov

My ISMS Implementation Toolkit (ISO 27001)
www.patreon.com/posts/47806655

My ISMS Implementation Plan