issg-iso27002-standard-270422 ppt slides

silverfoxofs 184 views 23 slides Sep 08, 2024

About This Presentation

ISO 27002.


Slide Content

ISO/IEC 27002:2022 WHAT DOES THE REVISED STANDARD MEAN TO YOU?
BCS – ISSG: 27 April 2022
Vernon Poole – CRISC, CISM & CGEIT

SAPPHIRE SPEAKER - VERNON POOLE
• Recognised trainer in Information Security Management.
• Member of UK/International ISO User Groups & presenter at the first International 27001 Day – January 2022.
• ISO 27001/2 Expert with over 30 years' experience.
• Head of Business Consultancy at Sapphire.

AGENDA
The revised ISO/IEC 27002 standard (set of controls).
Changes to the guiding principles.
New and revised controls.
New perspectives/attributes added to each control.
Why you should adopt the changes.
Standard Benefits.

ISO 27002 REVISION 2022 STATUS
• New & enhanced title – ISO/IEC 27002 standard (Information security, cybersecurity, and privacy protection – information security controls).
• The publication date was 15 February 2022.
• Certified organisations will have up to 2 years to transition to the revised standard once ISO 27001 has been updated - an Advisory Guide for external auditors is being provided.

ISO/IEC 27002 & ISO/IEC 27001
• ISO/IEC 27002 is the set of controls deployed by ISO/IEC 27001 – the Certification Process, which will outline the ‘themes’ & controls in Annex A.
• Time will be required to amend ISO 27001 with the revised Annex A (potentially a 2022 amendment to the 2013 version) – estimated to be in late 2022, so it is not anticipated that organisations could get certified to the changes until early 2023. For certified organisations, the transition period is estimated to end in mid 2024.
• What is clear is that the changes proposed are highly significant for all organisations (large & small, or in the public or private sector) - a standard that addresses information security, cyber security and privacy is a game changer.

ISO/IEC 27002 Revision: A Simplified Approach
14 guiding principles will become 4 ‘themes’.
The 14 guiding principles:
1. IS Policy
2. Organising IS
3. Asset Management
4. Human Resources Security
5. Physical/Environmental Security
6. Operations Security
7. Communications Security
8. Access Control
9. Cryptography
10. Information Systems Acquisition & Development
11. Supplier Relationships
12. IS Incident Management
13. IS aspects of BCM
14. Compliance
The 4 themes:
1. Organisational Controls
2. People Controls
3. Physical Controls
4. Technological Controls

ISO/IEC 27002 Revision: New Control Structure (Modernised)
114 controls will now be 93 controls:
• 58 are updated
• 24 merged controls
• 11 new controls added
Note: 35 remain the same as the current version.
The grouping of controls is as follows:
1. Organisational Controls (37) including 3 new controls.
2. People Controls (8) – no new controls.
3. Physical Controls (14) including 1 new control.
4. Technological Controls (34) including 7 new controls.

ISO/IEC 27002 Revision: Updated Controls (Examples)
• ‘Teleworking’ becomes ‘Remote working’.
• ‘User registration/de-registration’ becomes ‘Identity management’.
• ‘Secure log-on procedures’ becomes ‘Secure authentication’.
• ‘Controls against malware’ becomes ‘Protection against malware’.
Such renaming will provide easier understanding in developing the organisation’s Information Security Management System (ISMS).

ISO/IEC 27002 Revision: Merged Controls (Examples)
• ‘Management of removable media, disposal of media, physical media transfer and removal of assets’ is merged into ‘Storage Media’.
• ‘User access provisioning, review of user access rights, removal or adjustment of access rights’ is merged into ‘Access Rights’.
• ‘Change management, system change control procedures, technical review of applications after operations platform changes, restrictions on changes to software packages’ is merged into ‘Change Management’.
Such merging makes it simpler to follow and is more efficient.

ISO/IEC 27002 Revision: New Controls (11)
1. Threat Intelligence (O)
2. Information security for cloud services (O)
3. ICT readiness for business continuity (O)
4. Physical security monitoring (P)
5. Configuration management (T)
6. Information deletion (T)
7. Data masking (T)
8. Data leakage prevention (T)
9. Monitoring activities (T)
10. Web filtering (T)
11. Secure coding principles (T)
Where:
O = Organisational
P = Physical
T = Technological

ISO/IEC 27002 Revision: 1. Organisational Controls (IS Forum)
• Policy.
• Organising Security – roles/responsibilities; identity & access management, etc.
• Asset Management inc. threat intelligence.
• Supplier Relationships inc. IS for use of cloud services (ISO 27017:2021 controls).
• Incident Management.
• BCP inc. ICT continuity planning.
• Compliance.

ISO/IEC 27002 Revision: 2. People Controls (HR)
• Screening.
• Terms and conditions of employment.
• Information security awareness, education and training.
• Disciplinary process.
• Responsibilities after termination or change of employment.
• Confidentiality or non-disclosure agreements.
• Remote working.
• Information security event reporting.

ISO/IEC 27002 Revision: 3. Physical Controls (Facilities Management)
• Physical security perimeter.
• Physical entry controls.
• Securing offices, rooms & facilities.
• Physical security monitoring.
• Protecting against physical & environmental threats.
• Working in secure areas.
• Clear desk and clear screen.
• Equipment siting and protection.
• Security of assets off-premises.
• Storage media.
• Supporting utilities.
• Cabling security.
• Equipment maintenance.
• Secure disposal or re-use of equipment.

ISO/IEC 27002 Revision: 4. Technological Controls (IT/IS)
• Endpoint devices.
• Controls on privileged access & secure authentication.
• Cryptographic Controls.
• Operations Security inc. configuration management; information deletion; data masking; data leakage prevention; and monitoring activities.
• Communications Security inc. web filtering.
• Development Security inc. secure coding principles.

ISO/IEC 27002 Revision: Addition of Attributes for each Control
Each control can be viewed from several perspectives (attributes) - not mandatory:
1. Control Type (preventive; detective or corrective).
2. IS Properties (C, I or A).
3. Cyber Security Concepts (Identify; Protect; Detect; Respond or Recover).
4. Operational Capabilities - 15 (Governance; Asset management; Information protection; HR security; Physical security; System & network security; Application security; Secure configuration; Identity & access management; Threat & vulnerability management; Continuity; Supplier Relationships security; Legal & compliance; IS event management; and Security assurance).
5. Security Domains (Governance & Ecosystem, Protection, Defence, Resilience).
You can set up your own attribute groupings, e.g., GDPR or specific regulatory requirements.

ISO/IEC 27002 Revision: Control Format
Each control will have a new ‘Purpose’ outlined and revised ‘Guidance’ (with sub-headings where required) & ‘Other Information’, where:
• Purpose is the rationale for applying the control.
• Guidance is a detailed explanation of how the control should be implemented.
• Other Information is further guidance to understand the control, with references to other documents for consultation.
These improvements make it easier to choose and justify the use of appropriate controls.

ISO/IEC 27002 Revision: Control Format Example
5.1 Policies for information security
Control
Policies for information security should be defined, approved by…
Purpose (New Section)
To ensure continuing suitability, adequacy, and effect…
Guidance (with subheadings where appropriate)
At the highest level, organizations should define an “information security policy”…
Other Information – see the following reference material….
Attributes for control 5.1:
Control type: Preventive
IS properties: C, I, A
Cybersecurity concepts: Identify
Operational capabilities: Governance
Security domains: Governance & Ecosystem; Resilience

ISO/IEC 27002 Revision: Standard Annexes
There are two excellent Annexes:
Annex A – matrix outlining the attributes for each control
This annex has a comprehensive coverage of each attribute value for each control - useful in Risk Assessment and allocating CIA to each threat.
Annex B – matrix comparison with the ISO 27002:2013
This annex allows organisations to see where current controls have been reallocated or merged, plus the addition of new controls.

Why you should adopt the ISO/IEC 27002 Revision.
• Organisations are undertaking digital transformation, utilising cloud services, and adjusting to hybrid working as a result of COVID.
• At the same time, cyber criminals are continuing to find ways to exploit vulnerabilities as the threat landscape grows.
• This standard will assist in the identification, implementation and management of up-to-date information security controls. These controls cover processes, policies, procedures, and management structures to address the growing cyber threats and risks.
• Adopting this standard will enable you to identify appropriate and proportionate controls that are sustainable and work to increase the overall appropriateness of your ISMS - helping to create a ‘security culture’ that is vital to protect your information and staff.

What changes are required to adopt the ISO/IEC 27002 Revision.
• Organisations can still utilise the existing policies/procedures – there will be tailoring required to adjust to the revised focus/amendments.
• The calibration to the new attribute types enables organisations to present the ISMS from different perspectives – information security, cyber security and/or privacy – very useful depending on how your organisation is set up or needs to report based on different stakeholders.
• The new controls will need to be accommodated/adhered to and the structure of the ISMS refined accordingly.
• Risk Assessment Process (Statement of Applicability) & Internal Audit Checklists will need to be recalibrated to the revised arrangements.
• All organisations will need to educate their staff (management & users) in the revised way of addressing the ISMS in readiness for external audit.

ISO/IEC 27002 Revision: Enhanced Benefits for the Organisation
• Provides you with competitive edge.
• Protects and enhances your reputation.
• Reduces financial penalties/losses associated with data breaches.
• Ensures compliance with business, legal, contractual & regulatory requirements.

The ISO/IEC 27002 can help you to achieve the following benefits:
Compliance with the revised requirements.
Improved Communication & Awareness.
Enhanced Staff Skills.
Increased Productivity/Service Delivery.
Increased Operational Efficiency.
Reduced Legal Costs.
Reduced Risk to your business.
Increased Trust in your business.

THANK YOU
ISO/IEC 27001/2 can help you to protect your data from prying eyes.
QUESTIONS?
Contact Details: [email protected]