Cybersecurity
Frameworks
By Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
DMZCON 09.2023
Speaker: Andrey Prozorov
Cybersecurity and Privacy Expert, ISMS PRO
CISM, CIPP/E, CDPSE, LA 27001
Helsinki, Finland
• www.linkedin.com/in/andreyprozorov
• www.patreon.com/AndreyProzorov
CONTENTS
01 What is a Framework?
02 Types and examples
03 How to choose frameworks?
04 Mappings and SoA
Cybersecurity Frameworks: Lists, Links,
How to Choose, Key Considerations,
and Mappings
100+ frameworks are mentioned in this presentation
01 Framework and related terms
Framework: A basic conceptual structure used to solve or address complex issues. (ISACA)
Regulation: Rules or laws defined and enforced by an authority to regulate conduct. (ISACA) (e.g., GDPR, NIS2)
Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization (such as ISO). (ISACA) (e.g., ISO 27001)
Guideline: Non-mandatory information leading to a compliant solution for the related requirement. (ISO) (e.g., "State of the art" in IT security Guideline, TeleTrust)
01 Why do we love frameworks?
Main benefits:
• Comprehensive approach / security baseline
• Measurement and benchmarking
• Demonstration of maturity
• Certification (proof of compliance)
• Common language for cybersecurity pros and business
We don't need to reinvent the wheel!
02 12 Most Popular Frameworks
1. ISO 27001 (ISMS) - https://www.iso.org/standard/27001
2. ISO 27002 (IS Controls) - https://www.iso.org/standard/75652.html
3. ISO 27005 (IS Risks) - https://www.iso.org/standard/80585.html
4. ISO 27701 (PIMS) - https://www.iso.org/standard/71670.html
5. NIST Cybersecurity Framework (NIST CSF) - https://www.nist.gov/cyberframework
6. NIST SP 800-53 (Security and Privacy Controls) - https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
7. CIS Critical Security Controls - https://www.cisecurity.org/controls
8. MITRE ATT&CK - https://attack.mitre.org
9. PCI DSS - https://www.pcisecuritystandards.org
10. CSA Cloud Controls Matrix (CCM) - https://cloudsecurityalliance.org/research/cloud-controls-matrix
11. COBIT - https://www.isaca.org/resources/cobit
12. SOC 2 (for service organisations) - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement
02 More Frameworks
02 Types of Frameworks
1. ISMS / Program Frameworks (ISO 27001, NIST CSF, ACSC ISM, ISF SoGP, C2M2...)
Use to:
• Assess the state of the overall IS program
• Build a comprehensive IS program
• Measure maturity and compare with other companies
• Simplify communication with interested parties (stakeholders)
• Align the IS program with business needs
2. Control Frameworks (ISO 27002, CIS Critical Security Controls, NIST 800-53, NSA ECC, Equifax Security Controls Framework...)
Use to:
• Identify a baseline set of controls
• Identify gaps
• Prioritise implementation of controls
• Develop an initial roadmap
3. Risk Frameworks (ISO 27005, EBIOS RM, ISACA Risk IT Framework...)
Use to:
• Define key steps for assessing and managing risks
• Structure the risk management program
• Identify, assess and evaluate risks
• Prioritise security activities
• Integrate IS risks with enterprise risks
03 How to choose frameworks?
Interested parties (questions 1-3):
1. Do you have any mandatory requirements to comply with, such as GDPR, NIS2 Directive, FISMA, PCI DSS, HIPAA, or others? Any requirements for critical infrastructure?
2. What are the cybersecurity standards and frameworks adopted in your country? Which are mentioned by your cybersecurity and data protection authorities?
3. Which cybersecurity standards and frameworks are used in your industry? (e.g., IEC 62443 (cybersecurity for operational technology), IAEA Nuclear Security Series, SOC 2, CSA STAR, ISO 27017/ISO 27018…). Are there any expectations from partners and customers?
Capabilities (questions 4-6):
4. Is any certification needed? (e.g., ISO 27001, Cyber Essentials Plus, Europrivacy Certification)
5. Is your company an SME or an Enterprise in terms of size?
6. What is the maturity level of your information security processes?
7. Do you have a budget for purchasing standards and best practices? And training?
03 Frameworks by country
USA: NIST SP 800-53 / NIST SP 800-171; HIPAA
UK: Cyber Essentials: Requirements for IT infrastructure; Cyber Assessment Framework (CAF)
Germany: IT-Grundschutz
Finland: Katakri 2020. Information security auditing tool for authorities
Saudi Arabia: Essential Cybersecurity Controls (NSA ECC); SAMA Cyber Security Framework
Australia: Information Security Manual (ISM); Essential Eight
New Zealand: New Zealand Information Security Manual (NZISM)
Japan: Cybersecurity Management Guidelines for Japanese Enterprise Executives
International: ISO 27001 / ISO 27002; NIST Cybersecurity Framework (NIST CSF); Standard of Good Practice for Information Security (ISF SoGP); COBIT Focus Area: Information Security; CIS Critical Security Controls
03 Implementation complexity (Simple / Moderate / Complex)
Simple:
• Cyber Essentials (UK)
• Essential Eight (Australia)
• Cyberfundamentals Framework (Belgium)
• NSA ECC (Saudi Arabia)
• + all Guidelines for SME
Moderate / Complex:
• ISO 27001 / ISO 27002
• NIST CSF
• CIS Critical Security Controls
• HITRUST Common Security Framework (CSF)
• Secure Controls Framework (SCF)
• Cybersecurity Capability Maturity Model (C2M2)
• MITRE ATT&CK
• IEC 62443
• COBIT
03 Cybersecurity Series (Families):
• ISO 27k
• NIST Publications
• IEC 62443
• IAEA Nuclear Security Series
• IT-Grundschutz (BSI Standards)
• COBIT
• ISF Publications
• ETSI TC Cybersecurity
• NSA ECC
• …
03 Relationship of terms. Glossaries
1. ISACA (cybersecurity) - https://www.isaca.org/resources/glossary
2. NIST (cybersecurity) - https://csrc.nist.gov/glossary
3. ISO - https://www.iso.org/obp/ui
4. IEC - https://www.electropedia.org
5. SANS (cybersecurity) - https://www.sans.org/security-resources/glossary-of-terms
6. PCI (cybersecurity) - https://www.pcisecuritystandards.org/glossary
7. ACSC (Australian cybersecurity) - https://www.cyber.gov.au/acsc/view-all-content/glossary
8. NCSC (UK cybersecurity) - https://www.ncsc.gov.uk/information/ncsc-glossary
9. IAPP (privacy) - https://iapp.org/resources/glossary
10. EDPS (privacy) - https://edps.europa.eu/data-protection/data-protection/glossary_en
11. AXELOS (ITIL v4) - https://www.axelos.com/resource-hub/glossary/ITIL-4-glossaries-of-terms
12. IAEA (Nuclear Safety and Security, 2022) - https://www.iaea.org/publications/15236/iaea-nuclear-safety-and-security-glossary
13. OCEG (GRC) - https://www.oceg.org/glossary/en
14. Gartner (IT and other) - https://www.gartner.com/en/glossary
15. Forrester - https://www.forrester.com/staticassets/glossary.html
04 Mapping
[Concept] Mapping: An indication that one concept is related to another concept. (NIST IR 8477 initial public draft, https://csrc.nist.gov/pubs/ir/8477/ipd)
Five Important Assumptions for the Mapping:
1. The intended users of the mapping
2. Why someone would want to use this mapping
3. The types of concepts to be mapped
4. The direction of the mapping
5. How exhaustive the mapping will be
The main question: How does conforming to one standard help the organization conform to another standard?
Mapping examples:
• NIST SP 800-53 Rev. 5 to ISO 27001 mapping: https://csrc.nist.gov/files/pubs/sp/800/53/r5/upd1/final/docs/sp800-53r5-to-iso-27001-mapping.docx
• CIS Critical Security Controls v8: https://www.cisecurity.org/controls/v8
04 Mapping of KATAKRI to ISO 27001/27002
04 Statement of applicability (SoA)
Statement of applicability (SoA): Documented explanation of the relevant and applicable information security controls in the organization's ISMS.
Control (ISO 27002:2022): Measure that maintains and/or modifies risk. Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk.
04 SoA Template (ISO 27001)
1. General requirements (cl. 4-10) + Maturity Level
2. SoA: 2 lists of controls, 2013 and 2022
3. Additional columns: Description, Documents and Records, Responsible (Owners), #Attributes, Comments and Links
www.patreon.com/posts/62806755
04 Attributes of IS Controls (ISO 27002)
Control type: #Preventive, #Detective, #Corrective
Information security properties (CIA): #Confidentiality, #Integrity, #Availability
Cybersecurity concepts: #Identify, #Protect, #Detect, #Respond, #Recover
Operational capabilities: #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
Security domains: #Governance_and_Ecosystem, #Protection, #Defence, #Resilience
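The two practical uses of the material above are (a) filtering an SoA by the ISO 27002:2022 attribute tags and (b) answering the mapping question "how does conforming to one standard help us conform to another". The script below is an added example, not code from the presentation or from ISO/NIST. It validates attribute tags against the five vocabularies on the slide (a mistyped tag silently drops a control from every filtered view), selects controls by tag, and walks a crosswalk in one direction to report what each target item inherits from the source SoA. The SoA rows are a constructed excerpt using real ISO 27002:2022 control numbers and titles, but the attribute tags assigned to them are illustrative, and the crosswalk to NIST CSF subcategory identifiers is a constructed example, not the official NIST or ISO mapping.

```python
"""SoA attribute checks and one-directional crosswalk coverage.
Added example; sample SoA rows and the crosswalk are constructed for illustration
and are not the official ISO 27002 attribute assignments or the NIST mapping."""
from collections import defaultdict

# The five ISO/IEC 27002:2022 attribute vocabularies, values as on the slide.
ATTRIBUTES = {
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "concepts": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "capabilities": {
        "#Governance", "#Asset_management", "#Information_protection",
        "#Human_resource_security", "#Physical_security",
        "#System_and_network_security", "#Application_security",
        "#Secure_configuration", "#Identity_and_access_management",
        "#Threat_and_vulnerability_management", "#Continuity",
        "#Supplier_relationships_security", "#Legal_and_compliance",
        "#Information_security_event_management", "#Information_security_assurance",
    },
    "domains": {"#Governance_and_Ecosystem", "#Protection", "#Defence", "#Resilience"},
}
KNOWN_TAGS = set().union(*ATTRIBUTES.values())
CIA = {"#Confidentiality", "#Integrity", "#Availability"}

# Constructed SoA excerpt: control id, title, status, attribute tags.
# Tag assignments are illustrative; "8.16" carries a deliberate typo (#Defense).
SOA = [
    {"id": "5.1", "title": "Policies for information security", "status": "Implemented",
     "tags": CIA | {"#Preventive", "#Identify", "#Governance", "#Governance_and_Ecosystem"}},
    {"id": "5.7", "title": "Threat intelligence", "status": "Planned",
     "tags": CIA | {"#Preventive", "#Detective", "#Corrective", "#Identify", "#Detect",
                    "#Respond", "#Threat_and_vulnerability_management", "#Defence", "#Resilience"}},
    {"id": "8.8", "title": "Management of technical vulnerabilities", "status": "Implemented",
     "tags": CIA | {"#Preventive", "#Identify", "#Protect",
                    "#Threat_and_vulnerability_management", "#Protection", "#Defence"}},
    {"id": "8.16", "title": "Monitoring activities", "status": "Implemented",
     "tags": CIA | {"#Detective", "#Corrective", "#Detect", "#Respond",
                    "#Information_security_event_management", "#Defense"}},
    {"id": "7.2", "title": "Physical entry", "status": "Not applicable",
     "tags": CIA | {"#Preventive", "#Protect", "#Physical_security", "#Protection"}},
]

# Constructed crosswalk, direction ISO 27002:2022 control -> NIST CSF 1.1 subcategory.
CROSSWALK = {"5.1": ["ID.GV-1"], "5.7": ["ID.RA-2"], "8.8": ["ID.RA-1"],
             "8.16": ["DE.CM-1"], "7.2": ["PR.AC-2"]}


def unknown_tags(soa):
    """{control_id: sorted tags not in the ISO 27002:2022 vocabulary}."""
    return {c["id"]: sorted(c["tags"] - KNOWN_TAGS)
            for c in soa if c["tags"] - KNOWN_TAGS}


def missing_attribute_groups(control):
    """Attribute groups for which the control carries no valid tag at all."""
    return [g for g, vocab in ATTRIBUTES.items() if not control["tags"] & vocab]


def select(soa, *required):
    """Ids of controls carrying every tag in `required`, in SoA order."""
    want = set(required)
    return [c["id"] for c in soa if want <= c["tags"]]


def coverage(soa, crosswalk, targets):
    """For each target-framework item, what the source SoA gives you.
    Only 'Implemented' source controls count; a 'Not applicable' or 'Planned'
    source is a gap on the target side, and a target nothing maps to is
    reported as 'unmapped' instead of being silently assumed covered."""
    status = {c["id"]: c["status"] for c in soa}
    by_target = defaultdict(list)
    for src, dsts in crosswalk.items():
        for d in dsts:
            by_target[d].append(src)
    result = {}
    for t in targets:
        srcs = by_target.get(t, [])
        done = [s for s in srcs if status.get(s) == "Implemented"]
        if not srcs:
            result[t] = "unmapped"
        elif done:
            result[t] = "covered via " + ",".join(done)
        else:
            result[t] = "gap (" + ",".join(f"{s}:{status.get(s)}" for s in srcs) + ")"
    return result


if __name__ == "__main__":
    print("unknown tags:", unknown_tags(SOA))
    print("8.16 missing groups:", missing_attribute_groups(SOA[3]))
    print("#Detect + #Defence:", select(SOA, "#Detect", "#Defence"))
    print(coverage(SOA, CROSSWALK, ["ID.GV-1", "ID.RA-2", "DE.CM-1", "PR.AC-2", "RS.AN-1"]))
```

Run the tag check before any filtered view: because of the typo, "8.16" is absent from the #Detect + #Defence selection even though it is the most obvious detection control in the excerpt. On the crosswalk side, the direction is ISO to CSF only; a "Not applicable" ISO control does not make the mapped CSF subcategory disappear, and a CSF subcategory nothing maps to (RS.AN-1 here) is a question for the mapping's exhaustiveness, not evidence of compliance.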
Questions?
Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
• www.linkedin.com/in/andreyprozorov
• www.patreon.com/AndreyProzorov
May the Cybersecurity Frameworks Force be with you!
