2. About K2A Training Academy
K2A ISO Training Academy is the training division of K2A Management Co., Ltd, established in 2016 in Cambodia to provide ISO trainings and personal certifications. Our ISO trainings emphasize practical learning under our tutors’ guidance, so that you can apply the new knowledge and skills in your own organization after the training.
3. Course Objectives
ISMS Objectives & Scope: Learn about the objectives and scope of the ISO 27001 Standard in respect of the Information Security Management System (ISMS).
ISMS Significance: Understand the significance of safeguarding organizational data and information in the light of possible threats, both external and internal.
ISMS Risks: Acquire greater awareness of the underlying risks and receive exposure to typical measures to mitigate those risks within one’s own organization.
4. Key Topics
▪ Information Security Background
▪ Information Assets
▪ ISMS Benefits
▪ ISMS Requirements
▪ Risks & Annex-A Controls
▪ Annex-A Changes
5. 1. What is Information Security?
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
6. Information Security
• The organization must determine which assets can materially affect the delivery of a product or service by their absence or degradation.
• Information Security Management relates to all types of information, be it paper-based, electronic or other.
• It determines how information is processed, stored, transferred, archived and destroyed.
• Information is secure when its Confidentiality, Integrity, and Availability are ensured.
• It is all about protecting information assets from potential security breaches.
7. Information Assets
“An asset is something that has value to the organization.”
8. Information Assets
▪ Business data (stored in computers)
▪ E-mail data (transmitted across networks)
▪ Employee information (stored in software or hard files)
▪ Research records (stored on disc or paper)
▪ Cost of product (stored on disc or paper)
▪ Tender documents (stored on computers)
▪ Spoken conversations over the telephone (held on micro SIM)
9. Consideration
▪ Are the systems responsible for delivering, storing and processing information accessible when needed?
▪ Are the systems accessible to only those who need them?
10. Core Values
Confidentiality: Ensures the data is private and confidential and protected against unauthorised access.
Integrity: Protection of data against unauthorized modification or substitution.
Availability: Information or systems accessible to only those who need them.
Threats: Risks during delivering, storing and processing information.
11. Needs of ISMS
▪ Protection of the entire organization
▪ Framework for managing information security risks
▪ Regulatory and legal protection
13. ISO 27001
Secure your information: secure information through the use of security controls.
Centrally managed framework: a centrally managed framework for an organization to establish, implement, operate, monitor and review its ISMS.
Respond to evolving security threats: reduces the threat of continually evolving risks.
Reduce costs: reduces information security costs by establishing a set of standardised procedures and controls.
Protect confidentiality and integrity of data: the ISMS protects the confidentiality, availability and integrity of information by implementing controls and processes.
Resilience to cyber attacks: increases resilience to cyber attacks by increasing awareness of potential threats.
15. 27000 Series of Standards
27000: Vocabulary
27001: Information Security Management System Requirements
27002: Code of Practice
27003: Information technology – Security techniques – Information security management system implementation guidance
27004: Information technology – Security techniques – Information security management – Measurement
27005: Information technology – Security techniques – Information security risk management
27006: Requirements for bodies providing audit and certification of information security management systems
27007: Guidelines for auditors on information security controls
27008: Guidelines for auditors on information security controls
27011: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
27799: Information security management in health using ISO/IEC 27002
16. 27001 Revisions
1992: A Code of Practice for Security Management
1995: British Standard BSI BS 7799
2000: ISO/IEC 17799
2005: ISO/IEC 27001:2005
2013: ISO/IEC 27001:2013
2022: ISO/IEC 27001:2022 (newer version, October 2022)
17. ISO 27001:2022
Context and scope: You must now identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS.
Planning: Information security objectives must now be monitored and made “available as documented information”.
Support: The requirements to define who will communicate and the processes for effecting communication have been replaced by a requirement to define “how to communicate”.
18. ISO 27001:2022
Operation: The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria.
Performance and evaluation: Methods of monitoring, measuring, analysing and evaluating the effectiveness of the ISMS now need to be comparable and reproducible. The management review must now also consider changes in the needs and expectations of interested parties.
Annex A: Annex A has been revised to align it with ISO 27002:2022. It lists 93 controls rather than ISO 27002:2013’s 114.
20. ISO 27001:2022 Clause Structure
Mandatory process clauses:
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
Annexure A: Control Objectives
▪ 4 themes
▪ 5 types of ‘attribute’
▪ 93 controls
21. Supporting Standards
ISO 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO 27017: Code of practice for information security controls for cloud services
ISO 27032: Guidelines for cyber security
23. ISO 27001:2013 Certified Companies
2022 or early 2023: Conduct a readiness assessment to understand the changes that will be required.
2023:
▪ Review and modify ISMS policies and supporting documentation.
▪ Implement new controls or modify existing controls.
Late 2023 or 2024: Start to get certified against the new release.
24. Companies Seeking First Certification
Readiness Assessment: Conduct a readiness assessment to understand the changes that will be required.
Gap Remediation: Review, create and implement policies, procedures, and documentation based on readiness assessment results.
Control Implementation: Implement new controls or modify existing controls.
Internal Audit: Schedule and conduct an internal audit.
Get Ready for External Audit: Two-part (e.g., Stage 1 and Stage 2) external audit.
25. Requirements
ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
26. Major Changes
Clause 4.2 Understanding the Needs and Expectations of Interested Parties:
A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.
Clause 4.4 Information Security Management System:
New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS.
27. Major Changes
Clause 6.2 Information Security Objectives and Planning to Achieve Them:
Now includes additional guidance on the information security objectives. This gives more clarity about how objectives should be monitored regularly and formally documented.
Clause 6.3 Planning of Changes:
This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned for.
Clause 8.1 Operational Planning and Control:
Additional guidance was added for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.
28. Additional Major Changes
Clause 5.3 Organizational Roles, Responsibilities, and Authorities:
A minor update to the language clarified that roles relevant to information security are to be communicated within the organization.
Clause 7.4 Communication:
Subclauses a-c remain the same. But subclauses d (who should communicate) and e (the process by which communication should be effected) have been simplified and combined into a newly renamed subclause d (how to communicate).
29. Additional Major Changes
Clause 9.2 Internal Audit:
This clause was changed, but not materially. It essentially just combined what already existed between Clause 9.2.1 and 9.2.2 into one section.
Clause 9.3 Management Review:
A new item was added to clarify that the organization’s management review shall include consideration of any changes to the needs and expectations of interested parties. It’s important to note any changes, as they are instrumental to the scope of the ISMS that’s determined in Clause 4 (and based on those needs and expectations). For example, if an organization’s Board of Directors wants to go public, the organization must consider how the change in priorities would impact the ISMS.
30. Additional Major Changes
Clause 10 Improvement:
Structural changes to this clause now list Continual Improvement (10.1) first, and Nonconformity and Corrective Action (10.2) second.
31. Changes to Annex-A
In ISO 27001:2022 structural changes were made to the Annex A controls. Control groups have been reorganized and the overall number of controls has decreased.
32. Changes to Annex-A
High Level Changes
▪ 11 new controls were introduced
▪ 57 controls were merged
▪ 23 controls were renamed
▪ 3 controls were removed
33. Changes to Annex-A
In ISO 27001:2013, controls were organized into 14 different domains. In the new update, controls are placed into the following four themes instead:
▪ People controls (8 controls)
▪ Organizational controls (37 controls)
▪ Technological controls (34 controls)
▪ Physical controls (14 controls)
34. New Controls within ISO 27001:2022 Annex A
The largest change within Annex A is around the 11 new controls which were introduced. Organizations that are currently certified under ISO 27001:2013 will need to ensure proper processes are in place to meet these new requirements, or will need to create new processes to incorporate these controls into their existing ISMS.
36. Additional new controls within ISO 27001:2022 include:
A.5.7 Threat Intelligence:
This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.
A.5.23 Information Security for Use of Cloud Services:
This control emphasizes the need for better information security in the cloud and requires organizations to set security standards for cloud services and have processes and procedures specifically for cloud services.
37. Additional new controls within ISO 27001:2022 include:
A.5.30 ICT Readiness for Business Continuity:
This control requires organizations to ensure information and communication technology can be recovered/used when disruptions occur.
A.7.4 Physical Security Monitoring:
This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them, so the organization is aware in the event of a breach.
38. Additional new controls within ISO 27001:2022 include:
A.8.9 Configuration Management:
This control requires an organization to manage the configuration of its technology, to ensure it remains secure and to avoid unauthorized changes.
A.8.10 Information Deletion:
This control requires the deletion of data when it’s no longer required, to avoid leaks of sensitive information and to comply with privacy requirements.
39. Additional new controls within ISO 27001:2022 include:
A.8.11 Data Masking:
This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.
A.8.12 Data Leakage Prevention:
This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.
40. Additional new controls within ISO 27001:2022 include:
A.8.16 Monitoring Activities:
This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.
A.8.23 Web Filtering:
This control requires organizations to manage which websites users access, to protect IT systems.
A.8.28 Secure Coding:
This control requires secure coding principles to be established within an organization’s software development process, to reduce security vulnerabilities.
43. What Should I do Next?
It’s important to note that this new update does not impact your existing certification. Certification against ISO 27001:2013 is still allowed until October 31, 2023.
But companies should begin to update controls and processes to comply with the requirements in this new revision as soon as possible.