In today's digital age, cybersecurity is more critical than ever. Hence, it is crucial to stay informed and prepared. Amongst others, the webinar covers: • ISO/IEC 27032:2023 and ISO/IEC 27701 and their key components • The standard’s alignment • Emerging Cybersecurity Threats • What is new to the ISO/IEC 27032:2023 Presenters: Madhu Maganti Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes. Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting. Jeffrey Crump Mr. Jeffrey Crump is the Principal Consultant at Arizona-based Cyber Security Training and Consulting LLC and a graduate of the Certified NIS 2 Directive Lead Implementer course. He is a Certified CMMC Assessor, Certified CMMC Professional, and Instructor. Mr. Crump is also the author of Cyber Crisis Management Planning: How to reduce cyber risk and increase organizational resilience. His book has been expanded into a triad of certification courses on cyber crisis planning, exercises, and leadership. Date: October 25, 2023 ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032 Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/a21uasr8aLs

2. Agenda
 Introduction
 Recent events
 ISO27032:2023
 ISO27071:2019
 Alignment
 Emerging Cyber Threats
 Q&A

3. Jeffrey CRUMP
Principal Consultant
Cyber Security Training and Consulting LLC
JCrump@CyberSecurityTrainingCo.com
+1.602.821.5131

4. Madhu Maganti
Partner, Risk Advisory
Baker Tilly US LLP
Madhu.Maganti@bakertilly.com
+1.346.201.6024
• 20+ years of experience helping companies
with implementing Cybersecurity and
Compliance Programs
• Partner-in-charge on risk-based engagements,
including cybersecurity risk assessments,
HIPAA compliance, GDPR/CCPA compliance,
SOX compliance, business process
improvement, SOC-2 attestation and other
information security related services
• Managed end-to-end NIST/ISO assessments for
clients across various industries
• Initiated the SOX IT program for a Fortune 50
organization while developing strong audit
tools for increased productivity and efficiency
• Designed patent-pending tools that have saved
a Fortune 50 organization over $100 million
year over year

5. MGM Resorts
Threat actors were able to
exfiltrate information,
including names, phone
numbers, addresses,
Social Security numbers,
driver's license numbers,
and passport numbers.
Data Points
Operational Impact 10-day Outage
Financial Impact US$ 100M
Attack
Sophistication
Low

6. CaaS
The illegal marketplace
‘RaidForums’ has been
shut down and its
infrastructure seized as a
result of OPERATION
TOURNIQUET, a complex
law enforcement effort
coordinated by Europol to
support independent
investigations of the
United States, United
Kingdom, Sweden,
Portugal, and Romania.
The forum’s administrator
and two of his
accomplices have also
been arrested.

7. How 27032 and 27701 and their supporting controls align
High-Level Relationships
ISO/IEC
27032
ISO/IEC
27701
Partial
ISO/IEC 27002

8. What’s the Difference?
ISO 27032 and ISO 27701
ISO/IEC 27032:2023 (Internet Security) and
ISO/IEC 27701:2019 (Privacy Information
Management) are two unique frameworks
designed to expand an organization’s risk-
based management approach beyond what is
defined in ISO/IEC 27001.
ISO/IEC
27032:2023
ISO/IEC
27701:2019
Certification Available? ✘ ✔
Compliance Driven? ✘ ~
Expands on 27001? ✔ ✔
Coverage areas:
IS Management ✘ ✘
Data Privacy ✘ ✔
Internet Security ✔ ✘
Risk Assessment ~ ~

9. Purpose:
• To enhance security at organizations who use the internet
to conduct business
Coverage:
• Cites 50 controls from ISO 27002, including 25
organizational controls, 2 people-related controls, and 23
technological controls.
• Controls are broken into the following categories: Secure
Coding, Network Monitoring and Response, Server-level,
Application-level, Endpoint-level.
Risk Assessment:
• Provides information and refers to ISO 27005.
Purpose:
• To provide guidance on creating a Privacy Information
Management System (PIMS)
Coverage:
• 135 controls which extend or modify controls defined in
ISO 27001, and 49 new controls pertaining to PII.
• Controls are broken into the following 5 subcategories:
Security Management, Information Security Risk
Management, Information Security, Information Security
Incident Management, and Business Continuity
Management
Risk Assessment:
• References ISO 27001 and GDPR, but does not contain
additional information.
Key Components
ISO 27032 and ISO 27701
ISO/IEC
27032:2023
ISO/IEC
27701:2019

10. Key Changes from 2012 to 2023
What’s New in ISO 27032?
The scope of the standard has been
restricted to primarily cover Internet
Security.
Subject matter has been updated to
reflect the current threat landscape.
Additional guidance on conducting
risk assessments and mitigating
risks has been included.
Included controls have been
mapped back to ISO 27002 in Annex
A.
Significant change in document structure, condensing the framework from 54 distinct
sections to 41

11. July 2022 till June 2023
Incidents by Threat Type
Source: ENISA Threat Landscape 2023

12. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC
27032:2023
Controls for Internet Security ISO/IEC 27002 Controls
Policies for Internet security Policies for information security | Management responsibilities
Access control Access control | Identity management | Access rights | Privileged access rights |
Use of privileged utility programs
Education, awareness and training Information security awareness, education and training
Security incident management Threat intelligence | Information security incident management planning and
preparation | Assessment and decision on information security events | Response
to information security incidents | Learning from information security incidents |
Collection of evidence | Information security event reporting
Asset management Inventory of information and other associated assets | Acceptable use of
information and other associated assets | Return of assets | Classification of
information

13. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC
27032:2023
Controls for Internet Security ISO/IEC 27002 Controls
Supplier management Information security in supplier relationships | Addressing information security
within supplier agreements | Managing information security in the ICT supply chain
| Monitoring, review, and change management of supplier services | Information
security for use of cloud services
Business continuity over the Internet Information security during disruption | ICT readiness for business continuity |
Information backup | Redundancy of information processing facilities
Privacy protection over the Internet Privacy and protection of PII | Data masking
Vulnerability management Management of technical vulnerabilities | Configuration management | Installation
of software on operational systems
Network management Monitoring activities | Network security | Security of network services | Segregation
of networks
Protection against malware Protection against malware

14. New US Department of Defense supply chain security program
Supplier/Supply Chain Spotlight: CMMC
Single use animation rights
granted to PECB by Cyber
Security Training and
Consulting LLC

15. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC
27032:2023
Controls for Internet Security ISO/IEC 27002 Controls
Change management Change management
Identification of applicable legislation and
compliance requirements
Collection of evidence | Legal, statutory, regulatory and contractual requirements |
Protection of records
Use of cryptography Use of cryptography
Application security for Internet-facing
applications
Web filtering | Use of cryptography | Secure development life cycle | Application
security requirements | Secure system architecture and engineering principles |
Secure coding | Security testing in development and acceptance
Endpoint device management User endpoint devices | Configuration management
Monitoring Logging | Monitoring activities

16. Endpoint
Risk
Pre-installed systems on
Chinese Android
smartphones have raised
concerns due to
dangerous privileges
granted to vendor and
third-party applications.
Criminal enterprises have
also infected millions of
devices worldwide, turning
them into mobile proxies
for fraudulent activities
and generating illicit
revenue.

17. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC 27001 Controls Remarks
Context of the organization Additional PIMS-specific requirements
Leadership No additional PIMS-specific requirements
Planning Additional PIMS-specific requirements
Support No additional PIMS-specific requirements
Operation No additional PIMS-specific requirements
Performance evaluation No additional PIMS-specific requirements
Improvement No additional PIMS-specific requirements
ISO/IEC
27701:2019
NOTE: The requirements of ISO/IEC 27001:2013 mentioning “information security” shall be extended to the protection of privacy as
potentially affected by the processing of PII.
NOTE: In practice, where “information security” is used in ISO/IEC 27001:2013, “information security and privacy” applies instead.

18. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC 27002 Controls Remarks
Information security policies Additional guidance
Organization of information security Additional guidance
Human resource security Additional guidance
Asset management Additional guidance
Access control Additional guidance
Cryptography Additional guidance
Physical and environmental security Additional guidance
Operations security Additional guidance
ISO/IEC
27701:2019

19. Identify lowest common denominator
Standards Alignment: Step 1
ISO/IEC 27002 Controls Remarks
System acquisition, development and
maintenance
Additional guidance
Supplier relationships Additional guidance
Information security incident management Additional guidance
Information security aspects of business
continuity management
No PIMS-specific guidance
Compliance Additional guidance
ISO/IEC
27701:2019

20. Control commonalities and differences
Standards Alignment: Step 2
ISO/IEC 27002 Controls:
 Policies for Internet security
 Access control
 Security incident management
 Asset management
 Supplier management
 Business continuity over the Internet
 Identification of applicable legislation and compliance requirements
 Use of cryptography
• Education, awareness and training
• Privacy protection over the Internet
• Vulnerability management
• Network management
• Protection against malware
• Application security for Internet-facing applications
• Endpoint device management
• Monitoring
• Change management
ISO/IEC 27002 Controls:
 Information security policies
 Access control
 Information security incident management
 Asset management
 Supplier relationships
 Information security aspects of business continuity management
 Compliance
 Cryptography
• Organization of information security
• Human resource security
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
ISO/IEC
27032:2023
ISO/IEC
27701:2019

21. Harmonized
Approach
• Know your
requirements
• Identify opportunities
for harmonization,
reciprocity and non-
duplication
• Security objectives: CIA
triad
• Operational elements:
people, process and
technology

22. What to look out for
Emerging Cybersecurity Threats
Ransomware:
Attackers are transitioning towards stealing your data instead of just encrypting it,
threatening to leak sensitive information if payment is not received.
Supply Chain Vulnerabilities:
Attackers are focusing additional effort on compromising vendors used for day-
to-day activities as a way of breaching multiple organizations in one fell swoop.
Increased Reliance on Cloud Computing
As cloud computing and SaaS platforms continue to grow in popularity, many
users are just “transferring” risks as opposed to truly mitigating them.

23. THANK YOU
Q&A
Madhu.maganti@bakertilly.com madhumaganticpa
jcrump@cybersecuritytrainingco.com crumponcyber