
ISO/IEC 27001 and ISO 22301: How do they map?
An organization should enable continual operation of its information security after each incident. That means that information security and business continuity have one thing in common, which is the protection of the availability of information.

Amongst others, the webinar covers:

• ISO27001 ‘Information Security Management System’ Overview
• ISO22301 ‘Business Continuity Management System’ Overview
• Improving an ISO27001 Continuity Plan with ISO22301


Presenters:

Rod Crowder

Rod is the Founder, Managing Director & Principal Consultant of OpsCentre, a boutique provider of Risk Management, Crisis and Business Continuity, IT Disaster Recovery, Information Security and IT Service Management consultancy and training. He is the Australia and New Zealand Country Representative and Lead Instructor for Disaster Recovery Institute International, the oldest and largest NFP organization serving resilience professionals. He has over 25 years' experience in Risk, Resilience, BCP, ITDRP and Information Security projects across Asia Pacific, for 140+ clients and over 420 client consultancy projects.

He chairs the Adaptive Business Continuity Advisory Group; an international think-tank committed to developing new resilience and business continuity methodologies and practices.

Rudy Shoushany

Rudy is a motivational digital leader and keynote speaker. He has wide experience in digital transformation in the financial sector, with over 22 years of experience assisting organizations.

His specialty is ICT strategy in Digital Transformation, Governance, Compliance, Blockchain and Cybersecurity. Rudy is a certified professional with many achievements and awards, trained in executive leadership and coaching by PwC. He graduated from the University of South Africa, with certification from Stanford in Cybersecurity Strategies and from Boston University in Digital Transformation.
Rudy was recently selected for the Forbes Technology Council and named a top 25 Global Thought Leader and Influencer in Technology and one of the Top 100 Leaders in Governance in digital transformation innovation. He serves as a board member, coach, judge and mentor for various organizations and startups.

Date: September 14, 2022

Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/article/business-continuity-management-advice-for-employers--covid-19-coronavirus-outbreak
https://pecb.com/article/investing-in-information-security-awareness
Webinars: https://pecb.com/webinars


ISO/IEC 27001 and ISO 22301: How do they map?

  1. Agenda
     • Introductions
     • ISO27001 ‘Information Security Management System’ Overview
     • ISO22301 ‘Business Continuity Management System’ Overview
     • Improving an ISO27001 Continuity Plan with ISO22301
     • Case Studies, Implementation examples and Challenges
  2. Introductions
     Rudy Shoushany, Strategist in Governance of Cybersecurity & Digital Transformation
     Rod Crowder, Author, Speaker, and Managing Director at OpsCentre
  3. ISO/IEC 27001 Information Security Management System Overview
  4. What is ISO/IEC 27001 ISMS?
     • ISO 27001 is the international standard for information security
     • It sets out the specification for an Information Security Management System (ISMS)
     • ISO27001 helps organizations manage information security via people, process and technology
     • Certification to ISO27001 is recognised worldwide
  5. Four Key Benefits of ISO/IEC 27001
     • Compliance
     • Reduced Expenses
     • Marketing Edge
     • Place your organisation in order
  6. ISO/IEC 27001: A Global Standard on ISMS
     ISO/IEC 27001 has:
     • 14 Control Areas (or ‘Domains’)
     • 34 Control Objectives
     • 114 Individual Control Points
  7. ISO/IEC 27001 Control Areas
  8. ISO/IEC 27001 Compliance Steps
     8 Steps to Compliance:
     • Organization Context
     • Scope
     • Leadership
     • Planning
     • Organization Context
     • Operations
     • Performance
     • Improvement
  9. ISO/IEC 27001 PDCA Cycle
     ISO/IEC 27001 describes the structure of the framework and uses the Plan-Do-Check-Act cycle (PDCA cycle).
  10. 2022 Changes to ISO/IEC 27001
     How will the 2022 changes affect my current ISO/IEC 27001 certificate? In our opinion, the best way to comply with these changes is:
     1. To update your risk treatment process with new controls
     2. To update your Statement of Applicability
     3. To adapt certain sections in your existing policies and procedures
  11. ISO/IEC 27001 New Controls introduced in 2022
  12. ISO 22301 Business Continuity Management System Overview
  13. What is Business Continuity Management?
     Business Continuity Management assists an organization to continue its critical business operations in the event of a significant incident or business disruption. A Business Continuity Framework provides a structured response to an incident, minimizing the overall impact to the organisation and its key internal and external stakeholders.
  14. Scope of ISO 22301
     “The ISO 22301 International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system. The goal is to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
  15. Business Disruption Incidents
     Business Continuity Plans focus on what resources are impacted rather than what incident has happened.
     Loss of, or impact to Premises
     • Fire
     • Flood
     • Utility Loss
     • Denial of Access
     • Civil disturbance
     Loss of, or impact to People
     • Pandemic or Epidemic
     • Unexpected loss or absence of key Personnel
     • Large scale of people impacted
     • Travel/transport incident
     Loss of, or impact to ICT
     • Local/external network
     • Data centre outage
     • Communications
     • Hardware/software failure
     • Cyber security incident
     Loss of, or impact to Key Suppliers
     • Key suppliers experience an event/disaster
     • Product supply impact
     • Industry-wide impact
  16. ISO 22301 Structure
     Similar to ISO/IEC 27001, ISO 22301 specifies the requirements for setting up and managing a BCMS.
     Requirements (Sections 4 to 10)
     • Section 4 Context of the Organisation
     • Section 5 Leadership
     • Section 6 Planning
     • Section 7 Support
     • Section 8 Operations
       • 8.1 Operational Planning & Control
       • 8.2 Business Impact Analysis and Risk Assessment
       • 8.3 Business Continuity Strategy
       • 8.4 Establish and Implement Business Continuity Procedures
       • 8.5 Exercising & Testing
     • Section 9 Performance Evaluation
     • Section 10 Improvement
  17. ISO 22301 Structure
     Similar to ISO/IEC 27001, ISO 22301 specifies the requirements for setting up and managing a BCMS.
     Requirements (Sections 4 to 10)
     • Section 4 Context of the Organisation
     • Section 5 Leadership
     • Section 6 Planning
     • Section 7 Support
     • Section 8 Operations
       • 8.1 Operational Planning & Control
       • 8.2 Business Impact Analysis and Risk Assessment
       • 8.3 Business Continuity Strategy
       • 8.4 Establish and Implement Business Continuity Procedures
       • 8.5 Exercising & Testing
     • Section 9 Performance Evaluation
     • Section 10 Improvement
     Key Business Continuity Content: ‘Section 8: Operations’
     • 8.1 Operational Planning & Control
     • 8.2 Business Impact Analysis and Risk Assessment
     • 8.3 Business Continuity Strategy
     • 8.4 Establish/Implement Business Continuity Procedures
     • 8.5 Exercising & Testing
  18. ISO 22301 & ISO/IEC 27001 Mapping
     Source: https://www.isaca.org/resources/isaca-journal/issues/2015/volume-2/simultaneous-implementation-of-an-integrated-isms-and-a-bcms
     1. Both standards protect Availability, but ISO 27001 also focuses on Confidentiality and Integrity
     2. Both are based on the Plan-Do-Check-Act (PDCA) cycle
     3. Both work towards Risk Management with different objectives, but similar goals
  19. ISO 22301 & ISO/IEC 27001 Differences
     ISO27001 Information Security
     • Focuses on preserving the CIA (Confidentiality, Integrity and Availability) of Information
     • Technology/Information focus
     • Protection / Pre-Incident focus
     ISO22301 Business Continuity
     • Focuses on recovery and restoration of critical business functions and processes after a disaster/incident
     • Business-wide focus (People, Technology, Premises & 3rd Parties)
     • Response / Post-Incident focus
     Common Management System: 4 – Context of the Organisation; 5 – Leadership; 6 – Planning; 7 – Support; 8 – Operation; 9 – Performance Evaluation; 10 – Improvement
     Domain A.17 Information Security Continuity: ISO22301 provides implementation guidance for ISO27001 A.17
  20. Improving an ISO/IEC 27001 Continuity Plan with ISO 22301
  21. How ISO 22301 supports ISO/IEC 27001
     ISO/IEC 27001 Information Security Requirements
     • A.17.1.1 Determine its requirements for information security and the continuity of information security management in adverse situations
     • A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
     • A.17.1.3 Verify the established and implemented information security controls at regular intervals in order to ensure that they are valid and effective during adverse situations
     ISO 22301 Supporting Guidance
     • 8.2.2 – Business Impact Analysis
     • 8.2.3 – Business Continuity Strategy
     • 8.3.2 – Establishing Resource Requirements
     • 8.4.1 – Establish & Implement BC Procedures
     • 8.4.2 – Incident Response Structure
     • 8.4.4 – Business Continuity Plans
     • 8.5 – Exercising & Testing
     • 9.1 – Performance Evaluation
     • 10.0 – Improvement
  22. A.17.1.1 Determine Requirements
     ‘A.17.1.1 Determine requirements for information security and the continuity of information security management in adverse situations’
     ISO 22301 Guidance: 8.2.2 – Business Impact Analysis; 8.3.1 – Business Continuity Strategy; 8.3.2 – Establish Resource Requirements
     Business Impact Assessment
     • Determine Key Activities by time and their criticality, including peak periods and time variables
     • Key Resources: People, IT Systems & Applications, information, records, and supply chains to achieve objectives
     • Inter-dependencies and how they may be affected by a disruption
     • Possible impacts (i.e. financial, customer, legal, reputation, compliance, staffing)
     • Risk Assessment: identify and analyse disruption-related risks that need treatment
     Business Continuity Strategies
     • Determine Strategies to protect activities, respond to incidents, prioritise resumption timeframes
     • Consider Proactive Measures to reduce the likelihood, shorten the disruption and limit the impact
     Business Continuity Resource Requirements
     • Determine Resources needed (people, information, data, premises, IT systems and applications, finance, 3rd party partners and suppliers)
  23. A.17.1.2 Establish Plans
     ‘A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation’
     ISO 22301 Guidance: 8.4.1 – Establish Process & Procedures; 8.4.2 – Incident Response Structure; 8.4.4 – Business Continuity Plans
     Establish Processes & Procedures
     • Establish Communications
     • Determine Immediate Steps
     • Respond to unanticipated threats
     • Focus on disruptive events
     • Minimise consequences
     Incident Response Structure
     • Identify incident thresholds
     • Activate BC Response
     • Define processes and procedures
     • Ensure resources are available
     • Communicate with stakeholders
     Business Continuity Plans
     • Define Roles & Responsibilities
     • Response activation
     • Manage immediate incident consequences
     • Recover prioritised activities
     • Define Communications Strategy
     • Post incident stand-down
     ISO22301 provides guidance to:
     • Establish Processes and Procedures
     • Define an Incident Response Structure
     • Develop Business Continuity Plans
  24. A.17.1.3 Verify Controls
     ‘A.17.1.3 Verify the information security controls at regular intervals to ensure that they are valid and effective during adverse situations’
     ISO 22301 Guidance: 8.5 – Exercising & Testing; 9.1 – Performance Evaluation; 10.0 – Improvement
     Exercise & Test
     • Appropriate Scenarios
     • Validate BCMS requirements
     • Minimise risk of disruption
     • Develop post-exercise reports
     • Review for Continual Improvement
     • Conduct at planned intervals
     Performance Evaluation
     • What should be monitored?
     • Monitoring Methods
     • Monitoring Frequency
     • Analysis of Results
     Improvement
     • Identify Nonconformities
     • React to Nonconformities
     • Eliminate Nonconformity causes
     • Implement corrective actions
     • Review effectiveness of corrective actions
     • Update BCMS if needed
     ISO22301 provides guidance for:
     • Exercising & Testing
     • Evaluating Performance
     • Continual Improvement
  25. Pitfalls & Implementation Challenges
  26. Pitfalls in ISO/IEC 27001 & ISO 22301
  27. ISO/IEC 27001 Implementation Challenges
     • Culture of the company
     • Top Management commitment
     • Scope effort (Time and Resources)
     • Risk assessment and Treatment
  28. THANK YOU – Q&A
     rod.crowder@opscentre.com
     https://www.linkedin.com/in/rodcrowder/
     https://www.linkedin.com/in/rudyshoushany/
     rudy@dxtalks.com

Editor's Notes

  • Webinar Invite

    How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301?
    For an organization to have a proper information security management system in place and to ensure that the business runs the same, even after incidents, it should be able to have a business continuity plan implemented as well.
    Register for our upcoming webinar and learn more on the mapping of ISO/IEC 27001 and ISO 22301.
  • 15 mins Rudy (ISO27001)
    15 mins Rod (22301)
    15 mins Focused Discussion - How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301
    Audience Questions

    Case studies, implementation examples, implementation challenges etc ?
  • Rudy Shoushany Strategist in Governance of Cybersecurity & Digital Transformation
    Rod Crowder Author, Speaker, and Managing Director at OpsCentre
  • ISO22301 specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). A BCMS emphasizes the importance of:
    understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,
    implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents,
    monitoring and reviewing the performance and effectiveness of the BCMS, and
    continual improvement based on objective measurement.

    ISO27001 specifies the requirements for setting up and managing an effective Information Security Management System (ISMS); which preserves the Confidentiality, Integrity and Availability (CIA) of information by applying a Risk Management process and gives confidence to interested parties that risks are adequately managed.
  • What is ISO 27001?
    Originally published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 makes up the core framework for the ISO 27000 series, a collection of documents outlining standards for information security management. ISO 27001, also known as ISO/IEC 27001, is the central set of certification standards for planning, implementing, operating, monitoring, and improving an information security management system (ISMS). The goal of ISO 27001 certification is the effective establishment and management of an ISMS.
    Information Security Management Systems (ISMS)
    An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets.
    An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes, and technology.
    Informed by regular information security risk assessments, an ISMS is an efficient, risk-based, and technology-neutral approach to keeping your information assets secure.

    Many use ISO 27001 as a guiding framework for developing and implementing information security best practices.

    It is built around 14 domains and 114 controls.
  • Four Key Benefits of ISO 27001
    In today’s market, competition is greater, and it is challenging to find something that protects your organization’s information and your customers’ data.
    ISO 27001 is a unique certification and can indeed be a selling point, especially if the organization is required to handle customer databases and information.
    Compliance: The first benefit of ISO 27001 is compliance. It might seem odd to list this as the top benefit, but it often shows the fastest “Return on Investment (ROI)”: if the organization must comply with various regulations regarding data privacy, data protection and IT governance (particularly in industries such as health, banking and government agencies), then ISO 27001 brings in a methodology that allows it to do so in the most efficient way.
    Marketing edge and business opportunities: In today’s market, competition is greater; it is challenging to find something that protects your organization’s information and your customers’ data. ISO 27001 is a unique certification and can indeed be a selling point, especially if the organization is required to handle customer databases and sensitive information.
    Reduce the expenses: EGS offers a broad range of network infrastructure, web applications, and mobile application security assessment services designed to detect and gauge security vulnerabilities. Take the FREE VAPT for up to 10 external IPs, worth $5,000 and get a customized report!
    Placing your organization in order: In companies that have been growing sharply for the last few years, you might experience problems such as who is responsible for certain information assets, who has to decide what, who has to authorize access, etc. Here ISO 27001 is an excellent means of sorting these things out: it forces you to define both roles and responsibilities very precisely, and therefore strengthens your internal organization.
  • How to implement an ISMS in your organization?
    The following is a generic process for implementing an ISO 27001 based ISMS in your organization:
    STEP 1: Build a team responsible for the ISMS. It should include all relevant departments.
    STEP 2: Identify all assets. Assign a value to each asset; the value can be the acquisition value or the loss value. Identify the owner of each asset. Assets can be of many kinds, such as:
    Information Assets
    Hardware Assets
    People Assets
    Building Assets
    Software Assets
    STEP 3: Identify and finalize a risk analysis technique. Train your ISMS team in this risk analysis technique.
    STEP 4: Conduct a risk analysis and evaluate risks to all assets
    STEP 5: Select controls and apply them
    STEP 6: Conduct an internal audit
    STEP 7: Conduct a management review

  • 14 domains, 114 controls
    A5 Information Security Policy (2 controls)
    Management needs to provide direction and support for information security in accordance with business requirements and relevant laws and regulations. In essence, your InfoSec team needs to create an information security policy. This document defines how your organization will set up your ISMS. It should contain a set of policies for management to communicate with employees and external parties (such as suppliers and customers).
    A6 Organizing information security (7 controls)
    Setting up a management framework to initiate and control the operation of information security within the organization. Your organization should think about roles and responsibilities as well as the segregation of duties. Who should communicate with special interest groups and authorities, and how? What about security during teleworking and the use of mobile devices?
    A7 Human resource security (6 controls)
    Information security within Human Resources is defined under section A7 of ISO 27001. It is divided into different stages: before, during, and termination or change of employment. All these requirements make sense within HR related processes, including prospective employee screening, communicating the terms and conditions of employment, disciplinary processes, and information and security awareness training.
    A8 Asset management (10 controls)
    Your company needs to create an inventory of all assets associated with information (including non-digital assets) and assign ownership. You should also think about the acceptable use, return, labelling, handling, and classification of those assets. Your organization will have to implement controls for media removal and define how to transfer or dispose of media.
    A9 Access control (14 controls)
    This set of controls handles user access control to systems, documents, and software. Your organization will need to write an access control policy, manage user access through registration, and review and adjust access rights on a regular basis. This topic also includes password management, source code restrictions, and the use of secret authentication information.
    A10 Cryptography (2 controls)
    The cryptographic controls are needed to ensure the protection of the confidentiality, authenticity, and the integrity of the information. Make sure you think about a mature encryption solution for hard disks and review your external information sharing solution(s). Encrypting (personal) information is also an obligation of the GDPR regulation.
    A11 Physical and environmental security (15 controls)
    The goal of implementing these controls is to prevent unauthorised access, damage and interference to information and facilities (buildings, IT rooms, development environment, etc.). It covers the secure areas and equipment of the organization. These controls include physical access controls, such as issuing keys (badges) or access codes to authorised personnel, and protection against natural disasters, malicious attacks and accidents.
    Another set of controls in this section covers how to handle equipment issues such as regularly scheduled maintenance, clean desk and screen policies, delivery of equipment. It also asks for guidelines on how to ensure appropriate protection for unattended equipment.
    A12 Operations security (14 controls)
    The Operations controls of ISO 27001 cover the securing of all operational matters of the processes within the scope of the ISMS, from documentation of procedures and event logging to protection against malware and management of technical vulnerabilities. Change and capacity management also deserve the necessary attention here. Taking and maintaining backups of information and software are also part of these controls.
    As an organization, you have a lot of work to do!
    A13 Communications security (7 controls)
    Within this chapter, a high-level network topology is an added value. Starting from this high-level map, you can dive more in depth to check the settings on firewalls, switches, access point, VLANs. Think also about network architecture and data flow diagrams.  In a clear policy you should define how information can be transferred between parties depending on their information classification. Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
    A14 System acquisition, development, and maintenance (13 controls)
    A14 aims to build security into the infrastructure of information systems. This includes requirements for information systems throughout the entire lifecycle, including design, testing, implementation, and analysis. Controls under A14 include securing applications used on public networks (A14.1.2) and protecting application services transactions (A14.1.3).
    This is also where the agreements and principles are drawn up about the safe development of software. Most of these checks apply to your developers and system engineers.
    A15 Supplier relationships (5 controls)
    With these 5 controls on supplier relationships, you must address security within supplier agreements, regularly monitor and assess supplier services, and manage supplier (service) changes to mitigate risk. Here lies the cause of the famous long Information Security Questionnaires you receive.
    A16 Information security incident management (7 controls)
    A16 is all about management of information security incidents, events and weaknesses. The objective in this Annex A area is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses. First of all, you should have proper procedures in place for handling security incidents, including incidents where personal information is involved (GDPR art. 33 & 34). In practice you should be able to demonstrate your reporting on security incidents: when it happened, what the impact was, what quick fix you put in place to contain the incident, and what corrective action you implemented after a Root Cause Analysis.
    A17 Information security aspects of business continuity management (4 controls) This is where we will see with Rod more on the BC side and the mapping
    One of the main reasons for implementing ISO 27001 is to guarantee the availability of the information (systems). A good business continuity plan, inclusive regular tests are key to achieve a level of peace of mind. Redundant equipment where appropriate also always contributes to the availability of information.
    A18 Compliance (8 controls)
    Follow your own rules! These controls ask your organization to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. Basically, they ask that the organization makes sure it complies with the policies and procedures laid out in the above requirements. A (yearly) penetration test also contributes to technical compliance.
    Pitfalls

  • The goal of the ISO 27001 Certification includes the following:
    Develop a security culture in an Organization
    Protect the company’s brand reputation
    Minimize information security risks
    Protect the company personnel information and data
    Ensure Confidentiality, Integrity and Availability
    Preserve the integrity of data
    Promote the availability of data for an authorized user
    Secure exchange of information between interested parties
    Save time and money.

    The ISO 27001 standard focuses on the requirements for an information security framework that relies on confidentiality (information is only available to authorized users), integrity (information is accurate and complete) and availability (authorized users have access to information when they need it).

    Technology/Information focus
    Protection / Pre-Incident focus
  • What is ISO 27002?
    ISO 27002, or ISO/IEC 27002:2022, provides guidance on the selection, implementation, and management of security controls based on an organization's information security risk environment.  In other words, it is a supplementary standard supporting ISO 27001 that goes into greater detail about the information security controls an organization may apply from the ISO 27001 list. ISO 27002 organizes the controls into 14 main groups, described under clauses 5-18: 
    A.5 Information security policies
    A.6 Organization of information security 
    A.7 Human resource security
    A.8 Asset management
    A.9 Access control
    A.10 Cryptography
    A.11 Physical and environmental security
    A.12 Operations security
    A.13 Communications security
    A.14 System acquisition, development, and maintenance
    A.15 Supplier relationships
    A.16 Information security incident management
    A.17 Information security aspects of business continuity management
    A.18 Compliance
    According to the International Organization for Standardization, ISO 27002 is designed to be used by organizations that intend to:
    Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
    Implement commonly accepted information security controls;
    Develop their own information security management guidelines.
    What is ISO 27003?
    ISO 27003, also called ISO/IEC 27003:2017, provides guidance for implementing an ISMS based on ISO 27001. The earlier edition, ISO/IEC 27003:2010, covered the process of ISMS specification and design from inception to planning. It described how to:
    obtain management approval to implement an ISMS 
    define an ISMS implementation project 
    plan the ISMS project 
    Organizations following that approach produce a final ISMS project implementation plan as the output. The 2017 edition instead gives guidance on each ISO 27001 requirement: its clauses 4 through 10 mirror the organization of ISO 27001, making them easy to compare and reference. The descriptions follow the same structure throughout:
    Required activity: Outlines key activities required in the corresponding subclause of ISO/IEC 27001.
    Explanation: Explains what the requirements of ISO/IEC 27001 imply.
    Guidance: Provides additional details and supporting information to implement the “required activity,” with examples.
    Other information: Supplies further information that can be considered.
    ISO 27001 vs. ISO 27002 
    The main difference between ISO 27001 and ISO 27002 is that ISO 27002 is a detailed supplementary guide to the security controls in the ISO 27001 framework. ISO 27002 provides best-practice guidance on selecting and implementing the controls listed in ISO 27001. These controls are referenced in Annex A of ISO 27001; in ISO/IEC 27001:2013 Annex A contains 114 controls divided into 14 control sets. But where ISO 27001 provides only a brief outline of each control, ISO 27002 describes them in depth, explaining how each control works, its purpose and objectives, and how it can be implemented. In other words, ISO 27002 is a supporting document and should be read alongside ISO 27001. 
    ISO 27001 vs. ISO 27003 
    ISO 27003 provides basic but comprehensive guidance for all the requirements of an information security management system described under ISO 27001. This includes recommendations (‘should’), possibilities (‘can’), and permissions (‘may’) related to those requirements.  However, ISO 27003 is not a certification standard like ISO 27001—organizations are under no obligation to follow the guidance in ISO 27003.
  • HOW WILL 2022 CHANGES AFFECT MY CURRENT ISO 27001 CERTIFICATE?
    The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will work with the certification bodies on a transition period that allows organisations certified to ISO 27001 to move to the newer version in an orderly way. Still, until the updated version of ISO 27001 is officially released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013; ISO 27002:2022 can be used as a reference source for additional controls beyond that list.
  • The updated ISO/IEC 27002:2022 has been restructured into four themes (organizational, people, physical and technological controls) and contains 93 controls.
  • Business Continuity Management is a program that assists an organisation to continue its critical business operations in the event of a significant incident or business disruption. This is achieved by identifying the critical business functions, processes and resources to build a Business Continuity Plan that provides response and recovery strategies.
    A Business Continuity Framework provides a structured response to an incident, minimising the overall impact to the organisation and its key internal and external stakeholders (employees, clients, community, public, government, suppliers and other stakeholders).

    ISO22301 specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). A BCMS emphasizes the importance of:
    understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,
    implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents,
    monitoring and reviewing the performance and effectiveness of the BCMS, and
    continual improvement based on objective measurement.


  • Requirements (Sections 4 to 10)
    Section 4 Context of the Organisation
    Section 5 Leadership
    Section 6 Planning
    Section 7 Support
    Section 8 Operations
    8.1 Operational Planning & Control
    8.2 Business Impact Analysis and Risk Assessment
    8.3 Business Continuity Strategy
    8.4 Establish and Implement Business Continuity Procedures
    8.5 Exercising & Testing
    Section 9 Performance Evaluation
    Section 10 Improvement

  • A.17 defines Information Security Continuity but does not provide any details of how to achieve it. This is where 22301 supports 27001.

    ISO22301:
    Business Focus, not just Information/Technology Focus
    Responds to multiple types of Events – People, Technology, Premises and Third-Parties
    Can be used to support implementation of the ISO 27001 ISMS control set A.17
  • Workarounds and/or preventative countermeasures that can be implemented in the event of a major business disruption


  • 1 – Establish Processes, Procedures & Controls
    TBA
    TBA
    2 – Establish Incident Response Structure
    TBA
    TBA
    3 – Develop Business Continuity Plans
    TBA
    TBA
  • 1 – Exercise and Test Security Controls
    2 – Undertake Management Reviews
    3 – Implement Continual Improvement
  • Pitfalls
    ISO 27001 documentation can be the biggest “chunk” of the implementation. Because the management system requires procedural documents such as policies, writing those policies takes up a lot of time. But setting up the infrastructure for regularly scheduled reviews, such as access-rights reviews, also requires time and commitment from everyone involved within the company.
    To avoid writing this documentation (policies, procedures, work instructions) all by yourself, you can work with a consultant who provides templates and guidelines to mature your organization’s awareness quickly.
    Bear in mind that an audit is sample-based, but your controls need to keep operating between annual audits. Otherwise, your organization risks non-compliance and creates more work for itself when the time comes to be audited again. An ISMS is a story of continual improvement!
