In today's rapidly evolving digital landscape, the integration of artificial intelligence (AI) in business processes is becoming increasingly essential. Hence, it is crucial to stay informed and prepared. Amongst others, the webinar covers: • ISO/IEC 27005 and ISO/IEC 27001 and their key components • The standard’s alignment • Identifying AI risks and vulnerabilities • Implementing effective risk management strategies Presenters: Sabrina Feddal With more than 16 years of background in operational security, telco as engineer and project manager for major international companies. I have founded Probe I.T in 2016 to provide my customers (both national and international) with GRC services. Winner of the 2020 award, the CEFCYS – Main French Women in cybersecurity association - jury's favorite, she remains committed on a daily basis to maintaining diversity and gender diversity in her teams. Passionate about Law, History & Cybersecurity. She has several professional certifications acquired over the course of her career: Prince2, CISSP, Lead Implementer ISO27001, Risk Manager, University degree in Cybercrime and Digital Investigation. Her values: excellence, discretion, professionalism. Mike Boutwell Mike Boutwell is a Senior Information Security Specialist with over 15 years of experience in security and 10 years of risk management experience, primarily focused on financial services. He excels in collaborating with CISOs and other executive leadership to build and implement security frameworks aligned with business objectives and developing enterprise-wide security requirements. Mike has a strong track record of securing assets worth over $1 quadrillion and delivering $100M+ projects. Mike is a certified CISSP, CISA, CGEIT, ISO 27001 Senior Lead Implementer, ISO 27001 Senior Lead Auditor, ISO 38500 Senior Lead IT Governance Manager, ISO 27032 Senior Lead Cyber Security Manager, and Certified Non-Executive Director. Date: November 22, 2023 Tags: ISO, ISO/IEC 27001, ISO/IEC 27005, Cybersecurity, Information Security ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 ISO/IEC 27005 Information Security Risk Management - EN | PECB Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/TtnY1vzHzns

2. Agenda
▪ A.I Use Cases
▪ ISO/IEC ISO27001 and ISO27005
approach to manage risks
▪ Focus on A.I Threat Model
▪ ISO/IEC 27001 Relevant controls to
manage A.I Risks
▪ Q&A

3. Technology impacting a wide range of sectors of society
Artificial Intelligence – General use cases
Healthcare
and medecine
Finance
Automotive
and
transportation
Retail and e-
commerce
Manufacturing
and
Production
Education
Entertainment
and Media
Customer
Service
Agriculture Cybersecurity
Legal and Law
Enforcement
Space
Exploration

4. ▪ Application Development
▪ Developers building AI applications
▪ Office automation / shadow it
▪ Employees using AI SaaS application to perform and/or help achieving their activities – document creation
and manipulation - shadow it, dataleakage, output prompt
▪ Cyber Weapons
▪ Attackers using AI capabilities to build cyberweapons – vulnerabilities detection and exploitation, deepfake
capability – side effects on school, blackmailing people, social engineering,
AI Use Cases
Day-to-day examples

5. ▪ AI Based OCRs/ Document Readers
▪ Automating data extraction from scanned documents
▪ Manipulated inputs leading to incorrect data
▪ Lack of controls on extracted data, leading to a data breach
▪ AI-Powered Assistants (MS Copilot/ Chat GPT)
▪ Base workstation compromised
▪ Hierarchical access control problems, lack of adequacy in security controls in file systems
▪ No assurance the MS and others do what they claim
▪ AI in Cybersecurity Tools
▪ Generation of false positives – waste of resources or ignored real threats
AI Use Cases
Practical examples

6. Agenda
▪ A.I Use Cases
▪ ISO/IEC ISO27001 and ISO27005
approach to manage risks
▪ Focus on A.I Threat Model
▪ ISO/IEC 27001 Relevant controls to
manage A.I Risks
▪ Q&A

7. Key Benefits to manage A.I Risks
ISO/IEC 27001
▪ Enhance Data Security
▪ Improve Compliance and legal Assurance
▪ Systematic Risk Assessment and Tailored risk
mitigation
▪ Stakeholders confidence
▪ Business Continuity and Resilience
▪ Continuously monitor and improve

8. Key Benefits to manage A.I Risks
ISO/IEC 27005
▪ Proactive Approach for Emerging Risks
▪ Systematic and Comprehensive Risk Assessment
▪ Alignment with best practices and standards
▪ Enhance Stakeholder confidence
▪ Improved Decision-Making and Governance

9. Agenda
▪ A.I Use Cases
▪ ISO/IEC ISO27001 and ISO27005
approach to manage risks
▪ Focus on A.I Threat Model
▪ ISO/IEC 27001 Relevant controls to
manage A.I Risks
▪ Q&A

10. Threat Modeling is Increasingly Important
▪ Use of a risk assessment and treatment (ISO 27005, Clause 6.1
& 6.8)
▪ Use cases are fundamentally important
▪ Foundational security controls more important than ever

11. Example of threat model
A.I Threat model
Threats
using A.I
Threats to
A.I
Threats from
A.I
Legal and
regulatory
threats
▪ Data poisoining and model
manipulation
▪ Adversarial attacks
▪ AI-Powered Cyber Attacks
▪ Exploitation of AI System
Vulnerabilities
▪ Privacy Violations
▪ AI Model Theft
▪ Lack of transparency and
explainability
▪ Dependency and Overreliance
• * OWASP Top 10 for Large Language Model Applications
• * OWASP Machine Learning Security Top Ten

12. Examples
Threats Model
Threats using A.I models
• LLMO1 : Prompt Injection
• LLM02 : Insecure Output Handing
• LLM03: Trained Data Poisoning
• LLMO05 : Supply chain attack
• LLM06: Sensitive information
disclosure
• LLM07: Insecure Plugin Design
• LLM08 : Excessive Agency
• LLM09 : Overreliance
• Indirect prompt injection
• Fake Ressources
• Copyright infrangement
Threats To A.I models
• LLM04 : Denial of Service
• LLM10 : Model Theft
• ML03 : Model inversion attack
• ML07: Transfer learning attack
• ML08 : Model Stewing Attack
• ML10: Model Poisoning
• Inadequate A.I alignment
• Improper error handling
• Robust multi-prompt and multi-
models attacks
• Traditional attacks
Threats From A.I Models
• Misidentification (wrongful
arrest)
• False Information
• Misinformation influence
elections
• Private information used in
training
• Deepfake
• Attack Acceleration
• Hallucination squatting
• Artificial consciousness
• Honey or Poisoned Characters
Legal and regulatory threats
• Failure to meet regulatory
compliance :
• EU AI Act
• GDPR
• Canada GenAI Guardtrails
• China GEnAI Measures
• Peru Law six core principles
• Spain AESIA
• South Korea Digital bill of Rights
• US State Law Privacy (10)
• US State law Biometrics (3)
• US law against AI Profiling (8)
• US Federal – DOJ, CFPD, FTC,
EEOC
• Legal : Privacy, legal obligations
• * OWASP Top 10 for Large Language Model Applications
• * OWASP Machine Learning Security Top Ten

13. Key points
Mitigation strategies
▪ Secure AI Development
▪ Favor always trusted vendors – example Microsoft for their OpenIA.
▪ Regular Auditing
▪ Data Protection
▪ Human Oversight
▪ Transparency and Explainability
▪ Awareness
▪ Business Continuity Plan and Crisis management
▪ Policies, roles and responsibilities

14. Agenda
▪ A.I Use Cases
▪ ISO/IEC ISO27001 and ISO27005
approach to manage risks
▪ Focus on A.I Threat Model
▪ ISO/IEC 27001 Relevant controls to
manage A.I Risks
▪ Q&A

15. AI Use Cases – AI Development
Potential Applicable Remediation – ISO27002:2022
Improvement ISO27002:2022 controls
Data Management 5 Information Security Policies (Organizational)
7 Information Security in Project Management (Organizational)
Secure Development lifecycle 8 Information Security in Relationship Management (Organizational)
18 System Acquisition, Development and Maintenance (Technological).
Bias and Fairness checks 7 Information Security in Project Management (Organizational)
18 System Acquisition, Development and Maintenance (Technological)
Explainability and Transparency 5 Information Security Policies (Organizational)
18 System Acquisition, Development and Maintenance (Technological)
Testing and Validation 18 System Acquisition, Development and Maintenance (Technological)
19 Information Security Event and Weakness Management (Organizational)
Ethical AI Practical 5 Information Security Policies (Organizational)
6 Organization of Information Security (Organizational)
Incident Response and Monitoring 19 Information Security Event and Weakness Management (Organizational)
20 Information Security Continuity (Organizational)
On going Monitoring and maintenance 18 System Acquisition, Development and Maintenance (Technological)
19 Information Security Event and Weakness Management (Organizational)
Regulatory and Compliance 5 Information Security Policies (Organizational)
6 Organization of Information Security (Organizational)
User training and awareness 9 Human Resource Security (People)
17 Awareness, Training and Education (People)

16. ISO/IEC 27001 Strategies for AI Risk Management
▪ AI Based OCRs/Document Readers
▪ Information Security Policies (Clause 5.2): Develop policies specifically for the management of OCR
data to maintain data integrity.
▪ Organizational Controls (Clauses 5.3 & 7.3): Define roles and responsibilities clearly to prevent
unauthorized data access or leaks.
▪ AI-Powered Assistants (Chat GPT/MS Copilot)
▪ Human Resource Security (Clause 7.2): Ensure secure management of personnel who have access to AI
assistants to mitigate insider threats.
▪ Technical Controls (Clause 8.1): Implement secure development practices for AI assistant software to
address potential exploitation.
▪ AI In Cybersecurity Tools
▪ Operational Security (Clause 8.2): Apply strict controls on the operation of AI tools to manage the
generation and handling of false positives.
▪ Compliance (Clause 8.3): Regularly review compliance with legal and technical requirements to prevent
ignored real threats.

17. Agenda
▪ A.I Use Cases
▪ ISO/IEC ISO27001 and ISO27005
approach to manage risks
▪ Focus on A.I Threat Model
▪ ISO/IEC 27001 Relevant controls to
manage A.I Risks
▪ Q&A

18. THANK YOU
Q&A
boutwell.mike@icloud.com
sabrina.feddal@probe-it.fr sabrina-feddal-941960103
mikeboutwell