ISO/IEC 27001 is the main standard that aims to enhance an organization’s information security.
Among other topics, the webinar covers:
• ISO/IEC 27001 & ISO/IEC 27002, catching up with history
• Quick recap on the ISO/IEC 27002:2022
• From ISO/IEC 27002 to the ISO/IEC 27001 updates
• Some considerations & consequences of the update
• What's up next with ISO/IEC 27001, in practice?
Presenters:
Peter Geelen
Peter Geelen is the director and managing consultant at CyberMinute and owner of Quest for Security, Belgium. Over more than 20 years, Peter has built strong experience in enterprise security & architecture, Identity & Access Management, and also privacy, information & data protection, cyber- and cloud security. In recent years his focus has been on ISO/IEC 27001 and other ISO certification mechanisms. Peter is an accredited Lead Auditor for ISO/IEC 27001 and ISO 9001, a PECB Trainer and a Fellow in Privacy. Committed to continuous learning, Peter holds renowned security certificates as certified ISO/IEC 27701 Lead Implementer and Lead Auditor, ISO/IEC 27001 Master, Sr. Lead Cybersecurity Manager, ISO/IEC 27002 Lead Manager, ISO/IEC 27701 Lead Implementer, cDPO, Risk Management, Lead Incident Mgr., Disaster Recovery, and many more.
Stefan Mathuvis
Stefan Mathuvis is owner & senior consultant at Quality Management & Auditing BV, Zonhoven, Belgium. With over 20 years of experience, Stefan has built strong expertise in quality management systems, information security management systems, GDPR, data privacy & data protection. Stefan is an accredited ISO/IEC 27001 Lead Auditor and operates as a third-party auditor for DQS Belgium. Dividing his time between consultancy, training & third-party auditing on an international scale, Stefan remains in touch with the issues of today, allowing him to assist clients in their needs for information security and data privacy.
Date: November 9, 2022
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/article/isoiec-27001---what-are-the-main-changes-in-2022
https://pecb.com/article/investing-in-information-security-awareness
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
1. ISO/IEC 27001:2022 – What are the changes?
2. Agenda
• ISO/IEC 27001 & ISO/IEC 27002, catching up with history
• Quick recap on the ISO/IEC 27002:2022
• From ISO/IEC 27002 to the ISO/IEC 27001 updates
• Some considerations & consequences of the update
• Hints & tips
• What's up next with ISO/IEC 27001, in practice?
• Q & A
4. Peter Geelen (CyberMinute)
My experience
• 20+ years experience in security
• Enterprise Security & IAM
• Cybersecurity
• Data Protection & Privacy
• Incident management, Disaster Recovery
• Trainer, coach, auditor
Certification
• ISO27001 Master & Lead ISO27002
• ISO27701 Master
• Certified DPO & Fellow in Privacy
• Lead Incident Mgr & Disaster Recovery
• ISO27032 Sr. Lead Cybersecurity Mgr
• Lead ISO27005 (Risk Mgmt)
Accreditation
• Accredited Lead Auditor ISMS/PIMS/QMS/BCMS
• Accredited Security Trainer
http://www.cyberminute.com
https://ffwd2.me/pgeelen
More info (LinkedIn):
peter@cyberminute.com
5. Stefan Mathuvis (QMA)
My experience
• 20 years experience in security
• Quality Management & Auditing
• DPO as a Service
• Cybersecurity
• Security, Data Protection & Privacy
• Trainer, coach, auditor
Certification
• ISO27001 Lead Auditor
• ISO9001 Lead Auditor
• Lead Auditor TISAX
• Lead Auditor GQS
• CDPO
• PECB Trainer
Accreditation
• Accredited ISO27001 Lead Auditor
• Accredited ISO9001 Lead Auditor
http://www.qma.be
https://ffwd2.me/stefan
More info (LinkedIn):
Stefan@qma.be
7. The standard
• Certifiable international standard for information security best practices
• Main version 2013, with updates in 2014, 2015 & 2017 (https://www.iso.org/standard/82875.html)
• Consists of:
  • Management Clauses
  • Normative controls Annex
ISO/IEC 27001
8. Management Clauses
• Based on Harmonized Structure (HS) / High Level Structure (HLS)
• Core principles of ISO 9001:2015
• PDCA Cycle
ISO/IEC 27001
10. Management Clauses
• Principle of continual improvement
• PDCA Cycle
ISO/IEC 27001
[Figure: two successive PDCA cycles (Plan → Do → Check → Act) drawn against a Time axis, with Security Improvement increasing with each cycle]
11. Annex A (normative)
• "Normative" = part of requirements (ref. certification track)
• From the ISO/IEC 27001:2022 (ref. 2013)
"The information security controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2022[1], Clauses 5 to 8 and shall be used in context with 6.1.3."
ISO/IEC 27001
14. Annex A (normative)
• Annex = Security measures
  • Security = PPT: People, Process & Technology
  • In fact: (P)PPT → Physical, People, Process & Technology
• Based on, and extracted from, ISO/IEC 27002
• So, ISO first updated 27002:2013 to 2022…
ISO/IEC 27001
16. More info
• PECB Webinar: ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know:
  https://pecb.com/past-webinars/isoiec-27001--isoiec-270022022-what-you-need-to-know
• PECB Magazine: How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001
  https://insights.pecb.com/how-does-the-new-revision-of-iso-iec-27002-affect-iso-iec-27001/
ISO/IEC 27002:2022
17. Most important changes (*)
• Main structure change
  • From: operational security, functional organization (i.e. control groups A.5 through A.18)
  • To: PPPT (3PT)
    • Process & Policies (organizational) (A.5)
    • People (A.6)
    • Physical (A.7)
    • Technological (A.8)
ISO/IEC 27002:2022
18. Important to know
• From 114 (v2013) to 93 (v2022) controls
  • But no controls removed
  • Consolidation & updates of controls
• ISO/IEC 27002:2022 Annex B
  • Table B.1: mapping 2022 → 2013
  • Table B.2: mapping 2013 → 2022
• 11 new controls
ISO/IEC 27002:2022
19. New controls
• A.5.7: Threat intelligence (cyber/cloud/DP)
• A.5.23: Information security for cloud services (cloud)
• A.5.30: ICT readiness for business continuity (A.17)
• A.7.4: Physical security monitoring (physical)
• A.8.9: Configuration management (alignment with ISO 20000)
• A.8.10: Information deletion (data protection)
• A.8.11: Data masking (DP)
• A.8.12: Data leakage prevention (DP/cyber)
• A.8.16: Monitoring activities (general)
• A.8.23: Web filtering (cyber)
• A.8.28: Secure coding (cyber & application security)
ISO/IEC 27002:2022
20. Did you notice…
• the change of language (more active language)
• the change in focus of audience (employee → staff)
• the broader approach & interpretation
  • Not only information security but also more focus on:
    • Cyber & cloud security
    • Data protection
    • Physical security
ISO/IEC 27002:2022
27. Foreword
• Alignment with ISO directive
• Cancels and replaces previous version (2nd edition) including all Technical Corrigenda
  • 2014
  • 2015
  • 2017 (wrap-up of previous corrigenda)
• Alignment with harmonized structure
  Ref: 2021-05_Annex SL_Appendix_2_rev1.pdf
ISO/IEC 27001:2022
28. Scope
"Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document."
ISO/IEC 27001:2022
29. Terms and definitions
• 2013:
  • Only reference to ISO27000
  • For your information: free download of ISO27000 (v2018): https://standards.iso.org/ittf/PubliclyAvailableStandards/
• 2022: addition
  • ISO and IEC maintain terminology databases for use in standardization at the following addresses:
    • ISO Online browsing platform: available at https://www.iso.org/obp
    • IEC Electropedia: available at https://www.electropedia.org
ISO/IEC 27001:2022
30. Context of organisation
• Updated reference to ISO31000:2018
• 4.2 Interested parties (new item)
  • c) which of these requirements will be addressed through the information security management system.
• 4.4 ISMS – increased focus on processes
  • The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document
ISO/IEC 27001:2022 clause 4
31. Planning (Risk management)
• 6.2 Information security objectives
  • 2 new sub-items:
    • d) be monitored;
    • g) be available as documented information.
• (NEW) 6.3: Planning of changes
  • When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
ISO/IEC 27001:2022 clause 6 (Planning)
34. Operation
8.1 Operational planning and control
• 2013: The organisation shall ensure that outsourced processes are determined and controlled
• 2022: The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled
ISO/IEC 27001:2022 clause 8 (Operation)
35. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
• 2013:
  • The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
• 2022:
  • Documented information shall be available as evidence of the results.
  • The organization shall evaluate the information security performance and the effectiveness of the information security management system.
ISO/IEC 27001:2022 clause 9 (Performance evaluation)
40. Some considerations & consequences of the update
• More operational language (less passive)
• More focus on effective results & evidence
• Trying to minimize the "compliance checklist" approach…
ISO/IEC 27001:2022
41. Some considerations & consequences of the update
• New structure of Annex / ISO/IEC 27002:2022
  • From 14 control groups and 114 controls (2013)
    • Logical / functional organisation matches most business organisations
  • To 5 control groups and 93 controls (2022)
    • Large groups
    • Disconnect from functional organisation
• Solution: ISO/IEC 27002:2022 – Annex A (informative)
  • Using attributes (to group the new controls the old way)
  • Tagging (Table A.1)
ISO/IEC 27001:2022
42. Using attributes (suggestions from the standard)
• Control types
  • #Preventive, #Detective, #Corrective
• Information security properties
  • #Confidentiality, #Integrity, #Availability
• Cybersecurity concepts (NIST)
  • #Identify, #Protect, #Detect, #Respond, #Recover
ISO/IEC 27001:2022 Attributes (p1/3)
47. Hints & tips
• Most of the new control items should be in place already
  • Cloud
  • Cyber
  • Data protection (GDPR driver)
  • (Physical)
• Remap your existing SoA (using the table)
  • Control mapping tables in ISO27002
ISO/IEC 27001:2022
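As an added illustration of the two practical suggestions above, the attribute tagging of slide 42 and the SoA remap of slide 47, the following script is example code written for this page (it is not PECB's or the presenters' material). The control subset, the attribute tags on each control and the 2013 → 2022 mapping entries are constructed placeholders chosen to show the mechanics: the authoritative values are Table A.1 (attributes) and Annex B Tables B.1/B.2 (mappings) of ISO/IEC 27002:2022. The script remaps a 2013-style Statement of Applicability onto 2022 control IDs, flags consolidated controls whose predecessors disagree on applicability, lists the new controls that have no predecessor and therefore need a fresh decision, and regroups the 2022 catalogue "the old way" by attribute.

```python
"""Remap a 2013-style SoA to the 2022 control set and regroup controls by attribute.

All catalogue entries, attribute tags and mapping rows below are CONSTRUCTED
illustrations; consult ISO/IEC 27002:2022 Table A.1 and Annex B for real values.
"""
from collections import defaultdict

# CONSTRUCTED subset of the 2022 catalogue: id -> (title, attribute tags).
# Tags follow the scheme on slide 42 (control type, CIA property, NIST CSF function).
CONTROLS_2022 = {
    "5.1":  ("Policies for information security",
             {"#Preventive", "#Confidentiality", "#Integrity", "#Availability", "#Identify"}),
    "5.7":  ("Threat intelligence",
             {"#Preventive", "#Detective", "#Corrective", "#Confidentiality",
              "#Integrity", "#Availability", "#Identify", "#Detect", "#Respond"}),
    "8.8":  ("Management of technical vulnerabilities",
             {"#Preventive", "#Confidentiality", "#Integrity", "#Availability",
              "#Identify", "#Protect"}),
    "8.12": ("Data leakage prevention",
             {"#Preventive", "#Detective", "#Confidentiality", "#Protect", "#Detect"}),
    "8.15": ("Logging",
             {"#Detective", "#Confidentiality", "#Integrity", "#Availability", "#Detect"}),
    "8.16": ("Monitoring activities",
             {"#Detective", "#Corrective", "#Confidentiality", "#Integrity",
              "#Availability", "#Detect", "#Respond"}),
}

# CONSTRUCTED illustrative mapping of 2013 Annex A ids -> 2022 ids (the real one is
# Table B.2). Several 2013 ids pointing at one 2022 id model a consolidated control;
# a 2022 id that never appears as a value is a new control with no predecessor.
MAP_2013_TO_2022 = {
    "A.5.1.1": "5.1",
    "A.5.1.2": "5.1",
    "A.12.6.1": "8.8",
    "A.12.4.1": "8.15",
}


def _numeric(cid):
    """Sort key so that '8.8' sorts before '8.12' (string order would not)."""
    return tuple(int(part) for part in cid.split("."))


def remap_soa(old_soa, mapping=MAP_2013_TO_2022, catalogue=CONTROLS_2022):
    """Translate {2013 id: applicable?} into the 2022 structure.

    Returns (new_soa, unmapped, new_controls, conflicts):
      new_soa      {2022 id: applicable?}; a consolidated control is applicable
                   as soon as any of its predecessors was applicable
      unmapped     2013 ids absent from the mapping (slide 18: no control was
                   removed, so these are typos or non-Annex-A items to check)
      new_controls 2022 ids with no 2013 predecessor: decide applicability fresh
      conflicts    consolidated ids whose predecessors disagree, so the old
                   justification cannot simply be copied over
    """
    new_soa = {}
    predecessors = defaultdict(list)
    unmapped = []
    for old_id, applicable in old_soa.items():
        new_id = mapping.get(old_id)
        if new_id is None:
            unmapped.append(old_id)
            continue
        predecessors[new_id].append(old_id)
        new_soa[new_id] = new_soa.get(new_id, False) or applicable
    mapped_targets = set(mapping.values())
    new_controls = sorted((c for c in catalogue if c not in mapped_targets), key=_numeric)
    conflicts = {cid: preds for cid, preds in predecessors.items()
                 if len(preds) > 1 and len({old_soa[p] for p in preds}) > 1}
    return new_soa, unmapped, new_controls, conflicts


def controls_with(*tags, catalogue=CONTROLS_2022):
    """Regroup the catalogue by attribute: ids carrying every requested tag."""
    wanted = set(tags)
    return sorted((cid for cid, (_, attrs) in catalogue.items() if wanted <= attrs),
                  key=_numeric)


if __name__ == "__main__":
    # Constructed 2013-style SoA excerpt, including one id that is not in the mapping.
    old_soa = {"A.5.1.1": True, "A.5.1.2": False, "A.12.6.1": True,
               "A.12.4.1": False, "A.99.9.9": True}
    new_soa, unmapped, new_controls, conflicts = remap_soa(old_soa)
    print("2022 SoA:", new_soa)
    print("unmapped 2013 ids:", unmapped)
    print("new controls needing a decision:", new_controls)
    print("consolidated controls to re-justify:", conflicts)
    print("detective controls:", controls_with("#Detective"))
    print("detective AND corrective:", controls_with("#Detective", "#Corrective"))
```

The useful outputs for an auditor are the last three: `new_controls` is the list the 2022 SoA must explicitly decide on (the slide's point that most of them are probably already in place does not remove the need to document that decision), `conflicts` marks where two old justifications collapsed into one control and must be rewritten rather than copied, and `controls_with` reproduces the functional grouping that the five large 2022 groups no longer give you.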
50. What's up next?
• Updates on audit procedures
• Certification bodies
• Updates on related standards
• ISO 27006 (Audit)
• ISO 27032 (Cyber)
• ISO 27701 (PIMS)
• ISO 27035 (Incident management)
• …
ISO/IEC 27001:2022
52. Reference material
PECB Webinars
• PECB Webinar: ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know:
  https://pecb.com/past-webinars/isoiec-27001--isoiec-270022022-what-you-need-to-know
• PECB Magazine: How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001
  https://insights.pecb.com/how-does-the-new-revision-of-iso-iec-27002-affect-iso-iec-27001/
53. Reference material
PECB Webinars
• General link: https://pecb.com/en/webinars
• https://pecb.com/past-webinars
• Search for
• ISO/IEC 27001
• ISO/IEC 27002
54. Reference material
PECB Webinars - ISO27005
• 16th November 2022 - What's new in ISO27005:2022
• General link: https://pecb.com/en/webinars
• https://pecb.com/past-webinars
• Search for
• 27001
• 27002
• 27005
55. Reference material
Other references, see LinkedIn page:
https://www.linkedin.com/pulse/pecb-event-collaterals-isoiec-270012022-what-changes-peter-geelen/
60. Relevant Training
PECB ISO/IEC 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
61. Relevant Training
PECB ISO/IEC 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
62. Relevant Training
PECB ISO/IEC 27005 – Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
63. Relevant Training
PECB ISO/IEC 27035 – Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager