Sesha Prakash S Kusuma
Vice President of PromaSecure
Sesha Prakash is Vice President of PromaSecure – consultants for Information Security & Risk
management. He has an overall experience of 35 years with the past 8 years devoted to the domains of
Information Assurance and Information Security.
(968)-9387 2036
seshaprakash@promasecure.com
www.promasecure.com
https://in.linkedin.com/in/seshaprakash-kusuma-sreenivasa-b863108
Introduction
My name is Sesha Prakash S Kusuma.
I am Vice President-Consulting with PromaSecure Consulting, which is a strategic business unit of a larger organization, M/s. Project Management Technology & Services LLC, based out of Muscat, Oman.
We provide consultancy and implementation services for several management systems aligned to ISO standards, such as the ISMS and BCMS, including internal audits.
www.promasecure.com | www.pecb.org
Certifications
I hold the following PECB certifications, besides being a certified trainer for PECB:
ISO 27001 Lead Auditor (Information Security)
ISO 31000 Lead Risk Manager
ISO 38500 IT Governance Manager
ISO 55000 Lead Auditor (Asset Management)
ISO 27019 Prov. SCADA Security Professional
Besides the ISO certifications, I also hold:
From ISACA: CISA, CISM, CGEIT, CRISC, COBIT 5 (F)
From Axelos: ITIL, PRINCE2
From ISC2: CISSP
From EC-Council: C|CISO
Disclaimer
My presentation is the opinion or conclusions drawn by me based on my work with my clients.
Other Information Security practitioners or ISMS implementers may differ with my view and may have a good reason for it. I do not claim to be a subject matter expert, nor are my observations sacrosanct.
Acknowledgements
The GIF images are generally taken from the internet; I do not claim any ownership or copyright.
Much of the information is a distillation of the standards themselves, of articles from magazines or newsletters, or of public information available on various websites, and cannot be attributed to a specific source. My acknowledgement and thanks to all the anonymous authors and writers.
Coverage
The webinar covers the ISMS (ISO/IEC 27001) basics of:
• The erstwhile focus of the 2005 edition on assets, their vulnerabilities and threats
• The current focus of the 2013 edition on a risk-based approach to information risk
• The significance of the shift for security implementers and risk practitioners
Introduction
A dive into the evolution of today's ISMS
The building blocks of information security, the well-known triad of 'Confidentiality', 'Integrity' and 'Availability', were probably born here: an early checklist covered these aspects of information systems.
Recognition by the UK government in the 1990s
A new BS standard was born (BS 7799) and, on popular acceptance, was adopted globally as an ISO standard (ISO/IEC 17799, later ISO/IEC 27001).
Erstwhile Focus of the 27001:2005 Edition
On assets, their vulnerabilities and threats
ISO/IEC 27001:2005 clause 4.2.1 d) (Identify the risks) emphasizes:
Identification of each asset and its owner
Identification of the vulnerabilities within those assets
Threats to such assets through threat agents
The Confidentiality, Integrity and Availability impacts linked to these assets
Asset types & possible locations
• Tangible asset
• Intangible asset
• Virtual asset
• BYOD within the enterprise
• External asset within the enterprise
• Owned, but outside the enterprise
• Cloud
Flow of the risk assessment derived from the 27001:2005 Edition
ISMS scope: discovery of the assets in the scope
Asset → Vulnerabilities → Threats → Impact/Severity and Probability/Likelihood → Risk assessment
Each asset or asset group has an owner. Difficulties with this flow:
• Multiple assets with ownership overlap, or multiple ownership of one asset
• Need to cover all assets in scope
• Limitation on the overall view of the risks associated
Flow of the risk assessment (cont.)
Each asset carries several vulnerabilities, and each vulnerability can be exercised by a threat, e.g. a thief, hacking, floods or fire.
The asset owner:
• May not know all the vulnerabilities, or knows only the vulnerabilities limited to the asset
• May not be able to identify all threats, or may not be able to identify cascading threats
Flow of the risk assessment (cont.)
ISO/IEC 27002:2005, the code of practice, emphasizes risk management.
Flow of the risk assessment (cont.)
ISO/IEC 27005:2011 clause 8.2 (risk identification):
Clause 8.2.2: Identification of assets
Clause 8.2.3: Identification of threats
Clause 8.2.5: Identification of vulnerabilities
Erstwhile Focus of the 27001:2005 Edition
On assets, their vulnerabilities and threats
The downside, in my opinion, of the asset focus, and thereby of the threat and vulnerability assessment built upon these assets, is that it lacked emphasis on several aspects such as:
• Business processes, beyond the assets within the process
• Growth of the physical perimeter
• Virtual growth and porosity of network perimeters
• Growing dependency on internet-based networking
• Advances in social engineering
• The effect of Moore's law on hardware technology
• The advent of new attack vectors like BYOD, internet penetration, reduced technology cost and downloadable tools
The degree of information security achieved under the 2005 edition depended upon the experience and competence of the implementer or consultant.
It was not as explicit or pervasive as in the current 2013 edition.
The Current Focus of the 27001:2013 Edition
On risk management
The very first substantive clauses of ISO/IEC 27001:2013 start with a requirement to understand the organization and its context, and to establish the expectations of interested parties:
Clause 4.1: Understanding the organization and its context (external and internal)
Clause 4.2: Understanding the needs and expectations of interested parties (external and internal)
The Current Focus of the 27001:2013 Edition
On risk management
Business objective → Risk identification → Risk analysis (Impact/Severity and Probability/Likelihood) → Assets that are impacted
The risk owner, accountable for the objectives, takes a broad view of the process.
The Current Focus of the 27001:2013 Edition
On risk management
The assets that are impacted (gathered across all the identified risks) → ISMS objective → Risk treatment and control identification, judged against the risk acceptance criteria
Reference to generic risk frameworks like:
• ISO 31000
• Clusif's MEHARI (2010 edition, revised for ISO/IEC 27001:2013)
• Other methodologies
The Significance of this Shift for Security Implementers and Risk Practitioners
• The potential for integrated management systems is enlarged
• Simplified language, common across the various verticals within the organization
• Security implementers can take a holistic, organization-wide view of the controls
• Periodic risk assessments by risk practitioners can relate to the enterprise as a whole, where possible
• Broader adoption of the ISMS, with seamless risk management
Allowing the integration of management systems into an all-encompassing risk assessment or risk management framework
Conclusion
Stage                            | 2005 Edition                                 | 2013 Edition
Commences with                   | Asset discovery and inventory                | Business process and its objective
Valuation                        | Valuation of the asset                       | ISMS objective and process
Identification                   | Asset vulnerabilities and associated threats | Issues affecting the objectives: Risks A & T
Assessment stage concludes with  | Risk assessment and treatment                | Assets impacted
Treatment                        | Control identification and implementation    | Control identification and implementation
A risk-based assessment approach is more inclusive of all the required assets (as is the intention of the 2013 edition), as against an asset-based approach to risk assessment, which may not emphasize or actively consider other prevalent risks within the system.
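To make the contrast in the table concrete, here is an added Python example, written for this page and not taken from the webinar or from the standards, that runs both flows over one constructed data set. The assets, risks, owners, the 1 to 5 likelihood and impact scale and the acceptance threshold are all assumptions. The asset-based walk only finds risks that attach to an inventoried asset, so a process risk (social engineering) and a risk on a non-inventoried cloud asset drop out; the objective-based walk keeps all four, ranks them, and derives the impacted assets afterwards.

```python
"""Asset-based (ISO/IEC 27001:2005 style) versus objective-based
(ISO/IEC 27001:2013 style) risk identification, run over one constructed
data set so the difference in coverage is visible.

Everything below (assets, risks, owners, the 1-5 scoring scale and the
acceptance threshold) is a constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An inventoried asset as the 2005 flow would record it."""
    name: str
    owner: str
    vulnerabilities: tuple  # what this asset's owner knows about


@dataclass(frozen=True)
class Risk:
    """A risk expressed against a business objective, which is where the 2013 flow starts."""
    description: str
    objective: str          # business objective that is threatened
    risk_owner: str         # accountable for the objective
    impacted_assets: tuple  # derived later; empty for a pure process risk
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


# Constructed asset inventory: only two assets were discovered in scope.
ASSETS = (
    Asset("file-server", "IT Ops", ("unpatched SMB service",)),
    Asset("hr-database", "HR", ("shared DBA password",)),
)

# Constructed risk set, identified from business objectives.
RISKS = (
    Risk("Ransomware via unpatched SMB takes the file server offline",
         "Order fulfilment", "COO", ("file-server",), 3, 4),
    Risk("Credential stuffing against the HR database exposes payroll data",
         "Payroll accuracy", "HR Director", ("hr-database",), 2, 5),
    Risk("Social engineering of finance staff approves a fraudulent payment",
         "Payroll accuracy", "HR Director", (), 3, 4),            # process risk, no asset
    Risk("Cloud SaaS supplier outage halts order entry",
         "Order fulfilment", "COO", ("order-entry-saas",), 2, 3),  # asset never inventoried
)


def asset_based_register(assets, risks):
    """2005 flow: walk the inventory; keep only risks that attach to an inventoried asset."""
    inventory = {a.name for a in assets}
    return [r for r in risks if any(name in inventory for name in r.impacted_assets)]


def objective_based_register(risks):
    """2013 flow: start from the risks to objectives, ordered by analysed level."""
    return sorted(risks, key=lambda r: r.level, reverse=True)


def risks_missed_by_asset_view(assets, risks):
    """Risks the inventory-driven walk never sees: process risks and non-inventoried assets."""
    seen = set(asset_based_register(assets, risks))
    return [r for r in risks if r not in seen]


def impacted_assets_by_objective(risks):
    """The step the 2013 flow ends on: which assets each objective's risks touch."""
    out = {}
    for r in risks:
        out.setdefault(r.objective, set()).update(r.impacted_assets)
    return out


def treatment_decisions(register, acceptance_threshold):
    """Compare each risk level with the acceptance criteria: treat above, accept at or below."""
    return {r.description: ("treat" if r.level > acceptance_threshold else "accept")
            for r in register}


if __name__ == "__main__":
    print("Seen by the asset-based walk:", len(asset_based_register(ASSETS, RISKS)), "of", len(RISKS))
    for r in risks_missed_by_asset_view(ASSETS, RISKS):
        print("  missed:", r.description)
    for r in objective_based_register(RISKS):
        print(f"{r.level:2d} {r.objective:<16} {r.risk_owner:<12} {r.description}")
    print(impacted_assets_by_objective(RISKS))
    print(treatment_decisions(objective_based_register(RISKS), acceptance_threshold=9))
```

The point of the example is structural, not the arithmetic: in the asset-driven register the cloud outage and the social-engineering fraud have no row to live in, so no owner is accountable for them, whereas in the objective-driven register they carry a risk owner and a level from the start, and the inventory gap (the SaaS asset) surfaces as an output of the assessment rather than silently bounding it.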
Questions?
Thank you.
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 

The significance of the Shift to Risk Management from Threat & Vulnerability Assessment in ISMS

  • 6. Coverage
    The webinar covers the ISMS (ISO 27001) basics of:
    • The erstwhile focus of the 2005 edition on assets, their vulnerabilities and threats
    • The current focus of the 2013 edition on a risk-based approach to information risk
    • The significance of the shift for security implementers and risk practitioners
  • 7. Introduction: a dive into the evolution of today's ISMS
    • The building blocks of information security, the well-known triad of 'Confidentiality', 'Integrity' and 'Availability', were probably born here
    • The checklist covered the above aspects of the information systems
    • Recognition by the UK government in the 1990s
    • A new BS standard was born and, on popular acceptance, adapted globally as an ISO standard
  • 8. Erstwhile focus of the 27001:2005 edition: on assets, their vulnerabilities and threats
    ISO 27001:2005 clause 4.2.d emphasizes:
    • Identification of an asset and its owner
    • Vulnerabilities within the assets and their identification
    • Threats to such assets through threat agents
    • The confidentiality, integrity and availability linked to these assets
  • 10. Flow of the risk assessment derived from the 27001:2005 edition (flow diagram)
    ISMS scope: discovery of the assets in scope
    Elements shown, in order: Asset / Asset group -> Owner -> Vulnerabilities -> Threats -> Impact / Severity -> Probability / Likelihood -> Risk assessment
    Noted limitations: multiple assets; ownership overlap or multiple ownership; need to cover all assets in scope; limitation on the overall view of the risks associated
  • 11. Flow of the risk assessment, cont. (diagram)
    An asset with its vulnerabilities and the threats to it: thief, hacking, floods, fire
    Asset owner: may not know all the vulnerabilities, or knows only the vulnerabilities limited to the asset; may not be able to identify all threats, or may not be able to identify cascading threats
  • 12. Flow of the risk assessment, cont.: ISO 27002:2005
    ISO 27002:2005, the code of practice, emphasizes risk management
  • 13. Flow of the risk assessment, cont.: ISO 27005:2011 clause 8.2
    • Clause 8.2.2: Identification of assets
    • Clause 8.2.3: Identification of threats
    • Clause 8.2.5: Identification of vulnerabilities
  • 14. Erstwhile focus of the 27001:2005 edition: on assets, their vulnerabilities and threats
    The downside, in my opinion, of the asset focus, and thereby of the threat and vulnerability assessment upon these assets, is that it lacked emphasis on several aspects such as:
    • Business processes beyond the assets within the process
    • Growth of the physical perimeters
    • Virtual growth and porosity of network perimeters
    • Growing dependency on internet-based networking
    • Advancement in social engineering
    • Effect of Moore's law on hardware technology
    • Advent of new attack vectors like BYOD, internet penetration, reduced technology cost and downloadable tools
    The degree of information security achieved under the 2005 edition depended upon the experience and competence of the implementer or consultant. It was not explicit or pervasive, as it is in the current 2013 edition.
  • 15. The current focus of the 27001:2013 edition: on risk management
    The very first important clause of the ISO 27001:2013 edition starts with a requirement to understand the organization and its context, and to set the expectations of interested parties:
    • Clause 4.1: Understanding the organization and its context (external and internal)
    • Clause 4.2: Understanding the needs and expectations of interested parties (external and internal)
  • 16. The current focus of the 27001:2013 edition: on risk management (flow diagram)
    Elements shown: Business objective; ISMS objective; Risk owner (accountable for the objectives, with a broad view of the process); Risk identification; Risk analysis (Impact / Severity, Probability / Likelihood); Risk acceptance criteria; Risk treatment and control identification; Assets that are impacted (several)
  • 17. The current focus of the 27001:2013 edition: on risk management
    Reference to generic risk frameworks like:
    • ISO 31000
    • Clusif's Mehari 2010, revised for ISO 27001:2013
    • Other methodologies (next slide)
  • 18. The current focus of the 27001:2013 edition: on risk management
  • 19. The significance of this shift for security implementers and risk practitioners
    • Potential for integrated management systems enlarged
    • Simplified language, common between the various verticals within the organization
    • Security implementers can take a wholesome, organization-wide view of the controls
    • Periodic risk assessments by risk practitioners, with the possibility of relating them to the enterprise as a whole, where possible
    • Broader adaptation of the ISMS with seamless risk management
  • 20. The significance of this shift for security implementers and risk practitioners
    Allowing the integration of management systems under an all-encompassing risk assessment or risk management framework
  • 21. Conclusion
    Stage                  2005 Edition                                  2013 Edition
    --------------------   -------------------------------------------   -------------------------------------------
    Commences with         Asset discovery and inventory                 Business process and its objective
                           Valuation of the asset                        ISMS objective and process
                           Asset vulnerabilities and associated threats  Issues affecting the objectives (risks)
    Stage concludes with   A & T assessment                              Risk assessment and treatment
                                                                         Assets impacted
                           Control identification and implementation    Control identification and implementation
  • 22. Conclusion
    A risk-based assessment approach would be more inclusive of all the required assets (as is the intention of the 2013 edition), as against an asset-based approach to risk assessment, which may not emphasize or actively consider other prevalent risks within the system.

Editor's Notes

  1. Threat pairs
  2. Freedom to implementers. Liberty of – Lapses. Explicit, pervasive
  3. Risk criteria approved by mgmt.