http://www.svamindia.com/
An Awareness Training on ISO 27001:2013
6/27/2023

Official Title of ISO 27001:2013:
"Information technology — Security techniques — Information security management systems — Requirements".
What is Information Security
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.

Information Assets
• An asset is something that has “value to the organization”
• Information assets of an organization can be:
  • Business data
  • E-mail data
  • Employee information
  • Research records
  • Price lists
  • Tender documents
  • Information spoken in conversations over the telephone
• The organization must determine which assets can materially affect the delivery of its product/service by their absence or degradation

Information Security Management relates to all types of information, be it paper-based, electronic or other, including information:
– Stored on computers
– Transmitted across networks
– Printed out
– Written on paper, sent by fax
– Stored on disks
– Held on microfilm
It determines how information is processed, stored, transferred, archived and destroyed.

Information is secure when its Confidentiality, Integrity and Availability are ensured. Information security is all about protecting information assets from potential security breaches.
What is Information Security
• Confidentiality
  • Is my communication private?
  • Ensuring that the data is read only by the intended person
  • Protection of data against unauthorized access or disclosure
  • Possible through access control and encryption
• Integrity
  • Has my communication been altered?
  • Protection of data against unauthorized modification or substitution
  • If integrity is compromised, there is no point in protecting the data
  • Think of a transparent envelope that is tamper evident
• Availability
  • Are the systems responsible for delivering, storing and processing information accessible when needed?
  • Are the above systems accessible only to those who need them?
Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management
Need for ISMS
All these can be addressed effectively and
efficiently only by establishing a proper
Information Security Management System (ISMS)
Structure (ISO 27001:2005)
The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective.
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

Structure (ISO 27001:2013)
The specification is spread across 7 clauses, which do not have to be followed in the order they are listed.
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Comparing ISO 27001:2005 to ISO 27001:2013

Process
ISO 27001:2005: The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model.
ISO 27001:2013: The standard does not specify any particular process model. It requires that a process of continual improvement is used.
Governance and management
ISO 27001:2005: Senior management plays a major role. Management and board engagement is high, but the separation between board and management is not clear.
ISO 27001:2013: Management roles are described as ‘management’ and ‘top management’, removing reference to the board. The organization is that part of the business that falls within the scope, and not necessarily the legal entity. The board initiates the ISMS; management oversees the implementation of the ISMS.

Risk assessments
ISO 27001:2005: The definition of risk is the “combination of the probability of an event and its consequences”. The organization identifies risks against assets. The asset owner determines how to treat the risk, accepting residual risk. Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources. The Statement of Applicability records whether a control from Annex A is selected and why.
ISO 27001:2013: The definition of risk is the “effect of uncertainty on objectives”, which may be positive or negative. Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted. The organization identifies risks to the organization's information; the assessment does not have to be asset-based. The risk owner determines how to treat the risk, accepting residual risk. Controls are drawn from any source or control set, and the selected controls are compared to those in Annex A. The Statement of Applicability records whether a control from Annex A is selected and why.
Controls
ISO 27001:2005: Annex A contains 133 controls across 11 control categories. Controls from other sources are used to ‘plug gaps’ not covered by Annex A controls.
ISO 27001:2013: Annex A contains 114 controls across 14 control categories. Controls (from any source) are identified before referring to Annex A.

Documentation
ISO 27001:2005: The standard recognizes two forms: documents and records. Documents include policies, procedures, process diagrams, etc. Records track work completed, audit schedules, etc.
ISO 27001:2013: The standard makes no distinction between documents and records. Documents and records are subject to the same control requirements.
ISO27001 Structure
ISO/IEC 27001:2013 Auditable Standard

Clauses: Mandatory Processes
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 ISMS Improvement

Annex A: Control Objectives
14 Domains
35 Control Objectives
114 Controls
Number of Domains and Controls

Domain | Control Obj. | Controls
A.5 Information security policies | 1 | 2
A.6 Organization of information security | 2 | 7
A.7 Human resources security | 3 | 6
A.8 Asset management | 3 | 10
A.9 Access control | 4 | 14
A.10 Cryptography | 1 | 2
A.11 Physical and environmental security | 2 | 15
A.12 Operations security | 7 | 14
A.13 Communications security | 2 | 7
A.14 Systems acquisition, development & maintenance | 3 | 13
A.15 Supplier relationships | 2 | 5
A.16 Information security incident management | 1 | 7
A.17 Information security aspects of business continuity management | 2 | 4
A.18 Compliance | 2 | 8
Total (14 domains) | 35 | 114
ISO 27001 Main Clauses
• Clause 4: Context of the organization
  • Understanding the organization and its context
  • Understanding the needs and expectations of interested parties
  • Determining the scope of the information security management system
  • Information security management system
• Clause 5: Leadership
  • Leadership and commitment
  • Policy
  • Organization roles, responsibilities and authorities
• Clause 6: Planning
  • Actions to address risks and opportunities
  • Information security objectives and planning to achieve them
• Clause 7: Support
  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented information
• Clause 8: Operation
• Operation planning and control
• Information security Risk assessment
• Information security Risk Treatment
• Clause 9: Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal Audit
• Management Review
• Clause 10: Improvement
• Non conformity and corrective action
• Continual improvement
ISMS Scope
The Information Security Management System covers all business functions and processes associated with information assets that provide benefits and services to customers, employees and business partners in the organization.

Quality Policy & Business Objectives

Quality & Security Policy:
NST is committed to maintaining high quality standards in delivering timely and cost-effective solutions to our customers by continual improvement of our processes, instilling quality consciousness amongst all employees and recognizing the confidentiality, integrity and availability of information assets to relevant stakeholders including our customers.

Business Objectives
Key Objective 1: Provide high quality services to our clients.
Key Objective 2: Continuous focus on employee satisfaction and competency development so as to reduce and stabilize employee attrition.
Key Objective 3: Continual improvement of services to our internal & external customers.
Key Objective 4: To secure its information assets and those of its customers, NST shall deploy procedures to maintain confidentiality, integrity and availability of all information assets.
Key Objective 5: To have year-on-year revenue increase while maintaining profitability.
ISMS Documentation
Level 1 - ISMS Manual (Apex document): policy, scope, risk assessment, statement of applicability, management framework policies
Level 2 - Procedures: describe processes (who, what, when, where)
Level 3 - Work instructions, checklists, forms, etc.: describe how tasks and specific activities are done
Level 4 - Records: provide objective evidence of compliance to ISMS requirements
Risk Assessment and Management
• Risk Assessment
• Identify all Stakeholders
• Identify Business Process
• Identify Operation Process
• Identify Assets
• Identify Risk on the basis of all Stakeholders
• Identify Threats and Vulnerabilities
• Evaluate Probability and Impact
• Calculate Risk Value
• Risk treatment
• Mitigate/Reduce risk
• Avoid risk
• Transfer risk
• Accept risk
• Risk Management
• Mitigate the risk by appropriate controls
• Evaluate controls periodically
ISO 27001:2013 Main Clauses-10
• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement
• Clause 11: Domain, Control Objective & Controls
There are 14 domains, 35 control objectives and 114 detailed controls.
Structure of ISO 27001:2013 Controls
A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also
includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for
information classification and media handling
A.9 Access control – controls for Access control policy, user access management, system and
application access control, and user Responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls,
protection against threats, equipment security, secure disposal, clear desk and clear screen
policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change
management, capacity management, malware, backup, logging, monitoring, installation,
vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, Network
services, transfer of information, messaging, etc.
14 Domains comprising 35 Control Objectives and 114 Controls

Structure of ISO 27001:2013 Controls (continued)
A.14 System acquisition, development and maintenance – controls defining security requirements
and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the
suppliers
A.16 Information security incident management – controls for reporting events and weaknesses,
defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the
planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual
property protection, personal data protection, and reviews of information security
Guidelines for using the Risk Register Sheet-13
Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria and to prioritize the risks. For each risk event, the following risk analysis guidelines can be used:

Probability: the likelihood of occurrence can be categorized as:
Rating | Description | Score
Near certainty | Event that has a greater than 75% chance of occurring | 5
Highly likely | Event that has between a 51 – 75% chance of occurring | 4
Likely | Event that has between a 20 – 50% chance of occurring | 3
Unlikely | Event that has between a 10 – 20% chance of occurring | 2
Remote | Event that has a 0 – 10% chance of occurring | 1

Vulnerability (Impact) value: the vulnerability of each risk is attributed a characterization value as follows:
Rating | Description | Score
Showstopper | The effect is catastrophic; the organization may face significant loss and impact. The project will fail. | 4
Critical | The impact is serious and the project may be largely affected due to the risk. There could be huge delays and the project could be postponed due to it. | 3
Marginal | The risk could cause small delays in schedule. | 2
Negligible | The impact of the risk on the project could be minimal. | 1

Risk Value = (Probability of event) + (Vulnerability) + (CIA Value)

Probability (P) levels: 1 - (R)emote, 2 - (U)nlikely, 3 - (L)ikely, 4 - (H)ighly likely, 5 - (N)ear certainty
Vulnerability (V) values: 1 - (N)egligible, 2 - (M)arginal, 3 - (C)ritical, 4 - (S)howstopper
CIA Value (C): 1 - Low, 2 - Medium, 3 - High
Risk Values (P+V+C): 3 to 5 - Normal/Trivial; 6 to 7 - Low; 8 to 10 - Medium; 11 to 12 - High

Risk Level Value definition
3 to 5: No action required
6 to 7: To be reviewed regularly; the organization will accept risk up to this level
8 to 10: Medium level risk; mitigation to be planned within a period of six months
11 to 12: High level risk; mitigation immediately required
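To make the additive scoring above concrete, here is an added Python example (not from the deck) that implements the three rating scales, the Risk Value formula and the four risk levels, ranks a register and re-scores an entry after treatment; the sample register entries and the handling of the probability band boundaries are assumptions of mine.

```python
# Additive risk scoring as defined in the deck: Risk Value = P + V + C,
# with P (probability) 1-5, V (vulnerability/impact) 1-4, C (CIA value) 1-3.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Rating scales taken from the risk register guidelines on this page.
PROBABILITY: Dict[int, str] = {1: "Remote", 2: "Unlikely", 3: "Likely",
                               4: "Highly likely", 5: "Near certainty"}
VULNERABILITY: Dict[int, str] = {1: "Negligible", 2: "Marginal",
                                 3: "Critical", 4: "Showstopper"}
CIA_VALUE: Dict[int, str] = {1: "Low", 2: "Medium", 3: "High"}

# (lowest value, highest value, level, required action), bounds inclusive.
RISK_LEVELS: List[Tuple[int, int, str, str]] = [
    (3, 5, "Normal/Trivial", "No action required"),
    (6, 7, "Low", "Review regularly; accepted by the organization"),
    (8, 10, "Medium", "Plan mitigation within six months"),
    (11, 12, "High", "Mitigation immediately required"),
]


def probability_rating(percent_chance: float) -> int:
    """Map a percentage chance of occurrence onto the 1-5 probability scale.

    The deck's bands are 0-10, 10-20, 20-50, 51-75 and >75 percent. They
    touch at 10 and 20 and leave 50-51 unassigned, so this function treats
    each threshold as the start of the next band (my assumption).
    """
    if not 0 <= percent_chance <= 100:
        raise ValueError("percent_chance must be between 0 and 100")
    if percent_chance > 75:
        return 5
    if percent_chance > 50:
        return 4
    if percent_chance >= 20:
        return 3
    if percent_chance >= 10:
        return 2
    return 1


def risk_value(probability: int, vulnerability: int, cia: int) -> int:
    """Risk Value = P + V + C, after checking each rating is on its scale."""
    for name, value, scale in (("probability", probability, PROBABILITY),
                               ("vulnerability", vulnerability, VULNERABILITY),
                               ("cia", cia, CIA_VALUE)):
        if value not in scale:
            raise ValueError(f"{name}={value} is not in {sorted(scale)}")
    return probability + vulnerability + cia


def risk_level(value: int) -> Tuple[str, str]:
    """Return (level, required action) for a computed risk value."""
    for low, high, level, action in RISK_LEVELS:
        if low <= value <= high:
            return level, action
    raise ValueError(f"risk value {value} is outside 3..12")


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk register."""
    asset: str
    threat: str
    probability: int
    vulnerability: int
    cia: int

    def value(self) -> int:
        return risk_value(self.probability, self.vulnerability, self.cia)

    def level(self) -> str:
        return risk_level(self.value())[0]


def score_register(entries: List[RiskEntry]) -> List[Tuple[int, str, RiskEntry]]:
    """Rank register entries highest risk first as (value, level, entry)."""
    scored = [(e.value(), e.level(), e) for e in entries]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def residual_after_treatment(entry: RiskEntry, **new_ratings: int) -> RiskEntry:
    """Re-score an entry after a treatment changes P, V or C, e.g. probability=2
    once a control that changes the likelihood of the risk is in place."""
    return replace(entry, **new_ratings)


# Constructed sample register; the assets and ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("Source code repository", "Unauthorised access", 3, 3, 3),
    RiskEntry("Customer price lists", "Disclosure by misrouted fax", 2, 2, 2),
    RiskEntry("Production database", "Loss of backups", 5, 4, 3),
]

if __name__ == "__main__":
    for value, level, e in score_register(SAMPLE_REGISTER):
        print(f"{value:2d} {level:<15} {e.asset}: {e.threat}")
    treated = residual_after_treatment(SAMPLE_REGISTER[2], probability=2)
    print("residual after treatment:", treated.value(), treated.level())
```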
Understanding the Needs and Expectations of Interested Parties

Internal stakeholders | Issues
Management | Governance, resource availability, organization structure, roles and accountabilities, policies, objectives, and the strategies
Employees | Fulfillment of commitments, adherence to organization policies, processes and guidelines, and ensuring seamless / uninterrupted operations. Expectations of employees in terms of commitments made by the organization need to be fulfilled.
Shareholders | Relationship with, and perceptions and values of, internal stakeholders
Board of Directors | Maintaining commitment to customers, goodwill and repute of the organization, and maintaining the return on investment committed on the business, in totality
Corporate requirements | Standards, guidelines and models adopted by the organization
Users / Other departments | Information technology related requirements to the organization such as access rights, IT infrastructure availability to internal users and other departments
HR | Resource availability, resource competence, training, background verification, etc.
Finance | Approval of financial commitments
Legal | Vetting of legal contracts and protecting the organization from non-compliance with legal, regulatory and contractual requirements

External stakeholders | Issues
Customers | Service delivery
Vendors | Supply of goods and services to enable the organization to meet the requirements of the customer
Users / Public | Information technology related requirements to the organization such as access rights, IT infrastructure availability to internal users and other departments
Government | Submission of desired reports and statements and approvals to carry out the business. Fulfilling the legal and regulatory requirements.
Society and environment | Natural and competitive environment, key drivers and trends having impact on the objectives of the organization, political and financial status of the country
Communication

What to communicate | When to communicate | With whom to communicate | Who shall communicate | Processes by which communication shall be effected
Technical matters | To seek clarification, communicate execution and discuss options of delivery | Customer | Delivery Manager / Technical Lead | Email / Hard copy / Phone
Non-technical business development | When communicating upgrades / updates and offers of NST | Customer | Account Manager | Email / Hard copy / Phone
Financial information such as invoices, payment reminders, proposals, upgrade offers, etc. | As and when the event takes place | Customer | Accounts Manager | Email / Hard copy / Phone
Technical matters | To get the action initiated on completion of delivery | Accounts Manager / Business Head | Delivery Manager / Technical Lead | Email / Hard copy / Phone
Performance report | Monthly / quarterly | Business Head | Account Manager and Delivery Manager | PPT / Word / Excel - Email / Phone
Technical matters | As and when the event takes place | Project Manager | Developer / Tester | PPT / Word / Excel - Email / Phone

Communication provides the organization's statement of the information security of the business, highlighting the importance of protecting information.
Users shall be made aware of the information security risks involved in exchanging information through voice, email, fax and video communication facilities.
Statement of Applicability
Document describing the control objectives and controls that are
relevant and applicable to the organization’s ISMS, based on the
results of risk assessment and risk treatment processes.
Exercise
Given below are various risks that may be faced by an organization. Go through the list of clauses and map them against each risk.

Threat / Concern | Threat impact | Impact rating | Probability of happening | Probability rating
Unauthorised access | It will/may change the functionality of the software | High | Can happen occasionally | Medium
Loss of source code | System breakdown / competitive access | High | Occasionally | Medium
Maintenance support | Lack of customer satisfaction | High | Frequently | High
Training and awareness | Wrong / erroneous operation | Medium | Frequently | High
Generic Changes from the ISO 27001:2005 standard
• Puts more emphasis on measuring and evaluating how well an organization's ISMS is performing
• New section on outsourcing
• Does not emphasize the Plan-Do-Check-Act cycle
• More attention is paid to the organizational context of information security
• Risk assessment has changed
• Management commitment requirements have a focus on “leadership”
• Preventive action has been replaced with “actions to address risks and opportunities”
• SoA requirements are similar, with more clarity on the need to determine controls through the risk treatment process
• Controls in Annex A have been modified to reflect changing threats, remove duplication and have a more logical grouping
• Stress on maintaining documented information, rather than documents and records
• Greater emphasis on setting objectives, monitoring performance and metrics
Risk assessment and risk treatment
• Risk management comprises the activities to make clear what kind of information security risks may occur, determine the risk treatment and manage the risks.
• The activities that make the risks clear are referred to as "risk assessment".
  • Identify the risk owners
• The actions taken for the risks that have been made clear are referred to as "risk treatment". The options are:
  • Avoiding: withdrawal from the business, etc.
  • Taking or increasing risk in order to pursue an opportunity: additional investment, etc.
  • Changing the likelihood of risks: performing preventive measures, etc.
  • Removing the risk sources: performing preventive measures, etc.
  • Changing the consequences of risks: preparing the actions to be taken for the possible situations, etc.
  • Sharing the risks with other parties: insuring the risks, etc.
  • Retaining the risks as they are: accepting the risks upon recognition
• This is the same as the "management judgment" conventionally exercised by management.
New controls
14.2.1 Secure development policy – rules for development of software and
information systems
14.2.5 Secure system engineering principles – principles for system engineering
14.2.6 Secure development environment – establishing and protecting development
environment
14.2.8 System security testing – tests of security functionality
16.1.4 Assessment of and decision on information security events – this is part of
incident management
17.2.1 Availability of information processing facilities – achieving redundancy
Conceptual changes

New/Updated concept | Explanation
Context of the organization | The environment in which the organization operates
Issues, risks and opportunities | Replaces preventive action
Interested parties | Replaces stakeholders
Leadership | Requirements specific to top management
Communication | There are explicit requirements for both internal and external communications
Information security objectives | Information security objectives are now to be set at relevant functions and levels
Risk assessment | Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks (6.1.2 d); the emphasis is now on impact and probability
Risk owner | Replaces asset owner
Risk treatment plan | The effectiveness of the risk treatment plan is now regarded as more important than the effectiveness of controls
Controls | Now determined during the process of risk treatment
Documented information | Replaces documents and records
Performance evaluation | Covers the measurement of ISMS and risk treatment plan effectiveness
Continual improvement | Methodologies other than Plan-Do-Check-Act (PDCA) may be used
List of controls removed from ISO 27001:2005
• A.06.01.1 Management commitment to information security
• A.06.01.2 Information security coordination
• A.06.01.4 Authorization process for information processing facilities
• A.06.02.1 Identification of risks related to external parties
• A.06.02.2 Addressing security when dealing with customers
• A.10.02.1 Service delivery
• A.10.04.2 Controls against mobile code
• A.10.07.4 Security of system documentation
• A.10.08.5 Business information systems
• A.10.09.3 Publicly available information
• A.10.10.2 Monitoring system use
• A.10.10.4 Administrator and operator logs
• A.10.10.5 Fault logging
• A.11.04.2 User authentication for external connections
• A.11.04.3 Equipment identification in networks
• A.11.04.4 Remote diagnostic and configuration port protection
• A.11.04.6 Network connection control
• A.11.04.7 Network routing control
• A.11.05.2 User identification and authentication
• A.11.05.5 Session time-out
• A.11.05.6 Limitation of connection time
• A.11.06.2 Sensitive system isolation
• A.12.02.1 Input data validation
• A.12.02.2 Control of internal processing
• A.12.02.3 Message integrity
• A.12.02.4 Output data validation
• A.12.05.4 Information leakage
• A.14.01.1 Including information security in the business continuity management process
• A.14.01.3 Developing and implementing continuity plans including information security
• A.14.01.4 Business continuity planning framework
• A.15.01.5 Prevention of misuse of information processing facilities
• A.15.03.2 Protection of information systems audit tools
Thank you
Security audits & compliance
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Achieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdfAchieving ISO 27001 Certification.pdf
Achieving ISO 27001 Certification.pdf
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
 
Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1
 
Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1Ais Romney 2006 Slides 07 Is Control1
Ais Romney 2006 Slides 07 Is Control1
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
english_bok_ismp_202306.pptx
english_bok_ismp_202306.pptxenglish_bok_ismp_202306.pptx
english_bok_ismp_202306.pptx
 
541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security Program
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
 

Recently uploaded

Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 

ISMS Requirements

Slide 4: Need for ISMS

Management Concerns
• Market reputation
• Business continuity
• Disaster recovery
• Business loss
• Loss of confidential data
• Loss of customer confidence
• Legal liability
• Cost of security

Security Measures/Controls
• Technical
• Procedural
• Physical
• Logical
• Personnel
• Management

All of these can be addressed effectively and efficiently only by establishing a proper Information Security Management System (ISMS).
Slide 5: Comparing ISO 27001:2005 to ISO 27001:2013 (Structure)

ISO 27001:2005
The specification is spread across 5 clauses, which approach the ISMS from a managerial perspective:
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement

ISO 27001:2013
The specification is spread across 7 clauses, which do not have to be followed in the order they are listed:
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Slide 6: Comparing ISO 27001:2005 to ISO 27001:2013 (Process; Governance and management)

Process
• ISO 27001:2005: The standard clearly states that it follows the PDCA (Plan-Do-Check-Act) model.
• ISO 27001:2013: The standard does not specify any particular process model; it requires that a process of continual improvement is used.

Governance and management
• ISO 27001:2005: Senior management plays a major role. Management and board engagement is high, but the separation between board and management is not clear. The board initiates the ISMS; management oversees its implementation.
• ISO 27001:2013: Management roles are described as "management" and "top management", removing the reference to the board. The organization is that part of the business that falls within the ISMS scope, and not necessarily the legal entity.
Slide 7: Comparing ISO 27001:2005 to ISO 27001:2013 (Risk assessments)

ISO 27001:2005
• Risk is defined as the "combination of the probability of an event and its consequences".
• The organization identifies risks against assets.
• The asset owner determines how to treat the risk and accepts the residual risk.
• Controls are drawn from Annex A. Annex A is not exhaustive, so additional controls can be drawn from other sources.
• The Statement of Applicability records whether a control from Annex A is selected and why.

ISO 27001:2013
• Risk is defined as the "effect of uncertainty on objectives", which may be positive or negative.
• Baseline controls based on regulatory, business and contractual obligations may be identified and implemented before the risk assessment is conducted.
• The organization identifies risks to the organization's information; the assessment does not have to be asset-based.
• The risk owner determines how to treat the risk and accepts the residual risk.
• Controls are drawn from any source or control set; the selected controls are then compared to those in Annex A.
• The Statement of Applicability records whether a control from Annex A is selected and why.
Slide 8: Comparing ISO 27001:2005 to ISO 27001:2013 (Controls; Documentation)

Controls
• ISO 27001:2005: Annex A contains 133 controls across 11 control categories. Controls from other sources are used to "plug gaps" not covered by Annex A controls.
• ISO 27001:2013: Annex A contains 114 controls across 14 control categories. Controls (from any source) are identified before referring to Annex A.

Documentation
• ISO 27001:2005: The standard recognizes two forms: documents and records. Documents include policies, procedures, process diagrams, etc.; records track work completed, audit schedules, etc.
• ISO 27001:2013: The standard makes no distinction between documents and records; both are treated as "documented information" and are subject to the same control requirements.
Slide 9: ISO 27001 Structure

ISO/IEC 27001:2013 is an auditable standard with two parts.

Clauses (mandatory processes)
• 4 Context of the organisation
• 5 Leadership
• 6 Planning
• 7 Support
• 8 Operation
• 9 Performance evaluation
• 10 Improvement

Annex A (control objectives and controls)
• 14 domains
• 35 control objectives
• 114 controls
Slide 10: Number of Domains and Controls

Domain | Control objectives | Controls
• A.5 Information security policies | 1 | 2
• A.6 Organization of information security | 2 | 7
• A.7 Human resources security | 3 | 6
• A.8 Asset management | 3 | 10
• A.9 Access control | 4 | 14
• A.10 Cryptography | 1 | 2
• A.11 Physical and environmental security | 2 | 15
• A.12 Operations security | 7 | 14
• A.13 Communications security | 2 | 7
• A.14 System acquisition, development and maintenance | 3 | 13
• A.15 Supplier relationships | 2 | 5
• A.16 Information security incident management | 1 | 7
• A.17 Information security aspects of business continuity management | 2 | 4
• A.18 Compliance | 2 | 8
• Total (14 domains) | 35 | 114
Slide 11: ISO 27001 Main Clauses

Clause 4: Context of the organization
• Understanding the organization and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the information security management system
• Information security management system

Clause 5: Leadership
• Leadership and commitment
• Policy
• Organizational roles, responsibilities and authorities

Clause 6: Planning
• Actions to address risks and opportunities
• Information security objectives and planning to achieve them

Clause 7: Support
• Resources
• Competence
• Awareness
• Communication
• Documented information
Slide 12: ISO 27001 Main Clauses (continued)

Clause 8: Operation
• Operational planning and control
• Information security risk assessment
• Information security risk treatment

Clause 9: Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

Clause 10: Improvement
• Nonconformity and corrective action
• Continual improvement
Slide 13: ISMS Scope

The Information Security Management System covers all business functions and processes associated with the information assets used to provide benefits and services to the organization's customers, employees and business partners.
Slide 14: Quality Policy & Business Objectives

Quality & Security Policy: NST is committed to maintaining high quality standards in delivering timely and cost-effective solutions to our customers by continually improving our processes, instilling quality consciousness amongst all employees, and preserving the confidentiality, integrity and availability of information assets for relevant stakeholders, including our customers.

Business Objectives
• Key Objective 1: Provide high quality services to our clients.
• Key Objective 2: Continuous focus on employee satisfaction and competency development, so as to reduce and stabilize employee attrition.
• Key Objective 3: Continual improvement of services to our internal and external customers.
• Key Objective 4: To secure its own information assets and those of its customers, NST shall deploy procedures to maintain the confidentiality, integrity and availability of all information assets.
• Key Objective 5: Year-on-year revenue growth while maintaining profitability.
Slide 15: ISMS Documentation

Level 1: ISMS Manual (apex document)
• Policy, scope, risk assessment, Statement of Applicability
• Management framework policies

Level 2: Procedures
• Describe processes: who, what, when, where

Level 3: Work instructions, checklists, forms, etc.
• Describe how tasks and specific activities are done

Level 4: Records
• Provide objective evidence of compliance with ISMS requirements
Slide 16: Risk Assessment and Management

Risk Assessment
• Identify all stakeholders
• Identify business processes
• Identify operational processes
• Identify assets
• Identify risks on the basis of all stakeholders
• Identify threats and vulnerabilities
• Evaluate probability and impact
• Calculate the risk value

Risk Treatment
• Mitigate/reduce the risk
• Avoid the risk
• Transfer the risk
• Accept the risk

Risk Management
• Mitigate the risk with appropriate controls
• Evaluate the controls periodically
Slide 17: ISO 27001:2013 Main Clauses (4 to 10) and Annex A

• Clause 4: Context of the Organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance Evaluation
• Clause 10: Improvement
• Annex A: Domains, control objectives and controls (a normative annex, not a numbered clause of the standard)

Annex A comprises 14 domains, 35 control objectives and 114 detailed controls.
Slide 18: Structure of ISO 27001:2013 Controls

14 domains comprising 35 control objectives and 114 controls.

• A.5 Information security policies – controls on how the policies are written and reviewed
• A.6 Organization of information security – controls on how responsibilities are assigned; also includes the controls for mobile devices and teleworking
• A.7 Human resources security – controls prior to, during, and after employment
• A.8 Asset management – controls related to the inventory of assets and acceptable use, and to information classification and media handling
• A.9 Access control – controls for the access control policy, user access management, system and application access control, and user responsibilities
• A.10 Cryptography – controls related to encryption and key management
• A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
• A.12 Operations security – many controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
• A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
Slide 19: Structure of ISO 27001:2013 Controls (continued)

• A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
• A.15 Supplier relationships – controls on what to include in agreements, and how to monitor suppliers
• A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
• A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and review, and IT redundancy
• A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
Slide 20: Guidelines for using the Risk Register Sheet

Risk analysis is an evaluation of the identified risk events to determine the likelihood of the events occurring and their impact, to assign a risk rating based on the project criteria, and to prioritize the risks. For each risk event, the following guidelines can be used.

Probability: the likelihood of occurrence is categorized as
• Near certainty (score 5): event that has a greater than 75% chance of occurring
• Highly likely (score 4): event that has between a 51% and 75% chance of occurring
• Likely (score 3): event that has between a 20% and 50% chance of occurring
• Unlikely (score 2): event that has between a 10% and 20% chance of occurring
• Remote (score 1): event that has a 0% to 10% chance of occurring

Vulnerability (impact) value: the impact of each risk is given a characterization value as follows
• Showstopper (score 4): the effect is catastrophic; the organization may face significant loss and impact. The project will fail.
• Critical (score 3): the impact is serious and the project may be largely affected; there could be huge delays and the project could be postponed.
• Marginal (score 2): the risk could cause small delays in the schedule.
• Negligible (score 1): the impact on the project would be minimal.

Risk Value = Probability (P) + Vulnerability/Impact (I) + CIA Value (C)

Probability (P) levels
• 1 - (R)emote
• 2 - (U)nlikely
• 3 - (L)ikely
• 4 - (H)ighly likely
• 5 - (N)ear certainty

Vulnerability/Impact (I) values
• 1 - (N)egligible
• 2 - (M)arginal
• 3 - (C)ritical
• 4 - (S)howstopper

CIA value (C)
• 1 - Low
• 2 - Medium
• 3 - High

Risk value (P + I + C)
• 3 to 5 - Normal/Trivial
• 6 to 7 - Low
• 8 to 10 - Medium
• 11 to 12 - High

Risk level value definition
• 3 to 5: No action required.
• 6 to 7: To be reviewed regularly; the organization will accept risk up to this level.
• 8 to 10: Medium level risk; mitigation to be planned within a period of six months.
• 11 to 12: High level risk; mitigation required immediately.
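The scoring scheme above, together with the "evaluate probability and impact, calculate the risk value" steps of slide 16, carried through in Python as an added example. This is not code from the training deck or from the organization it describes. The names Risk, ScoredRisk, band_for, probability_from_chance, prioritize and needs_treatment, and the entries in SAMPLE_REGISTER (threats borrowed from the deck's exercise, P/I/C scores invented), are assumptions for illustration. One caveat the deck leaves open: its probability ranges share their boundaries (10% appears in both Remote and Unlikely, 20% in both Unlikely and Likely); the code resolves this by assigning a boundary value to the higher level, an assumption that should be confirmed against the organization's own criteria.

```python
"""Risk register scoring for the P + I + C scheme (added example, not the deck's code).

Risk Value = P + I + C
  P  probability level            1..5  (Remote .. Near certainty)
  I  vulnerability/impact value   1..4  (Negligible .. Showstopper)
  C  CIA value                    1..3  (Low, Medium, High)
so the value always lies in 3..12 and maps onto four bands.
"""
from __future__ import annotations

from dataclasses import dataclass

PROBABILITY = {1: "Remote", 2: "Unlikely", 3: "Likely", 4: "Highly likely", 5: "Near certainty"}
IMPACT = {1: "Negligible", 2: "Marginal", 3: "Critical", 4: "Showstopper"}
CIA = {1: "Low", 2: "Medium", 3: "High"}

# (lowest value, highest value, band, required action) from the "Risk level value definition".
BANDS = (
    (3, 5, "Normal/Trivial", "No action required"),
    (6, 7, "Low", "Review regularly; accepted by the organization up to this level"),
    (8, 10, "Medium", "Plan mitigation within six months"),
    (11, 12, "High", "Mitigation required immediately"),
)


def probability_from_chance(percent: float) -> int:
    """Map a percentage chance of occurrence onto the P level.

    The deck's ranges overlap at their boundaries (0-10, 10-20, 20-50, 51-75, >75).
    Assumption: a value on a shared boundary takes the higher level, so 10% -> Unlikely
    and 20% -> Likely; anything above 50% up to 75% is Highly likely.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"chance must be a percentage in 0..100, got {percent}")
    if percent > 75:
        return 5
    if percent > 50:
        return 4
    if percent >= 20:
        return 3
    if percent >= 10:
        return 2
    return 1


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: int  # P, 1..5
    impact: int       # I, 1..4
    cia: int          # C, 1..3

    def __post_init__(self) -> None:
        # Reject out-of-range scores so a typo in the register cannot yield a value outside 3..12.
        for name, score, table in (("probability", self.probability, PROBABILITY),
                                   ("impact", self.impact, IMPACT),
                                   ("cia", self.cia, CIA)):
            if score not in table:
                raise ValueError(f"{name} must be one of {sorted(table)}, got {score!r}")

    @property
    def value(self) -> int:
        return self.probability + self.impact + self.cia


def band_for(value: int) -> tuple[str, str]:
    """Return (band, required action) for a risk value in 3..12."""
    for low, high, band, action in BANDS:
        if low <= value <= high:
            return band, action
    raise ValueError(f"risk value {value} is outside 3..12")


@dataclass(frozen=True)
class ScoredRisk:
    risk: Risk
    value: int
    band: str
    action: str


def prioritize(register: list[Risk]) -> list[ScoredRisk]:
    """Score every entry and order the register highest risk first."""
    scored = [ScoredRisk(r, r.value, *band_for(r.value)) for r in register]
    return sorted(scored, key=lambda s: s.value, reverse=True)


def needs_treatment(scored: ScoredRisk) -> bool:
    """Medium and High must be treated; Normal/Trivial and Low are accepted per the definition."""
    return scored.value >= 8


# Constructed sample register: threats taken from the deck's exercise, P/I/C scores assumed.
SAMPLE_REGISTER = [
    Risk("Backup media", "Loss of backup media", probability=5, impact=4, cia=3),
    Risk("Source code repository", "Loss of source code", probability=3, impact=4, cia=3),
    Risk("Customer-facing application", "Unauthorised access", probability=3, impact=3, cia=3),
    Risk("Support desk", "Lapse in maintenance support", probability=4, impact=3, cia=1),
    Risk("Operations staff", "Insufficient training and awareness", probability=4, impact=2, cia=1),
    Risk("Marketing brochure site", "Defacement of public marketing copy", probability=1, impact=1, cia=1),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        flag = "TREAT" if needs_treatment(s) else "accept"
        print(f"{s.value:>2}  {s.band:<15} {flag:<7} {s.risk.asset}: {s.risk.threat} -> {s.action}")
```

Because the three inputs are bounded, the value can never fall outside 3..12, which is why band_for treats any other value as a data error rather than silently clamping it; validating the register entries up front is what makes that guarantee hold.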
Slide 21: Understanding the Needs and Expectations of Interested Parties

Internal stakeholders
• Management: governance, resource availability, organization structure, roles and accountabilities, policies, objectives and strategies.
• Employees: fulfilment of commitments; adherence to organization policies, processes and guidelines to ensure seamless, uninterrupted operations. Expectations of employees in terms of commitments made by the organization need to be fulfilled.
• Shareholders: relationship with, and perceptions and values of, internal stakeholders.
• Board of Directors: maintaining commitment to customers, the goodwill and repute of the organization, and the return on investment committed on the business as a whole.
• Corporate requirements: standards, guidelines and models adopted by the organization.
• Users / other departments: information technology requirements on the organization, such as access rights and IT infrastructure availability for internal users and other departments.
• HR: resource availability, resource competence, training, background verification, etc.
• Finance: approval of financial commitments.
• Legal: vetting of legal contracts and protecting the organization from non-compliance with legal, regulatory and contractual requirements.

External stakeholders
• Customers: service delivery.
• Vendors: supply of goods and services to enable the organization to meet customer requirements.
• Users / public: information technology requirements on the organization, such as access rights and IT infrastructure availability.
• Government: submission of required reports and statements, and approvals to carry out the business; fulfilling legal and regulatory requirements.
• Society and environment: natural and competitive environment; key drivers and trends having an impact on the objectives of the organization; political and financial status of the country.
Slide 22: Communication

What to communicate | When | With whom | Who communicates | Process
• Technical matters | To seek clarification, communicate execution and discuss delivery options | Customer | Delivery Manager / Technical Lead | Email / hard copy / phone
• Non-technical (business development) | When communicating upgrades, updates and offers of NST | Customer | Account Manager | Email / hard copy / phone
• Financial information such as invoices, payment reminders, proposals, upgrade offers, etc. | As and when the event takes place | Customer | Accounts Manager | Email / hard copy / phone
• Technical matters | To get action initiated on completion of delivery | Accounts Manager / Business Head | Delivery Manager / Technical Lead | Email / hard copy / phone
• Performance report | Monthly / quarterly | Business Head | Account Manager and Delivery Manager | PPT / Word / Excel by email; phone
• Technical matters | As and when the event takes place | Project Manager | Developer / Tester | PPT / Word / Excel by email; phone

Communications provide a statement to the organization about the information security of the business, highlighting the importance of protecting information. Users shall be made aware of the information security risks of exchanging information through voice, email, fax and video communication facilities.
Slide 23: Statement of Applicability

A document describing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results of the risk assessment and risk treatment processes.
Slide 24: Exercise

Given below are various risks that may be faced by an organization. Go through the list of clauses and map them against each risk.

Threat / Concern | Threat impact | Impact rating | Probability of happening | Probability rating
• Unauthorised access | It will/may change the functionality of the software | High | Can happen occasionally | Medium
• Loss of source code | System breakdown / access by competitors | High | Occasionally | Medium
• Maintenance support | Lack of customer satisfaction | High | Frequently | High
• Training and awareness | Wrong / erroneous operation | Medium | Frequently | High
Slide 25: Generic Changes from the ISO 27001:2005 Standard

• Puts more emphasis on measuring and evaluating how well an organization's ISMS is performing.
• New section on outsourcing.
• Does not emphasize the Plan-Do-Check-Act cycle.
• More attention is paid to the organizational context of information security.
• Risk assessment has changed.
• Management commitment requirements now focus on "leadership".
• Preventive action has been replaced with "actions to address risks and opportunities".
• SoA requirements are similar, with more clarity on the need to determine controls through the risk treatment process.
• Controls in Annex A have been modified to reflect changing threats, remove duplication and give a more logical grouping.
• Stress on maintaining "documented information", rather than separate documents and records.
• Greater emphasis on setting objectives, monitoring performance and metrics.
• 26. Risk assessment and risk treatment
• Risk management comprises the activities that make clear what kinds of information security risks may occur, determine the risk treatment and manage the risks.
• The activities that make the risks clear are referred to as "risk assessment".
• Identify the risk owners.
• The actions taken for the risks that have been made clear are referred to as "risk treatment":
– Avoiding: withdrawal of business, etc.
– Taking or increasing risk in order to pursue an opportunity: additional investment, etc.
– Changing the likelihood of risks: performing preventive measures, etc.
– Removing the risk sources: performing preventive measures, etc.
– Changing the consequences of risks: preparing the actions to be taken for the possible situations, etc.
– Sharing the risks with other parties: insuring the risks, etc.
– Retaining the risks as they are: accepting the risks upon recognition
• This is the same as the "management judgment" conventionally exercised by management.
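As an added example, not part of the training deck, the following Python script puts the exercise on slide 24 and the treatment options above into a small risk register: each risk is rated from its impact and probability, compared against a risk acceptance criterion, assigned a risk owner and one of the listed treatment options, and the register is then audited the way an internal auditor would check it (every risk above the acceptance threshold has an active treatment, every "modify" treatment names the controls that implement it). The 3x3 scoring scale, the acceptance threshold and the Annex A references attached to each row are assumptions for illustration; an organization defines its own risk criteria in its risk assessment methodology.

```python
"""Qualitative ISMS risk register (added example, not from the training deck).

Rates each risk from impact and probability, checks it against an assumed
acceptance criterion, and records the treatment option chosen for it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordinal scales for the qualitative labels used on the exercise slide.
IMPACT_SCALE = {"Low": 1, "Medium": 2, "High": 3}
PROBABILITY_SCALE = {"Rarely": 1, "Occasionally": 2, "Frequently": 3}

# Assumed acceptance criterion: a score above this must be treated, not retained.
ACCEPTANCE_THRESHOLD = 4

# Treatment options as listed on the slide.
TREATMENT_OPTIONS = {
    "avoid": "Avoiding the risk (withdrawal of the activity)",
    "take": "Taking or increasing risk to pursue an opportunity",
    "modify": "Changing likelihood or consequences, or removing the risk source",
    "share": "Sharing the risk with another party (insurance, contract)",
    "retain": "Retaining the risk by informed decision",
}


@dataclass
class Risk:
    threat: str
    impact: str                       # key of IMPACT_SCALE
    probability: str                  # key of PROBABILITY_SCALE
    owner: str                        # risk owner (replaces "asset owner" in 2013)
    treatment: Optional[str] = None   # key of TREATMENT_OPTIONS
    controls: List[str] = field(default_factory=list)  # controls implementing the treatment

    def score(self) -> int:
        """Impact x probability on the assumed 3x3 scale."""
        return IMPACT_SCALE[self.impact] * PROBABILITY_SCALE[self.probability]

    def level(self) -> str:
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Medium"
        return "Low"

    def requires_treatment(self) -> bool:
        return self.score() > ACCEPTANCE_THRESHOLD


def audit_register(register: List[Risk]) -> List[str]:
    """Findings an internal auditor would raise; empty when the register is consistent."""
    findings = []
    for r in register:
        if not r.owner:
            findings.append(f"{r.threat}: no risk owner assigned")
        if r.treatment is not None and r.treatment not in TREATMENT_OPTIONS:
            findings.append(f"{r.threat}: unknown treatment option '{r.treatment}'")
        if r.requires_treatment() and r.treatment in (None, "retain"):
            findings.append(
                f"{r.threat}: score {r.score()} exceeds acceptance threshold "
                f"{ACCEPTANCE_THRESHOLD} but has no active treatment")
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{r.threat}: 'modify' treatment names no controls")
    return findings


def build_register() -> List[Risk]:
    """Constructed register from the four rows of the exercise slide.

    Owners and control references are illustrative assumptions.
    """
    return [
        Risk("Unauthorised access", "High", "Occasionally", "Technical Lead",
             "modify", ["A.9.4.1 Information access restriction"]),
        Risk("Loss of source code", "High", "Occasionally", "Delivery Manager",
             "modify", ["A.12.3.1 Information backup",
                        "A.14.2.1 Secure development policy"]),
        Risk("Maintenance support", "High", "Frequently", "Business Head",
             "share", ["Support SLA agreed with the vendor"]),
        Risk("Training and awareness", "Medium", "Frequently", "Account Manager",
             "modify", ["A.7.2.2 Information security awareness, education and training"]),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.threat:<24} score={r.score()} level={r.level()} "
              f"treatment={TREATMENT_OPTIONS[r.treatment]}")
    print("findings:", audit_register(register) or "none")
```

Note that all four exercise rows score above the assumed threshold, so an auditor would expect each to carry an active treatment; the last check in `audit_register` mirrors the 2013 change on slide 28 that controls are determined during risk treatment rather than selected up front.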
• 27. New controls
– 14.2.1 Secure development policy: rules for development of software and information systems
– 14.2.5 Secure system engineering principles: principles for system engineering
– 14.2.6 Secure development environment: establishing and protecting the development environment
– 14.2.8 System security testing: tests of security functionality
– 16.1.4 Assessment of and decision on information security events: this is part of incident management
– 17.2.1 Availability of information processing facilities: achieving redundancy
• 28. Conceptual changes
New/Updated Concept | Explanation
Context of the organization | The environment in which the organization operates
Issues, risks and opportunities | Replaces preventive action
Interested parties | Replaces stakeholders
Leadership | Requirements specific to top management
Communication | There are explicit requirements for both internal and external communications
Information security objectives | Information security objectives are now to be set at relevant functions and levels
Risk assessment | Identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks (6.1.2 d); the emphasis is now on impact and probability
Risk owner | Replaces asset owner
Risk treatment plan | The effectiveness of the risk treatment plan is now regarded as being more important than the effectiveness of controls
Controls | Now determined during the process of risk treatment
Documented information | Replaces documents and records
Performance evaluation | Covers the measurement of ISMS and risk treatment plan effectiveness
Continual improvement | Methodologies other than Plan-Do-Check-Act (PDCA) may be used
• 29. List of controls removed from ISO 27001:2005
– A.06.01.1 Management commitment to information security
– A.06.01.2 Information security coordination
– A.06.01.4 Authorization process for information processing facilities
– A.06.02.1 Identification of risks related to external parties
– A.06.02.2 Addressing security when dealing with customers
– A.10.02.1 Service delivery
– A.10.04.2 Controls against mobile code
– A.10.07.4 Security of system documentation
– A.10.08.5 Business information systems
– A.10.09.3 Publicly available information
– A.10.10.2 Monitoring system use
– A.10.10.4 Administrator and operator logs
– A.10.10.5 Fault logging
– A.11.04.2 User authentication for external connections
– A.11.04.3 Equipment identification in networks
– A.11.04.4 Remote diagnostic and configuration port protection
– A.11.04.6 Network connection control
– A.11.04.7 Network routing control
– A.11.05.2 User identification and authentication
– A.11.05.5 Session time-out
– A.11.05.6 Limitation of connection time
– A.11.06.2 Sensitive system isolation
– A.12.02.1 Input data validation
– A.12.02.2 Control of internal processing
– A.12.02.3 Message integrity
– A.12.02.4 Output data validation
– A.12.05.4 Information leakage
– A.14.01.1 Including information security in the business continuity management process
– A.14.01.3 Developing and implementing continuity plans including information security
– A.14.01.4 Business continuity planning framework
– A.15.01.5 Prevention of misuse of information processing facilities
– A.15.03.2 Protection of information systems audit tools
• 30. Thank you