ISO 27001 Lead Implementor / Auditor
Annex : 2022
Annex A:2022
• Annex A is a list of 93 security controls
• Control: a measure that modifies risk
• Control objective: a statement describing what is to be achieved as a result of implementing a control
• 4 control categories
What is ISO 27001:2022 Annex A?
• Reorganized and refined
• Better represents current risks
• Focus on four categories:
1. Organizational: Governance, risk, policy, structure.
2. People: Training, awareness, reporting, culture.
3. Physical: Access, environment, surveillance, protection.
4. Technological: Encryption, authentication, detection, defense.
5. Organizational Controls
37 controls
• Structured approach to managing risks
• Align policies with business objectives
• Address legal, regulatory requirements
• Emphasize human factors in security
• Manage physical and digital assets
• Monitor and review supplier services
Organizational Controls (5.1-5.5)
5.1 Policies for Information Security: Define, approve, publish, communicate policies to all.
5.2 Information Security Roles and Responsibilities: Define and allocate the responsibilities for information security.
5.3 Segregation of Duties: Duties and areas of responsibility should be segregated to avoid conflicts.
5.4 Management Responsibilities: Ensure management knows their role in infosec and promotes awareness.
5.5 Contact with Authorities: Encourage proactive security and facilitate timely sharing of critical information.
Organizational Controls (5.6-5.10)
5.6 Contact with Special Interest Groups: Maintain contacts with special interest groups to stay updated regarding information security.
5.7 Threat Intelligence: Gathering and analysing information about current and future cyber attacks.
5.8 Information Security in Project Management: Addresses information security in project management.
5.9 Inventory of Information and Other Associated Assets: Identify information assets and owners to preserve their security.
5.10 Acceptable Use of Information and Other Associated Assets: Define and document the rules of acceptable use of assets.
Organizational Controls (5.11-5.15)
5.11 Return of Assets: Protect assets when changing or terminating employment.
5.12 Classification of Information: Identification of protection needs of information in accordance with its importance.
5.13 Labeling of Information: To facilitate the communication of information classification.
5.14 Information Transfer: Protect information in transfer from interception, copying, modification, mis-routing and destruction.
5.15 Access Control: To secure authorized access and prevent unauthorized access to information and assets.
Organizational Controls (5.16-5.20)
5.16 Identity Management: Uniquely identify individuals and systems accessing an organization's information assets and assign appropriate access rights.
5.17 Authentication Information: To ensure proper entity authentication and prevent failures of authentication processes.
5.18 Access Rights: Define and authorise access according to business requirements.
5.19 Information Security in Supplier Relationships: Mitigate the risks on information assets accessible by suppliers.
5.20 Addressing Security Within Supplier Agreements: Establish and agree all relevant information security requirements.
Organizational Controls (5.21-5.25)
5.21 Managing Information Security in the ICT Supply Chain: Address risks of the provided information and communication technology services.
5.22 Monitoring, Review & Change Management of Supplier Services: Regularly monitor, review and audit supplier service delivery.
5.23 Information Security for Use of Cloud Services: To specify and manage information security for the use of cloud services.
5.24 Information Security Incident Management Planning and Preparation: Ensure effective response to security incidents.
5.25 Assessment and Decision on Information Security Events: Assess events, categorize as security incidents.
Organizational Controls (5.26-5.30)
5.26 Response to Information Security Incidents: To ensure efficient and effective response to information security incidents.
5.27 Learning from Information Security Incidents: Reduce the likelihood or consequences of future incidents.
5.28 Collection of Evidence: Ensure effective evidence management for legal purposes.
5.29 Information Security During Disruption: Protect information and other associated assets during disruption.
5.30 ICT Readiness for Business Continuity: Ensure availability of information during disruption.
Organizational Controls (5.31-5.35)
5.31 Statutory, Regulatory and Contractual Requirements: Comply with legal, regulatory, and contract requirements.
5.32 Intellectual Property Rights: Comply with legal requirements for intellectual property rights and proprietary products.
5.33 Protection of Records: Ensure compliance with legal, regulatory, and contractual requirements.
5.34 Privacy and Protection of PII: Compliance with legal requirements for PII protection.
5.35 Independent Review of Information Security: Ensure ongoing effective information security management.
Organizational Controls (5.36-5.37)
5.36 Compliance with Policies, Rules and Standards for Information Security: To ensure information security compliance with policy.
5.37 Documented Operating Procedures: Ensure secure and correct operation of information facilities.
6. People Controls
8 Controls
• Remote work
• Ensure confidentiality
• Non-disclosure agreements
• Screen employees
People Controls (6.1-6.4)
6.1 Screening: Ensure personnel eligibility and suitability during employment.
6.2 Terms and Conditions of Employment: Ensure personnel understand their security responsibilities.
6.3 Information Security Awareness, Education and Training: Ensure awareness of information security responsibilities.
6.4 Disciplinary Process: Ensure consequences are understood; deter and deal with violators.
People Controls (6.5-6.8)
6.5 Responsibilities After Termination or Change of Employment: Protect the organization during employment or contract changes/terminations.
6.6 Confidentiality or Non-disclosure Agreements: To maintain information confidentiality by all stakeholders.
6.7 Remote Working: To secure remote work information.
6.8 Information Security Event Reporting: To support reporting of security events by personnel.
7. Physical Controls
14 Controls
• The physical control category aims to prevent unauthorized access
• Covers a range of controls related to physical security
• Includes prevention of unauthorized access to facilities
• Protects equipment and assets from damage or theft
• Includes management of physical security breaches
• Measures can include security guards, access control systems, locks, security cameras
• Also includes secure storage and transportation of information
• Annex A recognizes the importance of physical security in information security
• Helps ensure security and integrity of information and assets
Physical Controls (7.1-7.5)
7.1 Physical Security Perimeters: Prevent unauthorized physical access and damage to assets.
7.2 Physical Entry: Authorize physical access to protect the organization's information.
7.3 Securing Offices, Rooms and Facilities: Prevent unauthorized access and damage to assets.
7.4 Physical Security Monitoring: Prevent and identify unauthorized physical access.
7.5 Protecting Against Physical and Environmental Threats: Prevent damage from physical and environmental threats.
Physical Controls (7.6-7.10)
7.6 Working in Secure Areas: Protect secure areas and assets from internal damage and unauthorized access.
7.7 Clear Desk and Clear Screen: Minimize unauthorized access to information on desks/screens during and outside working hours.
7.8 Equipment Siting and Protection: Minimize impact of physical, environmental threats and unauthorized access.
7.9 Security of Assets Off-premises: Protect the organization from disruptions and unauthorized access to off-site devices.
7.10 Storage Media: Protect stored information from unauthorized access, modification, or destruction.
Physical Controls (7.11-7.14)
7.11 Supporting Utilities: Prevent information loss or disruption due to utility failures.
7.12 Cabling Security: Protect information, assets, and operations from cable-related issues.
7.13 Equipment Maintenance: Prevent damage, theft, compromise of assets and operational interruptions from maintenance neglect.
7.14 Secure Disposal or Reuse of Equipment: To avoid leakage of information when disposing of or reusing equipment.
8. Technological Controls
34 Controls
• Technological controls are security measures for IT systems.
• These controls are used to prevent unauthorized access.
• Examples include access controls and encryption.
• Monitoring and logging are also important controls.
• These controls help detect and prevent security incidents.
• Backup and recovery procedures are part of technological controls.
• Physical security measures also fall under technological controls.
• These controls are implemented to protect data confidentiality.
• They are also used to ensure data integrity and availability.
• Technological controls should be regularly reviewed and updated.
Technological Controls (8.1-8.5)
8.1 User Endpoint Devices: Protect information from user endpoint device threats.
8.2 Privileged Access Rights: Ensure only authorized privileged access rights are granted.
8.3 Information Access Restriction: To restrict access to authorized users only.
8.4 Access to Source Code: Prevent unauthorized changes and maintain intellectual property confidentiality.
8.5 Secure Authentication: Ensure secure access via authentication for systems, apps, services.
Technological Controls (8.6-8.10)
8.6 Capacity Management: Ensure sufficient resources for information processing and facilities.
8.7 Protection Against Malware: Protect information and assets against malware.
8.8 Management of Technical Vulnerabilities: To prevent exploitation of technical vulnerabilities.
8.9 Configuration Management: To avoid sensitive data exposure and meet legal, regulatory, and contractual obligations.
8.10 Information Deletion: To ensure compliant information deletion and avoid exposure of sensitive data.
Technological Controls (8.11-8.15)
8.11 Data Masking: Ensure compliance with regulations and protect sensitive data.
8.12 Data Leakage Prevention: Prevent unauthorized information disclosure/extraction by individuals or systems.
8.13 Information Backup: To enable recovery from loss of data or systems.
8.14 Redundancy of Information Processing Facilities: Ensure the continuous operation of information processing facilities.
8.15 Logging: To capture events, maintain log integrity, detect security events, prevent unauthorized access, support investigations.
Technological Controls (8.16-8.20)
8.16 Monitoring Activities: To detect anomalous behaviour and information security incidents.
8.17 Clock Synchronization: Support analysis of security events and investigations.
8.18 Use of Privileged Utility Programs: Ensure safe use of utility programs for security.
8.19 Installation of Software on Operational Systems: Ensure system integrity, prevent vulnerabilities.
8.20 Networks Security: Protect network information from compromise.
Technological Controls (8.21-8.25)
8.21 Security of Network Services: To ensure security in the use of network services.
8.22 Segregation of Networks: Segment the network for controlled traffic based on business needs.
8.23 Web Filtering: Protect systems from malware and unauthorized web access.
8.24 Use of Cryptography: Protect information using cryptography that meets legal requirements.
8.25 Secure Development Life Cycle: Ensure a secure development life cycle for software and systems.
Technological Controls (8.26-8.30)
8.26 Application Security Requirements: Address all security requirements when developing or acquiring applications.
8.27 Secure System Architecture and Engineering Principles: Securely design, implement, and operate information systems in the development life cycle.
8.28 Secure Coding: Ensure secure software to reduce vulnerabilities.
8.29 Security Testing in Development and Acceptance: Validate security requirements during code deployment.
8.30 Outsourced Development: Ensure infosec measures in outsourced development.
Technological Controls (8.31-8.34)
8.31 Separation of Development, Test and Production Environments: Protect production and data from dev/test compromise.
8.32 Change Management: To preserve information security when executing changes.
8.33 Test Information: Ensure relevant testing and protect operational information used for testing.
8.34 Protection of Information Systems During Audit Testing: Prevent unauthorized access and damage to assets.

More Related Content

Similar to 04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx

Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseDesmond Devendran
 
Chap5 2007 Cisa Review Course
Chap5 2007 Cisa Review CourseChap5 2007 Cisa Review Course
Chap5 2007 Cisa Review CourseDesmond Devendran
 
Importance of Information Security and Goals for Preventing Data Breaches
 Importance of Information Security and Goals for Preventing Data Breaches Importance of Information Security and Goals for Preventing Data Breaches
Importance of Information Security and Goals for Preventing Data Breacheskimsrung lov
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehAnne Starr
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantIlesh Dattani
 
Cybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfCybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfLarisaAlbanians
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
 
ISO 27701 Essentials: Building a Robust Privacy Management System
ISO 27701 Essentials: Building a Robust Privacy Management SystemISO 27701 Essentials: Building a Robust Privacy Management System
ISO 27701 Essentials: Building a Robust Privacy Management SystemShyamMishra72
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRShadi A. Razak
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRIryna Chekanava
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general attSHIVA101531
 
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.pptsikandar girgoukar
 

Similar to 04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx (20)

Chap5 2007 C I S A Review Course
Chap5 2007 C I S A Review CourseChap5 2007 C I S A Review Course
Chap5 2007 C I S A Review Course
 
Chap5 2007 Cisa Review Course
Chap5 2007 Cisa Review CourseChap5 2007 Cisa Review Course
Chap5 2007 Cisa Review Course
 
Importance of Information Security and Goals for Preventing Data Breaches
 Importance of Information Security and Goals for Preventing Data Breaches Importance of Information Security and Goals for Preventing Data Breaches
Importance of Information Security and Goals for Preventing Data Breaches
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
GDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliantGDPR and ISO 27001 - how to be compliant
GDPR and ISO 27001 - how to be compliant
 
Cybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfCybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdf
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
 
ISO 27701 Essentials: Building a Robust Privacy Management System
ISO 27701 Essentials: Building a Robust Privacy Management SystemISO 27701 Essentials: Building a Robust Privacy Management System
ISO 27701 Essentials: Building a Robust Privacy Management System
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPR
 
Information Security
Information SecurityInformation Security
Information Security
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
Security architecture principles isys 0575general att
Security architecture principles isys 0575general attSecurity architecture principles isys 0575general att
Security architecture principles isys 0575general att
 
Mn bfdsprivacy
Mn bfdsprivacyMn bfdsprivacy
Mn bfdsprivacy
 
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt
2211-III-IV-Info-Security-061cab6ee6c0fb0-53969879.ppt
 

Recently uploaded

Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...shivangimorya083
 
Production Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbjProduction Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbjLewisJB
 
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd  6297143586 Call Hot In...Booking open Available Pune Call Girls Ambegaon Khurd  6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...Call Girls in Nagpur High Profile
 
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen Dating
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen DatingDubai Call Girls Starlet O525547819 Call Girls Dubai Showen Dating
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen Datingkojalkojal131
 
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...sonalitrivedi431
 
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual serviceanilsa9823
 
Résumé (2 pager - 12 ft standard syntax)
Résumé (2 pager -  12 ft standard syntax)Résumé (2 pager -  12 ft standard syntax)
Résumé (2 pager - 12 ft standard syntax)Soham Mondal
 
Top Rated Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 
Get To Know About "Lauren Prophet-Bryant''
Get To Know About "Lauren Prophet-Bryant''Get To Know About "Lauren Prophet-Bryant''
Get To Know About "Lauren Prophet-Bryant''Lauren Prophet-Bryant
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceanilsa9823
 
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...amitlee9823
 
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...rightmanforbloodline
 
Joshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptxJoshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptxsportsworldproductio
 
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubai
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur DubaiBur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubai
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubaiparisharma5056
 
Top Rated Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Zeeman Effect normal and Anomalous zeeman effect
Zeeman Effect normal and Anomalous zeeman effectZeeman Effect normal and Anomalous zeeman effect
Zeeman Effect normal and Anomalous zeeman effectPriyanshuRawat56
 
Resumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineResumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineBruce Bennett
 
Motilal Oswal Gift City Fund PPT - Apr 2024.pptx
Motilal Oswal Gift City Fund PPT - Apr 2024.pptxMotilal Oswal Gift City Fund PPT - Apr 2024.pptx
Motilal Oswal Gift City Fund PPT - Apr 2024.pptxMaulikVasani1
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理cowagem
 

Recently uploaded (20)

Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
 
Production Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbjProduction Day 1.pptxjvjbvbcbcb bj bvcbj
Production Day 1.pptxjvjbvbcbcb bj bvcbj
 
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd  6297143586 Call Hot In...Booking open Available Pune Call Girls Ambegaon Khurd  6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
 
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen Dating
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen DatingDubai Call Girls Starlet O525547819 Call Girls Dubai Showen Dating
Dubai Call Girls Starlet O525547819 Call Girls Dubai Showen Dating
 
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...
Hyderabad 💫✅💃 24×7 BEST GENUINE PERSON LOW PRICE CALL GIRL SERVICE FULL SATIS...
 
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Nishatganj Lucknow best sexual service
 
Résumé (2 pager - 12 ft standard syntax)
Résumé (2 pager -  12 ft standard syntax)Résumé (2 pager -  12 ft standard syntax)
Résumé (2 pager - 12 ft standard syntax)
 
Top Rated Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Deccan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Get To Know About "Lauren Prophet-Bryant''
Get To Know About "Lauren Prophet-Bryant''Get To Know About "Lauren Prophet-Bryant''
Get To Know About "Lauren Prophet-Bryant''
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
 
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hoodi Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Btm Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
 
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...
TEST BANK For An Introduction to Brain and Behavior, 7th Edition by Bryan Kol...
 
Joshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptxJoshua Minker Brand Exploration Sports Broadcaster .pptx
Joshua Minker Brand Exploration Sports Broadcaster .pptx
 
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubai
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur DubaiBur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubai
Bur Dubai Call Girl Service #$# O56521286O Call Girls In Bur Dubai
 
Top Rated Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Warje ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Zeeman Effect normal and Anomalous zeeman effect
Zeeman Effect normal and Anomalous zeeman effectZeeman Effect normal and Anomalous zeeman effect
Zeeman Effect normal and Anomalous zeeman effect
 
Resumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineResumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying Online
 
Motilal Oswal Gift City Fund PPT - Apr 2024.pptx
Motilal Oswal Gift City Fund PPT - Apr 2024.pptxMotilal Oswal Gift City Fund PPT - Apr 2024.pptx
Motilal Oswal Gift City Fund PPT - Apr 2024.pptx
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理
 

04 - Annexe 20sdsdsdsadsadsdsdsad22.pptx

  • 1. ISO 27001 Lead Implementor / Auditor Annex : 2022
  • 2. Annex A:2022 • Annexe A is a list of 93 security controls • Control : Measure that modifies risk • Control Objective : Statement stating what is to be achieved as a result of implementing a control • 4 Control categories
  • 3. What is ISO 27001:2022 Annex A? Reorganized and refined Better represent current risks Focus on 1. Organizational: Governance, risk, policy, structure. 2. People: Training, awareness, reporting, culture. 3. Physical: Access, environment, surveillance, protection. 4. Technological: Encryption, authentication, detection, defense.
  • 4. 5. Organizational Controls 37 controls Structured approach to managing risks Align policies with business objectives Address legal, regulatory requirements Emphasize human factors in security Manage physical and digital assets Monitor and review supplier services
  • 5. Organizational Controls (5.1-5.5) 5.1 Policies for Information Security : Define, approve, publish, communicate policies to all. 5.2 Information Security Roles and Responsibilities : Define and allocate the responsibilities for information security. 5.3 Segregation of Duties : Duties and areas of responsibility should be segregated to avoid conflicts. 5.4 Management Responsibilities : Ensure management knows their role in infosec and promotes awareness. 5.5 Contact with Authorities : Encourage proactive security and facilitate timely sharing of critical information.
  • 6. Organizational Controls (5.6-5.10) 5.6 Contact with Special Interest Groups : Maintain contacts with special interest groups to stay updated regarding information security 5.7 Threat Intelligence : Gathering and analysing information about current and future cyber attacks 5.8 Information Security in Project Management : Addresses information security in project management 5.9 Inventory of Information and Other Associated Assets : Identify Information assets and owners to preserve their security 5.10 Acceptable Use of Information and Other Associated Assets :Define and Document the rules of acceptable use of assets
Organizational Controls (5.11-5.15)
5.11 Return of Assets: Protect assets when employment changes or terminates.
5.12 Classification of Information: Identify the protection needs of information according to its importance.
5.13 Labelling of Information: Facilitate the communication of information classification.
5.14 Information Transfer: Protect information in transfer from interception, copying, modification, mis-routing and destruction.
5.15 Access Control: Secure authorized access and prevent unauthorized access to information and assets.
Organizational Controls (5.16-5.20)
5.16 Identity Management: Uniquely identify individuals and systems accessing the organization's information assets and assign appropriate access rights.
5.17 Authentication Information: Ensure proper entity authentication and prevent failures of authentication processes.
5.18 Access Rights: Define and authorize access according to business requirements.
5.19 Information Security in Supplier Relationships: Mitigate the risks to information assets accessible by suppliers.
5.20 Addressing Security Within Supplier Agreements: Establish and agree all relevant information security requirements with each supplier.
Organizational Controls (5.21-5.25)
5.21 Managing Information Security in the ICT Supply Chain: Manage the information security risks associated with the ICT products and services supply chain.
5.22 Monitoring, Review and Change Management of Supplier Services: Regularly monitor, review and audit supplier service delivery.
5.23 Information Security for Use of Cloud Services: Specify and manage information security for the use of cloud services.
5.24 Information Security Incident Management Planning and Preparation: Ensure an effective response to security incidents.
5.25 Assessment and Decision on Information Security Events: Assess information security events and decide whether to categorize them as incidents.
Organizational Controls (5.26-5.30)
5.26 Response to Information Security Incidents: Ensure an efficient and effective response to information security incidents.
5.27 Learning from Information Security Incidents: Reduce the likelihood or consequences of future incidents.
5.28 Collection of Evidence: Ensure effective evidence management for legal purposes.
5.29 Information Security During Disruption: Protect information and other associated assets during disruption.
5.30 ICT Readiness for Business Continuity: Ensure availability of information during disruption.
Organizational Controls (5.31-5.35)
5.31 Statutory, Regulatory and Contractual Requirements: Comply with legal, regulatory and contractual requirements.
5.32 Intellectual Property Rights: Comply with legal requirements for intellectual property rights and proprietary products.
5.33 Protection of Records: Protect records from loss, destruction, falsification and unauthorized access or release, as required by law, regulation and contract.
5.34 Privacy and Protection of PII: Comply with legal requirements for PII protection.
5.35 Independent Review of Information Security: Ensure ongoing effective information security management.
Organizational Controls (5.36-5.37)
5.36 Compliance with Policies, Rules and Standards for Information Security: Ensure information security is implemented in compliance with policy.
5.37 Documented Operating Procedures: Ensure the secure and correct operation of information processing facilities.
6. People Controls
8 controls
Remote work
Ensure confidentiality
Non-disclosure agreements
Screen employees
People Controls (6.1-6.4)
6.1 Screening: Ensure personnel are eligible and suitable for their roles, before and during employment.
6.2 Terms and Conditions of Employment: Ensure personnel understand their security responsibilities.
6.3 Information Security Awareness, Education and Training: Ensure awareness of information security responsibilities.
6.4 Disciplinary Process: Ensure consequences are understood; deter and deal with violators.
People Controls (6.5-6.8)
6.5 Responsibilities After Termination or Change of Employment: Protect the organization's interests when employment or contracts change or terminate.
6.6 Confidentiality or Non-disclosure Agreements: Maintain the confidentiality of information by all stakeholders.
6.7 Remote Working: Secure information when working remotely.
6.8 Information Security Event Reporting: Support the reporting of security events by personnel.
7. Physical Controls
14 controls
The physical control category aims to prevent unauthorized access
Covers a range of controls related to physical security
Includes prevention of unauthorized access to facilities
Protects equipment and assets from damage or theft
Includes management of physical security breaches
Measures can include security guards, access control systems, locks and security cameras
Also includes secure storage and transportation of information
Annex A recognizes the importance of physical security to information security
Helps ensure the security and integrity of information and assets
Physical Controls (7.1-7.5)
7.1 Physical Security Perimeters: Prevent unauthorized physical access and damage to assets.
7.2 Physical Entry: Authorize physical access to protect the organization's information.
7.3 Securing Offices, Rooms and Facilities: Prevent unauthorized access and damage to assets.
7.4 Physical Security Monitoring: Prevent and identify unauthorized physical access.
7.5 Protecting Against Physical and Environmental Threats: Prevent damage from physical and environmental threats.
Physical Controls (7.6-7.10)
7.6 Working in Secure Areas: Protect secure areas and assets from internal damage and unauthorized access.
7.7 Clear Desk and Clear Screen: Minimize unauthorized access to information on desks and screens during and outside working hours.
7.8 Equipment Siting and Protection: Minimize the impact of physical and environmental threats and unauthorized access.
7.9 Security of Assets Off-premises: Protect the organization from disruption and unauthorized access to off-site devices.
7.10 Storage Media: Protect stored information from unauthorized access, modification or destruction.
Physical Controls (7.11-7.14)
7.11 Supporting Utilities: Prevent information loss or disruption due to utility failures.
7.12 Cabling Security: Protect information, assets and operations from cable-related damage, interception or interference.
7.13 Equipment Maintenance: Prevent loss, damage, theft or compromise of assets and interruption of operations caused by lack of maintenance.
7.14 Secure Disposal or Reuse of Equipment: Avoid leakage of information when disposing of or reusing equipment.
8. Technological Controls
34 controls
Technological controls are security measures applied to IT systems
They are used to prevent unauthorized access
Examples include access controls and encryption
Monitoring and logging are also important controls
These controls help detect and prevent security incidents
Backup and recovery procedures are part of technological controls
They are implemented to protect data confidentiality
They are also used to ensure data integrity and availability
Technological controls should be regularly reviewed and updated
Technological Controls (8.1-8.5)
8.1 User Endpoint Devices: Protect information from the threats introduced by user endpoint devices.
8.2 Privileged Access Rights: Ensure privileged access rights are granted only to authorized users, software components and services.
8.3 Information Access Restriction: Restrict access to information to authorized users only.
8.4 Access to Source Code: Prevent unauthorized changes and maintain the confidentiality of intellectual property.
8.5 Secure Authentication: Ensure secure access to systems, applications and services through authentication.
Technological Controls (8.6-8.10)
8.6 Capacity Management: Ensure sufficient resources for information processing and facilities.
8.7 Protection Against Malware: Protect information and assets against malware.
8.8 Management of Technical Vulnerabilities: Prevent exploitation of technical vulnerabilities.
8.9 Configuration Management: Ensure hardware, software, services and networks run with the required security settings and that configurations are not altered by unauthorized or incorrect changes.
8.10 Information Deletion: Ensure compliant deletion of information and avoid unnecessary exposure of sensitive data.
Technological Controls (8.11-8.15)
8.11 Data Masking: Limit the exposure of sensitive data, including PII, and comply with legal, regulatory and contractual requirements.
8.12 Data Leakage Prevention: Prevent unauthorized disclosure or extraction of information by individuals or systems.
8.13 Information Backup: Enable recovery from loss of data or systems.
8.14 Redundancy of Information Processing Facilities: Ensure the continuous operation of information processing facilities.
8.15 Logging: Record events, maintain log integrity, detect security events, prevent unauthorized access and support investigations.
Technological Controls (8.16-8.20)
8.16 Monitoring Activities: Detect anomalous behaviour and information security incidents.
8.17 Clock Synchronization: Support the correlation and analysis of security events and investigations.
8.18 Use of Privileged Utility Programs: Ensure the use of utility programs does not bypass or harm system and application controls.
8.19 Installation of Software on Operational Systems: Ensure system integrity and prevent the introduction of vulnerabilities.
8.20 Networks Security: Protect information in networks from compromise.
Technological Controls (8.21-8.25)
8.21 Security of Network Services: Ensure security in the use of network services.
8.22 Segregation of Networks: Segment the network so that traffic is controlled according to business needs.
8.23 Web Filtering: Protect systems from malware and access to unauthorized web resources.
8.24 Use of Cryptography: Ensure the proper and effective use of cryptography to protect confidentiality, integrity and authenticity, in line with business, legal and regulatory requirements.
8.25 Secure Development Life Cycle: Ensure a secure development life cycle for software and systems.
Technological Controls (8.26-8.30)
8.26 Application Security Requirements: Address all security requirements when developing or acquiring applications.
8.27 Secure System Architecture and Engineering Principles: Ensure information systems are securely designed, implemented and operated throughout the development life cycle.
8.28 Secure Coding: Ensure software is written securely to reduce vulnerabilities.
8.29 Security Testing in Development and Acceptance: Validate that security requirements are met when applications or code are deployed to production.
8.30 Outsourced Development: Ensure information security measures are applied in outsourced development.
Technological Controls (8.31-8.34)
8.31 Separation of Development, Test and Production Environments: Protect production systems and data from compromise via development and test activities.
8.32 Change Management: Preserve information security when executing changes.
8.33 Test Information: Ensure testing is relevant and protect operational information used for testing.
8.34 Protection of Information Systems During Audit Testing: Minimize the impact of audit and other assurance activities on operational systems and business processes.
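Two of the technological controls above meet in practice when production data is copied into a test environment: 8.11 (data masking) and 8.33 (test information). The following is an added example, not part of the slide deck or of the standard, of how an export can be masked before it crosses from production into test. The sample records and the pseudonymisation key are constructed for the example; in a real deployment the key would live in a secret store and never be present in the test environment, so the tokens cannot be reversed there. Identifiers are pseudonymised with an HMAC rather than a bare hash so that joins across tables still work but a small ID space cannot be brute-forced back to the original. The function names (mask_record, mask_export, contains_raw_pii) are the example's own.

```python
"""Mask and pseudonymise PII before a production export reaches test
(illustrates Annex A 8.11 and 8.33). Added example; not the deck's own code."""
import hashlib
import hmac
import re

# Constructed sample export standing in for a production table.
# These are not records from any real system.
SAMPLE_RECORDS = [
    {"id": 1041, "email": "alice.smith@example.com",
     "card": "4111 1111 1111 1111", "phone": "+44 7700 900123"},
    {"id": 1042, "email": "bo@example.org",
     "card": "5500000000000004", "phone": "+1 202 555 0199"},
]

# Constructed key for the example only. In practice: held in a secret store,
# available to the masking job, never shipped to the test environment.
PSEUDONYM_KEY = b"example-only-key-do-not-reuse"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits, optional separators


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain; hide the rest."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        return "***"  # malformed input: mask everything rather than leak it
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a payment card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 8:
        return "*" * len(digits)  # too short to be a PAN; hide it entirely
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_phone(phone: str) -> str:
    """Keep only the last three digits of a phone number."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 6:
        return "*" * len(digits)
    return "*" * (len(digits) - 3) + digits[-3:]


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed token: the same input always yields the same token,
    so joins across tables still work, but without the key an attacker cannot
    recompute tokens from guessed inputs (a plain SHA-256 of a small ID space could be)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def contains_raw_pii(text: str) -> bool:
    """Post-condition check: does the text still contain an email address or PAN?"""
    return bool(EMAIL_RE.search(text) or PAN_RE.search(text))


def mask_record(record: dict, key: bytes) -> dict:
    masked = {
        "id": pseudonymise(str(record["id"]), key),
        "email": mask_email(record["email"]),
        "card": mask_pan(record["card"]),
        "phone": mask_phone(record["phone"]),
    }
    # Fail closed: never hand test a record that still carries raw PII.
    for field in ("email", "card", "phone"):
        if contains_raw_pii(masked[field]):
            raise ValueError(f"masking left raw PII in field {field!r}")
    return masked


def mask_export(records: list, key: bytes = PSEUDONYM_KEY) -> list:
    """Mask every record of an export; raises if any record fails the PII check."""
    return [mask_record(r, key) for r in records]


if __name__ == "__main__":
    for row in mask_export(SAMPLE_RECORDS):
        print(row)
```

The post-condition check is the part worth keeping even if the masking rules change: it turns "we masked the export" into a verifiable claim an auditor can test against the data that actually landed in the test environment, and it makes a broken masking rule fail the job instead of silently shipping PII.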