ISO/IEC 27001:2022
INTRODUCTION
ISO 27001 is the central standard for information security management systems (ISMS).
An ISMS is the framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management processes.
ISO 27001 takes an adequate and appropriate risk-based approach in setting its ISMS implementation requirements, enabling organizations of any size to manage their security assets.
REQUIREMENTS
4. Context of the organization
4.1 Understanding the organization and its context: The organization shall determine external and internal
issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its
information security management system.
4.2 Understanding the needs and expectations of interested parties.
4.3 Determining the scope of the information security management system (Internal and External)
4.4 Information security management system: The organization shall establish, implement, maintain and
continually improve an information security management system, including the processes needed and
their interactions, in accordance with the requirements of this document.
5. LEADERSHIP
5.1 Leadership and commitment:
a) ensuring the information security policy and the information security objectives are established
and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the
organization's processes;
c) ensuring that the resources needed for the information security management system are
available;
d) communicating the importance of effective information security management and of conforming
to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security
management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
5.2 Policy: Top management shall establish an information security policy that is appropriate to the purpose of the organization.
5.3 Organizational roles, responsibilities and authorities: Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization. Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this
document;
b) reporting on the performance of the information security management system to top management.
6. PLANNING
6.1 Actions to address risks and opportunities: The organization shall plan actions to address risks and opportunities, determine how to integrate and implement those actions into its information security management system processes, and evaluate their effectiveness.
• 6.1.2 Information security risk assessment: Basic risk assessment involves only three factors: the importance of the assets at risk, how critical the threat is, and how vulnerable the system is to that threat. Using those factors, you can assess the risk, i.e. the likelihood of financial loss to your organization. The organization shall define and apply an information security risk assessment process.
• 6.1.3 Information security risk treatment:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
c) compare the controls determined, and verify that no necessary controls have been omitted;
d) produce a Statement of Applicability that contains:
- the necessary controls;
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
e) formulate an information security risk treatment plan; and
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
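A worked model of the 6.1.2 scoring and the 6.1.3 treatment and Statement of Applicability steps, added here as an illustration and not part of the standard or of this deck. It assumes a 1-5 scale for each of the three factors, a constructed control catalogue with placeholder ids, assumed treatment option names (modify, retain, avoid, share) and an assumed risk acceptance threshold.

```python
# Worked model of clauses 6.1.2 and 6.1.3: score each risk from the three factors,
# map treated risks to controls, then build and check a Statement of Applicability.
# Constructed example; control ids are placeholders, not the real Annex A list.
from dataclasses import dataclass

# Constructed mini-catalogue, ids prefixed with the Annex A theme chapter (5-8).
CATALOGUE = ("5.x-policies", "7.x-entry", "7.x-datacentre", "8.x-patching", "8.x-crypto")
THRESHOLD = 27  # assumed risk acceptance criterion: above this, "retain" is not allowed

@dataclass
class Risk:
    name: str
    asset_value: int    # importance of the asset at risk, 1-5
    threat: int         # how critical the threat is, 1-5
    vulnerability: int  # how vulnerable the asset is to that threat, 1-5
    treatment: str      # assumed option names: modify | retain | avoid | share
    controls: tuple = ()          # controls determined for the chosen option
    owner_accepted: bool = False  # 6.1.3 f): owner accepted the residual risk

    def score(self) -> int:
        # 6.1.2: combine the three factors; the product gives a 1-125 scale.
        return self.asset_value * self.threat * self.vulnerability

def build_soa(risks, implemented, exclusions):
    """6.1.3 d): one row per catalogue control with the four required fields."""
    soa = {}
    for cid in CATALOGUE:
        users = [r.name for r in risks if cid in r.controls]
        if users:
            soa[cid] = {"necessary": True, "implemented": cid in implemented,
                        "justification": "treats: " + ", ".join(users)}
        elif cid in exclusions:
            soa[cid] = {"necessary": False, "implemented": False,
                        "justification": "excluded: " + exclusions[cid]}
        else:
            raise ValueError(f"{cid} is neither necessary nor justified as excluded")
    return soa

def check_plan(risks, soa):
    """6.1.3 c) and f): flag omitted controls, bad retention, missing sign-off."""
    findings = []
    for r in risks:
        if r.treatment == "retain" and r.score() > THRESHOLD:
            findings.append(f"{r.name}: score {r.score()} above threshold but retained")
        for cid in r.controls:
            if not soa.get(cid, {}).get("necessary"):
                findings.append(f"{r.name}: control {cid} missing from SoA")
        if not r.owner_accepted:
            findings.append(f"{r.name}: residual risk not accepted by risk owner")
    return findings

# Constructed sample risk register (not real data).
RISKS = [
    Risk("laptop theft", 4, 3, 4, "modify", ("7.x-entry", "8.x-crypto"), True),
    Risk("unpatched web server", 5, 4, 3, "modify", ("8.x-patching", "5.x-policies"), True),
    Risk("lost backup tapes", 5, 3, 3, "retain", (), False),
]
IMPLEMENTED = {"7.x-entry", "8.x-patching", "5.x-policies"}
EXCLUSIONS = {"7.x-datacentre": "no on-premises server rooms; hosting is outsourced"}
```

Running `check_plan(RISKS, build_soa(RISKS, IMPLEMENTED, EXCLUSIONS))` reports the retained-but-unacceptable risk and the missing owner sign-off, while an empty exclusion list makes `build_soa` refuse to emit a Statement of Applicability with an unjustified gap.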
6.2 Information security objectives and planning to achieve them
6.3 Planning of changes: When the organization determines the need for changes to the
information security management system, the changes shall be carried out in a planned manner.
7. SUPPORT
7.1 Resources - The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the information
security management system.
7.2 Competence - The organization shall determine the competence of the people who work on the ISMS and whose work could affect its performance. Employees should be competent on the basis of relevant education, training or experience, and the organization should take action where needed.
7.3 Awareness - This requirement seeks confirmation that the persons doing the work are aware of the information security policy, of their contribution to the effectiveness of the ISMS (including the benefits of its improved performance), and of what happens when the information security management system does not conform to its requirements.
7.4 Communication - The organization shall determine the need for internal and external communications relevant to the information security management system, including what to communicate, when to communicate, with whom to communicate, and how to communicate.
7.5 Documented information - The organization's information security management system shall include the documented information required by this document. The extent of documented information for an information security management system can differ from one organization to another due to:
• 1) the size of the organization and its type of activities, processes, products and services;
• 2) the complexity of processes and their interactions; and
• 3) the competence of persons.
8. OPERATION
8.1 Operational planning and control - The organization shall plan, implement and control the processes needed to
meet requirements, and to implement the actions determined. Documented information shall be available to the extent
necessary. The organization shall control planned changes and review the consequences of unintended changes, and
shall ensure that externally provided processes, products or services are controlled.
8.2 Information security risk assessment - The organization shall perform information security risk
assessments at planned intervals or when significant changes are proposed or occur, taking account of the
criteria established.
8.3 Information security risk treatment - The organization shall implement the information security risk
treatment plan.
9. PERFORMANCE EVALUATION
9.1 Monitoring, measurement, analysis and evaluation - The organization shall evaluate the
information security performance and the effectiveness of the information security
management system.
9.2 Internal audit - The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
• a) conforms to: 1) the organization's own requirements for its information security management system; 2) the requirements of this document;
• b) is effectively implemented and maintained.
9.3 Management review - Top management shall review the organization's information security
management system at planned intervals to ensure its continuing suitability, adequacy and
effectiveness.
10. IMPROVEMENT
10.1 Continual improvement - The organization shall continually improve the suitability,
adequacy and effectiveness of the information security management system.
10.2 Nonconformity and corrective action - When a nonconformity occurs, the organization shall:
• a) react to the nonconformity;
• b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere;
• c) implement any action needed;
• d) review the effectiveness of any corrective action taken; and
• e) make changes to the information security management system, if necessary.
Documented information shall be available as evidence of:
• f) the nature of the nonconformities and any subsequent actions taken;
• g) the results of any corrective action.
Annex A
Information security controls reference
Annex A in ISO 27001 is the part of the standard that lists a set of classified security controls that organizations use to demonstrate compliance with ISO 27001. ISO 27001:2022 lists 93 controls rather than ISO 27001:2013's 114. These controls are grouped into 4 'themes'. They are:
• Organizational controls (chapter 5)
• People controls (chapter 6)
• Physical controls (chapter 7)
• Technological controls (chapter 8)
Annex A controls have been both reduced and restructured to reflect the updated ISO/IEC 27001:2022.
ORGANIZATIONAL CONTROLS
• There are 37 controls in total under organizational controls; some of them are shown in the figure.
PEOPLE CONTROLS
• These cover the controls required for secure human resources management. There are 8 controls in total; some of them are shown in the figure.
PHYSICAL CONTROLS
• There are 14 controls under this category; some of them are shown in the figure.
TECHNOLOGICAL CONTROLS
• There are 34 controls under this category; some of them are shown in the figure.
COMPARISON BETWEEN 2013 & 2022
The controls now also have five types of 'attribute' to make them easier to categorise:
• Control type (preventive, detective, corrective)
• Information security properties (confidentiality, integrity, availability)
• Cyber security concepts (identify, protect, detect, respond, recover)
• Operational capabilities (governance, asset management, etc.)
• Security domains (governance and ecosystem, protection, defense, resilience)