ISMS of ISO 27001-2022 awareness training
1. IS, Cybersecurity & Privacy Protection - ISMS According to ISO 27001-2022 Requirements
PDF created with pdfFactory Pro trial version www.pdffactory.com
2. Course Objectives
At the end of this course you will understand:
• The meaning of ISMS
• The requirements of ISO 27001/2022
• The ISMS documents
3. Introduction
§ Quality dimensions (Product / Service – Organization – Business)
§ Processes / Management System
§ Flow of information / material
Diagram: Suppliers (upstream), Organization, Customers (downstream), Other Interested Parties.
4. Organizations of all types and sizes:
§ Collect, process, store, and transmit information.
§ Information can be in many forms and may be transmitted / processed by
different means
§ Organizations recognize that information, and related equipment, systems,
networks and people are important assets.
§ Assets face a range of Threats.
§ The term information security is generally based on information being considered as an asset that has a value requiring appropriate protection by implementing information security controls.
5. Information Security
§ Information security is the preservation of confidentiality, integrity and availability (CIA) of information:
Confidentiality of information: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Integrity of information: property of accuracy and completeness
Availability of information: property of being accessible and usable upon demand by an authorized entity
6. § Information security is achieved through the implementation of an applicable set of controls, including:
1. Policies
2. Processes
3. Procedures
4. Organizational structures
5. Software and Hardware
§ These controls need to be specified, implemented, monitored, reviewed and improved.
7. Common Practice for IS Controls
• Information security policy document
• Allocation of information security responsibilities
• Information security awareness, education, and training
• Correct processing in applications
• Technical vulnerability management
• Business continuity management
• Management of information security incidents and improvements
8. How to Identify the Security Requirements?
1) The risk assessment results (RMP)
2) The legal and contractual requirements
3) The objectives and business requirements for information processing that an
organization has developed to support its operations.
9. What is an ISMS?
An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, resources, organizational structures, software, hardware and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
10. IT Assets
§ An asset is anything that has value to the organization.
§ The information system related assets to be protected are:
1. Data & information
2. Software applications
3. Hardware (equipment, cables, etc.)
4. Services (internet, power, maintenance, etc.)
5. HR
6. Physical location (building, site, etc.)
11. Examples of Typical Threats
§ Threats may be D (Deliberate), A (Accidental) or E (Environmental / Natural) in origin.
Threat                                              Origin
Fire                                                A, D, E
Flood                                               E
Failure of air-conditioning or water supply system  A, D
Loss of power supply                                A, D, E
Theft of media or documents                         D
Theft of equipment                                  D
Equipment failure                                   A
Unauthorized use of equipment                       D
12. Examples of Vulnerabilities
Type          Example of vulnerability                        Example of threat it exposes
Hardware      Lack of efficient configuration change control  Error in use
Hardware      Lack of care at disposal                        Theft of media or documents
Hardware      Uncontrolled copying                            Theft of media or documents
Software      Poor password management                        Forging of rights
Software      Lack of effective change control                Software malfunction
Network       Poor joint cabling                              Failure of telecommunication equipment
Personnel     Lack of security training / awareness           Error in use
Organization  Lack of physical protection                     Theft of equipment
13. Management
Management is a set of activities, including planning, organizing, steering and controlling an organization’s resources, with the aim of achieving organizational goals in an efficient and effective manner.
14. System
1) Structure
2) Procedures/ Processes
3) Resources
17. 1-2 Job Description
Responsibility
• Responsibility for a certain job or process
Authority
• Privilege to do a certain job
18. 2- Procedures / Processes
Procedure:
Set of activities connected together to describe the interaction between a set of processes.
Process:
Detailed steps that describe the method of doing a certain task to convert certain inputs (I/Ps) into certain outputs (O/Ps).
19. Diagram (process chain): I/Ps → Process (value added) → Process (value added) → Internal Customer, with feedback returned to the preceding process.
21. Definition of Standards
Standards are documented agreements containing:
• Technical Specifications
• Management System Requirements
• Guidelines
• Definitions
• Others
22. International Organization for Standardization (ISO)
§ "ISO", derived from the Greek ISOS, meaning "EQUAL".
§ Is the world's largest developer and publisher of International Standards.
§ It is a non-governmental organization.
§ Officially began operations on 23 February 1947, founded by 25 countries.
§ It is a network of the national standards institutes of 167 countries, one member per
country.
23. Managerial Standards
• ISO 9001/2015 Quality management system requirements
• ISO 14001/2015 Environmental management system requirements
• ISO 27001/2022 ISMS requirements
24. Evolution of ISO 27001:2022 Standard
§ It outlines an auditable framework for a robust Information Security Management
System (ISMS)
25. ISMS Family of Standards
§ The ISMS family of standards is intended to assist organizations of all types
and sizes to implement and operate an ISMS
§ The general title “Information technology — Security techniques” indicates that
these standards were prepared by Joint Technical Committee ISO / JTC 1,
Information technology, Subcommittee SC 27, IS Cybersecurity& Privacy
Protection.
27. Reasons for Implementing ISMS
• Agree with the relevant requirements of a contract
• Consistency with client demand
• Image improvement
• Business problem prevention
• Protect information assets and give confidence to interested parties
28. Roadmap Towards ISO 27001 Implementation
1) Understanding the context & defining the scope
2) Gap assessment
3) Creating the security team
4) Identifying information assets
5) Asset evaluation
6) Risk assessment
7) Risk treatment:
• Identification & selection of security controls
• Applying security controls
8) Creation of policies, procedures and standards
9) Implementation
10) Monitor, check and improve
29. IS, Cybersecurity & Privacy Protection - ISMS According to ISO 27001-2022 Requirements
30. ISO ???? Clauses
1) Scope
2) Normative reference
3) Terms & definitions
4) Context of the organization (Plan)
5) Leadership (Plan)
6) Planning (Plan)
7) Support (Plan)
8) Operation (Do)
9) Performance evaluation (Check)
10) Improvement (Act)
31. The Structure of ISO 27001:2022
ISO/TC 176/SC 2/N1267
4 Context of the organization
  4.1 Understanding the organization and its context
  4.2 Interested parties
  4.3 Scope
  4.4 ISMS
5 Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organizational roles, responsibilities and authorities
6 Planning
  6.1 Actions to address risks and opportunities
  6.2 IS objectives and planning to achieve them
  6.3 Planning of change
7 Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8 Operation
  8.1 Operational planning and control
  8.2 IS risk assessment
  8.3 IS risk treatment
9 Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10 Improvement
  10.1 Continual improvement
  10.2 Nonconformity and corrective action
32. Annex A: Information Security Controls Reference
§ The information security controls listed in Table A.1 are directly derived from and aligned with those listed in ISO/IEC 27002:2022, Clauses 5 to 8, and are to be used in the context of Clause 6.1.3.
§ Section 5 – includes 37 (Organizational Controls)
§ Section 6 – includes 8 (People Controls)
§ Section 7 – includes 14 (Physical Controls)
§ Section 8 – includes 34 (Technological Controls)
34. 1- Scope
§ This International Standard specifies requirements for an ISMS.
§ All the requirements of this International Standard are generic and are intended to
be applicable to any organization, regardless of its type or size, or the products and
services it provides.
§ Exclusion of any of the requirements is not acceptable.
35. 2 - Normative references
§ For dated references, only the edition cited applies.
§ For undated references, the latest edition of the referenced document (including any
amendments) applies.
§ ISO/IEC 27000, Information Technology — Security Techniques — Information
Security Management Systems — Overview and Vocabulary
36. 3. Terms and Definitions
For the purposes of this document, the terms and definitions given in ISO 27000 apply.
37. Risk
Effect of uncertainty on objectives
Threat
Potential cause of an unwanted incident, which may result in harm to a system or
organization
Risk assessment
Overall process of risk identification, risk analysis and risk evaluation
Risk acceptance
Informed decision to take a particular risk
Risk criteria
Terms of reference against which the significance of risk is evaluated
38. Risk treatment
Process to modify risk
Risk treatment can involve:
• Avoiding the risk by deciding not to start or continue with the activity that gives
rise to the risk;
• Taking or increasing risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party (e.g. insurers, suppliers).
Risk owner
Person or entity with the accountability and authority to manage a risk
39. Vulnerability
Weakness of an asset or control that can be exploited by one or more threats
Residual risk
Risk remaining after risk treatment
Control
Measure that modifies risk. Controls may include any process, policy, device, practice, or other action which modifies or maintains the risk.
Control objective
Statement describing what is to be achieved as a result of implementing controls
40. Information Security Incident
A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Risk Management
Coordinated activities to direct and control an organization with regard to risk.
41. Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Availability
Property of being accessible and usable upon demand by an authorized entity
Integrity
Property of accuracy and completeness
43. Clause 4 Context of the organization
Clause 4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its ISMS.
44. Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) the interested parties that are relevant to the ISMS;
b) the requirements of these interested parties that are relevant to the ISMS.
The organization shall monitor and review information about these interested parties and their relevant requirements, which may include legal and other requirements and contractual obligations.
45. Clause 4.3 Determining the scope of the ISMS
The organization shall determine the boundaries and applicability of the ISMS to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the outsourced activities.
The scope of the organization’s ISMS shall be available and be
maintained as documented information.
46. Clause 4.4 ISMS
The organization shall establish, implement, maintain and continually improve an ISMS, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
49. Clause 5.2 Policy
The IS Policy shall
• Be maintained as documented information;
• Be communicated, understood and applied within the
organization;
• Be available to relevant interested parties, as appropriate.
50. Clause 5.3 Organizational roles, responsibilities & authorities
Top management shall ensure that the responsibilities and
authorities for relevant roles are assigned, communicated and
understood within the organization.
Top management shall assign the responsibility and authority for:
• Ensuring that the ISMS conforms to the requirements of this
International Standard;
• Reporting on the performance of the ISMS and on
opportunities for improvement
52. Clause 6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the ISMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2, and determine the risks and opportunities that need to be addressed.
The organization shall plan:
a) ACTIONS to address these RISKS and OPPORTUNITIES;
b) how to INTEGRATE and IMPLEMENT the actions into its ISMS, and EVALUATE the EFFECTIVENESS of these actions.
53. 6.1.2 Information Security Risk Assessment
The organization shall define and apply an information security risk assessment process that includes:
• Risk acceptance criteria
• Identification of risks to confidentiality, integrity and availability (CIA)
• Identification of the risk owner
See ISO 31000
54. 6.1.3 Information Security Risk Treatment
• The organization shall define and apply an information security risk treatment process
• Controls from Annex A, and additional controls, can be included
• Produce a Statement of Applicability
• Produce a risk treatment plan
See ISO 31000
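The 6.1.2 and 6.1.3 steps above carried through in code, as an added example (my own, not the deck's or the standard's): a small Python risk register that scores each risk against the CIA property it threatens, applies a risk acceptance criterion, records the risk owner and treatment option, and derives a Statement of Applicability and a risk treatment plan from a small Annex A subset. The scales, the threshold, the sample assets and risks, and the choice of controls are assumptions.

```python
"""Added example (not from the deck): a minimal IS risk register covering 6.1.2
(acceptance criteria, CIA-based risk identification, risk owner) and 6.1.3
(treatment options, Statement of Applicability, risk treatment plan).
Scales, threshold, sample risks and the Annex A subset are constructed."""
from dataclasses import dataclass, field

# Constructed 5x5 qualitative scales; the acceptance criterion is a threshold
# on likelihood x impact. These values are assumptions, not from the standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8                                    # above this: treat
TREATMENT_OPTIONS = {"avoid", "modify", "share", "retain"}  # options named on the deck

# Small subset of the Annex A control reference (ISO/IEC 27002:2022 numbering).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.7.10": "Storage media",
    "A.8.5": "Secure authentication",
}

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    cia: str                        # property at risk: "C", "I" or "A"
    likelihood: str
    impact: str
    owner: str                      # risk owner: accountable for managing the risk
    treatment: str = "retain"
    controls: list = field(default_factory=list)
    residual_likelihood: str = ""   # empty: unchanged by the treatment
    residual_impact: str = ""

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        if self.treatment == "avoid":   # the activity giving rise to the risk is stopped
            return 0
        return (LIKELIHOOD[self.residual_likelihood or self.likelihood]
                * IMPACT[self.residual_impact or self.impact])

def is_acceptable(score: int, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Risk acceptance criterion (6.1.2): accept only at or below the threshold."""
    return score <= threshold

def treat(risk: Risk, option: str, controls=(), residual_likelihood="", residual_impact="") -> Risk:
    """Record a treatment decision (6.1.3); unknown options or control ids are rejected."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    unknown = [c for c in controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"control id(s) not in the control reference: {unknown}")
    risk.treatment, risk.controls = option, list(controls)
    risk.residual_likelihood, risk.residual_impact = residual_likelihood, residual_impact
    return risk

def statement_of_applicability(risks) -> dict:
    """Each Annex A control with its applicability and the risks that justify it;
    a control selected by no risk is flagged so that its exclusion gets justified."""
    soa = {}
    for cid, title in ANNEX_A.items():
        selected_by = [r.risk_id for r in risks if cid in r.controls]
        soa[cid] = {"title": title, "applicable": bool(selected_by),
                    "justification": selected_by or ["not selected by any risk: justify exclusion"]}
    return soa

def risk_treatment_plan(risks) -> list:
    """One entry per risk above the acceptance criterion, flagging residual risk
    that still exceeds it (the owner must then accept it or treat it further)."""
    plan = []
    for r in risks:
        if is_acceptable(r.inherent_score()):
            continue
        plan.append({"risk": r.risk_id, "owner": r.owner, "cia": r.cia,
                     "option": r.treatment, "controls": r.controls,
                     "inherent": r.inherent_score(), "residual": r.residual_score(),
                     "residual_acceptable": is_acceptable(r.residual_score())})
    return plan

def build_register() -> list:
    """Constructed sample risks using threat/vulnerability pairs from the deck's tables."""
    r1 = Risk("R-01", "backup media", "theft of media or documents",
              "lack of care at disposal", "C", "possible", "major", "IT operations manager")
    r2 = Risk("R-02", "ERP application", "forging of rights",
              "poor password management", "I", "likely", "severe", "application owner")
    r3 = Risk("R-03", "office printer", "equipment failure",
              "no maintenance contract", "A", "unlikely", "minor", "facilities manager")
    treat(r1, "modify", ["A.7.10"], residual_likelihood="rare")              # 12 -> 4
    treat(r2, "modify", ["A.5.15", "A.8.5"], residual_likelihood="unlikely")  # 20 -> 10
    return [r1, r2, r3]
```

R-02 is the case to watch: after treatment its residual score (10) still exceeds the threshold, so the plan flags it for the risk owner rather than silently closing it.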
55. Clause 6.2 IS objectives and planning to achieve them
The organization shall establish IS objectives at relevant functions, levels and processes needed for the ISMS.
When planning how to achieve its IS objectives, the organization shall determine:
a) WHAT will be done;
b) WHAT resources will be required;
c) WHO will be responsible;
d) WHEN it will be completed;
e) HOW the results will be evaluated.
56. Clause 6.3 Planning of Change
The organization shall plan changes to the ISMS.
61. 7.5 Documented information
7.5.1 General
The organization’s ISMS shall include:
a) documented information required by this International Standard;
b) documented information determined by the organization as being necessary for the effectiveness of the ISMS.
The extent of documented information for an ISMS can differ from one organization to another.
62. 7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic);
c) review and approval for suitability and adequacy.
63. 7.5.3 Control of documented information
Documented information shall be controlled to ensure:
a) it is available and suitable for use;
b) it is adequately protected;
and shall address, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including preservation of legibility;
e) control of changes (e.g. version control);
f) retention and disposition.
• Documented information of external origin
• Documented information retained as evidence of conformity shall be protected from unintended alterations.
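One way to implement the 7.5.2 and 7.5.3 requirements for controlled change and protection of evidence, as an added Python example (my own, not the deck's or the standard's): each document carries its identification, version and approver; a change must advance the version and be approved; records kept as evidence of conformity cannot be rewritten; and a SHA-256 fingerprint lets a periodic check detect unintended alteration or loss. Document ids, titles and contents are constructed.

```python
"""Added example (not from the deck): a small register applying 7.5.2 / 7.5.3 to
documented information: identification (id, title, version, approver), control of
changes (version must advance, approval required), and protection of records
retained as evidence, checked with a SHA-256 fingerprint. All ids and contents
below are constructed."""
import hashlib

def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def register(manifest: dict, doc_id: str, title: str, version: int,
             approved_by: str, content: bytes, evidence: bool = False) -> dict:
    """Create a controlled document: identification and description (7.5.2 a),
    review and approval (7.5.2 c), fingerprint for protection (7.5.3 b)."""
    if doc_id in manifest:
        raise ValueError(f"{doc_id} already registered; use update()")
    if not approved_by:
        raise ValueError("documented information needs review and approval")
    manifest[doc_id] = {"title": title, "version": version, "approved_by": approved_by,
                        "sha256": fingerprint(content), "evidence": evidence, "history": []}
    return manifest[doc_id]

def update(manifest: dict, doc_id: str, new_version: int,
           approved_by: str, content: bytes) -> dict:
    """Control of changes (7.5.3 e): the version must advance, the change must be
    approved, and records retained as evidence of conformity are never rewritten."""
    entry = manifest[doc_id]
    if entry["evidence"]:
        raise PermissionError(f"{doc_id} is retained as evidence and must not be altered")
    if new_version <= entry["version"]:
        raise ValueError(f"version must advance beyond {entry['version']}")
    if not approved_by:
        raise ValueError("changes need review and approval")
    entry["history"].append({"version": entry["version"], "sha256": entry["sha256"],
                             "approved_by": entry["approved_by"]})
    entry.update(version=new_version, approved_by=approved_by, sha256=fingerprint(content))
    return entry

def verify(manifest: dict, store: dict) -> list:
    """Compare stored content with the manifest: reports altered content (an
    unintended change) and missing documents (availability / retention)."""
    findings = []
    for doc_id, entry in manifest.items():
        content = store.get(doc_id)
        if content is None:
            findings.append({"doc": doc_id, "finding": "missing"})
        elif fingerprint(content) != entry["sha256"]:
            findings.append({"doc": doc_id, "finding": "altered", "evidence": entry["evidence"]})
    return findings

def demo() -> list:
    """Constructed walk-through: a policy gets a controlled update, then an audit
    record is changed in the store behind the register's back."""
    manifest, store = {}, {}
    store["POL-01"] = b"Information security policy v1\n"
    register(manifest, "POL-01", "Information security policy", 1, "CISO", store["POL-01"])
    store["AUD-2024-01"] = b"Internal audit report, scope: clause 8\n"
    register(manifest, "AUD-2024-01", "Internal audit report", 1, "Lead auditor",
             store["AUD-2024-01"], evidence=True)
    # Controlled change: new version, approved, fingerprint refreshed, old version kept.
    store["POL-01"] = b"Information security policy v2\n"
    update(manifest, "POL-01", 2, "CISO", store["POL-01"])
    # Unintended alteration of evidence: the store changes but the manifest does not.
    store["AUD-2024-01"] = b"Internal audit report, scope: clause 8 (no findings)\n"
    return verify(manifest, store)
```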
65. Clause 8 Operation
8.1 Operational planning and control
• The organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1.
• The organization shall also implement plans to achieve information security
objectives determined in 6.2.
• The organization shall keep documented information to the extent necessary to have
confidence that the processes have been carried out as planned.
• The organization shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary.
• The organization shall ensure that outsourced processes are determined and
controlled.
66. 8.2 Information Security Risk Assessment
• The organization shall perform information security risk assessments at planned intervals, or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2.
• Retain documented information.
8.3 Information Security Risk Treatment
• The organization shall implement the information security risk treatment plan.
• Retain documented information.
68. Clause 9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
§ The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and
evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall
be analyzed and evaluated.
§ The organization shall evaluate the performance.
§ Retain appropriate documented information as evidence of the results.
69. 9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the ISMS:
1) conforms to the organization’s own requirements for its ISMS;
2) conforms to the requirements of this International Standard;
3) is effectively implemented and maintained.
70. The organization shall:
a) plan, establish, implement and maintain an audit
program(s) including the frequency, methods,
responsibilities, planning requirements and reporting, which
shall take into consideration the importance of the
processes concerned, changes affecting the organization,
and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity
and the impartiality of the audit process;
d) ensure that the results of the audits are reported to
relevant management;
e) take appropriate correction and corrective actions without
undue delay;
f) retain documented information as evidence of the
implementation of the audit program and the audit results.
71. 9.3 Management review
Top management shall review the organization’s ISMS at planned
intervals, to ensure its continuing suitability, adequacy,
effectiveness and alignment with the strategic direction of the
organization.
72. Management review inputs
The management review shall be planned and carried out taking into consideration:
§ The status of actions from previous management reviews;
§ Changes in external and internal issues that are relevant to the ISMS;
§ Feedback from relevant interested parties;
§ The extent to which IS objectives have been met;
§ Nonconformities and corrective actions;
§ Monitoring and measurement results;
§ Audit results;
§ The adequacy of resources;
§ The effectiveness of actions taken to address risks and opportunities;
§ Opportunities for improvement.
73. Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the ISMS;
c) resource needs.
The organization shall retain documented information as evidence of the results of
management reviews.
74. ISO 27001:2022 clause structure
4 Context of the organization: 4.1 Understanding the context; 4.2 Interested parties; 4.3 Scope; 4.4 ISMS
5 Leadership: 5.1 Leadership and commitment; 5.2 Policy; 5.3 Organizational roles, responsibilities and authorities
6 Planning: 6.1 Actions to address risks and opportunities; 6.2 IS objectives and planning to achieve them; 6.3 Planning of changes
7 Support: 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented information
8 Operation: 8.1 Operational planning and control; 8.2 IS risk assessment; 8.3 IS risk treatment
9 Performance evaluation: 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review
10 Improvement: 10.1 Continual improvement; 10.2 Nonconformity and corrective action
75. 10.1 Continual improvement
The organization shall continually improve the suitability, adequacy
and effectiveness of the ISMS.
The organization shall consider the results of analysis and
evaluation, and the outputs from management review, to
determine if there are needs or opportunities that shall be
addressed as part of continual improvement.
76. Clause 10 Improvement
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analyzing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the ISMS, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
77. Management System Documentation (documentation hierarchy, top to bottom)
1. IS Policy Statement / IS Objectives Statement
2. Manual
3. Management procedures / plans
4. Work instructions
5. Forms / records
78. Statement of Applicability
A Statement of Applicability (SoA) shall be prepared that contains:
1) the necessary controls determined by the risk treatment process and the justification for their inclusion;
2) whether each necessary control is implemented or not; and
3) the justification for excluding any of the Annex A controls.
NOTES:
• The Statement of Applicability provides a summary of decisions concerning risk treatment.
• Justifying exclusions provides a cross-check that no controls have been inadvertently
omitted.
79. Risk Treatment Plan
The organization shall do the following:
a) Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks.
b) Obtain the risk owners' approval of the plan and their acceptance of the residual information security risks (ISO 27001:2022, 6.1.3 f)).
c) Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
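The Statement of Applicability on slide 78 and the risk treatment plan on slide 79 are two views of the same decisions, and the note that "justifying exclusions provides a cross-check that no controls have been inadvertently omitted" is something a script can enforce. The following is an added example, not code from the training deck or from ISO: it derives SoA entries from a plan, flags every catalogue control that is neither selected nor justified as excluded, flags a control that is excluded yet relied on by a risk, and lists the applicable controls that still need implementing. The Annex A identifiers are a constructed subset of ISO/IEC 27001:2022 Annex A (the full annex has 93 controls); the risks, owners, statuses, exclusion reasons and the `CUST-1` control are constructed sample data.

```python
"""SoA cross-check driven by a risk treatment plan (added example, not from the deck).
Control ids are a constructed subset of ISO/IEC 27001:2022 Annex A; all other data is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of Annex A; a real SoA must list every Annex A control.
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.5.2": "Information security roles and responsibilities",
    "A.6.3": "Information security awareness, education and training",
    "A.7.1": "Physical security perimeters",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
    "A.8.28": "Secure coding",
}

@dataclass(frozen=True)
class RiskTreatment:
    """One line of the risk treatment plan."""
    risk_id: str
    option: str        # "modify", "retain", "avoid" or "share"
    controls: tuple    # control ids selected to modify the risk
    owner: str         # risk owner who approves the plan and accepts residual risk
    priority: str      # "high", "medium" or "low"

@dataclass
class SoAEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str
    implemented: Optional[bool]   # None for excluded controls

def check_plan(plan):
    """Findings about the plan itself: 'modify' needs controls, every risk needs an owner."""
    findings = []
    for t in plan:
        if t.option == "modify" and not t.controls:
            findings.append(f"{t.risk_id}: option 'modify' but no controls selected")
        if not t.owner:
            findings.append(f"{t.risk_id}: no risk owner recorded")
    return findings

def build_soa(plan, implemented, exclusions, catalogue=ANNEX_A):
    """Derive SoA entries from the plan and cross-check them against the catalogue.
    implemented: set of control ids in place; exclusions: {control_id: justification}.
    Returns (entries, findings); any finding means the SoA is incomplete or inconsistent."""
    selected = {}  # control id -> set of risk ids that rely on it
    for t in plan:
        for c in t.controls:
            selected.setdefault(c, set()).add(t.risk_id)
    entries, findings = [], []
    for cid, title in catalogue.items():
        if cid in selected:
            risks = ", ".join(sorted(selected[cid]))
            if cid in exclusions:
                findings.append(f"{cid}: excluded but selected by {risks}")
            entries.append(SoAEntry(cid, title, True, f"treats {risks}", cid in implemented))
        elif cid in exclusions:
            entries.append(SoAEntry(cid, title, False, exclusions[cid], None))
        else:
            # The cross-check from the SoA note: a catalogue control with neither a
            # selection reason nor an exclusion justification was probably overlooked.
            findings.append(f"{cid}: neither selected nor justified as excluded")
    # Controls chosen from outside the catalogue (custom or another framework) still belong in the SoA.
    for cid in sorted(set(selected) - set(catalogue)):
        risks = ", ".join(sorted(selected[cid]))
        entries.append(SoAEntry(cid, "(control from outside Annex A)", True, f"treats {risks}", cid in implemented))
    return entries, findings

def implementation_gaps(entries):
    """Applicable controls not yet in place: the work the treatment plan must fund and assign."""
    return [e.control_id for e in entries if e.applicable and e.implemented is False]

# Constructed sample plan. R-06 collides with an exclusion and R-08 has no controls on purpose.
PLAN = (
    RiskTreatment("R-01", "modify", ("A.8.8", "A.8.28"), "Head of Engineering", "high"),
    RiskTreatment("R-02", "modify", ("A.8.13",), "IT Operations Manager", "high"),
    RiskTreatment("R-03", "modify", ("A.5.1", "A.5.2"), "CISO", "medium"),
    RiskTreatment("R-04", "modify", ("A.8.24",), "CISO", "medium"),
    RiskTreatment("R-05", "share", (), "CFO", "low"),            # transferred by insurance, no control
    RiskTreatment("R-06", "modify", ("A.7.1",), "Facilities", "low"),
    RiskTreatment("R-07", "modify", ("CUST-1",), "CISO", "low"),  # custom control, not in Annex A
    RiskTreatment("R-08", "modify", (), "CISO", "low"),
)
IMPLEMENTED = {"A.5.1", "A.5.2", "A.8.13", "A.8.24"}
EXCLUSIONS = {"A.7.1": "no premises of our own; fully cloud hosted"}

if __name__ == "__main__":
    print(check_plan(PLAN))
    soa_entries, soa_findings = build_soa(PLAN, IMPLEMENTED, EXCLUSIONS)
    for entry in soa_entries:
        print(entry)
    print(soa_findings)
    print(implementation_gaps(soa_entries))
```

Run against the sample data, the plan check reports R-08 (a "modify" decision with no control), the SoA check reports A.6.3 (overlooked) and A.7.1 (excluded but relied on by R-06), and the gap list gives the four applicable controls still to be implemented; an auditor would expect each of those to resolve to either a funded plan item or a written justification before the SoA is signed off.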
80. Annex A
Information Security Controls Reference
Note: the control objectives on the following slides follow the grouping used by earlier editions of the standard; ISO 27001:2022 Annex A arranges its 93 controls under four themes (organizational, people, physical and technological) and states no separate control objectives.
81. 1) Information Security Policy
Objective:
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
2) Organization of Information Security (Internal and External Parties)
Objectives:
1. To manage information security within the organization.
2. To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
3) Asset Management
Objective:
To achieve and maintain appropriate protection of organizational assets.
82. 4) Information Classification
Objective:
To ensure that information receives an appropriate level of protection.
5) Human Resources Security (Prior to Employment)
Objective:
To ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
6) Human Resources Security (During Employment)
Objective:
To ensure that all employees, contractors and third party users are aware of information security
threats and their responsibilities.
83. 7) Human Resources Security (Termination or Change of Employment)
Objective:
To ensure that employees, contractors and third party users exit an organization or change
employment in an orderly manner.
8) Physical and Environmental Security (Secure Areas)
Objective:
To prevent unauthorized physical access, damage and interference to the organization’s
premises and information.
9) Physical and Environmental Security (Equipment Security)
Objective:
To prevent loss, damage, or theft of assets and interruption to the organization’s activities.
84. 10) Third Party Service Delivery Management
Objective:
To implement and maintain the appropriate level of information security and service delivery in
line with third party service delivery agreements.
11) System Planning and Acceptance
Objective:
To minimize the risk of system failures.
12) Back-up
Objective:
To maintain the integrity and availability of information and information processing facilities.
85. 13) Network Security Management
Objective:
To ensure the protection of information in networks and the protection of the supporting
infrastructure.
14) Media Handling
Objective:
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption
to business activities.
15) Exchange of Information
Objective:
To maintain the security of information and software exchanged within an organization and with any
external entity.
86. 16) Electronic Commerce Services
Objective:
To ensure the security of electronic commerce services, and their secure use.
17) User Access Management
Objective:
To ensure authorized user access and to prevent unauthorized access to information.
18) Management of Information Security Incidents and Improvements
Objective:
To ensure a consistent and effective approach is applied to the management of information security incidents.
87. 19) Compliance With Legal Requirements
Objective:
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security
requirements.
20) Compliance with Security Policies and Standards, and Technical Compliance
Objective:
To ensure compliance of systems with organizational security policies and standards.
21) Information Systems Audit Considerations
Objective:
To maximize the effectiveness of the information systems audit process.