ISMS_of ISO 27001-2022-awareness training

IS, Cybersecurity & Privacy
Protection - ISMS According to ISO
27001-2022 Requirements
PDF created with pdfFactory Pro trial version www.pdffactory.com

2
Course Objectives
At the end of this course you will understand
• The meaning of ISMS
• The requirements of ISO 27001/2022
• The ISMS documents

§ Quality dimensions ( Product / Service – Organization – Business )
§ Processes / Management System
§ Flow of information / material
Introduction
Suppliers Organization Customers
Other Interested Parties
Upstream Downstream

4
Organizations of all types and sizes:
§ Collect, process, store, and transmit information.
§ Information can be in many forms and may be transmitted / processed by
different means
§ Organizations recognize that information, and related equipment, systems,
networks and people are important assets.
§ Assets face a range of Threats.
§ The term information security is generally based on information being
considered as an asset which has a value requiring appropriate protection by
implementing information security controls

5
Information Security !!!!!!
§ Information Security is the preservation of (CIA)
Confidentiality of information
Property that information is not made available or disclosed to unauthorized
individuals, entities, or process
Integrity of information
Property of accuracy and completeness
Availability of information
Property of being accessible and usable upon demand by an authorized entity

6
§ Information security is achieved through the implementation of an applicable set of
controls including:
1. Policies
2. Processes
3. Procedures
4. Organizational structures
5. Software and Hardware
§ These controls need to be specified, implemented, monitored, reviewed and
improved

Common Practice For IS Controls
• Information security policy document
• Allocation of information security responsibilities
• Information security awareness, education, and training
• Correct processing in applications
• Technical vulnerability management
• Business continuity management
• Management of information security incidents and improvements

How to Identify the Security Requirements?
1) The risk assessment results -(RMP)
2) The legal and contractual requirements
3) The objectives and business requirements for information processing that an
organization has developed to support its operations.

9
An Information Security Management System (ISMS) consists of the policies,
procedures, guidelines , resources , organizational structures, software
,hardware and activities, collectively managed by an organization, in the pursuit of
protecting its information assets.
What is an ISMS?

10
§ Asset is anything that has value to the organization
§ The Information system related assets to be protected are :
1. Data & information
2. Software application
3. Hardware (equipment – cable- etc.)
4. Services (internet – power-maintenance- etc.)
5. HR
6. Physical location (building – site –etc.)
IT Assets

Examples of Typical Threats
§ Threats may be D (Deliberate), A (Accidental), E (Environmental- Natural)
Origin
Threats
A, D, E
Fire
E
Flood
A,D
Failure of air-conditioning or water supply system
A, D, E
Loss of power supply
D
Theft of media or documents
D
Theft of equipment
A
Equipment failure
D
Unauthorized use of Equipment

Examples of Vulnerabilities
Examples of Threats
Examples of Vulnerabilities
Type
Error in use
Lack of efficient configuration change control
Hardware
Theft of media or document
Lack of care at disposal
Theft of media or document
Uncontrolled copying
Forging of rights
Poor password management
Software
Software malfunction
Lack of effective change control
Failure of telecommunication
equipment
Poor joint cabling
Network
Error in use
Lack of security training / awareness
Personnel
Theft of equipment
Lack of physical protection
Organization

Management
Is a set of activities including planning, organizing, steering, and controlling an
organization’s resources with the aim of achieving organizational goals in an
efficient and effective manner.
13

System
1) Structure
2) Procedures/ Processes
3) Resources
14
Structure
Procedures/Processes
Resources

1-Structure
15
Organization
Chart
Job
Description
Structure

1-1 Organization Chart
16
Chairman
Sector Head Sector Head Sector Head
Assistant

1-2 Job Description
17
Responsibility
• Responsibility about
certain job or process
Authority
• Privilege to do certain job

2- Procedures / Processes
Procedure:
Set of activities connected together to describe the interaction between a set of
processes.
Process:
Detailed steps that describe the method of doing a certain task to convert a certain
I/Ps to a certain O/Ps
18

19
Process Process
I/Ps
Value added Value added
Internal Customer
Feed Back

3- Resources
20
Resources
Human
Financial Physical
Information

Definition of Standards
Standards are documented agreements contains:
• Technical Specifications
• Management System Requirements
• Guidelines
• Definitions
• Others
21

22
International Organization for Standardization
(ISO)
§ "ISO", derived from the Greek ISOS, meaning "EQUAL".
§ Is the world's largest developer and publisher of International Standards.
§ It is a non-governmental organization.
§ Officially began operations on 23 February 1947 by 25 countries.
§ It is a network of the national standards institutes of 167 countries, one member per
country.

Managerial Standards
• ISO 9001/2015 Quality management system requirements
• ISO 14001/2015 Environmental management system requirements
• ISO 27001/2022 ISMS requirements
23

Evolution of ISO 27001:2022 Standard
§ It outlines an auditable framework for a robust Information Security Management
System (ISMS)

25
ISMS Family of Standards
§ The ISMS family of standards is intended to assist organizations of all types
and sizes to implement and operate an ISMS
§ The general title “Information technology — Security techniques” indicates that
these standards were prepared by Joint Technical Committee ISO / JTC 1,
Information technology, Subcommittee SC 27, IS Cybersecurity& Privacy
Protection.

• Agree with the relevant requirements of a contract
• Consistence with the client demand
• Image improvement
• Business problem prevention
• Protect information assets and give confidence to interested parties
Reasons for Implementing ISMS

Roadmap Towards ISO 27001 Implementation
Understanding the
Context & Define the
Scope
Gap
Assessment
Create the
Security Team
Identify
Information
Assets
Assets
Evaluation
Risk
Assessment
Risk Treatment:
• Identify & Selection of Security Controls
• Apply Security Controls
Creation of Policies,
Procedures and
Standards
Implementation
Monitor,
Check and Improve

IS, Cybersecurity & Privacy Protection - ISMS
According to ISO 27001-2022 Requirements

ISO ???? Clauses
30
1) Scope
2) Normative reference
3) Terms & definitions
4) Context of the organization (Plan)
5) Leadership (Plan)
6) Planning (Plan)
7) Support (Plan)
8) Operation (Do)
9) Performance evaluation (Check)
10) Improvement (Act)

ISO/TC
176/SC
2/
N1267
31
4 Context of organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance
Evaluation
10 Improvement
4.1 Understanding
context
4.2 Interested parties
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
measurement, analysis
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
roles, responsibilities
and authorities
The Structure of ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
10.2 Nonconformity and
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
32
(Annex A)
Information Security Controls Reference
§ The information security controls listed in Table A.1 are directly derived from and
aligned with those listed in ISO/IEC 27002:2022 - Clauses 5 to 8 and are to be
used in context with Clause 6.1.3.
§ Section 5 – includes 37 (Organizational Controls)
§ Section 6 – includes 8 (People Controls)
§ Section 7 – includes 14 (Physical Controls)
§ Section 8 – includes 34 (Technological Controls)

ISO 27001:2022 Requirements

1- Scope
34
§ This International Standard specifies requirements for ISMS
§ All the requirements of this International Standard are generic and are intended to
be applicable to any organization, regardless of its type or size, or the products and
services it provides.
§ The exclusion of the requirement is not acceptable

2 - Normative references
35
§ For dated references, only the edition cited applies.
§ For undated references, the latest edition of the referenced document (including any
amendments) applies.
§ ISO/IEC 27000, Information Technology — Security Techniques — Information
Security Management Systems — Overview and Vocabulary

3. Terms and Definitions
36
For the purposes of this document, the terms and definitions given in ISO 27000
apply

Risk
Effect of uncertainty on objectives
Threat
Potential cause of an unwanted incident, which may result in harm to a system or
organization
Risk assessment
Overall process of risk identification risk analysis and risk evaluation
Risk acceptance
Informed decision to take a particular risk
Risk criteria
Terms of reference against which the significance of risk is evaluated

Risk treatment
Process to modify risk
Risk treatment can involve:
• Avoiding the risk by deciding not to start or continue with the activity that gives
rise to the risk;
• Taking or increasing risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party E.g. Insurers, suppliers.
Risk owner
Person or entity with the accountability and authority to manage a risk

Vulnerability
Weakness of an asset or control that can be exploited by one or more threats
Residual risk
Risk remaining after risk treatment
Control
Measure that is modifying risk
Controls may include any process, policy, device, practice, or other actions
which modify / maintain the risk.
Control objective
Statement describing what is to be achieved as a result of implementing controls

Information Security Incident
a single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information
security.
Risk Management
Coordinated activities to direct and control an organization with regard to risk.

Confidentiality
Property that information is not made available or disclosed to unauthorized individuals,
entities, or process
Availability
Property of being accessible and usable upon demand by an authorized entity
Integrity
Property of accuracy and completeness

ISO/TC
176/SC
2/
N1267
42
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
43
Clause 4 Context of the organization
Clause 4.1 Understanding the organization and its context
The organization shall determine external and internal issues
that are relevant to its purpose and its strategic direction and
that affect its ability to achieve the intended result(s) of its
ISMS
4
Context of organization
4.1
Understanding context
4.2
Interested parties
4.3
Scope
4.3
Scope
4.4
ISMS
4.4
ISMS

ISO/TC
176/SC
2/
N1267
44
Clause 4.2 Understanding the needs and expectations of
interested parties
the organization shall determine:
a) the interested parties that are relevant to the ISMS
b) the requirements of these interested parties that are
relevant to the ISMS
4
4.1
4.2
Interested parties
4.3
Scope
4.3
Scope
4.4
ISMS
4.4
ISMS
The organization shall monitor and review information about these interested parties
and their relevant requirements that may include legal & other requirements /
contractual obligations

ISO/TC
176/SC
2/
N1267
45
Clause 4.3 Determining the scope of the ISMS
The organization shall determine the boundaries and applicability of
the ISMS to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) The outsourced activities
The scope of the organization’s ISMS shall be available and be
maintained as documented information.
4
4.1
4.2
Interested parties
4.3
Scope
4.3
Scope
4.4
ISMS
4.4
ISMS

ISO/TC
176/SC
2/
N1267
46
Clause 4.4 ISMS
The organization shall establish, implement, maintain and
continually improve an ISMS including the processes
needed and their interactions, in accordance with the
requirements of this International Standard.
4
4.1
4.2
Interested parties
4.3
Scope
4.3
Scope
4.4
ISMS
4.4
ISMS

ISO/TC
176/SC
2/
N1267
47
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
48
5
Leadership
5.1
Leadership and commitment
5.2
Policy
5.3
Organizational roles,
responsibilities and authorities
Clause 5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment
with respect to the ISMS

ISO/TC
176/SC
2/
N1267
49
5
Leadership
5.1
5.3
5.2
Policy
Clause 5.2 Policy
The IS Policy shall
• Be maintained as documented information;
• Be communicated, understood and applied within the
organization;
• Be available to relevant interested parties, as appropriate.

ISO/TC
176/SC
2/
N1267
50
Clause 5.3 Organizational roles, responsibilities &
authorities
Top management shall ensure that the responsibilities and
authorities for relevant roles are assigned, communicated and
understood within the organization.
Top management shall assign the responsibility and authority for:
• Ensuring that the ISMS conforms to the requirements of this
International Standard;
• Reporting on the performance of the ISMS and on
opportunities for improvement
5
Leadership
5.1
5.2
Policy
5.3

ISO/TC
176/SC
2/
N1267
51
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
52
Clause 6 Planning
6.1 Actions to Address Risks and Opportunities
6.1.1 General
When planning for the ISMS, the organization shall consider the
issues referred to in 4.1 and the requirements referred to in 4.2
and determine the risks and opportunities that need to be
addressed
The organization shall plan:
a) ACTIONS to address these RISKS and OPPORTUNITIES;
b) How to INTEGRATE and IMPLEMENT the actions into its
ISMS , EVALUATE the EFFECTIVENESS of these actions.
6
Planning
6.1
Actions to address risks and
opportunities
6.2
Objectives and planning
6.3 Planning of change

ISO/TC
176/SC
2/
N1267
53
6.1.2 Information Security Risk Assessment
The organization shall define and apply an information security risk
assessment process including :
• Risk acceptance criteria
• Identify risks for CIA
• Identify risk owner
See ISO 31000
6
Planning
6.1
opportunities
6.2

ISO/TC
176/SC
2/
N1267
54
6.1.3 Information Security Risk Treatment
• The organization shall define and apply an information security
risk treatment process
• Annex A and more can be included
• Produce Statement of applicability
• Produce Risk treatment plan
See ISO 31000
6
Planning
6.1
opportunities
6.2

ISO/TC
176/SC
2/
N1267
55
Clause 6.2 IS objectives and planning to achieve
them
The organization shall establish IS objectives at relevant functions,
levels and processes needed for the ISMS
When planning how to achieve its IS objectives, the organization
shall determine:
a) WHAT will be done;
b) WHAT resources will be required;
c) WHO will be responsible;
d) WHEN it will be completed;
e) HOW the results will be evaluated.
6
Planning
6.1
opportunities
6.2

ISO/TC
176/SC
2/
N1267
56
Clause 6.3 Planning of Change
The organization shall plan the changed to the IS MS
6
Planning
6.1
opportunities
6.2

ISO/TC
176/SC
2/
N1267
57
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
58
7.1
Resources
7.1
Resources
7.3
Awareness
7.3
Awareness
7.4
Communication
7.4
Communication
7.5
Documented information
7.2
Competence
7.2
Competence
Clause 7 Support
7.1 Resources
The organization shall DETERMINE and PROVIDE the
RESOURCES needed for the ISMS.
7
Support

ISO/TC
176/SC
2/
N1267
59
7.1
Resources
7.1
Resources
7.3
Awareness
7.3
Awareness
7.4
Communication
7.4
Communication
7.5
7.2
Competence
7.2
Competence
7.2 Competence
The organization shall:
a) determine the necessary competence of person(s) doing
work under its control that affects the performance and
effectiveness of the ISMS
b) ensure that these persons are competent on the basis of
appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary
competence, and evaluate the effectiveness of the actions
taken;
d) retain appropriate documented information as evidence of
competence
7
Support

ISO/TC
176/SC
2/
N1267
60
7.1
Resources
7.1
Resources
7.3
Awareness
7.3
Awareness
7.4
Communication
7.4
Communication
7.5
7.2
Competence
7.2
Competence
7.3 Awareness
The organization shall ensure that persons doing work under the
organization’s control are aware of:
a) the IS policy;
b) relevant IS objectives;
c) their contribution to the effectiveness of the ISMS
d) the implications of not conforming with the ISMS requirements.
7.4 Communication
The organization shall determine the internal and external communications
relevant to the ISMS including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
7
Support

ISO/TC
176/SC
2/
N1267
61
7.5 Documented information
7.5.1 General
The organization’s ISMS shall include:
a) documented information required by this International
Standard;
b) documented information determined by the organization
as being necessary for the effectiveness of ISMS
The extent of documented information for a ISMS can differ
from one organization to another
7
Support
7.1
Resources
7.1
Resources
7.3
Awareness
7.3
Awareness
7.4
Communication
7.4
Communication
7.5
7.2
Competence
7.2
Competence

ISO/TC
176/SC
2/
N1267
62
7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure
appropriate
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic);
c) review and approval for suitability and adequacy.

ISO/TC
176/SC
2/
N1267
63
7.5.3 Control of documented information
Documented information shall be controlled to ensure:
A) it is available and suitable for use
B) it is adequately protected
C) distribution, access, retrieval and use;
D) storage and preservation, including preservation of legibility;
E) control of changes (e.g. version control);
F) retention and disposition
• Documented information of external origin
• Documented information retained as evidence of conformity shall be protected
from unintended alterations.

ISO/TC
176/SC
2/
N1267
64
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
65
Clause 8 Operation
8.1 Operational planning and control
• The organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1.
• The organization shall also implement plans to achieve information security
objectives determined in 6.2.
• The organization shall keep documented information to the extent necessary to have
confidence that the processes have been carried out as planned.
• The organization shall control planned changes and review the consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary.
• The organization shall ensure that outsourced processes are determined and
controlled.

ISO/TC
176/SC
2/
N1267
66
8.2 Information Security Risk Assessment
• The organization shall perform information security risk assessments at planned
intervals or when significant changes are proposed or occur, taking account of the
criteria established in 6.1.2
• Retain documented information
8.3 Information Security Risk Treatment
• The organization shall implement information security risk treatment plan
• Retain documented information

ISO/TC
176/SC
2/
N1267
67
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
6.3 Planning of
change
6.3 Planning of
change
10.1 Continual
improvement
10.1 Continual
improvement
corrective action
corrective action

ISO/TC
176/SC
2/
N1267
68
Clause 9 Performance evaluation
9.1 Monitoring, measurement, analysis and
evaluation
§ The organization shall determine:
a) what needs to be monitored and measured;
b) the methods for monitoring, measurement, analysis and
evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall
be analyzed and evaluated.
§ The organization shall evaluate the performance
§ Retain appropriate documented information as evidence of the
results.
9
Performance evaluation
9.2
Internal audit
9.3
Management review
9.1
Monitoring, measurement,
analysis and evaluation

ISO/TC
176/SC
2/
N1267
69
9.2 Internal audit
The organization shall conduct internal audits at planned intervals
to provide information on whether the ISMS conforms to:
9
Performance Evaluation
9.1
9.2
Internal audit
9.3
Management review
1) the organization’s own requirements for its ISMS
2) the requirements of this International Standard;
3) is effectively implemented and maintained.

ISO/TC
176/SC
2/
N1267
70
9
9.1
9.2
Internal audit
9.3
Management review
The organization shall:
a) plan, establish, implement and maintain an audit
program(s) including the frequency, methods,
responsibilities, planning requirements and reporting, which
shall take into consideration the importance of the
processes concerned, changes affecting the organization,
and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity
and the impartiality of the audit process;
d) ensure that the results of the audits are reported to
relevant management;
e) take appropriate correction and corrective actions without
undue delay;
f) retain documented information as evidence of the
implementation of the audit program and the audit results.

ISO/TC
176/SC
2/
N1267
71
9
9.1
9.2
Internal audit
9.3
Management review
9.3 Management review
Top management shall review the organization’s ISMS at planned
intervals, to ensure its continuing suitability, adequacy,
effectiveness and alignment with the strategic direction of the
organization.

ISO/TC
176/SC
2/
N1267
72
Management review inputs
The management review shall be planned and carried out taking into consideration:
§ The status of actions from previous management reviews;
§ Changes in external and internal issues that are relevant to the ISMS
§ Feedback from relevant interested parties;
§ The extent to which IS objectives have been met;
§ Nonconformities and corrective actions;
§ Monitoring and measurement results;
§ Audit results;
§ The adequacy of resources;
§ The effectiveness of actions taken to address risks and opportunities
§ Opportunities for improvement.

ISO/TC
176/SC
2/
N1267
73
Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the ISMS;
c) resource needs.
The organization shall retain documented information as evidence of the results of
management reviews.

ISO/TC
176/SC
2/
N1267
74
Evaluation
10 Improvement
4.1 Understanding
context
4.3 Scope
4.4 IS MS
5.1 Leadership and
commitment
6.1 Actions to
address Risks and
opportunities
6.2 IS Objectives
and Planning to
achieve them
7.1
Resources
9.1 Monitoring,
and evaluation
9.1 Monitoring,
and evaluation
7.3
Awareness
7.4
Communication
7.5
Documented
information
7.2
Competence
9.2 Internal
audit
9.3 Management
review
8.1 Operational
control
8.1 Operational
planning and
control
5.2 Policy
5.3 Organizational
and authorities
ISO 27001:2022
8.2 IS risk
assessment
8.3 IS risk
treatment
10.1 Continual
improvement
corrective action
6.3 Planning of
change
6.3 Planning of
change

ISO/TC
176/SC
2/
N1267
75
10.1 Continual improvement
The organization shall continually improve the suitability, adequacy
and effectiveness of the ISMS.
The organization shall consider the results of analysis and
evaluation, and the outputs from management review, to
determine if there are needs or opportunities that shall be
addressed as part of continual improvement.
10
Improvement
10.1 Continual
improvement
corrective action

ISO/TC
176/SC
2/
N1267
76
Clause 10 Improvement
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences
b) evaluate the need for action to eliminate the cause(s) of the
nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analyzing the nonconformity;
2) determining the causes of the nonconformity; determining if similar
nonconformities exist, or could potentially occur
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the ISMS , if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities
encountered.
10
Improvement
10.1 Continual
improvement
corrective action

Management System Documentation
IS Policy Statement /IS Objectives Statement
Manual
Management
Procedures/plans
Work Instruction
Forms / Records

Statement of Applicability
A Statement of Applicability shall be prepared that includes the following:
1) The control objectives and controls selected and the reasons for their selection;
2) The control objectives and controls currently implemented and
3) The exclusion of any control objectives and controls in Annex A and the justification for
their exclusion.
NOTES:
• The Statement of Applicability provides a summary of decisions concerning risk treatment.
• Justifying exclusions provides a cross-check that no controls have been inadvertently
omitted.

Risk Treatment Plan
The organization shall do the following:
a) Formulate a risk treatment plan that identifies the appropriate management action,
resources, responsibilities and priorities for managing information security risks.
b) Implement the risk treatment plan in order to achieve the identified control objectives,
which includes consideration of funding and allocation of roles and responsibilities.

Annex A
Information Security Controls Reference

1) Information Security Policy
Objective:
To provide management direction and support for information security in accordance with business
requirements and relevant laws and regulations.
2) Internal and External Organization of Information Security Within the Organization
Objectives :
1. To manage information security activities within the organization.
2. To maintain the security of the organization’s information and information processing facilities that are
accessed, processed, communicated to, or managed by external parties.
3) Assets Management
Objective:
To achieve and maintain appropriate protection of organizational assets

4) Information Classification
Objective:
To ensure that information receives an appropriate level of protection.
5) Human Resources Security (Prior to Employment)
Objective:
To ensure that employees, contractors and third party users understand their responsibilities to
reduce the risk.
6) Human Resources Security (During Employment)
Objective:
To ensure that all employees, contractors and third party users are aware of information security
threats and their responsibilities.

7) Human Resources Security (Termination or Change of Employment)
Objective:
To ensure that employees, contractors and third party users exit an organization or change
employment in an orderly manner.
8) Physical and Environmental Security (Secure Areas)
Objective:
To prevent unauthorized physical access, damage and interference to the organization’s
premises and information.
9) Physical and Environmental Security (Equipment Security)
Objective:
To prevent loss, damage, or theft of assets and interruption to the organization’s activities.

10) Third Party Service Delivery Management
Objective:
To implement and maintain the appropriate level of information security and service delivery in
line with third party service delivery agreements.
11) System Planning and Acceptance
Objective:
To minimize the risk of system failures.
12) Back-up
Objective:
To maintain the integrity and availability of information and information processing facilities.

13) Network Security Management
Objective:
To ensure the protection of information in networks and the protection of the supporting
infrastructure.
14) Media Handling
Objective:
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption
to business activities.
15) Exchange of Information
Objective:
To maintain the security of information and software exchanged within an organization and with any
external entity.

16) Electronic Commerce Services
Objective:
To ensure the security of electronic commerce services, and their secure use.
17) User Access Management
Objective:
To ensure authorized user access and to prevent unauthorized access to information.
18) Management of Information Security Incidents and Improvements
Objective:
To ensure a consistent and effective approach is applied to the management of information security
incidents

19) Compliance With Legal Requirements
Objective:
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security
requirements.
20) Compliance with Security Policies and Standards, and Technical Compliance
Objective:
To ensure compliance of systems with organizational security policies and standards.
21) Information Systems Audit Considerations
Objective:
To maximize the effectiveness of the information systems audit process

88

ISMS_of ISO 27001-2022-awareness training

More Related Content

What's hot

Similar to ISMS_of ISO 27001-2022-awareness training

More from HananZayed4

Recently uploaded

ISMS_of ISO 27001-2022-awareness training