ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and Compliance
Denis Elvis Omara,
Chief Information Officer ||
DPO ||
Certified Chief Information Security Officer ||
Lead ISO/IEC 27001 Information Security Management Systems Implementer
AGENDA
1. Introduction to ISO/IEC 27001
2. Annex A (ISO/IEC 27002) – The Controls
3. Implementation Road Map – Step-by-step Approach
4. Comprehensive Risk Management
5. Implementation of Management Systems
Introduction to ISO/IEC 27001
In addition to meeting the Annex A control requirements, organisations must meet the requirements of clauses 4-10 of the standard to achieve ISO 27001 certification:
Composition of Clauses (Clauses 4-10)
Clause 4: Context of the organisation
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
The standard is designed around a structured framework (Plan → Do → Check → Act): simplicity with underlying complexities.
Structured Design
Plan: Context, Leadership, Support
Do: Operations (all Annex A controls)
Check: Performance evaluation
Act: Improvement
Annex A – Objectives and Controls
The 2022 updated Annex A has 93 controls divided into 4 categories or themes (Organisational controls, People controls, Physical controls and Technology controls) and 14 domains:
1. Information Security Policies – A5
2. Organisation of Information Security – A6
3. Human Resources Security – A7
4. Asset Management – A8
5. Access Control – A9
6. Cryptography – A10
7. Physical and Environmental Security – A11
8. Operations Security – A12
9. Communications Security – A13
10. System Acquisition, Development and Maintenance – A14
11. Supplier Relationships – A15
12. Information Security Incident Management – A16
13. Business Continuity – A17
14. Compliance – A18
Implementation road map- Secure Blueprint
1. Understand your environment, including the security requirements and the internal and external actors.
2. Formulate a step-by-step strategy for implementing ISO/IEC 27001, including management buy-in and approval.
3. Define the scope: clearly define the boundaries and applicability of the ISMS (Information Security Management System).
4. Carry out comprehensive risk management: identify, assess and prioritise information security risks.
5. Produce a Statement of Applicability.
6. Implement the management system.
7. Test the deployments.
8. Conduct an internal audit.
Risk Assessment
1. Define the scope, context and risk criteria.
2. Conduct the risk assessment: identify, analyse, evaluate.
3. Define the risk treatment.
4. Classify assets.
5. Monitor continuously.
6. Involve staff and other stakeholders.
7. Document and keep records in an easily accessible place.
MUST DOCUMENT: the definition of the information and assets available.
- Digital – data stored electronically.
- Physical – paper-based records, desks, whiteboards.
- Soft or knowledge – the knowledge held by employees and specialists.
Consider the following:
1. Vulnerability
2. Threat
3. Threat Agents
4. Risks
5. Exposure
6. Controls
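As an added example (not part of the presenters' slides), the following Python register walks the steps above on constructed data: each row records the six factors just listed (vulnerability, threat, threat agent, risk, exposure, controls) for an asset of one of the three documented types, the risk is analysed as likelihood × impact, evaluated against agreed risk criteria, and given a treatment decision; the controls attached to risks that must be modified give a starting point for the Statement of Applicability. The 1..5 scales, the thresholds, the asset names and the Annex A control references (2022 numbering) are illustrative assumptions, not values from the deck.

```python
"""Risk register walk-through: identify -> analyse -> evaluate -> treat.
Constructed example for illustration; scales, thresholds and control
references are assumptions, not the presenters' material."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class AssetType(Enum):
    """The three asset families the deck says must be documented."""
    DIGITAL = "digital"        # data stored electronically
    PHYSICAL = "physical"      # paper, desks, whiteboards
    KNOWLEDGE = "knowledge"    # what employees and specialists know


@dataclass
class Asset:
    name: str
    kind: AssetType
    classification: str        # e.g. "confidential" / "internal" / "public"
    owner: str


@dataclass
class Risk:
    """One register row: the factors the slide asks to consider."""
    asset: Asset
    vulnerability: str
    threat: str
    threat_agent: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    exposure: str              # how the vulnerability is reachable
    controls: list[str] = field(default_factory=list)  # Annex A refs planned/in place

    @property
    def score(self) -> int:
        """Analyse: inherent risk as likelihood x impact (1..25)."""
        return self.likelihood * self.impact


# Risk criteria agreed up front (step 1 of the slide); thresholds are assumed.
RISK_CRITERIA = {"accept_max": 5, "high_min": 12}


def evaluate(risk: Risk, criteria: dict = RISK_CRITERIA) -> dict:
    """Evaluate: compare the score with the criteria and choose a treatment,
    using the ISO/IEC 27005 vocabulary (retain / modify)."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset.name}: likelihood and impact must be on the 1..5 scale")
    s = risk.score
    if s <= criteria["accept_max"]:
        level, treatment = "low", "retain"
    elif s < criteria["high_min"]:
        level, treatment = "medium", "modify"
    else:
        level, treatment = "high", "modify (priority)"
    return {"asset": risk.asset.name, "threat": risk.threat, "score": s,
            "level": level, "treatment": treatment, "controls": list(risk.controls)}


def assess_register(register: list[Risk], criteria: dict = RISK_CRITERIA) -> list[dict]:
    """Evaluate every row, highest score first (the prioritisation of roadmap step 4)."""
    return sorted((evaluate(r, criteria) for r in register),
                  key=lambda e: e["score"], reverse=True)


def controls_to_apply(results: list[dict]) -> set[str]:
    """Controls attached to risks that must be modified: input to the
    Statement of Applicability (roadmap step 5)."""
    return {c for e in results if e["treatment"].startswith("modify") for c in e["controls"]}


# Constructed sample register; names, scores and control refs are illustrative.
HR_DB = Asset("HR database", AssetType.DIGITAL, "confidential", "Head of HR")
ARCHIVE = Asset("Paper contracts archive", AssetType.PHYSICAL, "confidential", "Legal")
ADMIN_KNOWHOW = Asset("Sole network admin's know-how", AssetType.KNOWLEDGE, "internal", "CIO")

SAMPLE_REGISTER = [
    Risk(HR_DB, "weak admin passwords, no MFA", "credential compromise", "external attacker",
         likelihood=4, impact=5, exposure="internet-facing VPN", controls=["A.5.17", "A.8.5"]),
    Risk(ARCHIVE, "unlocked cabinets", "unauthorised reading of records", "visitor",
         likelihood=2, impact=3, exposure="shared office floor", controls=["A.7.1"]),
    Risk(ADMIN_KNOWHOW, "no documented runbooks", "loss of knowledge on departure", "staff turnover",
         likelihood=2, impact=2, exposure="single-person dependency", controls=["A.5.37"]),
]

if __name__ == "__main__":
    results = assess_register(SAMPLE_REGISTER)
    for row in results:
        print(f"{row['score']:>2} {row['level']:<6} {row['treatment']:<18} {row['asset']}: {row['threat']}")
    print("Controls to implement:", sorted(controls_to_apply(results)))
```

The register deliberately keeps the criteria as data rather than hard-coding them in the evaluation: the thresholds are what management agrees in step 1, and re-running the same register against revised criteria is how the "monitor continuously" step shows which decisions change.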
Implementing Management Systems
1. Have a written Information Security Management System Manual, detailing within it the clauses:
   i) Context of the organisation
   ii) Leadership
   iii) Planning
   iv) Support
   v) Operations
   vi) Performance and evaluation
   vii) Improvements
2. Implement the Manual
3. Conduct Internal Audit
4. Conduct a Management review
Alexandru Gheorghe
Senior Legal Counsel ||
Senior Data Privacy Consultant ||
DPO ||
Cybersecurity Program Implementer (ISO 27032)||
Legal Design Expert ||
Artificial Intelligence Ethics Explainer ||
PhD Student in Applied Ethics at Bucharest Philosophy University ||
Agenda
- AI Act – history to present date
- On ISO42001
- Can we trust AI?
AI ACT – history to present date
- April 2019 – Initial proposal by the EU Commission (EC); focus on ethics, transparency and accountability of
- February 2020 – EC released a White Paper on AI to outline policy options
- April 2021 – EC officially presents the AI Act proposal
- 2022 – back and forth between the EU Parliament and different EU member representatives (France, Czech Republic); the general approach on AI by the EU Council is adopted (*6th Dec)
- 2023 – three versions were discussed; G7 countries agree to an AI Code of Conduct; Joe Biden Executive Order on Trustworthy AI
- 2024 – AI Act expected to be signed and finally adopted, with phased implementation over the next 2 years (around June 2026)
AI ACT – history to present date
EU authorities overseeing AI compliance:
- EU AI Board, outlined by the AI Act
- European Data Protection Board + European Data Protection Supervisor
- AI regulatory bodies of member states
The race for AI regulation (fragmentation)
On ISO42001
From using AI technology to societal changes
Focus and Objective of ISO42001
“ISO/IEC 42001 is a globally recognized standard that provides
guidelines for the governance and management of AI
technologies. It offers a systematic approach to addressing
the challenges associated with AI implementation in a
recognized management system framework covering areas
such as ethics, accountability, transparency and data privacy.
Designed to oversee the various aspects of artificial
intelligence, it provides an integrated approach to managing AI
projects, from risk assessment to effective treatment of these
risks.”
Read more: https://www.iso.org/artificial-intelligence/ai-management-systems
ISO42001 – Ethical, Privacy, Security, Risks, Transparency
- Integrates with other organizational processes to ensure continuous improvement and alignment with other (ISO) standards. Ensures coherence with organizational goals and ethical standards.
- A systematic approach to identifying and mitigating risks throughout the AI lifecycle. Provides support in evaluating the consequences and impact of AI on individuals and societies.
- Assistance with compliance efforts under privacy laws and with safeguarding AI systems against threats.
- Helps organizations build a culture based on a transparent decision-making process to foster trust and accountability. Provides insight into its goals and standards, and ensures that such concepts are integrated into the organization's procedures for continuous monitoring and improvement of AI systems.
AI Act: "Personal data processing will be regulated by GDPR"
Intersection of ISO42001 with GDPR
A.7 Data for AI systems – from ISO42001:
- Data for development and enhancement of AI systems
- Acquisition of data
- Quality of data for AI systems
- Data provenance
- Data preparation
Can we trust AI?
To TRUST AI means to KNOW AI.
You know AI …
- if you build it
- if you understand it
Annex IV – Technical Documentation, point 2 of the AIA requires "a detailed description of the elements of the AI system and of the process for its development, including:
- methods and steps performed by the developer of the AI system, like recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
- description of the architecture, design specifications, algorithms and the data structure, a decomposition of its components and interfaces;
- data requirements -> data sheets describing the training methodologies and techniques and the training data set used, and information about the provenance of those data sets and main scope and characteristics;
- assessment of the human oversight measures needed (according to art 13 and 14);
- cybersecurity measures put in place;
etc.
Don't wait to get to 100%!
Start with 60%...
THANK YOU
Q&A
alexandru.gheorghe@inperspective.ro https://www.linkedin.com/in/alexandru-gheorghe/
omarauxdix@yahoo.com https://www.linkedin.com/in/denis-elvis-omara-12254041/

 
FIRST AID PRESENTATION ON INDUSTRIAL SAFETY by dr lal.ppt
FIRST AID PRESENTATION ON INDUSTRIAL SAFETY by dr lal.pptFIRST AID PRESENTATION ON INDUSTRIAL SAFETY by dr lal.ppt
FIRST AID PRESENTATION ON INDUSTRIAL SAFETY by dr lal.ppt
 
Lecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privilegesLecture Notes Unit4 Chapter13 users , roles and privileges
Lecture Notes Unit4 Chapter13 users , roles and privileges
 
Introduction to Banking System in India.ppt
Introduction to Banking System in India.pptIntroduction to Banking System in India.ppt
Introduction to Banking System in India.ppt
 
2 Post harvest Physiology of Horticulture produce.pptx
2 Post harvest Physiology of Horticulture  produce.pptx2 Post harvest Physiology of Horticulture  produce.pptx
2 Post harvest Physiology of Horticulture produce.pptx
 
1. Importance_of_reducing_postharvest_loss.pptx
1. Importance_of_reducing_postharvest_loss.pptx1. Importance_of_reducing_postharvest_loss.pptx
1. Importance_of_reducing_postharvest_loss.pptx
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
 
Codeavour 5.0 International Impact Report - The Biggest International AI, Cod...
Codeavour 5.0 International Impact Report - The Biggest International AI, Cod...Codeavour 5.0 International Impact Report - The Biggest International AI, Cod...
Codeavour 5.0 International Impact Report - The Biggest International AI, Cod...
 
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptxParkinson Disease & Anti-Parkinsonian Drugs.pptx
Parkinson Disease & Anti-Parkinsonian Drugs.pptx
 
Dr. Nasir Mustafa CERTIFICATE OF APPRECIATION "NEUROANATOMY"
Dr. Nasir Mustafa CERTIFICATE OF APPRECIATION "NEUROANATOMY"Dr. Nasir Mustafa CERTIFICATE OF APPRECIATION "NEUROANATOMY"
Dr. Nasir Mustafa CERTIFICATE OF APPRECIATION "NEUROANATOMY"
 
QCE – Unpacking the syllabus Implications for Senior School practices and ass...
QCE – Unpacking the syllabus Implications for Senior School practices and ass...QCE – Unpacking the syllabus Implications for Senior School practices and ass...
QCE – Unpacking the syllabus Implications for Senior School practices and ass...
 

ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and Compliance

  • 3. Denis Elvis Omara, Chief Information Officer || DPO || Certified Chief Information Security Officer || Lead ISO/IEC 27001—Information Security Management Systems Implementer
  • 4. AGENDA
    1. Introduction to ISO/IEC 27001
    2. Annex A (ISO/IEC 27002) – The Controls
    3. Implementation Road Map – Step-by-step Approach
    4. Comprehensive Risk Management
    5. Implementation of Management Systems
  • 5. Introduction to ISO/IEC 27001
    In addition to meeting Annex A control requirements, organisations must meet the requirements from clauses 4-10 of the standard to achieve ISO 27001 certification.
    Composition of Clauses (Clauses 4-10):
    Clause 4: Context of the organisation
    Clause 5: Leadership
    Clause 6: Planning
    Clause 7: Support
    Clause 8: Operation
    Clause 9: Performance evaluation
    Clause 10: Improvement
    The standard is designed around a structured framework (Plan → Do → Check → Act).
  • 6. Simplicity with underlying complexities – Structured Design
    Plan: Context, Leadership, Support
    Do: Operations (all of Annex A)
    Check: Performance and Evaluation
    Act: Improvement
  • 7. Annex A – Objectives and Controls
    The 2022 updated Annex has 93 controls divided into 4 categories or themes (Organisational controls, People controls, Physical controls and Technology controls) and 14 Domains.
    1. Information Security Policies – A5
    2. Organisation of information – A6
    3. Human Resources Security – A7
    4. Asset Management – A8
    5. Access Control – A9
    6. Cryptography – A10
    7. Physical and Environmental Security – A11
    8. Operations Security – A12
    9. Communications Security – A13
    10. System Acquisition, Development and Maintenance – A14
    11. Supplier relationships – A15
    12. Information security incident management – A16
    13. Business continuity – A17
    14. Compliance – A18
  • 8. Implementation road map – Secure Blueprint
    1. Understanding your environment, including the security requirements and internal and external actors.
    2. Formulating a step-by-step strategy for implementing ISO/IEC 27001, including management buy-in and approval.
    3. Scope definition: clearly defining the boundaries and applicability of the ISMS (Information Security Management System).
    4. Comprehensive risk management: identifying, assessing, and prioritising information security risks.
    5. Produce a Statement of Applicability.
    6. Implement management systems.
    7. Test deployments.
    8. Conduct an internal audit.
  • 9. Risk Assessment
    1. Define the scope, context, and the risk criteria.
    2. Conduct the risk assessment: Identify – Analyse – Evaluate.
    3. Define risk treatment.
    4. Asset classification.
    5. Monitor continuously.
    6. Involve staff and other stakeholders.
    7. Document and keep records in an easily accessible place.
    MUST DOCUMENT: a definition of the information and assets available.
    - Digital – data stored electronically
    - Physical – paper-based records, desks, whiteboards
    - Soft or Knowledge – employees' knowledge and specialists
    Consider the following:
    1. Vulnerability
    2. Threat
    3. Threat agents
    4. Risks
    5. Exposure
    6. Controls
  • 10. Implementing Management Systems
    1. Have a written Information Security Management System Manual, detailing within it the clauses: i) Context of the organisation, ii) Leadership, iii) Planning, iv) Support, v) Operations, vi) Performance and evaluation, vii) Improvements.
    2. Implement the Manual.
    3. Conduct an internal audit.
    4. Conduct a management review.
  • 11. Alexandru Gheorghe, Senior Legal Counsel || Senior Data Privacy Consultant || DPO || Cybersecurity Program Implementer (ISO 27032) || Legal Design Expert || Artificial Intelligence Ethics Explainer || PhD Student in Applied Ethics at Bucharest Philosophy University
  • 12. Agenda
    - AI Act – history to present date
    - On ISO42001
    - Can we trust AI?
  • 13. AI ACT – history to present date
  • 14. AI ACT – history to present date
    - April 2019 – Initial proposal by the EU Commission (EC), focusing on ethics, transparency and accountability
    - February 2020 – EC released a White Paper on AI to outline policy options
    - April 2021 – EC officially presents the AI Act proposal
    - 2022 – back and forth between the EU Parliament and different EU member representatives (France, Czech Republic); the EU Council adopts its general approach on AI
    - 6th Dec 2023 – three versions were discussed; G7 countries agree to an AI Code of Conduct; Joe Biden Executive Order on Trustworthy AI
    - 2024 – AI Act expected to be signed and finally adopted, with phased implementation over the next 2 years (around June 2026)
  • 15. AI ACT – EU Authorities overseeing AI Compliance
    - EU AI Board, outlined by the AI Act
    - European Data Protection Board + European Data Protection Supervisor
    - AI regulatory bodies of member states
  • 16. The Race for AI Regulatory (Fragmentation)
  • 18. From using AI technology to societal changes – Focus and Objective of ISO42001
    "ISO/IEC 42001 is a globally recognized standard that provides guidelines for the governance and management of AI technologies. It offers a systematic approach to addressing the challenges associated with AI implementation in a recognized management system framework covering areas such as ethics, accountability, transparency and data privacy. Designed to oversee the various aspects of artificial intelligence, it provides an integrated approach to managing AI projects, from risk assessment to effective treatment of these risks."
    Read more: https://www.iso.org/artificial-intelligence/ai-management-systems
  • 19. ISO42001 – Ethical, Privacy, Security, Risks, Transparency
    - Integrates other organizational processes to ensure continuous improvement and alignment with other (ISO) standards.
    - Ensures coherence with organizational goals and ethical standards.
    - A systematic approach to identify and mitigate risks throughout the AI lifecycle.
    - Provides support on evaluating the consequences and impact of AI on individuals and societies.
    - Assistance on compliance efforts with privacy laws and safeguarding AI systems against threats.
    - Helps organizations build a culture based on a transparent decision-making process to foster trust and accountability.
    - Provides insight into its goals and standards, and ensures such concepts are integrated into the organization's procedures for continuous monitoring and improvement of AI systems.
  • 20. Intersection of ISO42001 with GDPR
    AI ACT: "Personal data processing will be regulated by GDPR"
    A.7 Data for AI systems – from ISO42001:
    - Data for development and enhancement of AI systems
    - Acquisition of data
    - Quality of data for AI systems
    - Data provenance
    - Data preparation
  • 22. To TRUST AI means to KNOW AI
    You know AI ...
    - if you build it
    - if you understand it
    Annex IV – Technical Documentation, point 2 of the AIA requires "a detailed description of the elements of the AI system and of the process for its development, including:
    - methods and steps performed by the developer of the AI system, like recourse to pre-trained systems or tools provided by third parties and how these have been used, integrated or modified by the provider;
    - description of the architecture, design specifications, algorithms and the data structure, a decomposition of its components and interfaces;
    - data requirements -> data sheets describing the training methodologies and techniques and the training data set used and information about the provenance of those data sets and main scope and characteristics;
    - assessment of the human oversight measures needed (according to art 13 and 14);
    - cybersecurity measures put in place; etc...."
  • 23. Don't wait to get to 100%! Start with 60%...

Editor's Notes

  1. The ISO 27001 standard guides the establishment, evaluation, maintenance, and improvement of a secure ISMS, emphasizing its significance in protecting information assets across the organisation. An Information Security Management System (ISMS) is a comprehensive framework that includes people, systems, technology, processes, and information security policies to safeguard an organisation's sensitive data. It goes beyond physical components and software, encompassing principles that guide how information is used, stored, and retrieved and how risks are assessed and addressed to enhance data security. An ISMS encompasses the four Ps:
     - People
     - Policies and processes
     - Products and technologies
     - Partners and third-party vendors
  2. Simplicity with Underlying Complexities: which ISO 27001 clauses and Annex A controls apply, and how, will depend on your unique organization. The ISO 27001 standard is written so that different types of organizations can meet the legal, regulatory, and contractual requirements in their own way.
  3. Previously, there were 114 controls. When the International Organization for Standardization updated the ISO 27001:2013 standard in 2022, they added 11 new controls:
     - A.5.7: Threat intelligence
     - A.5.23: Information security for use of cloud services
     - A.5.30: ICT readiness for business continuity
     - A.7.4: Physical security monitoring
     - A.8.9: Configuration management
     - A.8.10: Information deletion
     - A.8.11: Data masking
     - A.8.12: Data leakage prevention
     - A.8.16: Monitoring activities
     - A.8.23: Web filtering
     - A.8.28: Secure coding
  4. Implementation roadmap
     1. Understanding your environment, including the security requirements and internal and external actors, involves thoroughly assessing the organization's infrastructure, systems, and processes. This can include identifying potential security threats and vulnerabilities, understanding the roles and responsibilities of internal and external stakeholders, and analysing the regulatory and compliance requirements relevant to the organisation.
     2. Formulating a step-by-step strategy for implementing ISO/IEC 27001, including management buy-in and approval, may involve activities such as creating a project plan, establishing a cross-functional implementation team, conducting awareness and training sessions for key stakeholders, and obtaining senior management support and commitment to the implementation process.
     3. Scope definition, a critical part of the implementation roadmap, includes clearly defining the boundaries and applicability of the ISMS (Information Security Management System). This may involve identifying the assets, processes, and locations to be included within the ISMS, determining the boundaries of the information security management processes, and identifying any exclusions.
     4. Comprehensive risk management involves identifying, assessing, and prioritising information security risks. This can include conducting risk assessments, identifying potential threats and vulnerabilities, evaluating the likelihood and impact of risks, and developing risk treatment plans to mitigate or manage identified risks.
     5. Producing a Statement of Applicability involves determining which controls within the ISO/IEC 27001 standard are applicable to the organization and providing justification for their inclusion or exclusion. This may involve conducting a gap analysis, mapping organizational controls to the standard's requirements, and documenting the rationale for including or excluding specific controls.
     6. Implementing management systems includes activities such as developing and implementing information security policies, procedures, and processes, establishing roles and responsibilities for information security management, deploying security controls and safeguards, and integrating information security into the organization's overall business processes.
     7. Testing deployments involves validating the effectiveness and performance of implemented security controls and safeguards. This may include activities such as conducting security testing and vulnerability assessments, performing penetration testing, and monitoring the functioning of security controls to ensure they operate as intended.
     8. Conducting an internal audit involves evaluating the effectiveness and adequacy of the implemented ISMS. This can include conducting periodic internal audits to assess compliance with the ISO/IEC 27001 standard, identifying non-conformities or areas for improvement, and documenting audit findings and recommendations for corrective actions.
  5. You must have an information security risk register. Its columns: Item | Vulnerability | Harm | Risk Level | Controls | Residual Risk Level | Mitigations | Contingencies.
  6. Consider involving experts in the various areas. Pull in experience, both technical and legal, from various places; do not do everything yourself or leave it to just the small implementation team. Have steering committees covering all levels of the business actively involved. Do not rush the implementation.
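The risk assessment steps on slide 9 (identify, analyse, evaluate, then define treatment) and the risk register columns in editor's note 5 describe a process but give no worked instance of it. The following is an added example, not code from the slides or from either speaker: a small Python risk register that scores each item, derives the inherent and residual risk levels, and decides which items still need treatment against a risk acceptance criterion. The 1-5 likelihood and impact scale, the level bands, the rule that a control subtracts fixed points from likelihood or impact, the acceptance criterion and the three register entries are all constructed assumptions for illustration; a real ISMS defines its own scale and criteria under Clause 6.

```python
"""Minimal information security risk register (added example, not the slides' code).

Columns follow editor's note 5: Item, Vulnerability, Harm, Risk Level, Controls,
Residual Risk Level, Mitigations, Contingencies. Scoring rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed bands for the score likelihood x impact (each 1..5, so 1..25).
LEVEL_BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low"))
# Assumed risk acceptance criterion (Clause 6 in a real ISMS): Low/Medium accepted.
ACCEPTABLE_LEVELS = {"Low", "Medium"}


def risk_level(score: int) -> str:
    """Map a numeric score to a qualitative level using LEVEL_BANDS."""
    for threshold, label in LEVEL_BANDS:
        if score >= threshold:
            return label
    return "Low"  # not reached: the last band starts at 0


@dataclass
class Control:
    """An implemented control; assumed model: it removes points from likelihood/impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskItem:
    item: str                     # the asset (digital, physical or knowledge)
    vulnerability: str
    harm: str                     # what happens if the threat is realised
    likelihood: int               # 1..5, assumed scale
    impact: int                   # 1..5, assumed scale
    controls: List[Control] = field(default_factory=list)
    mitigations: str = ""         # planned treatment
    contingencies: str = ""       # what to do if the risk materialises anyway

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be within 1..5")

    def inherent_score(self) -> int:
        """Score before any control is considered (the 'Risk Level' column)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after controls; neither factor drops below 1 (a risk never vanishes)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

    def needs_treatment(self) -> bool:
        """Evaluate step: residual level outside the acceptance criterion needs a plan."""
        return risk_level(self.residual_score()) not in ACCEPTABLE_LEVELS


def build_register() -> List[RiskItem]:
    """Three constructed entries, one per asset class named on slide 9."""
    return [
        RiskItem("Customer database (digital)", "Unpatched database server",
                 "Breach of personal data", likelihood=4, impact=5,
                 controls=[Control("Patch management", likelihood_reduction=2),
                           Control("Encryption at rest", impact_reduction=1)],
                 mitigations="Monthly patch cycle with exception tracking",
                 contingencies="Incident response plan; breach notification procedure"),
        RiskItem("Specialist knowledge of a single engineer", "Undocumented processes",
                 "Loss of capability if the employee leaves", likelihood=3, impact=4,
                 mitigations="Document runbooks; cross-train a second engineer",
                 contingencies="Retain contractor on call"),
        RiskItem("Printed HR records (physical)", "Records kept in an unlocked cabinet",
                 "Unauthorised disclosure", likelihood=2, impact=3,
                 controls=[Control("Locked cabinet, key held by HR", likelihood_reduction=1)],
                 contingencies="Report and assess any missing file"),
    ]


def register_rows(items: List[RiskItem]) -> List[Dict[str, str]]:
    """Render the register in the column layout from the editor's note."""
    return [{
        "Item": r.item,
        "Vulnerability": r.vulnerability,
        "Harm": r.harm,
        "Risk Level": risk_level(r.inherent_score()),
        "Controls": "; ".join(c.name for c in r.controls) or "none",
        "Residual Risk Level": risk_level(r.residual_score()),
        "Mitigations": r.mitigations or "-",
        "Contingencies": r.contingencies or "-",
    } for r in items]


def treatment_queue(items: List[RiskItem]) -> List[str]:
    """Prioritise: items outside the acceptance criterion, highest residual score first."""
    pending = [r for r in items if r.needs_treatment()]
    return [r.item for r in sorted(pending, key=lambda r: r.residual_score(), reverse=True)]


if __name__ == "__main__":
    reg = build_register()
    for row in register_rows(reg):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
    print("Needs treatment:", treatment_queue(reg))
```

The point to take from running it: the database entry starts at Critical but its two controls bring it to Medium, so under the assumed criterion it is accepted with its residual risk recorded, while the undocumented-knowledge item has no controls, stays High, and is the one item the treatment plan must address first. That is the "Evaluate" step made explicit, and it is the same comparison the internal audit later re-checks.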