Agenda
• Introductions
• ISO27001 ‘Information Security Management System’ Overview
• ISO22301 ‘Business Continuity Management System’ Overview
• Improving an ISO27001 Continuity Plan with ISO22301
• Case Studies, Implementation examples and Challenges
Introductions
Rudy Shoushany: Strategist in Governance of Cybersecurity & Digital Transformation
Rod Crowder: Author, Speaker, and Managing Director at OpsCentre
ISO/IEC 27001 Information Security Management System Overview
What is ISO/IEC 27001 ISMS?
• ISO 27001 is the international standard for information security
• It sets out the specification for an Information Security Management System (ISMS)
• ISO27001 helps organizations manage information security via people, process and technology
• Certification to ISO27001 is recognised worldwide
Four Key Benefits of ISO/IEC 27001
• Compliance
• Reduced Expenses
• Marketing Edge
• Place your organisation in order
ISO/IEC 27001: A Global Standard on ISMS
ISO/IEC 27001 has:
• 14 Control Areas (or ‘Domains’)
• 34 Control Objectives
• 114 Individual Control Points
ISO/IEC 27001 Control Areas
ISO/IEC 27001 Compliance Steps
8 Steps to Compliance:
• Organization Context
• Scope
• Leadership
• Planning
• Organization Context
• Operations
• Performance
• Improvement
ISO/IEC 27001 PDCA Cycle
ISO/IEC 27001 describes the structure of the framework and uses the Plan-Do-Check-Act cycle (PDCA cycle).
2022 Changes to ISO/IEC 27001
How will the 2022 changes affect my current ISO/IEC 27001 certificate?
In our opinion, the best way to comply with these changes is:
1. To update your risk treatment process with new controls
2. To update your Statement of Applicability
3. To adapt certain sections in your existing policies and procedures.
ISO/IEC 27001 New Controls introduced in 2022
ISO 22301 Business Continuity Management System Overview
What is Business Continuity Management?
Business Continuity Management assists an organization to continue its critical business operations in the event of a significant incident or business disruption.
A Business Continuity Framework provides a structured response to an incident, minimizing the overall impact to the organisation and its key internal and external stakeholders.
Scope of ISO 22301
“The ISO 22301 International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system. The goal is to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
Business Disruption Incidents
Business Continuity Plans focus on what resources are impacted rather than what incident has happened.
Loss of, or impact to, Premises:
• Fire
• Flood
• Utility Loss
• Denial of Access
• Civil disturbance
Loss of, or impact to, People:
• Pandemic or Epidemic
• Unexpected loss or absence of key Personnel
• Large scale of people impacted
• Travel/transport incident
Loss of, or impact to, ICT:
• Local/external network
• Data centre outage
• Communications
• Hardware/software failure
• Cyber security incident
Loss of, or impact to, Key Suppliers:
• Key suppliers experience an event/disaster
• Product supply impact
• Industry-wide impact
ISO 22301 Structure
Similar to ISO/IEC 27001, ISO 22301 specifies the requirements for setting up and managing a BCMS.
Requirements (Sections 4 to 10):
• Section 4 Context of the Organisation
• Section 5 Leadership
• Section 6 Planning
• Section 7 Support
• Section 8 Operations
  • 8.1 Operational Planning & Control
  • 8.2 Business Impact Analysis and Risk Assessment
  • 8.3 Business Continuity Strategy
  • 8.4 Establish and Implement Business Continuity Procedures
  • 8.5 Exercising & Testing
• Section 9 Performance Evaluation
• Section 10 Improvement
Key Business Continuity Content ‘Section 8: Operations’
• 8.1 Operational Planning & Control
• 8.2 Business Impact Analysis and Risk Assessment
• 8.3 Business Continuity Strategy
• 8.4 Establish/Implement Business Continuity Procedures
• 8.5 Exercising & Testing
ISO 22301 & ISO/IEC 27001 Mapping
Source: https://www.isaca.org/resources/isaca-journal/issues/2015/volume-2/simultaneous-implementation-of-an-integrated-isms-and-a-bcms
1. Both ISO standards protect Availability, but ISO 27001 also focuses on Confidentiality and Integrity
2. Both are based on the Plan-Do-Check-Act (PDCA) Cycle
3. Both work towards Risk Management with different objectives, but similar goals
ISO 22301 & ISO/IEC 27001 Differences
ISO27001 Information Security:
• Focuses on preserving the CIA (Confidentiality, Integrity and Availability) of Information
• Technology/Information focus
• Protection / Pre-Incident focus
ISO22301 Business Continuity:
• Focuses on recovery and restoration of critical business functions and processes after a disaster/incident
• Business-wide focus (People, Technology, Premises & 3rd Parties)
• Response / Post-Incident focus
Common Management System shared by ISO22301 Business Continuity and ISO27001 Information Security: 4 – Context of the Organisation, 5 – Leadership, 6 – Planning, 7 – Support, 8 – Operation, 9 – Performance Evaluation, 10 – Improvement
ISO22301 provides implementation guidance for ISO27001 Domain A.17 Information Security Continuity.
Improving an ISO/IEC 27001 Continuity Plan with ISO 22301
How ISO 22301 supports ISO/IEC 27001
ISO/IEC 27001 Information Security Requirements, with the ISO 22301 Supporting Guidance for each:
• A.17.1.1 Determine its requirements for information security and the continuity of information security management in adverse situations
  • 8.2.2 – Business Impact Analysis
  • 8.2.3 – Business Continuity Strategy
  • 8.3.2 – Establishing Resource Requirements
• A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation
  • 8.4.1 – Establish & Implement BC Procedures
  • 8.4.2 – Incident Response Structure
  • 8.4.4 – Business Continuity Plans
• A.17.1.3 Verify the established and implemented information security controls at regular intervals in order to ensure that they are valid and effective during adverse situations
  • 8.5 – Exercising & Testing
  • 9.1 – Performance Evaluation
  • 10.0 – Improvement
A.17.1.1 Determine Requirements
‘A.17.1.1 Determine requirements for information security and the continuity of information security management in adverse situations’
ISO 22301 Guidance: 8.2.2 – Business Impact Analysis; 8.3.1 – Business Continuity Strategy; 8.3.2 – Establish Resource Requirements
Business Impact Assessment:
• Determine Key Activities by time and their criticality, including peak periods and time variables
• Key Resources: People, IT Systems & Applications, information, records, and supply chains to achieve objectives
• Inter-dependencies and how they may be affected by a disruption
• Possible impacts (e.g. financial, customer, legal, reputation, compliance, staffing)
• Risk Assessment: identify and analyse disruption-related risks that need treatment
Business Continuity Strategies:
• Determine Strategies to protect activities, respond to incidents, prioritise resumption timeframes
• Consider Proactive Measures to reduce the likelihood, shorten the disruption and limit the impact
Business Continuity Resource Requirements:
• Determine Resources needed (people, information, data, premises, IT systems and applications, finance, 3rd party partners and suppliers)
A.17.1.2 Establish Plans
‘A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation’
ISO 22301 Guidance: 8.4.1 – Establish Process & Procedures; 8.4.2 – Incident Response Structure; 8.4.4 – Business Continuity Plans
Establish Processes & Procedures:
• Establish Communications
• Determine Immediate Steps
• Respond to unanticipated threats
• Focus on disruptive events
• Minimise consequences
Incident Response Structure:
• Identify incident thresholds
• Activate BC Response
• Define processes and procedures
• Ensure resources are available
• Communicate with stakeholders
Business Continuity Plans:
• Define Roles & Responsibilities
• Response activation
• Manage immediate incident consequences
• Recover prioritised activities
• Define Communications Strategy
• Post incident stand-down
ISO22301 provides guidance to:
• Establish Processes and Procedures
• Define an Incident Response Structure
• Develop Business Continuity Plans
A.17.1.3 Verify Controls
‘A.17.1.3 Verify the information security controls at regular intervals to ensure that they are valid and effective during adverse situations’
ISO 22301 Guidance: 8.5 – Exercising & Testing; 9.1 – Performance Evaluation; 10.0 – Improvement
Exercise & Test:
• Appropriate Scenarios
• Validate BCMS requirements
• Minimise risk of disruption
• Develop post-exercise reports
• Review for Continual Improvement
• Conduct at planned intervals
Performance Evaluation:
• What should be monitored?
• Monitoring Methods
• Monitoring Frequency
• Analysis of Results
Improvement:
• Identify Nonconformities
• React to Nonconformities
• Eliminate Nonconformity causes
• Implement corrective actions
• Review effectiveness of corrective actions
• Update BCMS if needed
ISO22301 provides guidance for:
• Exercising & Testing
• Evaluating Performance
• Continual Improvement
Pitfalls & Implementation Challenges
Pitfalls in ISO/IEC 27001 & ISO 22301:
• Culture of the company
• Top Management commitment
• Scope effort (Time and Resources)
• Risk assessment and Treatment
ISO/IEC 27001 Implementation Challenges
THANK YOU
Q&A
Rod Crowder: rod.crowder@opscentre.com, https://www.linkedin.com/in/rodcrowder/
Rudy Shoushany: rudy@dxtalks.com, https://www.linkedin.com/in/rudyshoushany/

ISO/IEC 27001 and ISO 22301: How do they map?

  • 1.
  • 2. Agenda  Introductions  ISO27001 ‘Information Security Management System’ Overview  ISO22301 ‘Business Continuity Management System’ Overview  Improving an ISO27001 Continuity Plan with ISO22301  Case Studies, Implementation examples and Challenges
  • 3. Introductions Rudy Shoushany Strategist in Governance of Cybersecurity & Digital Transformation Rod Crowder Author, Speaker, and Managing Director at OpsCentre
  • 4. ISO/IEC 27001 Information Security Management System Overview
  • 5. What is ISO/IEC 27001 ISMS? • ISO 27001 is the international standard for information security • It sets out the specification for an Information Security Management System (ISMS) • ISO27001 helps organizations manage information security via people, process and technology • Certification to ISO27001 is recognised worldwide
  • 6. Four Key Benefits of ISO/IEC 27001 Compliance Reduced Expenses Marketing Edge Place you organisation in order
  • 7. ISO/IEC 27001: A Global Standard on ISMS ISO/IEC 27001 has: • 14 Control Areas (or ‘Domains’) • 34 Control Objectives • 114 Individual Control Points
  • 9. ISO/IEC 27001 Compliance Steps 8 Steps to Compliance: • Organization Context • Scope • Leadership • Planning • Organization Context • Operations • Performance • Improvement
  • 10. ISO/IEC 27001 describes the structure of the framework and uses the Plan-Do-Check- Act cycle (PDCA-cycle). ISO/IEC 27001 PDCA Cycle
  • 11.
  • 12. HOW WILL 2022 CHANGES AFFECT MY CURRENT ISO/IEC 27001 CERTIFICATE? In our opinion, the best way to comply with these changes is: 1.To update your risk treatment process with new controls 2.To update your Statement of Applicability 3.To adapt certain sections in your existing policies and procedures. 2022 Changes to ISO/IEC 27001
  • 13. ISO/IEC 27001 New Controls introduced in 2022
  • 14. ISO 22301 Business Continuity Management System Overview
  • 15. What is Business Continuity Management? Business Continuity Management assists an organization to continue its critical business operations in the event of a significant incident or business disruption. A Business Continuity Framework provides a structured response to an incident, minimizing the overall impact to the organsation and it’s key internal and external stakeholders
  • 16. Scope of ISO 22301 “The ISO 22301 International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system The goal is to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
  • 17. Business Disruption Incidents Business Continuity Plans focus on what resources are impacted rather than what incident has happened Loss of, or impact to Premises • Fire • Flood • Utility Loss • Denial of Access • Civil disturbance Loss of, or impact to People • Pandemic or Epidemic • Unexpected loss or absence of key Personnel • Large scale of people impacted • Travel/transport incident Loss of, or impact to ICT • Local/external network • Data centre outage • Communications • Hardware software failure • Cyber security incident Loss of, or impact to Key Suppliers • Key suppliers experience an event/disaster • Product supply impact • Industry-wide impact
  • 19. Similar to ISO/IEC 27001, ISO 22301 specifies the requirements for setting up and managing a BCMS.
    ISO 22301 Structure: Requirements (Sections 4 to 10)
    • Section 4 Context of the Organisation
    • Section 5 Leadership
    • Section 6 Planning
    • Section 7 Support
    • Section 8 Operations: 8.1 Operational Planning & Control; 8.2 Business Impact Analysis and Risk Assessment; 8.3 Business Continuity Strategy; 8.4 Establish and Implement Business Continuity Procedures; 8.5 Exercising & Testing
    • Section 9 Performance Evaluation
    • Section 10 Improvement
    Key Business Continuity Content, ‘Section 8: Operations’: 8.1 Operational Planning & Control; 8.2 Business Impact Analysis and Risk Assessment; 8.3 Business Continuity Strategy; 8.4 Establish/Implement Business Continuity Procedures; 8.5 Exercising & Testing
  • 20. ISO 22301 & ISO/IEC 27001 Mapping. Source: https://www.isaca.org/resources/isaca-journal/issues/2015/volume-2/simultaneous-implementation-of-an-integrated-isms-and-a-bcms 1. Both standards protect Availability, but ISO 27001 also focuses on Confidentiality and Integrity; 2. Both are based on the Plan-Do-Check-Act (PDCA) cycle; 3. Both work towards risk management with different objectives but similar goals
  • 21. ISO 22301 & ISO/IEC 27001 Differences
    • ISO27001 Information Security: focuses on preserving the CIA (Confidentiality, Integrity and Availability) of information; Technology/Information focus; Protection / Pre-Incident focus
    • ISO22301 Business Continuity: focuses on recovery and restoration of critical business functions and processes after a disaster/incident; Business-wide focus (People, Technology, Premises & 3rd Parties); Response / Post-Incident focus
    • Common Management System: 4 – Context of the Organisation; 5 – Leadership; 6 – Planning; 7 – Support; 8 – Operation; 9 – Performance Evaluation; 10 – Improvement
    • Domain A.17 Information Security Continuity: ISO22301 provides implementation guidance for ISO27001 A.17
  • 22. Improving an ISO/IEC 27001 Continuity Plan with ISO 22301
  • 23. How ISO 22301 supports ISO/IEC 27001
    • ISO/IEC 27001 Information Security Requirements: A.17.1.1 Determine its requirements for information security and the continuity of information security management in adverse situations; A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation; A.17.1.3 Verify the established and implemented information security controls at regular intervals in order to ensure that they are valid and effective during adverse situations
    • ISO 22301 Supporting Guidance: 8.2.2 – Business Impact Analysis; 8.2.3 – Business Continuity Strategy; 8.3.2 – Establishing Resource Requirements; 8.4.1 – Establish & Implement BC Procedures; 8.4.2 – Incident Response Structure; 8.4.4 – Business Continuity Plans; 8.5 – Exercising & Testing; 9.1 – Performance Evaluation; 10.0 – Improvement
  • 24. A.17.1.1 Determine Requirements (ISO 22301: 8.2.2 – Business Impact Analysis; 8.3.1 – Business Continuity Strategy; 8.3.2 – Establish Resource Requirements)
    ‘A.17.1.1 Determine requirements for information security and the continuity of information security management in adverse situations’
    ISO 22301 Guidance:
    • Determine Key Activities by time and their criticality, including peak periods and time variables
    • Key Resources: people, IT systems & applications, information, records, and supply chains needed to achieve objectives
    • Inter-dependencies and how they may be affected by a disruption
    • Possible impacts (i.e. financial, customer, legal, reputation, compliance, staffing)
    • Risk Assessment: identify and analyse disruption-related risks that need treatment
    • Determine Strategies to protect activities, respond to incidents and prioritise resumption timeframes
    • Determine Resources needed (people, information, data, premises, IT systems and applications, finance, 3rd party partners and suppliers)
    • Consider Proactive Measures to reduce the likelihood, shorten the disruption and limit the impact
    Covers: Business Impact Assessment; Business Continuity Strategies; Business Continuity Resource Requirements
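The resource-based approach of slides 17 and 24 (a plan reacts to which resources are lost, and inter-dependencies carry the impact on to activities that lost nothing directly) as an added worked example. This is illustration code written for this page, not code from the webinar or from ISO 22301; every resource, activity, impact score and resumption timeframe in it is constructed sample data, and reading the slide's "resumption timeframe" as the RTO of ISO 22301 is an assumption.

```python
"""Resource-based business impact analysis (BIA).

Added example: a continuity plan is driven by WHICH RESOURCES are lost
(premises, people, ICT, suppliers), not by which incident caused it, and
inter-dependencies propagate the impact to activities that did not lose a
resource directly. Every activity, resource, score and timeframe below is
constructed sample data, not taken from the deck.
"""
from dataclasses import dataclass, field

# Resource categories from the 'Business Disruption Incidents' slide.
PREMISES, PEOPLE, ICT, SUPPLIERS = "premises", "people", "ict", "suppliers"

# Constructed inventory: resource name -> category it belongs to.
RESOURCES = {
    "head_office": PREMISES,
    "primary_dc": ICT,
    "erp_system": ICT,
    "payroll_team": PEOPLE,
    "card_processor": SUPPLIERS,
}

# Resource-level dependencies, e.g. the ERP system runs in the primary data
# centre, so losing the data centre also takes the ERP system away.
RESOURCE_DEPENDS = {"erp_system": {"primary_dc"}}


@dataclass
class Activity:
    name: str
    resumption_hours: int           # assumed target resumption timeframe (RTO in ISO 22301 terms)
    impacts: dict                   # 1-5 score per impact type (financial, customer, legal, ...)
    resources: set = field(default_factory=set)   # key resources the activity needs
    depends_on: set = field(default_factory=set)  # other activities it cannot run without

    def impact_score(self) -> int:
        return sum(self.impacts.values())


ACTIVITIES = [
    Activity("customer_payments", 4, {"financial": 5, "customer": 5, "legal": 3},
             resources={"erp_system", "card_processor"}),
    Activity("order_fulfilment", 8, {"financial": 4, "customer": 4, "reputation": 3},
             resources={"head_office", "erp_system"}, depends_on={"customer_payments"}),
    Activity("payroll", 72, {"staffing": 5, "legal": 4, "compliance": 3},
             resources={"payroll_team", "erp_system"}),
    Activity("marketing_campaigns", 120, {"financial": 1, "reputation": 2},
             resources={"head_office"}),
]


def expand_lost_resources(lost: set) -> set:
    """Close the lost set over RESOURCE_DEPENDS: a resource that needs a lost one is lost too."""
    lost = set(lost)
    changed = True
    while changed:
        changed = False
        for resource, needs in RESOURCE_DEPENDS.items():
            if resource not in lost and needs & lost:
                lost.add(resource)
                changed = True
    return lost


def lost_categories(lost: set) -> set:
    """Which of the four resource categories a scenario touches."""
    return {RESOURCES[r] for r in expand_lost_resources(lost)}


def impacted_activities(activities, lost: set) -> set:
    """Activities hit directly (a needed resource is lost) or through inter-dependencies."""
    lost = expand_lost_resources(lost)
    impacted = {a.name for a in activities if a.resources & lost}
    changed = True
    while changed:            # propagate along depends_on until nothing new is added
        changed = False
        for a in activities:
            if a.name not in impacted and a.depends_on & impacted:
                impacted.add(a.name)
                changed = True
    return impacted


def resumption_order(activities, lost: set) -> list:
    """Prioritised resumption: shortest timeframe first, then highest impact."""
    hit = impacted_activities(activities, lost)
    ordered = sorted((a for a in activities if a.name in hit),
                     key=lambda a: (a.resumption_hours, -a.impact_score()))
    return [a.name for a in ordered]


if __name__ == "__main__":
    scenarios = {"data centre outage": {"primary_dc"},
                 "denial of access to head office": {"head_office"},
                 "card processor outage": {"card_processor"}}
    for scenario, lost in scenarios.items():
        print(f"{scenario}: categories={sorted(lost_categories(lost))}, "
              f"resume in order {resumption_order(ACTIVITIES, lost)}")
```

The three scenarios are different incidents, but the plan only needs the lost-resource set: a data centre outage and an ERP failure produce the same resumption list, which is the point the slide makes about planning by resource rather than by incident.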
  • 25. A.17.1.2 Establish Plans (ISO 22301: 8.4.1 – Establish Process & Procedures; 8.4.2 – Incident Response Structure; 8.4.4 – Business Continuity Plans)
    ‘A.17.1.2 Establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation’
    ISO 22301 Guidance:
    • Establish Processes & Procedures: establish communications; determine immediate steps; respond to unanticipated threats; focus on disruptive events; minimise consequences
    • Incident Response Structure: identify incident thresholds; activate BC response; define processes and procedures; ensure resources are available; communicate with stakeholders
    • Business Continuity Plans: define roles & responsibilities; response activation; manage immediate incident consequences; recover prioritised activities; define communications strategy; post-incident stand-down
    ISO22301 provides guidance to: establish processes and procedures; define an incident response structure; develop business continuity plans
  • 26. A.17.1.3 Verify Controls (ISO 22301: 8.5 – Exercising & Testing; 9.1 – Performance Evaluation; 10.0 – Improvement)
    ‘A.17.1.3 Verify the information security controls at regular intervals to ensure that they are valid and effective during adverse situations’
    ISO 22301 Guidance:
    • Exercise & Test: appropriate scenarios; validate BCMS requirements; minimise risk of disruption; develop post-exercise reports; review for continual improvement; conduct at planned intervals
    • Performance Evaluation: what should be monitored? monitoring methods; monitoring frequency; analysis of results
    • Improvement: identify nonconformities; react to nonconformities; eliminate nonconformity causes; implement corrective actions; review effectiveness of corrective actions; update BCMS if needed
    ISO22301 provides guidance for: exercising & testing; evaluating performance; continual improvement
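An added example, not from the deck, of the verification cadence this slide maps A.17.1.3 onto: each control carries a planned exercise interval, a control that was never exercised, failed its last exercise or is past its interval is a nonconformity, and a corrective action may only be closed once a later exercise shows it was effective. The control names, intervals, dates and the four status labels are constructed for the example.

```python
"""Verifying continuity controls at planned intervals.

Added example for A.17.1.3 as supported by ISO 22301 clauses 8.5
(exercising and testing), 9.1 (performance evaluation) and 10
(improvement). Control names, intervals, dates and status labels are
constructed sample data, not from the deck.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class VerificationPlan:
    control: str
    interval_days: int          # planned interval between exercises


@dataclass
class Exercise:
    control: str
    held_on: date
    passed: bool                # did the control prove valid and effective?


@dataclass
class CorrectiveAction:
    control: str
    implemented_on: date        # when the fix addressing the nonconformity was put in place


def latest_exercise(exercises, control) -> Optional[Exercise]:
    runs = [e for e in exercises if e.control == control]
    return max(runs, key=lambda e: e.held_on) if runs else None


def evaluate(plans, exercises, today: date) -> dict:
    """Status per control: never_tested, failed, overdue or effective."""
    status = {}
    for plan in plans:
        last = latest_exercise(exercises, plan.control)
        if last is None:
            status[plan.control] = "never_tested"
        elif not last.passed:
            status[plan.control] = "failed"
        elif (today - last.held_on).days > plan.interval_days:
            status[plan.control] = "overdue"
        else:
            status[plan.control] = "effective"
    return status


def nonconformities(status: dict) -> list:
    """Controls that need a reaction under clause 10: anything not shown effective."""
    return sorted(c for c, s in status.items() if s != "effective")


def next_due(plans, exercises) -> dict:
    """Planned date of the next exercise; None means it has to be scheduled now."""
    due = {}
    for plan in plans:
        last = latest_exercise(exercises, plan.control)
        due[plan.control] = last.held_on + timedelta(days=plan.interval_days) if last else None
    return due


def action_closable(action: CorrectiveAction, exercises) -> bool:
    """Review of effectiveness: close only if an exercise held after the fix passed."""
    return any(e.control == action.control and e.held_on > action.implemented_on and e.passed
               for e in exercises)


# Constructed sample register.
PLANS = [
    VerificationPlan("backup_restore", 90),
    VerificationPlan("dc_failover", 180),
    VerificationPlan("call_tree", 365),
    VerificationPlan("dr_runbook_walkthrough", 180),
    VerificationPlan("alternate_site", 180),
]
EXERCISES = [
    Exercise("backup_restore", date(2023, 1, 15), True),
    Exercise("dc_failover", date(2022, 7, 1), False),       # failed: raised a nonconformity
    Exercise("dc_failover", date(2022, 10, 15), True),      # re-test after the corrective action
    Exercise("call_tree", date(2021, 12, 1), True),         # passed, but long past its interval
    Exercise("dr_runbook_walkthrough", date(2022, 11, 1), False),
]
ACTIONS = [
    CorrectiveAction("dc_failover", date(2022, 9, 1)),
    CorrectiveAction("dr_runbook_walkthrough", date(2022, 12, 1)),
]
TODAY = date(2023, 3, 1)   # fixed 'today' so the example is reproducible


def sample_status() -> dict:
    return evaluate(PLANS, EXERCISES, TODAY)


if __name__ == "__main__":
    status = sample_status()
    print(status)
    print("nonconformities:", nonconformities(status))
    print("next due:", next_due(PLANS, EXERCISES))
    for action in ACTIONS:
        print(action.control, "corrective action closable:", action_closable(action, EXERCISES))
```

A passed exercise that is older than its interval is reported as overdue rather than effective, which mirrors the slide's "conduct at planned intervals": evidence of effectiveness expires.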
  • 27. Pitfalls & Implementation Challenges
  • 28. Pitfalls in ISO/IEC 27001 & ISO 22301
  • 29. ISO/IEC 27001 Implementation Challenges: culture of the company; top management commitment; scope effort (time and resources); risk assessment and treatment

Editor's Notes

  1. Webinar Invite: How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301? For an organization to have a proper information security management system in place and to ensure that the business runs the same even after incidents, it should have a business continuity plan implemented as well. Register for our upcoming webinar and learn more on the mapping of ISO/IEC 27001 and ISO 22301.
  2. 15 mins Rudy (ISO27001); 15 mins Rod (22301); 15 mins Focused Discussion: How can we make an ISO/IEC 27001 business continuity plan smoother and easier with ISO 22301? Audience questions: case studies, implementation examples, implementation challenges, etc.
  3. Rudy Shoushany Strategist in Governance of Cybersecurity & Digital Transformation Rod Crowder Author, Speaker, and Managing Director at OpsCentre
  4. ISO22301 specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). A BCMS emphasizes the importance of: understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives, implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents, monitoring and reviewing the performance and effectiveness of the BCMS, and continual improvement based on objective measurement. ISO27001 specifies the requirements for setting up and managing an effective Information Security Management System (ISMS); which preserves the Confidentiality, Integrity and Availability (CIA) of information by applying a Risk Management process and gives confidence to interested parties that risks are adequately managed.
  5. What is ISO 27001? Originally published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 makes up the core framework for the ISO 27000 series, a collection of documents outlining standards for information security management. ISO 27001, also known as ISO/IEC 27001, is the central set of certification standards for planning, implementing, operating, monitoring, and improving an information security management system (ISMS). The goal of ISO 27001 certification is the effective establishment and management of an ISMS. Information Security Management Systems (ISMS): An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets. An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes, and technology. Informed by regular information security risk assessments, an ISMS is an efficient, risk-based, and technology-neutral approach to keeping your information assets secure. Many use ISO 27001 as a guiding framework for developing and implementing information security best practices. It is built around 14 domains and 114 controls.
  6. Four Key Benefits of ISO 27001. Compliance: the first benefit of ISO 27001 is compliance. It might seem odd to list this as the top benefit, but it often shows the fastest Return on Investment (ROI): if the organization must comply with various regulations regarding data privacy, data protection and IT governance (particularly in industries like health, banking and government agencies), then ISO 27001 brings in a methodology that allows it to do so in the most efficient way. Marketing edge and business opportunities: in today’s market the competition is greater, and it is challenging to find something that protects your organization’s information and your customers’ data. ISO 27001 is a unique certification and can indeed be a selling point, especially if the organization is required to handle customer databases and sensitive information. Reduce the expenses. Placing your organization in order: many companies that have been growing sharply for the last few years experience problems such as who is responsible for certain information assets, who has to decide what, who has to authorize access, etc. Here ISO 27001 is an excellent tool for sorting these things out: it will force you to define both roles and responsibilities very accurately, and therefore strengthen your internal organization.
  7. How to implement an ISMS in your organization? Following is a generic process for implementing an ISO 27001 based ISMS in your organization:
STEP 1: Build a team responsible for the ISMS. It should include all relevant departments.
STEP 2: Identify all assets. Assign a value to each asset (the value can be the acquisition value or the loss value). Identify the owner of each asset. Assets can be of many kinds, such as information assets, hardware assets, people assets, building assets and software assets.
STEP 3: Identify and finalize a risk analysis technique. Train your ISMS team in this risk analysis technique.
STEP 4: Conduct a risk analysis and evaluate the risks to all assets.
STEP 5: Select controls and apply them.
STEP 6: Conduct an internal audit.
STEP 7: Conduct a management review.
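Steps 2 to 5 of this generic process (value and own each asset, analyse the risks to it, select controls) together with the Statement of Applicability that slide 12 says must be updated with the risk treatment, as an added worked example. The code is written for this page and is not the presenters' or ISO's; the scoring method (asset value times likelihood times vulnerability, with everything at or above an acceptance threshold treated) is one common simple technique rather than anything ISO 27001 prescribes, and all assets, owners, scores and control choices are constructed sample data. The domain identifiers are the 2013 Annex A domains listed in these notes.

```python
"""Asset register, risk assessment and Statement of Applicability (SoA).

Added example for STEP 2 to STEP 5 above. The scoring scheme is one simple
technique, not an ISO 27001 requirement; assets, owners, scores and control
choices are constructed sample data, not from the deck.
"""
from dataclasses import dataclass

# Annex A control domains named in these notes (ISO/IEC 27001:2013 numbering).
ANNEX_A = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # information, hardware, people, building, software
    owner: str       # every asset gets an owner (STEP 2)
    value: int       # 1-5: acquisition or loss value on an ordinal scale


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int      # 1-5
    vulnerability: int   # 1-5: how exposed the asset is to this threat
    controls: tuple      # Annex A domains that would treat the risk


def risk_score(asset: Asset, risk: Risk) -> int:
    """Ordinal risk level from 1 to 125; higher means more urgent to treat."""
    return asset.value * risk.likelihood * risk.vulnerability


def assess(assets, risks, accept_below: int = 30) -> list:
    """STEP 4/5: score every risk and decide treat vs. accept, highest score first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for r in risks:
        score = risk_score(by_name[r.asset], r)
        treat = score >= accept_below
        rows.append({"asset": r.asset, "owner": by_name[r.asset].owner, "threat": r.threat,
                     "score": score, "treatment": "treat" if treat else "accept",
                     "controls": r.controls if treat else ()})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def statement_of_applicability(assessment) -> dict:
    """SoA: for each Annex A domain, whether it applies and which treated risks drove that."""
    selected = {}
    for row in assessment:
        for control in row["controls"]:
            selected.setdefault(control, []).append(f"{row['asset']}/{row['threat']}")
    return {cid: {"name": name, "applicable": cid in selected,
                  "justification": ("treats risks: " + ", ".join(selected[cid])) if cid in selected
                  else "not selected by the current risk assessment"}
            for cid, name in ANNEX_A.items()}


# Constructed sample register.
ASSETS = [
    Asset("customer_db", "information", "Head of Sales", 5),
    Asset("laptop_fleet", "hardware", "IT Manager", 3),
    Asset("hr_records", "information", "HR Director", 4),
]
RISKS = [
    Risk("customer_db", "ransomware", 3, 4, ("A.12", "A.17")),
    Risk("laptop_fleet", "theft of an encrypted laptop", 3, 2, ("A.11",)),
    Risk("hr_records", "unauthorised access", 2, 4, ("A.9", "A.10")),
]

if __name__ == "__main__":
    rows = assess(ASSETS, RISKS)
    for row in rows:
        print(row)
    for cid, entry in statement_of_applicability(rows).items():
        print(cid, entry["applicable"], entry["justification"])
```

Because the SoA is derived from the treated risks, changing the acceptance threshold, re-scoring a risk, or adding new controls to a treatment automatically changes which domains are marked applicable and why, which is the dependency between the risk treatment process and the SoA that the 2022 transition advice on slide 12 relies on.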
  8. 14 domains, 114 controls.
A5 Information Security Policy (2 controls): Management needs to provide direction and support for information security in accordance with business requirements and relevant laws and regulations. In essence, your InfoSec team needs to create an information security policy. This document defines how your organization will set up your ISMS. It should contain a set of policies for management to communicate with employees and external parties (such as suppliers and customers).
A6 Organizing information security (7 controls): Setting up a management framework to initiate and control the operation of information security within the organization. Your organization should think about the roles and responsibilities as well as the segregation of duties. Who should you communicate with among special interest groups and authorities, and how? What about security during teleworking and the use of mobile devices?
A7 Human resource security (6 controls): Information security within Human Resources is defined under section A7 of ISO 27001. It is divided into different stages: before, during, and termination or change of employment. All these requirements make sense within HR-related processes, including prospective employee screening, communicating the terms and conditions of employment, disciplinary processes, and information security awareness training.
A8 Asset management (10 controls): Your company needs to create an inventory of all assets associated with information (including non-digital assets) and assign ownership. You should also think about the acceptable use, return, labelling, handling, and classification of those assets. Your organization will have to implement controls for media removal and define how to transfer or dispose of media.
A9 Access control (14 controls): This set of controls handles user access to systems, documents, and software. Your organization will need to write an access control policy, manage user access through registration, and review and adjust access rights on a regular basis. This topic also includes password management, source code restrictions, and the use of secret authentication information.
A10 Cryptography (2 controls): The cryptographic controls are needed to ensure the protection of the confidentiality, authenticity, and integrity of information. Make sure you think about a mature encryption solution for hard disks and review your external information sharing solution(s). Encrypting (personal) information is also an obligation under the GDPR.
A11 Physical and environmental security (15 controls): The goal of implementing these controls is to prevent unauthorised access, damage and interference to information and facilities (buildings, IT rooms, development environment, etc.). It covers the secure areas and equipment of the organization. These controls include physical access controls, such as issuing keys (badges) or access codes to authorised personnel, and protection against natural disasters, malicious attacks and accidents. Another set of controls in this section covers how to handle equipment issues such as regularly scheduled maintenance, clean desk and clear screen policies, and delivery of equipment. It also asks for guidelines on how to ensure appropriate protection for unattended equipment.
A12 Operations security (14 controls): The Operations controls of ISO 27001 cover the securing of all operational matters of the processes within the scope of the ISMS, from documentation of procedures and event logging to protection against malware and management of technical vulnerabilities. Change and capacity management also deserve the necessary attention here. Taking and maintaining backups of information and software are also part of these controls. As an organization, you have a lot of work to do!
A13 Communications security (7 controls): Within this chapter, a high-level network topology is an added value. Starting from this high-level map, you can dive more in depth to check the settings on firewalls, switches, access points and VLANs. Think also about network architecture and data flow diagrams. In a clear policy you should define how information can be transferred between parties depending on its information classification. Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
A14 System acquisition, development, and maintenance (13 controls): A14 aims to build security into the infrastructure of information systems. This includes requirements for information systems throughout the entire lifecycle, including design, testing, implementation, and analysis. Controls under A14 include securing applications used on public networks (A14.1.2) and protecting application services transactions (A14.1.3). This is also where the agreements and principles about the secure development of software are drawn up. Most of these checks apply to your developers and system engineers.
A15 Supplier relationships (5 controls): With these 5 controls on supplier relationships, you must address security within supplier agreements, regularly monitor and assess supplier services, and manage supplier (service) changes to mitigate risk. Here lies the cause of the famous long Information Security Questionnaires you receive.
A16 Information security incident management (7 controls): A16 is all about the management of information security incidents, events and weaknesses. The objective in this Annex A area is to ensure a consistent and effective approach to the lifecycle of incidents, events and weaknesses. First of all, you should have the proper procedures for handling security incidents in place, including incidents where personal information is involved (GDPR Art. 33 & 34). In practice you should be able to demonstrate your reporting on security incidents: when it happened, what the impact was, what quick fix you put in place to eliminate the incident, and what corrective action you implemented after a Root Cause Analysis.
A17 Information security aspects of business continuity management (4 controls): This is where we will see more on the BC side and the mapping with Rod. One of the main reasons for implementing ISO 27001 is to guarantee the availability of the information (systems). A good business continuity plan, including regular tests, is key to achieving a level of peace of mind. Redundant equipment, where appropriate, also contributes to the availability of information.
A18 Compliance (8 controls): Follow your own rules! These controls ask your organization to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. Basically, it asks that the organization makes sure that it complies with the policies and procedures laid out in the above requirements. A (yearly) penetration test also contributes to technical compliance.
  9. The goals of ISO 27001 certification include the following: develop a security culture in the organization; protect the company’s brand reputation; minimize information security risks; protect the company’s personnel information and data; ensure Confidentiality, Integrity and Availability; preserve the integrity of data; promote the availability of data for authorized users; secure the exchange of information between interested parties; save time and money. The ISO 27001 standard focuses on the requirements for an information security framework that relies on confidentiality (information is only available to authorized users), integrity (information is accurate and complete) and availability (authorized users have access to information when they need it). Technology/Information focus. Protection / Pre-Incident focus.
  10. What is ISO 27002? ISO 27002, or ISO/IEC 27002:2022, provides guidance on the selection, implementation, and management of security controls based on an organization's information security risk environment. In other words, it is a supplementary standard supporting ISO 27001 that goes into greater detail about the information security controls an organization may apply from the ISO 27001 list. ISO 27002 organizes the controls into 14 main groups, described under clauses 5-18: A.5 Information security policies; A.6 Organization of information security; A.7 Human resource security; A.8 Asset management; A.9 Access control; A.10 Cryptography; A.11 Physical and environmental security; A.12 Operations security; A.13 Communications security; A.14 System acquisition, development, and maintenance; A.15 Supplier relationships; A.16 Information security incident management; A.17 Information security aspects of business continuity management; A.18 Compliance. According to the International Organization for Standardization, ISO 27002 is designed to be used by organizations that intend to: select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001; implement commonly accepted information security controls; develop their own information security management guidelines. What is ISO 27003? ISO 27003, also called ISO/IEC 27003:2017, provides guidance for implementing an ISMS based on ISO 27001. ISO 27003 covers the process of ISMS specification and design from inception to planning. It describes how to obtain management approval to implement an ISMS, define an ISMS implementation project and plan the ISMS project. As a result, organizations that follow ISO 27003 will produce a final ISMS project implementation plan. Clauses 4 through 10 mirror the organization of ISO 27001, making them easy to compare and reference.
The descriptions follow the same structure throughout. Required activity: outlines key activities required in the corresponding subclause of ISO/IEC 27001. Explanation: explains what the requirements of ISO/IEC 27001 imply. Guidance: provides additional details and supporting information to implement the “required activity,” with examples. Other information: supplies further information that can be considered. ISO 27001 vs. ISO 27002: The main difference between ISO 27001 and ISO 27002 is that ISO 27002 is a detailed supplementary guide to the security controls in the ISO 27001 framework. ISO 27002 provides best-practices guidance on selecting and implementing the controls listed in ISO 27001. These controls are referenced in ISO 27001 documentation in Appendix A, which includes 114 security controls divided into 14 control sets. But where ISO 27001 provides a brief outline of key information security controls, ISO 27002 describes them in depth, explaining how each control works, its purpose and objectives, and how it can be implemented. In other words, ISO 27002 is a supporting document and should be read alongside ISO 27001. ISO 27001 vs. ISO 27003: ISO 27003 provides basic but comprehensive guidance for all the requirements of an information security management system described under ISO 27001. This includes recommendations (‘should’), possibilities (‘can’), and permissions (‘may’) related to those requirements. However, ISO 27003 is not a certification standard like ISO 27001: organizations are under no obligation to follow the guidance in ISO 27003.
  11. HOW WILL 2022 CHANGES AFFECT MY CURRENT ISO 27001 CERTIFICATE? The new updates do not impact your existing certification against the ISO 27001 standard. Instead, the accreditation bodies will jointly work with the certification companies on a transition period to allow organisations with ISO 27001 certification to shift to the newer version efficiently. Still, until the updated version of ISO 27001 is officially released, your Statement of Applicability (SoA) should refer to the controls contained in Annex A of ISO 27001:2013. ISO 27002:2022 should only be used as a reference to other controls.
  12. The updated ISO 27001 has been restructured and will have 93 controls.
  13. Business Continuity Management is a program that assists an organisation to continue its critical business operations in the event of a significant incident or business disruption. This is achieved by identifying the critical business functions, processes and resources to build a Business Continuity Plan that provides response and recovery strategies. A Business Continuity Framework provides a structured response to an incident, minimising the overall impact to the organisation and its key internal and external stakeholders (employees, clients, community, public, government, suppliers and other stakeholders). ISO22301 specifies the requirements for setting up and managing an effective Business Continuity Management System (BCMS). A BCMS emphasizes the importance of: understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives; implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents; monitoring and reviewing the performance and effectiveness of the BCMS; and continual improvement based on objective measurement.
  15. Requirements (Sections 4 to 10): Section 4 Context of the Organisation; Section 5 Leadership; Section 6 Planning; Section 7 Support; Section 8 Operations (8.1 Operational Planning & Control; 8.2 Business Impact Analysis and Risk Assessment; 8.3 Business Continuity Strategy; 8.4 Establish and Implement Business Continuity Procedures; 8.5 Exercising & Testing); Section 9 Performance Evaluation; Section 10 Improvement
  16. A.17 defines Information Security Continuity but does not provide any details of how to achieve it. This is where 22301 supports 27001. ISO22301: business focus, not just information/technology focus; responds to multiple types of events (People, Technology, Premises and Third Parties); can be used to support implementation of ISO27001 ISMS control A.17.
  17. Workarounds and/or preventative countermeasures that can be implemented in the event of a major business disruption
  18. 1 – Establish Processes, Procedures & Controls TBA TBA 2 – Establish Incident Response Structure TBA TBA 3 – Develop Business Continuity Plans TBA TBA
  19. 1 – Exercise and Test Security Controls 2 – Undertake Management Reviews 3 – Implement Continual Improvement
  20. Pitfalls ISO 27001 documentation can be the biggest “chunk” of the implementation. Because the management system requires more procedural documents such as policies, the focus on writing those policies takes up a lot of time. But setting up the infrastructure for regularly scheduled reviews, such as access control, also requires time and commitment from all involved within the company. To avoid writing this documentation (policies, procedures, work instructions) all by yourself, you can work with a consultant who provides templates and guidelines to mature your organization’s awareness quickly. Bear in mind that an audit is sample-based, but your controls need to continue to operate between annual audits. Otherwise, it’s likely that your organization will risk non-compliance and create more work when the time comes to be audited again. ISMS is a story of continuous improvement!