Speakers
• Danny Manimbo – Principal / ISO Practice Co-Director (based in Denver, CO)
• Erik Tomasi – Managing Director, EMTsec (based in Miami, FL)
• Sawyer Miller – Senior Manager / ISO Practice Leader (based in Atlanta, GA)
Follow us @Schellman; Erik Tomasi on Twitter (@ErikTomasi) or LinkedIn. Check out our YouTube channel and connect with us on LinkedIn.
Agenda
1. ISO 27032:2012 – A Framework for Cybersecurity Risks
2. ISO/IEC 27000-series, Standards, 27001 vs 27002
3. ISO 27002:2022 and 27001:2022 Updates
4. Q&A
1. ISO 27032:2012 – A Framework for Cybersecurity Risks
Security Concepts and Relationships
• Cybersecurity focuses on protecting the Confidentiality, Integrity, and Availability of the assets and data that stakeholders care about
• So how do we build a model that lets us conceptualize how best to do that?
• We must identify Assets, the Threats against them, and the Vulnerabilities in our control framework
• The potential exploitation of vulnerabilities by threats creates risks
• Risks should be managed down to an acceptable level
Who are the Stakeholders?
• Executives
• Boards
• Shareholders
• Regulatory Bodies
• Partners
• Consumers (You and Me!!)
From ISO 27032:2012:
“The Cyberspace belongs to no one; everyone can participate and has a stake in it.”
ISO 27032:2012 Concepts in Action
• Read ISO 27032:2012 and filter it for your needs
• Define the roles and responsibilities – a good place to start is department/business unit leaders
• Get a good GRC tool – one that enables you to track risks, risk owners, and treatment plans
• Set up interviews with individuals and small groups
• Take them through the exercise of identifying Assets, Threats, and Vulnerabilities
• Articulate risk statements from the information gathered
• Identify Risk Owners and work with them to develop treatment plans and due dates
Risk Management Tips
It depends on your organization. Right-size it. What is your risk appetite?
Be clear on scope. Be clear on purpose.
Focus on known topics and known issues first.
Ask open-ended questions, for example: if you could change anything, what would you change to reduce InfoSec risk the most?
Don’t try to boil the ocean. The 80/20 rule usually applies.
2. ISO/IEC 27000-series, Standards, 27001 vs 27002
ISO/IEC 27000-series
• Jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005
• Revised; the current version was published in 2013
• Information Security Management System (ISMS):
  – Defines and manages a set of security controls
  – Designed to protect the Confidentiality, Integrity, and Availability (CIA) of IT assets
  – Risk-based approach (after asset identification and valuation): threats, vulnerabilities, a risk matrix of impact vs likelihood, and mitigation
• Also known as the ISMS Family of Standards or “ISO27K”
• Considered the gold standard of information security frameworks
• Numerous use cases (global multinational firm, SaaS vendor)
ISO/IEC 27000 Partial List of Publications
Standard | Title | Description
27000 | ISMS | Overview and vocabulary of the framework
27001 | IT Security Techniques | Core InfoSec standard, generic ISMS. Management clauses and Annex A (5-18) controls
27002 | InfoSec Code of Practice | Detailed catalog of security controls
27003 | InfoSec Implementation Guide | Project plan on approach and recommendations
27004 | InfoSec Management | Auditing guide – monitoring & measuring (KPIs)
27005 | InfoSec Risk Management | How to identify, assess, evaluate and treat InfoSec risk
27701 | Privacy Information Management System (PIMS) | One of dozens of 27000-series publications, focused on privacy risk. Published in 2019
ISO/IEC 27001:2013 Control Summary (figure)
27001:2013 Control Example – Annex 5 (figure)
ISO/IEC 27001 as a Framework – Questions to consider
How mature is my organization’s InfoSec program?
• If immature, it might pay to use a less rigorous standard
• Improve the security program and controls
• Use a crosswalk to leverage existing work
Are we a global organization?
• If domestic only, there are other options
• Does our industry have specific standards?
  – Healthcare (HIPAA), Retail (PCI)
  – Maybe comply with multiple standards
What is the scope of the assets we want to protect?
• If the scope is broad, it might be difficult to achieve
If yes, do we want to adhere to the standard or become certified?
• Meeting the standard is often enough for stakeholders
• Compliance is a minimum 3-year process
• Extensive evidence that controls are in place and being met
How does ISO 27002 differ from ISO 27001?
Publication | What is it? | When should you use it?
ISO 27001 | Management standard that defines how to build an ISMS | When you need to scope, design, and build a compliant ISMS
ISO 27002 | Set of guidelines and techniques for implementing security controls | When you’re ready to implement specific security controls to safeguard your ISMS
Please note that, in terms of certification, only ISO 27001 can be certified against.
Sample ISO 27002 Control (figure)
Sample ISO 27001 controls questionnaire (figure)
3. ISO 27002:2022 & ISO 27001:2022 Updates
ISO 27002 Updates – Control Set Structure
• 14 control domains become 4 control categories (or themes):
  – a) people, if they concern individual people (Clause 6);
  – b) physical, if they concern physical objects (Clause 7);
  – c) technological, if they concern technology (Clause 8);
  – d) otherwise they are categorized as organizational (Clause 5).
• The idea is to make the controls more modernized, simplified, and versatile
• 50+ controls from 27002:2013 were merged for simplification and ease of use and understanding, and outdated references (e.g., obsolete technologies) were removed
ISO 27002 Updates – Highlight of Changes
• Total control count went from 114 to 93
• 75% of the controls in the 2022 version are within the Organizational and Technological themes.
• 24 controls in the 2022 version include a consolidation of 57 controls from the 2013 version (2+ controls combined into 1 control).
• 58 controls are roughly a one-for-one from the 2013 version to the 2022 version (note these are general mappings; updates were made to control context).
• 11 new controls introduced in the 2022 version.
• All controls from the 2013 version are mapped to the 2022 control set.
ISO 27002 Updates – Mapping (New and Old)
Table B.1 — Correspondence between controls in ISO/IEC 27002:2022 and controls in ISO/IEC 27002:2013 (first rows only)
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
Table B.2 — Correspondence between controls in ISO/IEC 27002:2013 and controls in ISO/IEC 27002:2022 (first rows only)
ISO/IEC 27002:2013 Control Identifier | ISO/IEC 27002:2022 Control Identifier | Control name according to ISO/IEC 27002:2013
5 | – | Information security policies
5.1 | – | Management direction for information security
5.1.1 | 5.1 | Policies for information security
5.1.2 | 5.1 | Review of the policies for information security
ISO 27002 Updates – 11 “Net New” Controls
11 New Controls
• Threat Intelligence (5.7)
• Information Security for Use of Cloud Services (5.23)
• ICT Readiness for Business Continuity (5.30)
• Physical Security Monitoring (7.4)
• Configuration Management (8.9)
• Information Deletion (8.10)
• Data Masking (8.11)
• Data Leakage Prevention (8.12)
• Monitoring Activities (8.16)
• Web Filtering (8.23)
• Secure Coding (8.28)
ISO 27002 Updates – Control Set – Consolidated & New
(number of controls in parentheses)
ISO/IEC 27002:2013 (A.5-A.18)
• A.5 Information security policies (2)
• A.6 Organization of information security (7)
• A.7 Human resources security (6)
• A.8 Asset management (10)
• A.9 Access control (14)
• A.10 Cryptography (2)
• A.11 Physical and environmental security (15)
• A.12 Operations security (14)
• A.13 Communications security (7)
• A.14 System acquisition, development and maintenance (13)
• A.15 Supplier relationships (5)
• A.16 Information security incident management (7)
• A.17 Information security aspects of business continuity management (4)
• A.18 Compliance (8)
ISO/IEC 27002:2022 (Clauses 5-8)
• 5 Organizational (37)
• 6 People (8)
• 7 Physical (14)
• 8 Technological (34)
ISO 27002 Updates – Control Set – Consolidated & New
High Level Comparison
Consolidated (24)
ISO 27002:2022 | ISO 27002:2013
5.1 – Policies for information security | 5.1.1, 5.1.2
5.8 – Information security in project management | 6.1.5, 14.1.1
5.9 – Inventory of information and other associated assets | 8.1.1, 8.1.2
5.10 – Acceptable use of information and other associated assets | 8.1.3, 8.2.3
5.14 – Information transfer | 13.2.1, 13.2.2, 13.2.3
5.15 – Access control | 9.1.1, 9.1.2
5.17 – Authentication information | 9.2.4, 9.3.1, 9.4.3
5.18 – Access rights | 9.2.2, 9.2.5, 9.2.6
5.22 – Monitoring, review and change management of supplier services | 15.2.1, 15.2.2
5.29 – Information security during disruption | 17.1.1, 17.1.2, 17.1.3
5.31 – Identification of legal, statutory, regulatory and contractual requirements | 18.1.1, 18.1.5
5.36 – Compliance with policies and standards for information security | 18.2.2, 18.2.3
6.8 – Information security event reporting | 16.1.2, 16.1.3
7.2 – Physical entry controls | 11.1.2, 11.1.6
7.10 – Storage media | 8.3.1, 8.3.2, 8.3.3, 11.2.5
8.1 – User endpoint devices | 6.2.1, 11.2.8
8.8 – Management of technical vulnerabilities | 12.6.1, 18.2.3
8.15 – Logging | 12.4.1, 12.4.2, 12.4.3
8.19 – Installation of software on operational systems | 12.5.1, 12.6.2
8.24 – Use of cryptography | 10.1.1, 10.1.2
8.26 – Application security requirements | 14.1.2, 14.1.3
8.29 – Security testing in development and acceptance | 14.2.8, 14.2.9
8.31 – Separation of development, test and production environments | 12.1.4, 14.2.6
8.32 – Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4
New (11)
5.7 – Threat intelligence
5.23 – Information security for use of cloud services
5.30 – ICT readiness for business continuity
7.4 – Physical security monitoring
8.9 – Configuration management
8.10 – Information deletion
8.11 – Data masking
8.12 – Data leakage prevention
8.16 – Monitoring activities
8.23 – Web filtering
8.28 – Secure coding
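As an added example (not code from the deck or from ISO), a small Python crosswalk over a constructed subset of the mapping rows shown above: it classifies 2022 controls as new, one-for-one or consolidated, inverts the Table B.1 view into the Table B.2 view (including a 2013 control such as 18.2.3 that feeds two 2022 controls), flags 2013 controls in an ISMS inventory that the crosswalk does not yet cover, and re-keys an evidence register to 2022 identifiers. Control names and identifiers come from the slides; the function names and the sample inventory and evidence register are assumptions.

```python
"""Crosswalk between ISO/IEC 27002:2013 and ISO/IEC 27002:2022 control identifiers.

Added example, not code from the deck or from ISO. MAPPING_2022_TO_2013 is a
constructed subset of the correspondence the slides show (Table B.1 excerpt,
"Consolidated (24)" and "New (11)"); the full Annex B of 27002:2022 has 93 rows.
2013 identifiers are written unpadded ("5.1.1"), not as Annex B prints them ("05.1.1").
"""
from collections import defaultdict


def control_key(cid):
    """Sort key so that "5.36" sorts before "8.8" numerically, not lexically."""
    return tuple(int(part) for part in cid.split("."))


# 2022 identifier -> (control name, 2013 identifiers it absorbs; empty = new control)
MAPPING_2022_TO_2013 = {
    "5.1":  ("Policies for information security", ("5.1.1", "5.1.2")),
    "5.2":  ("Information security roles and responsibilities", ("6.1.1",)),
    "5.3":  ("Segregation of duties", ("6.1.2",)),
    "5.7":  ("Threat intelligence", ()),
    "5.17": ("Authentication information", ("9.2.4", "9.3.1", "9.4.3")),
    "5.36": ("Compliance with policies and standards for information security",
             ("18.2.2", "18.2.3")),
    "7.10": ("Storage media", ("8.3.1", "8.3.2", "8.3.3", "11.2.5")),
    "8.8":  ("Management of technical vulnerabilities", ("12.6.1", "18.2.3")),
    "8.9":  ("Configuration management", ()),
    "8.15": ("Logging", ("12.4.1", "12.4.2", "12.4.3")),
    "8.24": ("Use of cryptography", ("10.1.1", "10.1.2")),
}


def classify(mapping):
    """Bucket 2022 controls the way the deck counts them:
    new (no 2013 source), one-for-one (exactly one), consolidated (two or more)."""
    buckets = {"new": [], "one_for_one": [], "consolidated": []}
    for cid, (_name, sources) in mapping.items():
        if not sources:
            buckets["new"].append(cid)
        elif len(sources) == 1:
            buckets["one_for_one"].append(cid)
        else:
            buckets["consolidated"].append(cid)
    return buckets


def absorbed_count(mapping):
    """Number of 2013 controls folded into consolidated 2022 controls
    (the deck's "24 controls consolidate 57" figure when run over the full table)."""
    return sum(len(sources) for _name, sources in mapping.values() if len(sources) >= 2)


def invert(mapping):
    """Table B.2 view: 2013 identifier -> 2022 identifiers that carry it forward.
    A 2013 control can feed more than one 2022 control (18.2.3 -> 5.36 and 8.8)."""
    inverse = defaultdict(list)
    for cid, (_name, sources) in mapping.items():
        for old in sources:
            inverse[old].append(cid)
    return {old: sorted(new, key=control_key) for old, new in inverse.items()}


def unmapped(inventory_2013, mapping):
    """2013 controls in an ISMS inventory with no 2022 counterpart in the crosswalk.
    Over the complete Annex B this is empty (every 2013 control is mapped); over a
    partial crosswalk it lists what still has to be mapped before the transition."""
    inverse = invert(mapping)
    return sorted((c for c in inventory_2013 if c not in inverse), key=control_key)


def rekey_evidence(evidence_2013, mapping):
    """Re-key an evidence register from 2013 to 2022 identifiers, merging entries
    whose 2013 controls were consolidated and duplicating entries whose 2013 control
    feeds several 2022 controls. Keys with no mapping are dropped (see unmapped())."""
    inverse = invert(mapping)
    rekeyed = defaultdict(list)
    for old, items in evidence_2013.items():
        for new in inverse.get(old, []):
            rekeyed[new].extend(items)
    return dict(rekeyed)


if __name__ == "__main__":
    buckets = classify(MAPPING_2022_TO_2013)
    for kind, ids in buckets.items():
        print(f"{kind:12s} {len(ids):2d}  {', '.join(ids)}")
    print("absorbed 2013 controls:", absorbed_count(MAPPING_2022_TO_2013))
    print("18.2.3 maps to:", invert(MAPPING_2022_TO_2013)["18.2.3"])
    # Constructed inventory: 9.1.1 (access control) is not in this partial crosswalk.
    print("still unmapped:", unmapped(["5.1.1", "6.1.1", "9.1.1", "12.4.1"],
                                      MAPPING_2022_TO_2013))
```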
What about ISO 27001?
Annex A (based on ISO 27002:2013) is the current control set in 27001:2013.
ISO will be updating ISO 27001 to include within Annex A the control set of the new ISO 27002:2022 (replacing A.5-A.18), along with slight modifications to ISMS clause 6.
• ISMS clause 6.1.3 c) specifically references “control objectives”, which, as noted previously, will no longer exist
• For that reason, a minor update to the clause language is needed
• No other changes are anticipated to ISMS clauses 4-10
What about ISO 27001?
The anticipated timeframe to publish 27001:2022 is late Q4 or potentially early 2023 (still TBD).
It is assumed that when ISO 27001:2022 is published, a two-year (24 month) transition period will be provided for organizations to update their ISMS and demonstrate conformance to the new version of ISO 27001.
THANK YOU
Danny Manimbo – danny.manimbo@schellman.com
Sawyer Miller – Sawyer.Miller@risk3sixty.com
Erik Tomasi – etomasi@emtsec.com
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?

1.

2. Speakers
   • Danny Manimbo, Principal / ISO Practice Co-Director, based in Denver, CO
   • Erik Tomasi, Managing Director, EMTsec, based in Miami, FL
   • Sawyer Miller, Senior Manager / ISO Practice Leader, based in Atlanta, GA
   Follow us @Schellman; Twitter @ErikTomasi or LinkedIn. Check out our YouTube channel and connect with us on LinkedIn.

3. Agenda
   • ISO 27032:2012 – A Framework for Cybersecurity Risks
   • ISO/IEC 27000-series, Standards, 27001 vs 27002
   • ISO 27002:2022 and 27001:2022 Updates
   • Q&A

4. Section 1: ISO 27032:2012 – A Framework for Cybersecurity Risks

5. Security Concepts and Relationships
   • Cybersecurity focuses on protecting the Confidentiality, Integrity, and Availability of the assets/data stakeholders care about
   • So how do we build a model that enables us to conceptualize how best to do that?
   • We must identify Assets, Threats against them, and Vulnerabilities in our control framework
   • Potential exploitation of vulnerabilities by threats creates risks
   • Risks should be managed at an acceptable level

6. Who are the Stakeholders?
   • Executives
   • Boards
   • Shareholders
   • Regulatory Bodies
   • Partners
   • Consumers (You and Me!!)
   From ISO 27032:2012: “The Cyberspace belongs to no one; everyone can participate and has a stake in it.”

7. ISO 27032:2012 Concepts in Action
   • Read ISO 27032:2012 and filter for your needs
   • Define the roles and responsibilities; a good place to start is department/Business Unit leaders
   • Get a good GRC tool, one that enables you to track risks, risk owners, and treatment plans
   • Set up interviews with the individuals and small groups
   • Take them through the exercise of identifying Assets, Threats, and Vulnerabilities
   • Articulate risk statements from the information gathered
   • Identify Risk Owners and work with them to develop treatment plans and due dates

8. Risk Management Tips
   • It depends on your organization. Right-size it. What is your risk appetite?
   • Be clear on scope. Be clear on purpose.
   • Focus on topics and known issues first.
   • Ask open-ended questions: if you could change anything, what would you change to reduce InfoSec risk the most?
   • Don’t try to boil the ocean. The 80/20 rule usually applies.

10. ISO/IEC 27000-series
   • Jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005
   • Revised; the current version was published in 2013
   • Information Security Management System (ISMS):
     • Defines and manages a set of security controls
     • Designed to protect the Confidentiality, Integrity, and Availability (CIA) of IT assets
     • Risk-based approach (after asset identification and valuation): threats, vulnerabilities, risk matrix (impact vs likelihood), mitigation
   • Also known as the ISMS Family of Standards or “ISO27K”
   • Considered the gold standard of information security frameworks
   • Numerous use cases (global multinational firm, SaaS vendor)

11. ISO/IEC 27000 Partial List of Publications
   Standard | Title | Description
   27000 | ISMS | Overview and vocabulary of the framework
   27001 | IT Security Techniques | Core InfoSec standard, generic ISMS. Management clauses and Annex A (5-18) controls
   27002 | InfoSec Code of Practice | Detailed catalog of security controls
   27003 | InfoSec Implementation Guide | Project plan on approach and recommendations
   27004 | InfoSec Management | Auditing guide: monitoring and measuring (KPIs)
   27005 | InfoSec Risk Management | How to identify, assess, evaluate and treat InfoSec risk
   27701 | Privacy Information Management System (PIMS) | One of dozens of 27000-series publications, focused on privacy risk. Published in 2019

13. 27001:2013 Control Example – Annex 5

14. ISO/IEC 27001 as a Framework – Questions to Consider
   • How mature is my organization’s InfoSec program?
     • If immature, it might pay to use a less rigorous standard
     • Improve the security program and controls
     • Use a crosswalk to leverage existing work
   • Are we a global organization?
     • If domestic only, there are other options
   • Does our industry have specific standards?
     • Healthcare (HIPAA), Retail (PCI)
     • Maybe comply with multiple standards
   • What is the scope of assets we want to protect?
     • If the scope is broad, it might be difficult to achieve
   • If yes, do we want to adhere or become certified?
     • Meeting the standard is often enough for stakeholders
     • Compliance is a minimum 3-year process
     • Extensive evidence that controls are in place and being met

15. How does ISO 27002 differ from ISO 27001?
   Publication | What is it? | When should you use it?
   ISO 27001 | Management standard that defines how to build an ISMS | When you need to scope, design, and build a compliant ISMS
   ISO 27002 | Set of guidelines and techniques for implementing security controls | When you’re ready to implement specific security controls to safeguard your ISMS
   Please note: in terms of certification, only ISO 27001.

16. Sample ISO 27002 Control

17. Sample ISO 27001 Controls Questionnaire

18. Section 3: ISO 27002:2022 & ISO 27001:2022 Updates

19. ISO 27002 Updates – Control Set Structure
   • 14 control domains become 4 control categories (or themes):
     a) people, if they concern individual people (Clause 6);
     b) physical, if they concern physical objects (Clause 7);
     c) technological, if they concern technology (Clause 8);
     d) otherwise they are categorized as organizational (Clause 5).
   • The idea is to make controls more modernized, simplified, and versatile
   • 50+ controls from 27002:2013 were merged for simplification and ease of use and understanding; outdated references (e.g., obsolete technologies) were also removed

20. ISO 27002 Updates – Highlight of Changes
   • Total control count went from 114 to 93
   • 75% of the controls in the 2022 version are within the Organizational and Technological themes
   • 24 controls in the 2022 version are a consolidation of 57 controls from the 2013 version (2+ controls combined into 1 control)
   • 58 controls are roughly one-for-one from the 2013 version to the 2022 version (note these are general mappings; updates were made to control context)
   • 11 new controls are introduced in the 2022 version
   • All controls from the 2013 version are mapped to the 2022 control set

21. ISO 27002 Updates – Mapping (New and Old)
   Table B.1 — Correspondence between controls in this document and controls in ISO/IEC 27002:2013
   ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
   5.1 | 05.1.1, 05.1.2 | Policies for information security
   5.2 | 06.1.1 | Information security roles and responsibilities
   5.3 | 06.1.2 | Segregation of duties
   Table B.2 — Correspondence between controls in ISO/IEC 27002:2013 and controls in this document
   ISO/IEC 27002:2013 Control Identifier | ISO/IEC 27002:2022 Control Identifier | Control name according to ISO/IEC 27002:2013
   5 | | Information security policies
   5.1 | | Management direction for information security
   5.1.1 | 5.1 | Policies for information security
   5.1.2 | 5.1 | Review of the policies for information security

22. ISO 27002 Updates – 11 “Net New” Controls
   • Threat Intelligence (5.7)
   • Information Security for Use of Cloud Services (5.23)
   • ICT Readiness for Business Continuity (5.30)
   • Physical Security Monitoring (7.4)
   • Configuration Management (8.9)
   • Information Deletion (8.10)
   • Data Masking (8.11)
   • Data Leakage Prevention (8.12)
   • Monitoring Activities (8.16)
   • Web Filtering (8.23)
   • Secure Coding (8.28)

23. ISO 27002 Updates – Control Set – Consolidated & New
   ISO/IEC 27002:2013 (A.5–A.18), control count per domain in parentheses:
   • A.5 Information security policies (2)
   • A.6 Organization of information security (7)
   • A.7 Human resources security (6)
   • A.8 Asset management (10)
   • A.9 Access control (14)
   • A.10 Cryptography (2)
   • A.11 Physical and environmental security (15)
   • A.12 Operations security (14)
   • A.13 Communications security (7)
   • A.14 System acquisition, development and maintenance (13)
   • A.15 Supplier relationships (5)
   • A.16 Information security incident management (7)
   • A.17 Information security aspects of business continuity management (4)
   • A.18 Compliance (8)
   ISO/IEC 27002:2022 (Clauses 5–8), control count per theme in parentheses:
   • 5 Organizational (37)
   • 6 People (8)
   • 7 Physical (14)
   • 8 Technological (34)

24. ISO 27002 Updates – Control Set – Consolidated & New: High-Level Comparison
   Consolidated (24): ISO 27002:2022 control | ISO 27002:2013 controls
   5.1 – Policies for information security | 5.1.1, 5.1.2
   5.8 – Information security in project management | 6.1.5, 14.1.1
   5.9 – Inventory of information and other associated assets | 8.1.1, 8.1.2
   5.10 – Acceptable use of information and other associated assets | 8.1.3, 8.2.3
   5.14 – Information transfer | 13.2.1, 13.2.2, 13.2.3
   5.15 – Access control | 9.1.1, 9.1.2
   5.17 – Authentication information | 9.2.4, 9.3.1, 9.4.3
   5.18 – Access rights | 9.2.2, 9.2.5, 9.2.6
   5.22 – Monitoring, review and change management of supplier services | 15.2.1, 15.2.2
   5.29 – Information security during disruption | 17.1.1, 17.1.2, 17.1.3
   5.31 – Identification of legal, statutory, regulatory and contractual requirements | 18.1.1, 18.1.5
   5.36 – Compliance with policies and standards for information security | 18.2.2, 18.2.3
   6.8 – Information security event reporting | 16.1.2, 16.1.3
   7.2 – Physical entry controls | 11.1.2, 11.1.6
   7.10 – Storage media | 8.3.1, 8.3.2, 8.3.3, 11.2.5
   8.1 – User endpoint devices | 6.2.1, 11.2.8
   8.8 – Management of technical vulnerabilities | 12.6.1, 18.2.3
   8.15 – Logging | 12.4.1, 12.4.2, 12.4.3
   8.19 – Installation of software on operational systems | 12.5.1, 12.6.2
   8.24 – Use of cryptography | 10.1.1, 10.1.2
   8.26 – Application security requirements | 14.1.2, 14.1.3
   8.29 – Security testing in development and acceptance | 14.2.8, 14.2.9
   8.31 – Separation of development, test and production environments | 12.1.4, 14.2.6
   8.32 – Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4
   New (11):
   • 5.7 – Threat intelligence
   • 5.23 – Information security for use of cloud services
   • 5.30 – ICT readiness for business continuity
   • 7.4 – Physical security monitoring
   • 8.9 – Configuration management
   • 8.10 – Information deletion
   • 8.11 – Data masking
   • 8.12 – Data leakage prevention
   • 8.16 – Monitoring activities
   • 8.23 – Web filtering
   • 8.28 – Secure coding
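The counts on slide 20 (24 consolidated controls absorbing 57 from 2013) can be checked against the consolidation table on slide 24 itself. The following Python is an added example, not part of the deck; it transcribes the "Consolidated (24)" table, derives the counts, and builds the reverse (2013 to 2022) crosswalk a GRC tool needs when migrating an existing control set.

```python
"""Crosswalk check for the ISO/IEC 27002:2022 <- 27002:2013 "Consolidated (24)"
table on slide 24.  Added example, not part of the original deck; the mapping
below is transcribed from that slide."""
from collections import defaultdict

# Transcribed from slide 24: 2022 control -> the 2013 controls it absorbs.
CONSOLIDATED_2022_TO_2013 = {
    "5.1": ["5.1.1", "5.1.2"],
    "5.8": ["6.1.5", "14.1.1"],
    "5.9": ["8.1.1", "8.1.2"],
    "5.10": ["8.1.3", "8.2.3"],
    "5.14": ["13.2.1", "13.2.2", "13.2.3"],
    "5.15": ["9.1.1", "9.1.2"],
    "5.17": ["9.2.4", "9.3.1", "9.4.3"],
    "5.18": ["9.2.2", "9.2.5", "9.2.6"],
    "5.22": ["15.2.1", "15.2.2"],
    "5.29": ["17.1.1", "17.1.2", "17.1.3"],
    "5.31": ["18.1.1", "18.1.5"],
    "5.36": ["18.2.2", "18.2.3"],
    "6.8": ["16.1.2", "16.1.3"],
    "7.2": ["11.1.2", "11.1.6"],
    "7.10": ["8.3.1", "8.3.2", "8.3.3", "11.2.5"],
    "8.1": ["6.2.1", "11.2.8"],
    "8.8": ["12.6.1", "18.2.3"],
    "8.15": ["12.4.1", "12.4.2", "12.4.3"],
    "8.19": ["12.5.1", "12.6.2"],
    "8.24": ["10.1.1", "10.1.2"],
    "8.26": ["14.1.2", "14.1.3"],
    "8.29": ["14.2.8", "14.2.9"],
    "8.31": ["12.1.4", "14.2.6"],
    "8.32": ["12.1.2", "14.2.2", "14.2.3", "14.2.4"],
}

# 2022 themes by clause number (slide 19).
THEMES = {"5": "organizational", "6": "people", "7": "physical", "8": "technological"}

def theme_of(control_2022):
    """Theme of a 2022 control, taken from its leading clause number."""
    return THEMES[control_2022.split(".")[0]]

def invert(mapping):
    """Reverse crosswalk: 2013 control -> 2022 controls that cite it.
    A 2013 control listed under more than one 2022 control shows up here
    with a multi-element list (e.g. 18.2.3 under both 5.36 and 8.8)."""
    reverse = defaultdict(list)
    for new, olds in mapping.items():
        for old in olds:
            reverse[old].append(new)
    return dict(reverse)

def crosswalk_summary(mapping):
    """Counts a GRC tool would need when migrating a 2013 control set."""
    reverse = invert(mapping)
    return {
        "consolidated_2022_controls": len(mapping),
        "mapping_entries_2013": sum(len(v) for v in mapping.values()),
        "unique_2013_controls": len(reverse),
        "multi_mapped_2013": sorted(k for k, v in reverse.items() if len(v) > 1),
        "by_theme": {t: sum(1 for c in mapping if theme_of(c) == t)
                     for t in THEMES.values()},
    }

if __name__ == "__main__":
    for key, value in crosswalk_summary(CONSOLIDATED_2022_TO_2013).items():
        print(f"{key}: {value}")
```

The 57 on slide 20 counts mapping entries: 18.2.3 is listed under both 5.36 and 8.8, so the table absorbs 56 distinct 2013 controls, which is why a migration should key on the 2013 identifier rather than assume a one-to-one row count.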
25. What about ISO 27001?
   Annex A (based on ISO 27002:2013) is the current control set in 27001:2013. ISO will be updating ISO 27001 to include within Annex A the control set of the new ISO 27002:2022 (replacing A.5–A.18), along with slight modifications to ISMS clause 6.
   • ISMS clause 6.1.3 c specifically references “control objectives”, which, as noted previously, will no longer exist
   • For that reason, a minor update to the clause language is needed
   • No other changes are anticipated to ISMS clauses 4–10

26. What about ISO 27001?
   The anticipated timeframe to publish 27001:2022 is late Q4 or potentially early 2023 (still TBD).
   It is assumed that, with ISO 27001:2022 getting published, a two-year (24 month) transition period will be provided for organizations to update their ISMS and demonstrate conformance to the new version of ISO 27001.

27. THANK YOU
   • Danny Manimbo – danny.manimbo@schellman.com
   • Sawyer Miller – Sawyer.Miller@risk3sixty.com
   • Erik Tomasi – etomasi@emtsec.com