Agenda
• ISO 27002 & ISO 27032
  Information Security vs Cyber
  ISO vs NIST (and other)
• Cybersecurity Maturity Model Certification (CMMC)
  Evolution of CMMC
  Proposed Rule
  Certification Levels
  Applicable NIST Cybersecurity Standards
  Documentation
  Assessment & Certification
• Risk Assessment and Selection of Framework
  Executive Sponsorship/Support
  Program and Framework Automation
  GRC Sample
  Summary of Actions
ISO standards
[Figure: Plan-Do-Check-Act (PDCA) cycle repeated over time; security improvement on the vertical axis, time on the horizontal axis]
The essentials
• ISO 27001
  ISMS
  Clauses & Annex
  Certification
• ISO 27002
  2013 vs 2022
• ISO 27032
  Information security
  Cybersecurity
ISO 27002 & ISO 27032
[Figure: ISO 27001 (clauses and Annex) next to ISO 27002, with the cyber scope marked]
The essentials (continued)
• Other frameworks
  NIST
  NIST CSF
ISO 27002 & ISO 27032
[Figure: map of the ISO 27001 family. ISO 27001:2022 at the centre, with ISO 27701 (PIMS) as its privacy extension and ISO 27002 as the source of the ISO 27001 Annex controls; around it the ISO 27002:2022 operational-capability attributes and the standards that support each area.]
ISO 27001 clauses shown: 4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance, 10 Improvement
ISO 27002:2022 operational capabilities shown: #Governance, #Legal_and_compliance, #Human_resource_security, #Asset_management, #Identity_and_access_management, #Secure_configuration, #Physical_security, #Threat_and_vulnerability_management, #Application_security, #Supplier_relationships_security, #Information_security_event_management, #Continuity, #Information_protection, #System_and_network_security, #Information_security_assurance
Supporting standards shown: ISO 27034 Application Security; ISO 27035 Incident Mgmt; ISO 27014 IS Governance; ISO 22301 BCM; ISO 55001 Asset Mgmt; ISO 27032 Cyber; ISO 27099 PKI; ISO 21502 Project Mgmt; ISO 38500 IT Gov; ISO 37301 Compliance Mgmt; ISO/IEC 29146 Access Mgmt; ISO 22361 Crisis Mgmt; ISO 22316 Resilience; ISO 27031; ISO 27033 Network; ISO 27017 Cloud; ISO 27018 PII in Cloud; ISO 27021 Competence; ISO 20000 IT operations; ISO 22317 BIA; ISO 9001 Quality; ISO 31000 Risk; ISO 27005 Risk Mgmt; ISO 27006 ISMS Audit Requirements; ISO 17021-1 MS Audit; ISO 19011 Audit Guidance; ISO 26000 Social Responsibility; ISO 27103 ISMS Cyber; ISO 27110 Cyber Framework; ISO 29100 Privacy Framework; ISO 275xx Privacy operations; ISO 27007 ISMS Audit guidelines; ISO 291xx Privacy guidelines; ISO 28000 Supply Chain Security; ISO 27036 ICT supply chain & cloud; ISO 27016 IS Governance; ISO 27022 ISMS Processes
ISO 27002 & ISO 27032
ISO 27002
[Figure: the same map of ISO 27002:2022 operational capabilities and supporting standards as on the previous slide, now centred on ISO 27002:2022 (the ISO 27001 Annex controls)]
ISO 27032 - Cybersecurity
The focus today
[Figure: subset of the map with the cybersecurity-related parts highlighted. Operational capabilities: #Legal_and_compliance, #Governance, #Human_resource_security, #Asset_management, #Identity_and_access_management, #Secure_configuration, #Physical_security, #Threat_and_vulnerability_management, #Application_security, #Supplier_relationships_security, #Information_security_event_management, #Continuity, #Information_protection, #System_and_network_security, #Information_security_assurance. Standards: ISO 27034 Application Security; ISO 27035 Incident Mgmt; ISO 27032 Cyber; ISO 27031; ISO 27033 Network; ISO 27017 Cloud; ISO 27018 PII in Cloud; ISO 31000 Risk; ISO 27005 Risk Mgmt; ISO 27103 ISMS Cyber; ISO 27110 Cyber Framework; ISO 27036 ICT supply chain & cloud]
Cybersecurity
New framework emerging
• ISO27100 series
ISO standards and cybersecurity
[Figure: ISO 27002 (ISO 27001 Annex) with the cybersecurity-related operational capabilities #Threat_and_vulnerability_management, #System_and_network_security and #Information_security_assurance, and the standards ISO 27032 Cyber, ISO 27033 Network, ISO 27017 Cloud, ISO 27103 ISMS Cyber and ISO 27110 Cyber Framework]
Secure Controls Framework
• CSF
  https://securecontrolsframework.com/
  https://securecontrolsframework.com/scf-download/
More info
Maturity
ISO 27002 & ISO 27032
ISO, NIST & EU cyber programs
• ISO
  Global best practices & standards
• NIST
  US standards
  CMMC (DOD)
• EU
  NIS 2
  Emerging frameworks, e.g. (BE) CCB Cyberfundamentals
• More info:
  PECB Lead Cybersecurity Manager
  PECB NIS 2 Lead Implementer
Before we dive into CMMC
ISO & NIST CSF
[Figure: the PDCA cycle repeated over time; security improvement on the vertical axis, time on the horizontal axis]
Applicable NIST Cybersecurity Standards
• NIST SP 800-53 Rev. 5
  Security and privacy standard for U.S. federal information systems, except for those related to national security
  Used for the FedRAMP Moderate baseline (Federal Risk and Authorization Management Program)
• NIST SP 800-171 Rev. 2, and 800-171A
  Security standard for non-federal (contractor) systems handling CUI
  14 security families; 110 controls
  800-171A: assessment guide for 800-171
• NIST SP 800-172, and 800-172A
  Security standard for non-federal (contractor) systems handling high-value CUI in critical programs
  14 security families; NIST SP 800-171 + 35 enhanced controls
  800-172A: assessment guide for 800-172
Evolution of CMMC
DFARS 252.204-7012
• Controlled Technical Information (CTI)
• Covered Defense Information (CDI)
• DoD contractor to comply with NIST SP 800-171 or FedRAMP Moderate
• Cyber incident reporting
• Flow-down
CMMC v1.0
• Certification required before contract
• 3rd-party certification
• Level 1 - Level 5
DFARS 252.204-7019 / 7020
• Basic assessment score to report on SPRS
• System Security Plan (SSP)
• Score to be current during the contract
• DoD assessment requirement for Medium and High assessments
• Flow-down
DFARS 252.204-7021
• CMMC v2.0 is active (proposed rule) in 2024
• Level 1 - Level 3
CMMC 2.0 Proposed Rule
• DoD cybersecurity assessment model, which will be mandatory in most contracts by 1H 2025
• Published in Dec 2023. Updates Title 32 CFR by adding the Cybersecurity Maturity Model Certification (CMMC) Program
• Replaces the prior practice of “self-assessment” with third-party assessment and government assessment for most contracts
• Introduces 3 certification levels
• Includes guidance on
  CMMC ecosystem (i.e., PMO, DCMA DIBCAC, Cyber AB, CAICO, C3PAO, CCP, CCA, LTP, LPP, etc.)
  Scoping
  Assessment
  Hashing
CMMC 2.0 Certification Levels
Level 1
  To receive, store, handle, and generate Federal Contract Information (FCI)
  Self-assessment
  Contractors and subcontractors to implement all applicable requirements in FAR clause 52.204-21 (17 practices)
Level 2
  To receive, store, handle, and generate Controlled Unclassified Information (CUI)
  Self-certification in some cases, C3PAO certification in all other cases (triennial)
  All applicable requirements of NIST SP 800-171 Rev 2 (110 practices) and DFARS clause 252.204-7012
Level 3
  To receive, store, handle, and generate sensitive (high-value) Controlled Unclassified Information (CUI)
  DoD certification (triennial)
  24 selected security requirements of NIST SP 800-172 in addition to the Level 2 requirements
Senior officials of the prime contractor and all subcontractors are required to affirm continuing compliance, initially and annually, on SPRS
CMMC Documentation
• System Security Plan (SSP)
  Describes the security controls in alignment with the NIST SP 800-171/172 standard, including scope, system environment, boundaries, and the CUI asset inventory
  No SSP for Level 1
  Use NIST 800-171A objectives for Level 2
  Use NIST 800-172A objectives for Level 3
• Plan of Actions & Milestones (POA&M)
  Describes the plan for remediating the gaps
  No POA&M for Level 1
  Only allowed if the minimum score is 0.8/1 (or 88/110)
  Not allowed for controls that have weight > 1 or are listed as ineligible
  Must be closed out within 180 days of the initial assessment
• Senior leadership approval on documents
• Separate procedures to support the SSP are OK and encouraged
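The POA&M rules above (score floor of 0.8/1 or 88/110, no POA&M for controls with weight > 1 or listed as ineligible, close-out within 180 days of the initial assessment) as a worked check, added here as an example; it is not part of the original deck or of any CMMC tooling. The requirement IDs REQ-nn, their weights and the ineligible flag are constructed sample values: the slide gives only the thresholds, not per-requirement weights. Anything not listed as NOT MET is treated as met, and the score is computed by starting at 110 and subtracting the weight of each unmet requirement, which is what the n/110 form on the slide implies.

```python
"""POA&M eligibility check for a CMMC Level 2 gap list (added example).

Encodes the POA&M rules stated on the slide: score at least 0.8/1 (88/110),
no POA&M for controls with weight > 1 or listed as ineligible, and close-out
within 180 days of the initial assessment. Requirement IDs "REQ-nn", their
weights and the ineligible flag are constructed sample values, not the real
per-requirement weights of any assessment methodology.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # 110 practices, so the score is reported as n/110
MIN_POAM_RATIO = 0.8       # POA&M only allowed at 0.8/1, i.e. 88/110
POAM_CLOSEOUT_DAYS = 180   # POA&M items must be closed out within 180 days


@dataclass(frozen=True)
class Requirement:
    req_id: str
    weight: int                    # points lost while the requirement is NOT MET
    poam_ineligible: bool = False  # requirement listed as ineligible for a POA&M


# Constructed sample catalogue: hypothetical IDs and weights.
SAMPLE_CATALOGUE = {r.req_id: r for r in (
    Requirement("REQ-01", 5),
    Requirement("REQ-02", 3),
    Requirement("REQ-03", 1),
    Requirement("REQ-04", 1, poam_ineligible=True),
    Requirement("REQ-05", 1),
    Requirement("REQ-06", 1),
    Requirement("REQ-07", 5),
    Requirement("REQ-08", 5),
    Requirement("REQ-09", 5),
)}


def compute_score(catalogue, not_met):
    """Start at MAX_SCORE and subtract the weight of every NOT MET requirement.

    Any requirement not named in `not_met` counts as MET.
    """
    not_met = set(not_met)
    unknown = not_met - set(catalogue)
    if unknown:
        raise KeyError(f"unknown requirement id(s): {sorted(unknown)}")
    return MAX_SCORE - sum(catalogue[r].weight for r in not_met)


def poam_decision(catalogue, not_met, assessment_date):
    """Split the NOT MET list into POA&M-able items and must-fix items.

    `assessment_date` is the initial assessment date as an ISO string; the
    returned close-out deadline is an ISO string too (None when no POA&M).
    """
    not_met = set(not_met)
    score = compute_score(catalogue, not_met)
    threshold = MIN_POAM_RATIO * MAX_SCORE    # 88.0

    if score < threshold:
        # Below the floor no POA&M is allowed at all: every gap must be fixed.
        return {"score": score, "poam_permitted": False, "poam_items": [],
                "must_fix_before_certification": sorted(not_met),
                "closeout_deadline": None}

    # Weight > 1 or explicitly ineligible: cannot be carried on a POA&M.
    must_fix = sorted(r for r in not_met
                      if catalogue[r].weight > 1 or catalogue[r].poam_ineligible)
    poam_items = sorted(not_met.difference(must_fix))
    deadline = None
    if poam_items:
        deadline = (date.fromisoformat(assessment_date)
                    + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()
    return {"score": score, "poam_permitted": True, "poam_items": poam_items,
            "must_fix_before_certification": must_fix,
            "closeout_deadline": deadline}


if __name__ == "__main__":
    # Three constructed gap lists: all POA&M-able, mixed, and below the floor.
    for gaps in (["REQ-03", "REQ-05"],
                 ["REQ-01", "REQ-04", "REQ-05"],
                 ["REQ-01", "REQ-02", "REQ-07", "REQ-08", "REQ-09"]):
        print(gaps, "->", poam_decision(SAMPLE_CATALOGUE, gaps, "2024-03-01"))
```

The split between `poam_items` and `must_fix_before_certification` is the point of the check: a gap list can sit comfortably above 88/110 and still block certification because one of the open items is a weight-5 control or is on the ineligible list.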
Assessment & Certification
• Define boundary and scope
  What is in-scope & out-of-scope?
  CUI flow
  System environment
• Identify assets
  FCI & CUI assets
  Security protection assets
  Contractor risk managed assets
  Specialized assets
  Out-of-scope assets
• Certification by C3PAO / DoD
• POA&M (if needed)
• Submit score to SPRS & affirmation
Risk Assessment and Selection of Framework
CMMC, ISO, and other
• Get Executive Support – Top-Down
• Risk Assessment
• Explaining Functional GRC
• Summary of Actions
NOTICE: All slides are for COPYRIGHT Omnistruct Inc, 2023 and may not be used without permission.
The Three-Slide Executive “Why” x2
◼ Cyber Laws
◼ Getting Hacked
◼ Executive Accountability
CYBER LAWS ARE “Looming”
GETTING HACKED IS A MATTER OF “When”
ALL EXECUTIVES “Accountable”
GROWING US DATA PRIVACY LAWS BY STATE
In 2023, there were 7 new state privacy laws introduced; now there are eleven signed with enforcement dates looming.
Source IAPP: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
INTERNATIONAL DATA PRIVACY LAWS
Key countries to note:
European Union - GDPR
UK (Brexit note) - DPA
Australia - APP/PA
Brazil - LGPD
Canada - PIPEDA
China - PIPL
Hong Kong - PDPO S1
Singapore - PDPA
South Korea - PIPA
Turkey - PDPL
Source DLA Piper: https://www.dlapiperdataprotection.com/
CYBERSECURITY GROUND WAR vs CYBER RISK AIR WAR
The Tech: the cybersecurity “ground war” that patrols and stops hackers from crashing into your business.
The Business: the “air war” you must prove you are prepared for when customers, regulators, and lawmakers pursue you for cyber regulatory violations.
EXPLAINING THE DIFFERENCE & SOLUTION
Cybersecurity
◼ Technical protection from hackers (applying framework controls)
◼ “The Cybersecurity Compliance of Tech”
Data Privacy Laws, Risk, & Regulations
◼ Privacy rights of individuals & confidentiality of contracts and secrets of businesses (framework[s] governance)
◼ “The Governance & Risk of Business”
[Figure: GRC (Governance, Risk, Compliance) triangle]
Compliance Program Deployment, Automation, & Upkeep
Get CISO Certification Training
Slide from the new PECB Certified CISO course launched October 2023
Get Cybersecurity Certification Training
Slide from the new PECB Cybersecurity Lead Manager course (ISO 27032:2023)
Use a Compliance Automation Tool With Cross-Mapping (Sample)
Framework implementation, risk register, audits, basic third-party management, with team/executive reports
SUMMARY OF ACTIONS
1. Risk Assessment & Treatment
2. Onboard Framework(s)
3. Address Ground War: CONTROLS
4. Address Air War: GOVERNANCE
5. ✔ GRC to keep fresh
THANK YOU / Q&A
George Usi: gusi@omnistruct.com
Oz Erdem: oz@drozerdem.net
Peter Geelen: peter@cyberminute.com

 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 

Recently uploaded (20)

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance  and worth of ideas part 2.pptxJudging the Relevance  and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 

ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity Maturity

  • 1.
  • 2. Agenda
      ISO 27002 & ISO 27032: Information Security vs Cyber; ISO vs NIST (and other)
      Cybersecurity Maturity Model Certification (CMMC): Evolution of CMMC; Proposed Rule; Certification Levels; Applicable NIST Cybersecurity Standards; Documentation; Assessment & Certification
      Risk Assessment and Selection of Framework: Executive Sponsorship/Support; Program and Framework Automation; GRC Sample; Summary of Actions
  • 3. ISO standards (chart: Security Improvement vs Time): repeated Plan-Do-Check-Act cycles, each raising the security level over time
  • 4. ISO 27002 & ISO 27032: the essentials
      • ISO 27001: ISMS; clauses & Annex; certification
      • ISO 27002: 2013 vs 2022
      • ISO 27032: information security vs cybersecurity
      (diagram: ISO 27001 clauses and Annex, ISO 27002, Cyber)
  • 5. The essentials, continued: as slide 4, adding other frameworks: NIST; NIST CSF
  • 6. ISO 27002 & ISO 27032: ISO 27001 and its family (diagram)
      • ISO 27001:2022 clauses: 4 Context, 5 Leadership, 6 Planning, 7 Support, 8 Operation, 9 Performance evaluation, 10 Improvement; ISO 27002 supplies the Annex controls; ISO 27701 (PIMS) extends the ISMS for privacy
      • ISO 27002 control attributes: #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance
      • Supporting management-system standards: ISO 9001 Quality; ISO 31000 Risk; ISO 27005 Risk Mgmt; ISO 27014 and ISO 27016 IS Governance; ISO 38500 IT Gov; ISO 27006 ISMS Audit Reqs; ISO 17021-1 MS Audit; ISO 19011 Audit Guidance; ISO 27007 ISMS Audit guidelines; ISO 26000 Social Resp.; ISO 27022 ISMS Processes
      • Topic standards linked to the controls: ISO 27034 Application Security; ISO 27035 Incident Mgmt; ISO 22301 BCM; ISO 55001 Asset Mgmt; ISO 27032 Cyber; ISO 27099 PKI; ISO 21502 Project Mgmt; ISO 37301 Compliance Mgmt; ISO/IEC 29146 Access Mgmt; ISO 22361 Crisis Mgmt; ISO 22316 Resilience; ISO 27031; ISO 27033 Network; ISO 27017 Cloud; ISO 27018 PII in Cloud; ISO 27021 Competence; ISO 20000 IT operations; ISO 22317 BIA; ISO 27103 ISMS Cyber; ISO 27110 Cyber Framework; ISO 29100 Privacy Framework; ISO 275xx Privacy operations; ISO 291xx Privacy guidelines; ISO 28000 Supply Chain Security; ISO 27036 ICT supply chain & cloud
  • 7. ISO 27002:2022 (diagram): the same control attributes and topic standards, centred on ISO 27002 as the control catalogue behind the ISO 27001 Annex
  • 8. ISO 27032 - Cybersecurity, the focus today (diagram). The cybersecurity slice of the family: ISO 27032 Cyber; ISO 27031; ISO 27033 Network; ISO 27034 Application Security; ISO 27035 Incident Mgmt; ISO 27017 Cloud; ISO 27018 PII in Cloud; ISO 27036 ICT supply chain & cloud; ISO 27103 ISMS Cyber; ISO 27110 Cyber Framework; ISO 31000 Risk; ISO 27005 Risk Mgmt; attribute #Information_security_assurance
  • 9. ISO standards and cybersecurity: new framework emerging, the ISO 27100 series (diagram). Attributes #Threat_and_vulnerability_management, #System_and_network_security, #Information_security_assurance; standards ISO 27032 Cyber, ISO 27033 Network, ISO 27017 Cloud, ISO 27103 ISMS Cyber, ISO 27110 Cyber Framework
  • 10. Secure Controls Framework (SCF): https://securecontrolsframework.com/ ; download: https://securecontrolsframework.com/scf-download/ ; more info on the site
  • 11. Maturity. The essentials again: ISO 27001 (ISMS; clauses & Annex; certification); ISO 27002 (2013 vs 2022); ISO 27032 (information security vs cybersecurity); other frameworks (NIST; NIST CSF)
  • 12. ISO, NIST & EU cyber programs (before we dive into CMMC)
      • ISO: global best practices & standards
      • NIST: US standards; CMMC (DoD)
      • EU: NIS 2; emerging national frameworks, e.g. the Belgian (BE) CCB CyberFundamentals
      • More info: PECB Lead Cybersecurity Manager; PECB NIS 2 Lead Implementer
  • 13. ISO & NIST CSF (chart: Security Improvement vs Time): repeated Plan-Do-Check-Act cycles
  • 14. Applicable NIST Cybersecurity Standards
      • NIST SP 800-53 Rev. 5: security and privacy controls for U.S. federal information systems, except national security systems; used for the FedRAMP (Federal Risk and Authorization Management Program) Moderate baseline
      • NIST SP 800-171 Rev. 2 and 800-171A: security requirements for non-federal (contractor) systems handling CUI; 14 security families, 110 requirements (controls); 800-171A is the assessment guide for 800-171
      • NIST SP 800-172 and 800-172A: enhanced security requirements for non-federal (contractor) systems handling high-value CUI in critical programs; 14 security families, NIST SP 800-171 plus 35 enhanced requirements; 800-172A is the assessment guide for 800-172
  • 15. Evolution of CMMC
      • DFARS 252.204-7012: Controlled Technical Information (CTI) and Covered Defense Information (CDI); DoD contractors must comply with NIST SP 800-171 (or FedRAMP Moderate for cloud services); cyber incident reporting; flow-down to subcontractors
      • CMMC v1.0: certification required before contract award; third-party certification; Level 1 to Level 5
      • DFARS 252.204-7019/7020: Basic assessment score reported in SPRS; System Security Plan (SSP); score must stay current during the contract; DoD assessment requirement for Medium and High assessments; flow-down
      • DFARS 252.204-7021: CMMC v2.0 (proposed rule, active in 2024); Level 1 to Level 3
  • 16. CMMC 2.0 Proposed Rule
      • DoD cybersecurity assessment model, expected to be mandatory in most contracts by 1H 2025
      • Published in Dec 2023; updates Title 32 CFR by adding the Cybersecurity Maturity Model Certification (CMMC) Program
      • Replaces the prior practice of self-assessment with third-party assessment and government assessment for most contracts
      • Introduces 3 certification levels
      • Includes guidance on the CMMC ecosystem (PMO, DCMA DIBCAC, Cyber AB, CAICO, C3PAO, CCP, CCA, LTP, LPP, etc.)
      • Also covers scoping, assessment and hashing (of assessment artifacts)
  • 17. CMMC 2.0 Certification Levels
      • Level 1: to receive, store, handle and generate Federal Contract Information (FCI); self-assessment; contractors and subcontractors implement all applicable requirements of FAR clause 52.204-21 (17 practices)
      • Level 2: to receive, store, handle and generate Controlled Unclassified Information (CUI); self-assessment in some cases, C3PAO certification in all other cases (triennial); all applicable requirements of NIST SP 800-171 Rev 2 (110 practices) and DFARS clause 252.204-7012
      • Level 3: to receive, store, handle and generate sensitive (high-value) CUI; DoD certification (triennial); 24 selected security requirements of NIST SP 800-172 in addition to the Level 2 requirements
      • Senior officials of the prime contractor and all subcontractors must affirm continuing compliance in SPRS, initially and then annually
  • 18. CMMC Documentation
      • System Security Plan (SSP): describes the security controls in alignment with NIST SP 800-171/172, including scope, system environment, boundaries and the CUI asset inventory; no SSP for Level 1; use the NIST 800-171A objectives for Level 2 and the NIST 800-172A objectives for Level 3
      • Plan of Action & Milestones (POA&M): describes the plan for closing the gaps; no POA&M for Level 1; only allowed if the assessment score is at least 0.8 (88/110); not allowed for requirements with a weight greater than 1 or listed as ineligible; must be closed out within 180 days of the initial assessment
      • Senior leadership approval on documents
      • Separate procedures supporting the SSP are acceptable and encouraged
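The POA&M rules on slide 18 as a small scorer, added here as an example and not part of the original deck: it computes the SPRS-style score by deducting each unmet requirement's weight from 110, applies the 88/110 floor and the rule that open items weighted above 1 are ineligible, and derives the 180-day close-out deadline. Requirement identifiers and weights are constructed for illustration (the real per-requirement weights come from the DoD Assessment Methodology), and any requirement not listed is assumed to be met.

```python
"""Added example (not from the original slides): SPRS-style scoring and
POA&M eligibility check for a NIST SP 800-171 assessment.

Assumptions: requirement identifiers and weights are constructed for
illustration (the DoD Assessment Methodology assigns the real weights),
and any of the 110 requirements not listed is assumed to be met.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SCORE = 110             # one point per NIST SP 800-171 Rev 2 requirement
POAM_MIN_SCORE = 88         # 0.8 x 110: floor below which no POA&M is allowed
POAM_MAX_OPEN_WEIGHT = 1    # open items weighted above 1 are ineligible
POAM_CLOSEOUT_DAYS = 180    # close-out window after the initial assessment


@dataclass(frozen=True)
class Requirement:
    ident: str      # constructed identifier, not a real 800-171 number
    weight: int     # points deducted when unmet (1, 3 or 5 in the methodology)
    met: bool


@dataclass
class PoamDecision:
    score: int
    eligible: bool
    deadline: date
    reasons: list = field(default_factory=list)


def assessment_score(reqs):
    """Start at 110 and deduct the weight of every unmet requirement."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.met)


def poam_deadline(initial_assessment_iso):
    """Open POA&M items must be closed within 180 days of the initial assessment."""
    return date.fromisoformat(initial_assessment_iso) + timedelta(days=POAM_CLOSEOUT_DAYS)


def poam_decision(reqs, initial_assessment_iso):
    """Apply the two eligibility rules from the slide and report why a POA&M fails."""
    score = assessment_score(reqs)
    reasons = []
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE}/{MAX_SCORE} floor")
    heavy = sorted(r.ident for r in reqs if not r.met and r.weight > POAM_MAX_OPEN_WEIGHT)
    if heavy:
        reasons.append("open items weighted above 1 are ineligible: " + ", ".join(heavy))
    return PoamDecision(score=score, eligible=not reasons,
                        deadline=poam_deadline(initial_assessment_iso), reasons=reasons)


if __name__ == "__main__":
    # Constructed inventory: a handful of the 110 requirements with made-up weights.
    inventory = [
        Requirement("REQ-01", 5, met=True),
        Requirement("REQ-02", 3, met=True),
        Requirement("REQ-03", 1, met=False),   # weight 1: may sit on a POA&M
        Requirement("REQ-04", 5, met=False),   # weight 5: must be met before certification
        Requirement("REQ-05", 1, met=False),
    ]
    decision = poam_decision(inventory, "2024-01-01")
    print(f"score {decision.score}/{MAX_SCORE}, POA&M eligible: {decision.eligible}")
    for reason in decision.reasons:
        print(" -", reason)
    print("close-out deadline:", decision.deadline)
```

Running the sample gives 103/110 with the POA&M rejected because REQ-04 (weight 5) is open; dropping that item from the unmet list makes the same inventory eligible, which is the practical point of the rule: a high score alone does not qualify a POA&M.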
  • 19. Assessment & Certification
      • Define boundary and scope: what is in scope and out of scope; CUI flow; system environment
      • Identify assets: FCI & CUI assets; security protection assets; contractor risk managed assets; specialized assets; out-of-scope assets
      • Certification by C3PAO / DoD
      • POA&M (if needed)
      • Submit score to SPRS and affirmation
  • 20. Risk Assessment and Selection of Framework (CMMC, ISO and other)
      Get executive support, top-down
      Risk assessment
      Explaining functional GRC
      Summary of actions
  • 21. NOTICE: All slides are copyright Omnistruct Inc, 2023 and may not be used without permission. The Three-Slide Executive “Why” (x2): cyber laws; getting hacked; executive accountability
  • 22. Cyber laws are “looming” (cybersecurity / cyber laws)
  • 23. Getting hacked is a matter of “when”
  • 24. All executives “accountable”
  • 25. Growing US data privacy laws by state. In 2023, seven new state privacy laws were introduced; eleven are now signed, with enforcement dates looming. Source IAPP: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
  • 26. International data privacy laws, key countries to note: European Union - GDPR; UK (Brexit note) - DPA; Australia - APP/PA; Brazil - LGPD; Canada - PIPEDA; China - PIPL; Hong Kong - PDPO; Singapore - PDPA; South Korea - PIPA; Turkey - PDPL. Source DLA Piper: https://www.dlapiperdataprotection.com/
  • 27. Cybersecurity ground war vs cyber risk air war. The Tech: the cybersecurity “ground war” that patrols and stops hackers from crashing into your business. The Business: the “air war” you must prove you have prepared for when customers, regulators and lawmakers pursue you for cyber regulatory violations.
  • 28. Explaining the difference & solution. Cybersecurity: technical protection from hackers (applying framework controls), “the cybersecurity compliance of tech”. Data privacy laws, risk & regulations: privacy rights of individuals and confidentiality of contracts and secrets of businesses (framework[s] governance), “the governance & risk of business”. GRC: compliance program deployment, automation & upkeep.
  • 29. Get CISO certification training. Slide from the new PECB Certified CISO course launched October 2023
  • 30. Get cybersecurity certification training. Slide from the new PECB Cybersecurity Lead Manager (ISO 27032:2023) course
  • 31. Use a compliance automation tool with cross-mapping. Sample framework implementation, risk register, audits, basic third-party management with team/executive reports
  • 32. Summary of actions: 1 Risk assessment & treatment; 2 Onboard framework(s); 3 Address ground war (controls); 4 Address air war (governance); 5 GRC to keep it fresh
  • 33. THANK YOU Q&A gusi@omnistruct.com George Usi oz@drozerdem.net Oz Erdem peter@cyberminute.com Peter Geelen