How Does the new ISO 27001 Impact Your IT Risk Management Processes?

Presented by Lars Neupart
Founder, CEO of Neupart – The ERP of Security
LN@neupart.com
twitter @neupart
The ISO 2700x standards

ISO 27000 • Overview and vocabulary
ISO 27001 • Information Security Management Systems – Requirements
ISO 27002 • Code of practice for information security management
ISO 27003 • ISMS Implementation Guidelines
ISO 27004 • Information Security Management - Measurement
ISO 27005 • Information Security Risk Management
ISO 27006 • Requirements for bodies providing audit and certification
+ + + +
New drafts available

ISO 27000 • Overview and vocabulary
ISO 27001 • Information Security Management Systems – Requirements
ISO 27002 • Code of practice for information security management
ISO 27003 • ISMS Implementation Guidelines
ISO 27004 • Information Security Management - Measurement
ISO 27005 • Information Security Risk Management
ISO 27006 • Requirements for bodies providing audit and certification
+ + + +
Information Security Management Systems – Requirements

ISO 27001 – the 2013 edition. ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen.

The aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.
What's new?

•  A lot!
•  New content
•  New requirements numbering
•  Still short: 9 pages of requirements to an ISMS
•  Controls are still listed in Annex A, and referring to ISO 27002 (the new)
•  Maintaining a fair portion of backwards compatibility
Poll: How do you use ISO 27001 today?

•  We are certified
•  We plan to certify
•  We plan to comply; no certification
•  Best practice inspiration
•  Don't know
Still risk oriented:

•  The first requirement in the new ISO 27001 refers to an Enterprise Risk Management Standard: ISO 31000
ISO 31000 Enterprise Risk Management

(Diagram) The Plan - Do - Check - Act cycle ties together three layers: Enterprise Risk Management (ISO 31000), Information Security Risk Management (ISO 27005) and ISMS Requirements (ISO 27001).
ISO 27005 recap

IT Risk Management - Explained

(Diagram) Risk is determined by Incident Likelihood and Incident Consequence. Incident Likelihood follows from Threat Frequency and the Preventive Measures in place; Incident Consequence follows from Threat Effect and the Corrective Measures in place. Threats drive both.

Proactive Security (Reduce Likelihood): IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus

Reactive Security (Reduce Consequence): IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
IT Risk Management - Explained

(Diagram, second view) Risk Prioritization builds on Incident Likelihood (Threat Frequency, Preventive Measures) and Incident Consequence (Threat Effect, Corrective Measures).

Vulnerability & control environment assessment: measures are classified as Administrative or Physical / Technical, and as Preventive or Corrective. Examples: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring.

Assessments based on Capability Maturity Model
Assets: Dependency Hierarchy

Business Impact values are inherited downwards
Vulnerability values are inherited upwards

(Diagram) Assets shown in the example hierarchy (name – type):
Finance – Business Process
ERP – IT Service
Finance DB – Database
Dynamics AOS – Business system
Server 01 – Virtual Server
Server 02 – Virtual Server
SAN 01 – Data Storage
HP DL380 – Hardware unit (two units)
Data Center Oslo – Datacenter
Comparing ISO 27005, NIST SP800-30

ISO 27005 process steps:
Context establishment
Identification of assets
Identification of threats
Identification of existing controls
Identification of vulnerabilities
Identification of consequences
Assessment of consequences
Assessment of incident likelihood
Risk estimation
Risk evaluation
Risk treatment
Risk acceptance
Risk communication

NIST SP800-30 process steps:
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendations
Results Documentation
Examples of how the 27001 update will impact your risk management processes

27001: Not only downside risks

•  6.1 Actions to address risks and opportunities
•  Quote ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is "risk"."
Risk Owner

•  Risk Owner approves risk treatment plan and accepts residual risks
•  Note: Asset ownership is formally no longer an ISO 27001 requirement, but it's still in the Annex A Control List. Practically the same requirement, as you can't expect it not to be in your Statement of Applicability
Increased flexibility in your choice of risk method

The organization shall define an information security risk assessment process that:

1.  establishes and maintains information security risk criteria, including the risk acceptance criteria;
2.  determines the criteria for performing information security risk assessments; and
3.  ensures that repeated information security risk assessments produce consistent, valid and comparable results.

(section 6.1)
Time to vote

•  What IT risk assessment method or framework do you use today?
–  ISO 27005
–  NIST SP 800 series
–  IRAM
–  OCTAVE
–  Some other threat based approach
–  Some other control based approach
–  Don't know
The organization shall apply an information security risk treatment process

Treating Risks

Accept    Reduce
Share     Avoid

Treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose these.
SoA linked even closer to Risk Treatment

Risk treatment (SoA = Statement of Applicability)

•  Select treatment options
•  Determine controls
•  Check controls with Annex A, verify no necessary controls are omitted
•  Make SoA and justify exclusions AND inclusions (new)
•  Clearly worded that you must determine all necessary controls
Review of Neupart's well known 4 responsible short-cuts – do they still apply?

1: Not all assets
Assess your most important assets first (you can add more later)

2: Not all threats
Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
3: Inheritance
• Inheritance: Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / Hierarchy
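The two inheritance rules from the dependency-hierarchy slide and from short-cut 3 (business impact values inherited downwards, vulnerability scores inherited upwards), worked through in code. This is an example added to this page, not Neupart's or SecureAware's code. It reuses the asset names and types shown on the slide; the dependency edges between them, the 1-5 ratings, the use of the maximum as the aggregation rule, the risk = impact × vulnerability scoring and the cycle check are all assumptions of the example. It goes one step beyond the slide by rejecting a dependency loop, which would otherwise make the inheritance recurse without end.

```python
"""Asset dependency hierarchy with two-way inheritance of risk factors.

Example added to this page (not Neupart's code). Asset names and types come
from the slide; edges, ratings, the max rule and the risk formula are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str
    impact: int = 0            # own business-impact rating 1-5, 0 = not assessed
    vulnerability: int = 0     # own vulnerability score 1-5, 0 = not assessed
    depends_on: List[str] = field(default_factory=list)  # assets one level down


def build_sample_hierarchy() -> Dict[str, Asset]:
    """Constructed sample: one business process down to one datacenter.
    Only the top asset carries an impact rating and only the infrastructure
    carries vulnerability scores; everything else is filled by inheritance."""
    assets = [
        Asset("Finance", "Business Process", impact=5, depends_on=["ERP"]),
        Asset("ERP", "IT Service", depends_on=["Finance DB", "Dynamics AOS"]),
        Asset("Finance DB", "Database", depends_on=["Server 01"]),
        Asset("Dynamics AOS", "Business system", depends_on=["Server 02"]),
        Asset("Server 01", "Virtual Server", depends_on=["SAN 01", "HP DL380 (1)"]),
        Asset("Server 02", "Virtual Server", depends_on=["HP DL380 (2)"]),
        Asset("SAN 01", "Data Storage", vulnerability=4, depends_on=["Data Center Oslo"]),
        Asset("HP DL380 (1)", "Hardware unit", vulnerability=2, depends_on=["Data Center Oslo"]),
        Asset("HP DL380 (2)", "Hardware unit", vulnerability=3, depends_on=["Data Center Oslo"]),
        Asset("Data Center Oslo", "Datacenter", vulnerability=1),
    ]
    return {a.name: a for a in assets}


def find_cycle(assets: Dict[str, Asset]) -> Optional[List[str]]:
    """Return a dependency loop as a list of names, or None if the graph is a DAG.
    Depth-first search with white/grey/black colouring; a grey node seen again
    is on the current path, so the loop is the path from that node onwards."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in assets}
    path: List[str] = []

    def visit(name: str) -> Optional[List[str]]:
        if name not in assets:
            raise KeyError(f"unknown asset referenced: {name}")
        if colour[name] == GREY:
            return path[path.index(name):] + [name]
        if colour[name] == BLACK:
            return None
        colour[name] = GREY
        path.append(name)
        for child in assets[name].depends_on:
            loop = visit(child)
            if loop:
                return loop
        path.pop()
        colour[name] = BLACK
        return None

    for name in assets:
        loop = visit(name)
        if loop:
            return loop
    return None


def effective_impact(assets, name, dependents, memo) -> int:
    """Business impact inherited DOWNWARDS: an asset is at least as critical as
    the most critical asset that depends on it (max is the assumed rule)."""
    if name not in memo:
        inherited = max((effective_impact(assets, d, dependents, memo)
                         for d in dependents[name]), default=0)
        memo[name] = max(assets[name].impact, inherited)
    return memo[name]


def effective_vulnerability(assets, name, memo) -> int:
    """Vulnerability inherited UPWARDS: an asset is at least as exposed as the
    weakest asset it depends on (max is the assumed rule)."""
    if name not in memo:
        inherited = max((effective_vulnerability(assets, c, memo)
                         for c in assets[name].depends_on), default=0)
        memo[name] = max(assets[name].vulnerability, inherited)
    return memo[name]


def risk_register(assets: Dict[str, Asset]) -> List[Tuple[str, int, int, int]]:
    """Return (name, impact, vulnerability, risk) per asset, highest risk first.
    risk = impact * vulnerability is an assumed scoring rule; the slide only
    says risk follows from likelihood and consequence."""
    loop = find_cycle(assets)
    if loop:
        raise ValueError("dependency loop: " + " -> ".join(loop))
    dependents: Dict[str, List[str]] = {name: [] for name in assets}
    for a in assets.values():
        for child in a.depends_on:
            dependents[child].append(a.name)   # reverse edges, one level up
    imp_memo: Dict[str, int] = {}
    vul_memo: Dict[str, int] = {}
    rows = []
    for name in assets:
        i = effective_impact(assets, name, dependents, imp_memo)
        v = effective_vulnerability(assets, name, vul_memo)
        rows.append((name, i, v, i * v))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for name, i, v, r in risk_register(build_sample_hierarchy()):
        print(f"{name:18} impact={i} vulnerability={v} risk={r:2}")
```

With the sample data every asset inherits the Finance process's impact of 5, while SAN 01's vulnerability of 4 propagates up through Server 01, Finance DB and ERP to the Finance process itself, so the SAN ends up as high on the register as the business process it ultimately supports; that is the point of short-cut 3, which lets you rate the business process once and the infrastructure once instead of assessing every asset in between.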
  
4: Fewer assessments
• Make overall assessment first – refine later
• Example: Assess threats combined first – individually later
Oh, what happened to PDCA?

Plan - Do - Check - Act is still there, now called continual improvement

Risk Management

•  Risk Owner
•  (Assets)
•  Threats
•  Business Impact Assessment
•  Vulnerability Assessment
•  Reporting & evaluating
•  Treating (Accept, Reduce, Share, Avoid)

Time to vote

•  Will the new ISO improve your risk management processes?
–  Yes – the update is easy to understand and makes sense
–  Not much – nothing really new here
–  I'm concerned about the introduced flexibility
–  Don't know
About Neupart

•  ISO 27001 certified company
•  Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
•  "The ERP of Security"
•  HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies

IT GRC = IT Governance, Risk & Compliance Management

SecureAware Risk TNG Benefits

•  Less specialist knowledge needed to conduct professional risk management
•  Know your IT related business risks
•  Fast results
•  Saves time for you and your organization
•  ISO 27005 based methodology – and fully compatible with NIST SP800-30
•  Cloud or on-premise software

Try ISO 27001 compliant IT GRC solution at www.neupart.com

Presented by Lars Neupart
Founder, CEO of Neupart – The ERP of Security
LN@neupart.com
twitter @neupart

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Neupart Bright Talk - How Does the New ISO 27001 Impact Your IT Risk Management Processes?

  • 1. How Does the new ISO 27001 Impact Your IT Risk Management Processes?
    Presented by Lars Neupart, Founder, CEO of Neupart – The ERP of Security. LN@neupart.com, twitter @neupart
  • 2. The ISO 2700x standards
    • ISO 27000: Overview and vocabulary
    • ISO 27001: Information Security Management Systems – Requirements
    • ISO 27002: Code of practice for information security management
    • ISO 27003: ISMS Implementation Guidelines
    • ISO 27004: Information Security Management - Measurement
    • ISO 27005: Information Security Risk Management
    • ISO 27006: Requirements for bodies providing audit and certification
    • + + + +
  • 3. New drafts available (same list of ISO 2700x standards as slide 2)
  • 4. Information Security Management Systems – Requirements. ISO 27001 – the 2013 edition. ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen.
    Aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.
  • 5. What's new?
    • A lot!
    • New content
    • New requirements numbering
    • Still short: 9 pages of requirements to an ISMS
    • Controls are still listed in Annex A, and referring to ISO 27002 (the new)
    • Maintaining a fair portion of backwards compatibility
  • 6. Poll: How do you use ISO 27001 today?
    • We are certified
    • We plan to certify
    • We plan to comply; no certification
    • Best practice inspiration
    • Don't know
  • 7. Still risk oriented: The first requirement in the new ISO 27001 refers to an Enterprise Risk Management Standard: ISO 31000
  • 8. ISO 31000 Enterprise Risk Management: Plan - Do - Check - Act
  • 9. The three layers:
    • Enterprise Risk Management (ISO 31000)
    • Information Security Risk Management (ISO 27005)
    • ISMS Requirements (ISO 27001)
  • 11. IT Risk Management - Explained. Diagram labels: Threats have a Threat Frequency and a Threat Effect; Preventive Measures act on the Incident Likelihood, Corrective Measures act on the Incident Consequence; Incident Likelihood and Incident Consequence together give the Risk.
  • 12. IT Risk Management - Explained (continued), with Risk Prioritization added to the same diagram.
    • Proactive Security (reduce likelihood): IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus
    • Reactive Security (reduce consequence): IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
  • 13. Vulnerability & control environment assessment. Measures are placed on two axes: Administrative Measures vs. Physical / Technical Measures, and Preventive Measures vs. Corrective Measures. Measures shown: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring. Assessments are based on the Capability Maturity Model.
  • 14. Assets: Dependency Hierarchy. Business Impact values are inherited downwards; Vulnerability values are inherited upwards. Example assets in the hierarchy: Finance (Business Process), Dynamics AOS (Business system), ERP (IT Service), Finance DB (Database), Server 01 and Server 02 (Virtual Server), HP DL380 (Hardware unit, two of them), SAN 01 (Data Storage), Data Center Oslo (Datacenter).
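The inheritance rule from slide 14 (and short-cut 3 on slide 24) as a runnable example. This is added illustration code, not Neupart's or SecureAware's implementation; the dependency edges between the slide's assets, the 1-5 scales and the impact × vulnerability score are constructed assumptions.

```python
# Added example (not from the slides): value inheritance over an asset dependency hierarchy.
# Business impact flows down to everything a process depends on; vulnerability flows up to
# everything that depends on a weak component. Edges, scales and scoring are assumptions.

# name -> (own business impact 1-5 or None, own vulnerability 1-5 or None, assets it depends on)
ASSETS = {
    "Finance (Business Process)":     (5, None, ["ERP (IT Service)"]),
    "ERP (IT Service)":               (None, None, ["Dynamics AOS (Business system)", "Finance DB (Database)"]),
    "Dynamics AOS (Business system)": (None, 2, ["Server 01 (Virtual Server)"]),
    "Finance DB (Database)":          (None, 3, ["Server 02 (Virtual Server)", "SAN 01 (Data Storage)"]),
    "Server 01 (Virtual Server)":     (None, None, ["HP DL380 #1 (Hardware unit)"]),
    "Server 02 (Virtual Server)":     (None, None, ["HP DL380 #2 (Hardware unit)"]),
    "SAN 01 (Data Storage)":          (None, 4, ["Data Center Oslo (Datacenter)"]),
    "HP DL380 #1 (Hardware unit)":    (None, 2, ["Data Center Oslo (Datacenter)"]),
    "HP DL380 #2 (Hardware unit)":    (None, 2, ["Data Center Oslo (Datacenter)"]),
    "Data Center Oslo (Datacenter)":  (None, 1, []),
}


def dependants_of(assets):
    """Reverse the edges: asset -> the assets that depend on it."""
    rev = {name: [] for name in assets}
    for name, (_, _, deps) in assets.items():
        for dep in deps:
            rev[dep].append(name)
    return rev


def effective_impact(assets, name, dependants, memo=None):
    """Downwards inheritance: an asset is at least as critical as anything that depends on it."""
    memo = {} if memo is None else memo
    if name not in memo:
        own = assets[name][0] or 0
        memo[name] = max([own] + [effective_impact(assets, d, dependants, memo) for d in dependants[name]])
    return memo[name]


def effective_vulnerability(assets, name, memo=None):
    """Upwards inheritance: an asset is at least as weak as any component it depends on."""
    memo = {} if memo is None else memo
    if name not in memo:
        own = assets[name][1] or 0
        memo[name] = max([own] + [effective_vulnerability(assets, d, memo) for d in assets[name][2]])
    return memo[name]


def risk_table(assets):
    """Per asset: (name, impact, vulnerability, impact * vulnerability), highest score first."""
    dependants = dependants_of(assets)
    rows = [(n, effective_impact(assets, n, dependants), effective_vulnerability(assets, n)) for n in assets]
    return sorted(((n, i, v, i * v) for n, i, v in rows), key=lambda r: -r[3])
```

With the constructed values, the weak SAN pulls the Finance DB, ERP service and Finance process up to vulnerability 4, while every component under Finance inherits its impact of 5; `risk_table(ASSETS)` lists those four at the top.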
  • 15. Comparing ISO 27005 and NIST SP800-30
    • ISO 27005 steps: Context establishment; Identification of assets; Identification of threats; Identification of existing controls; Identification of vulnerabilities; Identification of consequences; Assessment of consequences; Assessment of incident likelihood; Risk estimation; Risk evaluation; Risk treatment; Risk acceptance; Risk communication
    • NIST SP800-30 steps: System Characterization; Threat Identification; Vulnerability Identification; Control Analysis; Likelihood Determination; Impact Analysis; Risk Determination; Control Recommendations; Results Documentation
  • 16. Examples of how the 27001 update will impact your risk management processes
  • 17. 27001: Not only downside risks
    • 6.1 Actions to address risks and opportunities
    • Quote ISO 31000: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is “risk”.”
  • 18. Risk Owner
    • Risk Owner approves risk treatment plan and accepts residual risks
    • Note: Asset ownership is formally no longer an ISO 27001 requirement, but it's still in the Annex A control list. Practically the same requirement, as you can't expect it to not be in your Statement of Applicability
  • 19. Increased flexibility in your choice of risk method. The organization shall define an information security risk assessment process that:
    1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
    2. determines the criteria for performing information security risk assessments; and
    3. ensures that repeated information security risk assessments produce consistent, valid and comparable results.
    (section 6.1)
  • 20. Time to vote: What IT risk assessment method or framework do you use today?
    – ISO 27005
    – NIST SP 800 series
    – IRAM
    – OCTAVE
    – Some other threat based approach
    – Some other control based approach
    – Don't know
  • 21. The organization shall apply an information security risk treatment process
  • 22. Treating Risks: Accept, Reduce, Share, Avoid. These are the treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.
  • 23. SoA linked even closer to Risk Treatment (SoA = Statement of Applicability)
    • Select treatment options
    • Determine controls
    • Check controls with Annex A, verify no necessary controls are omitted
    • Make SoA and justify exclusions AND inclusions (new)
    • Clearly worded that you must determine all necessary controls
  • 24. Review of Neupart's well known 4 responsible short-cuts – do they still apply?
    • 1: Not all assets – Assess your most important assets first (you can add more later)
    • 2: Not all threats – Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
    • 3: Inheritance – Business impact values inherit downwards; vulnerability scores inherit upwards; asset dependencies / hierarchy
    • 4: Fewer assessments – Make the overall assessment first, refine later. Example: assess threats combined first, individually later
  • 25. Oh, what happened to PDCA? Plan - Do - Check - Act is still there, now called continual improvement
  • 26. Risk Management
    • Risk Owner
    • (Assets)
    • Threats
    • Business Impact Assessment
    • Vulnerability Assessment
    • Reporting & evaluating
    • Treating (Accept, Reduce, Share, Avoid)
  • 27. Time to vote: Will the new ISO improve your risk management processes?
    – Yes – the update is easy to understand and makes sense
    – Not much – nothing really new here
    – I'm concerned about the introduced flexibility
    – Don't know
  • 28. About Neupart (IT GRC = IT Governance, Risk & Compliance Management)
    • ISO 27001 certified company
    • Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
    • “The ERP of Security”
    • HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies
  • 29. SecureAware Risk TNG Benefits
    • Less specialist knowledge needed to conduct professional risk management
    • Know your IT related business risks
    • Fast results
    • Saves time for you and your organization
    • ISO 27005 based methodology – and fully compatible with NIST SP800-30
    • Cloud or on-premise software
  • 30. Try the ISO 27001 compliant IT GRC solution at www.neupart.com. Presented by Lars Neupart, Founder, CEO of Neupart – The ERP of Security. LN@neupart.com, twitter @neupart