SlideShare a Scribd company logo

NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf

J
JhonGIg

NQA-Webinar-A-guide-to-the-changes-to-ISO-27002

Internet
1 of 36
Download to read offline
ISO 27002:2022 – A GUIDE TO THE CHANGES Tim Pinnell
KEY INFO • 45 minute webinar • Questions in the chat box • Q&A at the end • Recording of webinar circulated shortly YOUR PRESENTER
LONDON BOSTON BANGALORE SHANGHAI AMERICA’S No. 1 CHINA’S No. 1 Certification body in aerospace sector Certification body in automotive sector OUR IS TO HELP CUSTOMERS DELIVER PRODUCTS THE WORLD CAN TRUST PURPOSE NQA is a world leading certification body with global operations. NQA specialises in certification in high technology and engineering sectors. GLOBAL No.1 Certification body in telecommunications and Automotive sector GLOBAL No.3 Certification body in Aerospace sector Top3 IN THE UK ISO 9001 ISO 14001 ISO 45001 ISO 27001 UK’S No.2 Certification body in Aerospace sector
30 YEARS 90 OVER OPERATING COUNTRIES 10 YEARS AVERAGE PARTNERSHIP CUSTOMER CERTIFICATES GLOBALLY 50,000 ALL INCLUSIVE FEES 100% EMPLOYEES WORLDWIDE 1000+
WHAT WE WILL COVER TODAY • A quick overview of 27002 • The changes to 27002 • New controls • ISMS implications • Implications for other 27k standards • Transition timelines • Q&A
THE STANDARD: ISO 27002
ISO 27001 & ISO 27002 Management System - Requirements ISO 27001:2013 Information security management systems - Requirements Code of practice - Guidance ISO 27002:2017 Code of practice for information security controls Management System 4. Context 5. Leadership 6. Planning 7. Support 8. Operations 9. Performance 10. Improvement Annex A (114 controls) 5. Policies 6. Organisation 7. Human resources 8. Asset management 9. Access Control 10. Cryptography 11. Physical 12. Operations 13. Communications 14. Dev and maintenance 15. Suppliers 16. Incidents 17. Business Continuity 18. Compliance 114 controls 5. Policies 6. Organisation 7. Human resources 8. Asset management 9. Access Control 10. Cryptography 11. Physical 12. Operations 13. Communications 14. Dev and maintenance 15. Suppliers 16. Incidents 17. Business Continuity 18. Compliance
REQUIREMENTS VS. GUIDANCE Management System - Requirements ISO 27001:2013 Information security management systems - Requirements Code of practice - Guidance ISO 27002:2017 Code of practice for information security controls
THE CHANGES ISO27002:2022
THE CHANGES TO 27002: TITLE 2017 Information technology – Security techniques – Code of practise for information security controls (ISO/IEC 27002:2013) 2022 Information security, cybersecurity and privacy protection – Information security controls
THE CHANGES TO 27002: CONTROL GROUPS 2017 14 Control Groups 2022 4 Themes Control Groups 5. Policies 12. Operations 6. Organisation 13. Communications 7. Human resources 14. Dev and maintenance 8. Asset management 15. Suppliers 9. Access Control 16. Incidents 10. Cryptography 17. Business Continuity 11. Physical 18. Compliance Theme clauses 5. Organisational 7. Physical 6. People 8. Technology
THE CHANGES TO 27002: NO GROUP OBJECTIVES 2017
THE CHANGES TO 27002: CONTROLS 2017 2022 114 controls 93 controls 19 controls consolidated 11 new controls n deleted controls?
THE CHANGES TO 27002: ATTRIBUTES Attributes are used to create different views of the controls Control type Information security properties Cybersecurity concepts Operational capabilities Security domains #Preventive #Detective #Corrective #Confidentiality #Integrity #Availability #Identity #Protect #Detect #Respond #Recover #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance #Governance_and_Ecosystem #Protection #Defence #Resilience
THE CHANGES TO 27002: ATTRIBUTES Attributes are used to create different views of the controls
THE CHANGES TO 27002: ATTRIBUTES You can create your own attributes You can ignore those in the standard For example: 1. Assign risk references to the controls treating specific risks 2. Maturity implementation level 3. Implementation state 4. Responsible department Control Treating risk Implementation maturity Implementation state Responsible department Information security properties Operational capabilities 5.7 Threat intelligence #6 #15 #Level_2 #Partially_implemented #CISO #Confidentiality #Integrity #Availability #Threat_and_vulnera bility_management 5.8 Information security in project management #2 #Level_3 #Fully_implemented #CISO #CSO #Confidentiality #Integrity #Availability #Governance
NEW CONTROLS
THE CHANGES TO 27002: NEW CONTROLS 5.7 Threat intelligence Control Information relating to information security threats should be collected and analysed to produce threat intelligence. Purpose To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.
THE CHANGES TO 27002: NEW CONTROLS 5.23 Information security for use of cloud services Control Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. Purpose To specify and manage information security for the use of cloud services.
THE CHANGES TO 27002: NEW CONTROLS 5.30 ICT readiness for business continuity Control ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. Purpose To ensure the availability of the organization’s information and other associated assets during disruption.
THE CHANGES TO 27002: NEW CONTROLS 7.4 Physical security monitoring Control Premises should be continuously monitored for unauthorized physical access. Purpose To detect and deter unauthorized physical access.
THE CHANGES TO 27002: NEW CONTROLS 8.9 Configuration management Control Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. Purpose To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.
THE CHANGES TO 27002: NEW CONTROLS 8.10 Information deletion Control Information stored in information systems, devices or in any other storage media should be deleted when no longer required. Purpose To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
THE CHANGES TO 27002: NEW CONTROLS 8.11 Data masking Control Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. Purpose To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.
THE CHANGES TO 27002: NEW CONTROLS 8.12 Data leakage prevention Control Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. Purpose To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.
THE CHANGES TO 27002: NEW CONTROLS 8.16 Monitoring activities Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Purpose To detect anomalous behaviour and potential information security incidents.
THE CHANGES TO 27002: NEW CONTROLS 8.23 Web filtering Control Access to external websites should be managed to reduce exposure to malicious content. Purpose To protect systems from being compromised by malware and to prevent access to unauthorized web resources.
THE CHANGES TO 27002: NEW CONTROLS 8.28 Secure coding Control Secure coding principles should be applied to software development. Purpose To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
ISMS IMPLICATIONS
RISK ASSESSMENT & TREATMENT • You will need to review your risk assessment ISO 27001: Clause 8.2 The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur. • You will need to review your SoA and risk treatment plan:- ISO 27001: Clause 6.1.3 b) Determine all controls that are necessary to implement the information security risk treatment options c) Compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted d) Produce a statement of applicability e) Formulate an information security risk treatment plan
STATEMENT OF APPLICABILITY #Governance A.6 Organisation of information security #Asset_management A.8 Asset management #Information_protection #Human_resource_security A.7 Human resources security #Physical_security A.11 Physical and environmental security #System_and_network_security A.13 Communications security #Application_security A.14 Acquisition, development and maintenance #Secure_configuration #Identity_and_access_management A.9 Access control #Threat_and_vulnerability #Continuity A.17 Business continuity #Supplier_relationships_security A.15 Supplier relationships #Legal_and_compliance A.18 Compliance #Information_security_event_management A.16 Incident management #Information_security_assurance You will need to remap Operational attributes can help
IMPLICATIONS FOR OTHER STANDARDS There are no plans to change these standards
TRANSITION TIMELINE
TIMELINE TBC 2022 Transition period begins All current existing certificates to ISO 27001:2013 will expire two years from the last day of the month of the release and publication of the updated version of ISO 27001. CB’s must cease conducting initial and recertification audits. As such, all initial and recertification audits occurring after this date must be conducted against the updated version. Any remaining transition audits should be completed (allowing suitable time for corrective actions and certificates to be issued). Transition period ends 2024 Certificates for ISO 27001:2013 will no longer be valid TBC TBC
Q&A
THANK YOU Warwick House | Houghton Hall Park | Houghton Regis | Dunstable | LU5 5ZX | United Kingdom 0800 052 2424 | info@nqa.com | www.nqa.com

Recommended

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
Cyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdfCyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdftoncik
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 

Recommended

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
Cyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdfCyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdftoncik
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingOperational Excellence Consulting
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness TrainingDr Madhu Aman Sharma
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterOperational Excellence Consulting
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certificationramya119
 
Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Sylvain Martinez
 
ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?Alvin Integrated Services [AIS]
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001powertech
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information TechnologyKathirvel Ayyaswamy
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wpketanaagja
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças Fernando Palma
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
27001 2013 iso geek
27001 2013 iso geek27001 2013 iso geek
27001 2013 iso geekofficialmanager
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromMart Rovers
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Cyber Security and Cloud Security
Cyber Security and Cloud SecurityCyber Security and Cloud Security
Cyber Security and Cloud SecurityIT Governance Ltd
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 

More Related Content

Similar to NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf

Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingNguyễn Đăng Quang
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterOperational Excellence Consulting
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certificationramya119
 
Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Sylvain Martinez
 
ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?Alvin Integrated Services [AIS]
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001powertech
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information TechnologyKathirvel Ayyaswamy
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wpketanaagja
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001PECB
 
ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças Fernando Palma
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview Ahmed Riad .
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromMart Rovers
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Cyber Security and Cloud Security
Cyber Security and Cloud SecurityCyber Security and Cloud Security
Cyber Security and Cloud SecurityIT Governance Ltd
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 

Similar to NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf (20)

Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness PosterISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Poster
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certification
 
Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1
 
ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?ISO 27017 – What are the Business Advantages of Cloud Security?
ISO 27017 – What are the Business Advantages of Cloud Security?
 
The best way to use ISO 27001
The best way to use ISO 27001The best way to use ISO 27001
The best way to use ISO 27001
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 
Tripwire Iso 27001 Wp
Tripwire Iso 27001 WpTripwire Iso 27001 Wp
Tripwire Iso 27001 Wp
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
Implementing of a Cyber Security Program Framework from ISO 27032 to ISO 55001
 
ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças ISO 27002 2013 Atualizações / mudanças
ISO 27002 2013 Atualizações / mudanças
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
27001 2013 iso geek
27001 2013 iso geek27001 2013 iso geek
27001 2013 iso geek
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Cyber Security and Cloud Security
Cyber Security and Cloud SecurityCyber Security and Cloud Security
Cyber Security and Cloud Security
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 

Recently uploaded

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistKHM Anwar
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 

Recently uploaded (20)

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization Specialist
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 

NQA-Webinar-A-guide-to-the-changes-to-ISO-27002.pdf

  • 1. ISO 27002:2022 – A GUIDE TO THE CHANGES Tim Pinnell
  • 2. KEY INFO • 45 minute webinar • Questions in the chat box • Q&A at the end • Recording of webinar circulated shortly YOUR PRESENTER
  • 3. LONDON BOSTON BANGALORE SHANGHAI AMERICA’S No. 1 CHINA’S No. 1 Certification body in aerospace sector Certification body in automotive sector OUR IS TO HELP CUSTOMERS DELIVER PRODUCTS THE WORLD CAN TRUST PURPOSE NQA is a world leading certification body with global operations. NQA specialises in certification in high technology and engineering sectors. GLOBAL No.1 Certification body in telecommunications and Automotive sector GLOBAL No.3 Certification body in Aerospace sector Top3 IN THE UK ISO 9001 ISO 14001 ISO 45001 ISO 27001 UK’S No.2 Certification body in Aerospace sector
  • 5. WHAT WE WILL COVER TODAY • A quick overview of 27002 • The changes to 27002 • New controls • ISMS implications • Implications for other 27k standards • Transition timelines • Q&A
  • 7. ISO 27001 & ISO 27002 Management System - Requirements ISO 27001:2013 Information security management systems - Requirements Code of practice - Guidance ISO 27002:2017 Code of practice for information security controls Management System 4. Context 5. Leadership 6. Planning 7. Support 8. Operations 9. Performance 10. Improvement Annex A (114 controls) 5. Policies 6. Organisation 7. Human resources 8. Asset management 9. Access Control 10. Cryptography 11. Physical 12. Operations 13. Communications 14. Dev and maintenance 15. Suppliers 16. Incidents 17. Business Continuity 18. Compliance 114 controls 5. Policies 6. Organisation 7. Human resources 8. Asset management 9. Access Control 10. Cryptography 11. Physical 12. Operations 13. Communications 14. Dev and maintenance 15. Suppliers 16. Incidents 17. Business Continuity 18. Compliance
  • 8. REQUIREMENTS VS. GUIDANCE Management System - Requirements ISO 27001:2013 Information security management systems - Requirements Code of practice - Guidance ISO 27002:2017 Code of practice for information security controls
  • 10. THE CHANGES TO 27002: TITLE 2017 Information technology – Security techniques – Code of practise for information security controls (ISO/IEC 27002:2013) 2022 Information security, cybersecurity and privacy protection – Information security controls
  • 11. THE CHANGES TO 27002: CONTROL GROUPS 2017 14 Control Groups 2022 4 Themes Control Groups 5. Policies 12. Operations 6. Organisation 13. Communications 7. Human resources 14. Dev and maintenance 8. Asset management 15. Suppliers 9. Access Control 16. Incidents 10. Cryptography 17. Business Continuity 11. Physical 18. Compliance Theme clauses 5. Organisational 7. Physical 6. People 8. Technology
  • 12. THE CHANGES TO 27002: NO GROUP OBJECTIVES 2017
  • 13. THE CHANGES TO 27002: CONTROLS 2017 2022 114 controls 93 controls 19 controls consolidated 11 new controls n deleted controls?
  • 14. THE CHANGES TO 27002: ATTRIBUTES Attributes are used to create different views of the controls Control type Information security properties Cybersecurity concepts Operational capabilities Security domains #Preventive #Detective #Corrective #Confidentiality #Integrity #Availability #Identity #Protect #Detect #Respond #Recover #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance #Governance_and_Ecosystem #Protection #Defence #Resilience
  • 15. THE CHANGES TO 27002: ATTRIBUTES Attributes are used to create different views of the controls
  • 16. THE CHANGES TO 27002: ATTRIBUTES You can create your own attributes You can ignore those in the standard For example: 1. Assign risk references to the controls treating specific risks 2. Maturity implementation level 3. Implementation state 4. Responsible department Control Treating risk Implementation maturity Implementation state Responsible department Information security properties Operational capabilities 5.7 Threat intelligence #6 #15 #Level_2 #Partially_implemented #CISO #Confidentiality #Integrity #Availability #Threat_and_vulnera bility_management 5.8 Information security in project management #2 #Level_3 #Fully_implemented #CISO #CSO #Confidentiality #Integrity #Availability #Governance
  • 18. THE CHANGES TO 27002: NEW CONTROLS 5.7 Threat intelligence Control Information relating to information security threats should be collected and analysed to produce threat intelligence. Purpose To provide awareness of the organization’s threat environment so that the appropriate mitigation actions can be taken.
  • 19. THE CHANGES TO 27002: NEW CONTROLS 5.23 Information security for use of cloud services Control Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization’s information security requirements. Purpose To specify and manage information security for the use of cloud services.
  • 20. THE CHANGES TO 27002: NEW CONTROLS 5.30 ICT readiness for business continuity Control ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. Purpose To ensure the availability of the organization’s information and other associated assets during disruption.
  • 21. THE CHANGES TO 27002: NEW CONTROLS 7.4 Physical security monitoring Control Premises should be continuously monitored for unauthorized physical access. Purpose To detect and deter unauthorized physical access.
  • 22. THE CHANGES TO 27002: NEW CONTROLS 8.9 Configuration management Control Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. Purpose To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.
  • 23. THE CHANGES TO 27002: NEW CONTROLS 8.10 Information deletion Control Information stored in information systems, devices or in any other storage media should be deleted when no longer required. Purpose To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
  • 24. THE CHANGES TO 27002: NEW CONTROLS 8.11 Data masking Control Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. Purpose To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.
  • 25. THE CHANGES TO 27002: NEW CONTROLS 8.12 Data leakage prevention Control Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. Purpose To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.
  • 26. THE CHANGES TO 27002: NEW CONTROLS 8.16 Monitoring activities Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. Purpose To detect anomalous behaviour and potential information security incidents.
  • 27. THE CHANGES TO 27002: NEW CONTROLS 8.23 Web filtering Control Access to external websites should be managed to reduce exposure to malicious content. Purpose To protect systems from being compromised by malware and to prevent access to unauthorized web resources.
  • 28. THE CHANGES TO 27002: NEW CONTROLS 8.28 Secure coding Control Secure coding principles should be applied to software development. Purpose To ensure software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
  • 30. RISK ASSESSMENT & TREATMENT • You will need to review your risk assessment ISO 27001: Clause 8.2 The organisation shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur. • You will need to review your SoA and risk treatment plan:- ISO 27001: Clause 6.1.3 b) Determine all controls that are necessary to implement the information security risk treatment options c) Compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted d) Produce a statement of applicability e) Formulate an information security risk treatment plan
  • 31. STATEMENT OF APPLICABILITY #Governance A.6 Organisation of information security #Asset_management A.8 Asset management #Information_protection #Human_resource_security A.7 Human resources security #Physical_security A.11 Physical and environmental security #System_and_network_security A.13 Communications security #Application_security A.14 Acquisition, development and maintenance #Secure_configuration #Identity_and_access_management A.9 Access control #Threat_and_vulnerability #Continuity A.17 Business continuity #Supplier_relationships_security A.15 Supplier relationships #Legal_and_compliance A.18 Compliance #Information_security_event_management A.16 Incident management #Information_security_assurance You will need to remap Operational attributes can help
  • 32. IMPLICATIONS FOR OTHER STANDARDS There are no plans to change these standards
  • 34. TIMELINE TBC 2022 Transition period begins All current existing certificates to ISO 27001:2013 will expire two years from the last day of the month of the release and publication of the updated version of ISO 27001. CB’s must cease conducting initial and recertification audits. As such, all initial and recertification audits occurring after this date must be conducted against the updated version. Any remaining transition audits should be completed (allowing suitable time for corrective actions and certificates to be issued). Transition period ends 2024 Certificates for ISO 27001:2013 will no longer be valid TBC TBC
  • 35. Q&A
  • 36. THANK YOU Warwick House | Houghton Hall Park | Houghton Regis | Dunstable | LU5 5ZX | United Kingdom 0800 052 2424 | info@nqa.com | www.nqa.com