To download this complete presentation, visit: https://www.oeconsulting.com.sg/training-presentations

LEARNING OBJECTIVES:
1. Acquire knowledge on the fundamentals of information security
2. Describe the ISO/IEC 27001:2022 structure
3. Understand the ISO/IEC 27001:2022 implementation and certification process
4. Gather useful tips on handling an audit session
ISO/IEC 27001:2022 Information Security Management Systems
© Operational Excellence Consulting. All rights reserved.
CONTENTS
1. Fundamentals of Information Security
2. ISO/IEC 27001:2022 Structure
3. Implementation, Certification & Audits
4. Handling an Audit Session
125% increase in cyber-attacks in 2021, with evidence suggesting a continued uptick through 2022.
Source: Global Cybersecurity Outlook, 2022
DEFINITION OF INFORMATION SECURITY
● Preservation of confidentiality, integrity and availability of information (source: ISO/IEC 2014)
THREE PRINCIPLES OF INFORMATION SECURITY (CIA TRIAD)
● Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
● Integrity: property of accuracy and completeness
● Availability: property of being accessible and usable upon demand by an authorized entity
Source: Adapted from ISO/IEC
INFORMATION SECURITY IS ACHIEVED USING A COMBINATION OF SUITABLE STRATEGIES & APPROACHES
● Determining the risks to information and treating them accordingly (proactive risk management)
● Protecting CIA (Confidentiality, Integrity and Availability)
● Securing people, processes and technology… not just IT!
● Avoiding, preventing, detecting and recovering from incidents
WHAT ARE THE IMPACTS OF SECURITY INCIDENTS?
● Devaluation of intellectual property
● IT downtime, business interruption
● Financial losses and costs
● Reputation and brand damage leading to loss of customer, market, etc. confidence and lost business
● Breaking laws and regulations, leading to prosecutions, fines and penalties
● Fear, uncertainty and doubt
HISTORY OF ISO/IEC 27001
01. 1992: Code of Practice for Security Management
02. 1995: British Standards Institute (BSI) BS7799
03. 2000: ISO/IEC 17799
04. 2005: ISO/IEC 27001:2005 (1st edition)
05. 2013: ISO/IEC 27001:2013 (2nd edition)
06. 2022: ISO/IEC 27001:2022 (3rd edition)
WHAT IS ISO/IEC 27001?
● ISO/IEC 27001 is an international standard designed and formulated to help create a robust information security management system (ISMS)
● Includes people, processes and technology, not just IT systems, by applying a risk management process
● A comprehensive set of controls that comprise best practices in information security
● A systematic approach to help organizations secure their information assets – vital in today’s increasingly digital world
ISO/IEC 27000 SERIES – KEY STANDARDS & GUIDELINES AT A GLANCE
● ISO/IEC 27000:2018 (Security techniques – Information security management systems – Overview and vocabulary): This document provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.
● ISO/IEC 27001:2022 (Information security management systems – Requirements): This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
● ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection – Information security controls): This document provides a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001.
WHAT ARE THE NEW SECURITY CONTROLS?
● A.5.7 Threat intelligence
● A.5.23 Information security for use of cloud services
● A.5.30 ICT readiness for business continuity
● A.7.4 Physical security monitoring
● A.8.9 Configuration management
● A.8.10 Information deletion
● A.8.11 Data masking
● A.8.12 Data leakage prevention
● A.8.16 Monitoring activities
● A.8.23 Web filtering
● A.8.28 Secure coding
BENEFITS OF ADOPTING ISO/IEC 27001 STANDARD
● Demonstrable commitment to security by the organization
● Increase resilience to cyber-attacks
● Manages and minimizes risk exposure
● Legal and regulatory compliance
● Protects the organization’s assets, shareholders and customers
● Respond to evolving security threats
● Reduce costs and spending on ineffective defense technology
● Commercial credibility, confidence and assurance
ADVANTAGES OF CERTIFICATION
● Certification to ISO/IEC 27001 is voluntary
● Independent check of conformity by a third party
● Indicates an effective Information Security Management System
● National/International recognition
● Provides competitive advantage
● Improves company image
PLAN-DO-CHECK-ACT (PDCA) PROCESS MODEL – THE DEMING CYCLE
1. PLAN: Establish objectives, resources required, customer and stakeholder requirements, organizational policies and identify risks and opportunities.
2. DO: Implement what was planned.
3. CHECK: Monitor and measure processes to establish performance against policies, objectives, requirements and planned activities and report the results.
4. ACT: Take action to improve performance, as necessary.
ISO/IEC 27001:2022 IS BASED ON THE PDCA MODEL
● Input: interested parties’ information security requirements & expectations
● Information Security Management System (Clause 4.0):
  – Plan: Establish ISMS
  – Do: Implement & operate the ISMS
  – Check: Monitor & review the ISMS
  – Act: Maintain & improve the ISMS
● Output: managed information security for the interested parties
Source: Based on ISO
ANNEX L IS A FRAMEWORK FOR A GENERIC MANAGEMENT SYSTEM
However, it requires the addition of discipline-specific requirements to make a fully functional standard.
Annex L provides:
● High-level structure
● Identical core text
● Common definitions
ISO/IEC 27001:2022 IS BASED ON THE ISO HIGH-LEVEL STRUCTURE FOR MANAGEMENT SYSTEM STANDARDS
1. Scope
2. Normative References
3. Terms & Definitions
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
PDCA AND ISO/IEC 27001:2022 CLAUSE STRUCTURE
● Introductory clauses: 0. Introduction, 1. Scope, 2. Normative References, 3. Terms & Definitions
● PLAN: 4. Context of the Organization, 5. Leadership, 6. Planning
● DO: 7. Support, 8. Operation
● CHECK: 9. Performance Evaluation
● ACT: 10. Improvement
ISO/IEC 27001:2022 KEY CLAUSE STRUCTURE (4-10)

PLAN
4. Context of the organization
  4.1 Understanding the organization and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the ISMS
  4.4 Information Security Management System
5. Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organizational roles, responsibilities and authorities
6. Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and planning to achieve them

DO
7. Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8. Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment

CHECK
9. Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review

ACT
10. Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
BECOMING ISO/IEC 27001:2022 CERTIFIED
● The certification body examines the ISMS for conformity to the ISO/IEC 27001:2022 standard
● The ISMS audit is a compliance audit
● Certification means the organization has a documented ISMS that is fully implemented and meets ISO/IEC 27001:2022 requirements
ISO/IEC 27001:2022 CERTIFICATION PROCESS
1. Implementation of ISMS
2. Conduct Internal Audit and Review Result by Top Management
3. Selection of a Certification Body
4. Stage 1 Audit
5. Stage 2 Audit
6. Confirmation of Registration
7. Continual Improvement and Surveillance Audits
ISO/IEC 27001:2022 CERTIFICATION TRANSITION TIMELINE
● 2022: ISO/IEC 27001:2022 published (October 25, 2022)
● 2022-2025: Transition to full compliance
● 2023-2024: Recertification audits to new standard
● 2025: Full conformance with new standard (October 31, 2025)
Companies that are currently certified to ISO/IEC 27001:2013 have to transition to ISO/IEC 27001:2022 within 3 years of the publication of the new standard.
AUDIT FINDINGS

MAJOR NON-CONFORMITY
§ A major non-conformity relates to the absence or total breakdown of a required process or a number of minor non-conformities listed against similar areas
§ A major non-conformity at the Registration Audit would defer recommendation for registration until that major has been closed

MINOR NON-CONFORMITY
§ A minor non-conformity is an observed lapse in your system’s ability to meet the requirements of the standard or your internal systems, while the overall process remains intact

OBSERVATION
§ An observation or opportunity for improvement relates to a matter about which the Auditor is concerned but which cannot be clearly stated as a non-conformity
§ Observations also indicate trends which may result in a future non-conformity
HOW TO HANDLE AN AUDIT SESSION?
● Do not panic
● Offer evidence and explain patiently
● Take note of improvement areas highlighted by the auditor
● Ask and clarify
● Show internal audit report, when necessary
● Admit obvious non-conformities
AUDITEE’S CONDUCT
● Polite
● Professional
● Positive / Receptive
● Sincere
● Commitment
● Formal but not overly serious
Information security is everybody’s job!
ABOUT OPERATIONAL EXCELLENCE CONSULTING
Operational Excellence Consulting is a management training and consulting firm that assists organizations in improving business performance and effectiveness. Based in Singapore, the firm’s mission is to create business value for organizations through innovative design and operational excellence management training and consulting solutions. For more information, please visit www.oeconsulting.com.sg