ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
Because of the ongoing increase in consumer data collection, breaches have also been increasing.
In this regard, information security, data privacy, and cybersecurity standards provide guidelines and requirements on how to better manage and deal with such breaches.
Amongst others, the webinar covers:
• ISO 27032:2012 – A Framework for Cybersecurity Risks
• ISO/IEC 27000-series, Standards, 27001 vs 27002
• ISO 27002:2022 and 27001:2022 Updates
Presenters:
Danny Manimbo
Danny Manimbo is a Principal with Schellman, based in Denver, Colorado. As a member of Schellman’s West Coast/Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice and the development and oversight of Schellman's SOC practice line, as well as specialty practices such as HIPAA. Danny has been with Schellman for nine years and has over 11 years of experience in providing data security audit and compliance services.
Erik Tomasi
Erik Tomasi is the Managing Partner at EMTsec, a security consulting firm based in Miami and New York. He leads the firm’s consulting division and manages client relationships across several industry sectors. Mr. Tomasi is considered an expert in information security, risk management, and technology management.
Sawyer Miller
Sawyer is a Senior Manager who oversees the ISO practice for risk3sixty, an Atlanta-based Security, Privacy, and Compliance firm helping clients implement business-first information security and compliance programs.
Date: June 22, 2022
Tags: ISO, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27032, Data protection, Data Privacy, Cybersecurity, Information Security
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/isoiec-270022022--information-security-cybersecurity-and-privacy-protection
https://pecb.com/whitepaper/no-iso-27001-certified-companies-among-largest-data-breaches-2014-2015
https://pecb.com/whitepaper/isoiec-270022013-information-technology---security-techniques-code-of-practice-for-information-security-controls
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/fE3DqISAfQY
2. Speakers
Danny Manimbo
Principal / ISO Practice Co-Director
Based in Denver, CO
Erik Tomasi
Managing Director, EMTsec
Based in Miami, FL
Sawyer Miller
Senior Manager/ ISO Practice Leader
Based in Atlanta, GA
Follow us @Schellman
Twitter @ErikTomasi or LinkedIn
Check out our YouTube Channel and connect with us on LinkedIn
3. Agenda
• ISO 27032:2012 – A Framework for Cybersecurity Risks
• ISO/IEC 27000-series, Standards, 27001 vs 27002
• ISO 27002:2022 and 27001:2022 Updates
• Q&A
5. Security Concepts and Relationships
• Cybersecurity focuses on protecting the Confidentiality, Integrity, and Availability of the assets/data stakeholders care about
• So how do we build a model that enables us to conceptualize how to best do that?
• We must identify Assets, Threats against them, and Vulnerabilities in our control framework
• Potential exploitation of vulnerabilities by threats creates risks
• Risks should be managed at an acceptable level
6. Who are the Stakeholders?
• Executives
• Boards
• Shareholders
• Regulatory Bodies
• Partners
• Consumers (You and Me!!)
From ISO 27032:2012:
“The Cyberspace belongs to no one; everyone can participate and has a stake in it.”
7. ISO 27032:2012 Concepts in Action
• Read ISO 27032:2012 and filter for your needs
• Define the roles and responsibilities – a good place to start is department/Business Unit leaders
• Get a good GRC tool – one that enables you to track risks, risk owners, and treatment plans
• Set up interviews with the individuals and small groups
• Take them through the exercise of identifying Assets, Threats, and Vulnerabilities
• Articulate risk statements from the information gathered
• Identify Risk Owners and work with them to develop treatment plans and due dates
8. Risk Management Tips
It depends on your organization. Right-size it. What is your risk appetite?
Be clear on scope. Be clear on purpose.
Focus on topics and known issues first.
Ask open-ended questions, for example: “If you could change anything, what would you change to reduce InfoSec risk the most?”
Don’t try to boil the ocean. The 80/20 rule usually applies.
10. ISO/IEC 27000-series
• Jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005
• Revised; the current version was published in 2013
• Information Security Management System (ISMS):
  • Defines and manages a set of security controls
  • Designed to protect the Confidentiality, Integrity, and Availability (CIA) of IT assets
  • Risk-based approach (after asset identification and valuation):
    • Threats
    • Vulnerabilities
    • Risk matrix: Impact vs. Likelihood
    • Mitigation
• Also known as the ISMS Family of Standards or “ISO27K”
• Considered the gold standard of information security frameworks
• Numerous use cases (global multinational firm, SaaS vendor)
11. ISO/IEC 27000 Partial List of Publications
Standard | Title | Description
27000 | ISMS | Overview and vocabulary of the framework
27001 | IT Security Techniques | Core InfoSec standard, generic ISMS. Management clauses and Annex A (5-18) controls
27002 | InfoSec Code of Practice | Detailed catalog of security controls
27003 | InfoSec Implementation Guide | Project plan on approach and recommendations
27004 | InfoSec Management | Auditing guide – monitoring and measuring (KPIs)
27005 | InfoSec Risk Management | How to identify, assess, evaluate and treat InfoSec risk
27701 | Privacy Information Management System (PIMS) | One of dozens of 27000-series publications, focused on privacy risk. Published in 2019
14. ISO/IEC 27001 as a Framework - Questions to consider
How mature is my organization’s InfoSec program?
  - If immature, it might pay to use a less rigorous standard
  - Improve the security program and controls
  - Use a crosswalk to leverage existing work
Are we a global organization?
  - If domestic only, there are other options
Does our industry have specific standards?
  - Healthcare (HIPAA), Retail (PCI)
  - Maybe comply with multiple standards
What is the scope of assets we want to protect?
  - If the scope is broad, it might be difficult to achieve
If yes, do we want to adhere or become certified?
  - Meeting the standard is often enough for stakeholders
  - Compliance is at minimum a 3-year process
  - Extensive evidence that controls are in place and being met
15. How does ISO 27002 differ from ISO 27001?
Publication | What is it? | When should you use it?
ISO 27001 | Management standard that defines how to build an ISMS | When you need to scope, design, and build a compliant ISMS
ISO 27002 | Set of guidelines and techniques for implementing security controls | When you’re ready to implement specific security controls to safeguard your ISMS
Please note that, in terms of certification, only ISO 27001 can be certified against.
19. ISO 27002 Updates – Control Set Structure
• From 14 control domains to 4 control categories (or themes):
  • a) people, if they concern individual people (Clause 6);
  • b) physical, if they concern physical objects (Clause 7);
  • c) technological, if they concern technology (Clause 8);
  • d) otherwise they are categorized as organizational (Clause 5).
• The idea is to make controls more modernized, simplified, and versatile
• 50+ controls from 27002:2013 were merged for simplification and ease of use and understanding, and outdated references (e.g., obsolete technologies) were removed
20. ISO 27002 Updates – Highlight of Changes
• Total control count went from 114 to 93
• 75% of the controls in the 2022 version are within the Organizational and Technological themes.
• 24 controls in the 2022 version include a consolidation of 57 controls from the 2013 version (2+ controls combined into 1 control).
• 58 controls are roughly a one-for-one from the 2013 version to the 2022 version (note these are general mappings; updates were made to control context).
• 11 new controls introduced in the 2022 version.
• All controls from the 2013 version are mapped to the 2022 control set.
21. ISO 27002 Updates – Mapping (New and Old)
Table B.1 — Correspondence between controls in this document and controls in ISO/IEC 27002:2013
ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name
5.1 | 05.1.1, 05.1.2 | Policies for information security
5.2 | 06.1.1 | Information security roles and responsibilities
5.3 | 06.1.2 | Segregation of duties
Table B.2 — Correspondence between controls in ISO/IEC 27002:2013 and controls in this document
ISO/IEC 27002:2013 Control Identifier | ISO/IEC 27002:2022 Control Identifier | Control name according to ISO/IEC 27002:2013
5 | – | Information security policies
5.1 | – | Management direction for information security
5.1.1 | 5.1 | Policies for information security
5.1.2 | 5.1 | Review of the policies for information security
22. ISO 27002 Updates – 11 “Net New” Controls
• Threat Intelligence (5.7)
• Information Security for Use of Cloud Services (5.23)
• ICT Readiness for Business Continuity (5.30)
• Physical Security Monitoring (7.4)
• Configuration Management (8.9)
• Information Deletion (8.10)
• Data Masking (8.11)
• Data Leakage Prevention (8.12)
• Monitoring Activities (8.16)
• Web Filtering (8.23)
• Secure Coding (8.28)
23. ISO 27002 Updates – Control Set – Consolidated & New
ISO/IEC 27002:2013 (A.5-A.18), with control counts:
• A.5 Information security policies (2)
• A.6 Organization of information security (7)
• A.7 Human resources security (6)
• A.8 Asset management (10)
• A.9 Access control (14)
• A.10 Cryptography (2)
• A.11 Physical and environmental security (15)
• A.12 Operations security (14)
• A.13 Communications security (7)
• A.14 System acquisition, development and maintenance (13)
• A.15 Supplier relationships (5)
• A.16 Information security incident management (7)
• A.17 Information security aspects of business continuity management (4)
• A.18 Compliance (8)
ISO/IEC 27002:2022 (Clauses 5-8), with control counts:
• 5 Organizational (37)
• 6 People (8)
• 7 Physical (14)
• 8 Technological (34)
24. ISO 27002 Updates – Control Set – Consolidated & New
High Level Comparison
Consolidated (24)
ISO 27002:2022 | ISO 27002:2013
5.1 – Policies for information security | 5.1.1, 5.1.2
5.8 – Information security in project management | 6.1.5, 14.1.1
5.9 – Inventory of information and other associated assets | 8.1.1, 8.1.2
5.10 – Acceptable use of information and other associated assets | 8.1.3, 8.2.3
5.14 – Information transfer | 13.2.1, 13.2.2, 13.2.3
5.15 – Access control | 9.1.1, 9.1.2
5.17 – Authentication information | 9.2.4, 9.3.1, 9.4.3
5.18 – Access rights | 9.2.2, 9.2.5, 9.2.6
5.22 – Monitoring, review and change management of supplier services | 15.2.1, 15.2.2
5.29 – Information security during disruption | 17.1.1, 17.1.2, 17.1.3
5.31 – Identification of legal, statutory, regulatory and contractual requirements | 18.1.1, 18.1.5
5.36 – Compliance with policies and standards for information security | 18.2.2, 18.2.3
6.8 – Information security event reporting | 16.1.2, 16.1.3
7.2 – Physical entry controls | 11.1.2, 11.1.6
7.10 – Storage media | 8.3.1, 8.3.2, 8.3.3, 11.2.5
8.1 – User endpoint devices | 6.2.1, 11.2.8
8.8 – Management of technical vulnerabilities | 12.6.1, 18.2.3
8.15 – Logging | 12.4.1, 12.4.2, 12.4.3
8.19 – Installation of software on operational systems | 12.5.1, 12.6.2
8.24 – Use of cryptography | 10.1.1, 10.1.2
8.26 – Application security requirements | 14.1.2, 14.1.3
8.29 – Security testing in development and acceptance | 14.2.8, 14.2.9
8.31 – Separation of development, test and production environments | 12.1.4, 14.2.6
8.32 – Change management | 12.1.2, 14.2.2, 14.2.3, 14.2.4
New (11)
• 5.7 – Threat intelligence
• 5.23 – Information security for use of cloud services
• 5.30 – ICT readiness for business continuity
• 7.4 – Physical security monitoring
• 8.9 – Configuration management
• 8.10 – Information deletion
• 8.11 – Data masking
• 8.12 – Data leakage prevention
• 8.16 – Monitoring activities
• 8.23 – Web filtering
• 8.28 – Secure coding
25. What about ISO 27001?
Annex A (based on ISO 27002:2013) is the current control set in 27001:2013.
ISO will be updating ISO 27001 to include within Annex A the control set of the new ISO 27002:2022 (to replace A.5-A.18), along with slight modifications to ISMS clause 6:
• ISMS clause 6.1.3 c) specifically references “control objectives”, which, as noted previously, will no longer exist
• For that reason, a minor update to the clause language is needed
• No other changes to ISMS clauses 4-10 are anticipated
26. What about ISO 27001?
Anticipated timeframe to publish 27001:2022 is late Q4 or potentially early 2023 (still TBD).
It is assumed that with ISO 27001:2022 getting published, a two-year (24 month) transition period will be provided for organizations to update their ISMS and demonstrate conformance to the new version of ISO 27001.