ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?

Speakers
Danny Manimbo
Principal / ISO Practice Co-Director
Based in Denver, CO
Erik Tomasi
Managing Director, EMTsec
Based in Miami, FL
Sawyer Miller
Senior Manager/ ISO Practice Leader
Based in Atlanta, GA
Follow us @Schellman
Twitter@ErikTomasi or LinkedIn
Check out our YouTube Channel
and connect with us on LinkedIn

Agenda
 ISO 27032:2012 – A Framework for
Cybersecurity Risks
 ISO/IEC 27000-series, Standards,
27001 vs 27002
 ISO 27002:2022 and 27001:2022
Updates
 Q&A

1
ISO 27032:2012 - A Framework
for Cybersecurity Risks

Security Concepts and Relationships
• Cybersecurity focuses on protecting the
Confidentiality, Integrity, and Availability
of Assets/data stakeholders care about
• So how do we build a model that enables
us to conceptualize how to best do that?
• We must identify Assets, Threats against
them, and Vulnerabilities in our control
framework
• Potential exploitation of vulnerabilities
by threats create risks
• Risks should be managed at an
acceptable level
1

Who are the Stakeholders?
• Executives
• Boards
• Shareholders
• Regulatory Bodies
• Partners
• Consumers (You and Me!!)
From ISO 27032:2012:
“The Cyberspace belongs to no one; everyone can participate and has a stake in it.”
1

ISO 27032:2012 Concepts in Action
• Read ISO 27032:2012 and filter for your needs
• Define the roles and responsibilities - A good place to start is
department/Business Unit leaders
• Get a good GRC tool – one that enables you to track risks, risk owners, and
treatment plans
• Set up interviews with the individuals and small groups
• Take them through the exercise of identifying Assets, Threats, and
Vulnerabilities
• Articulate risks statements from the information gathered
• Identify Risk Owners and work with them to develop treatment plans and due
dates
1

Risk Management Tips
It depends on your organization. Right-size it. What is your risk appetite?
Be clear on scope. Be clear on purpose.
Focus on topics and known issues first.
Ask open ended questions.
If you could change anything, what would you change to reduce InfoSec risk the
most?
Don’t try to boil the Ocean. 80/20 rule usually applies.
1

2
ISO/IEC 27000-series,
Standards, 27001 vs 27002

ISO/IEC 27000-series
• Jointly published by International Organization for Standardization (ISO) & International
Electrotechnical Commission (IEC) in 2005
• Revised, and current version, published in 2013
• Information Security Management System:
• Defines and Manages set of security control
• Designed to protect the Confidentiality, Integrity, and Availability (CIA) of IT assets
• Risk Based Approach (post asset identification and valuation)
• Threats
• Vulnerabilities
• Risk Matrix: Impact vs Likelihood
• Mitigation
• Also known as ISMS Family of Standards or “ISO27K”
• Considered the Gold standard of Information Security Frameworks
• Numerous use cases (Global multinational firm, SaaS vendor)
2

ISO/IEC 27000 Partial List of Publications
2
Standard Title Description
27000 ISMS Overview and vocabulary of the framework
27001 IT Security Techniques Core InfoSec standard, Generic ISMS. Management clauses and
Annex A (5-18) controls
27002 InfoSec Code of practice Detailed catalog of security controls
27003 InfoSec Implementation Guide Project Plan on approach and recommendations
27004 InfoSec Management Auditing Guide – Monitoring & Measuring (KPIs)
27005 InfoSec Risk Management How to identify, assess, evaluate and treat InfoSec risk.
27701 Privacy Information
Management System (PIMS)
One of dozens of 27000 series publications, focused on privacy risk.
Published in 2019

ISO/IEC 27001:2013 Control Summary
2

27001:2013 Control Example – Annex 5
2

ISO/IEC 27001 as a Framework - Questions to consider
How mature is my organizations InfoSec program?
 If immature might pay to use a less rigorous standard
 Improve security program and controls
 Use a crosswalk to leverage existing work 
Are we a global organization?
 If domestic only, other options
 Does our industry have specific standards?
 Healthcare (HIPAA), Retail (PCI)
 Maybe comply with multiple standards
 What is the scope of assets we want to protect?
 If broad scope might be difficult to achieve
 If yes, do we want to adhere or become certified?
 Meeting the standard, is often enough for stakeholders
 Compliance, is minimum 3-year process
 Extensive evidence controls are in place and being met
2

How does ISO 27002 differ from ISO 27001?
2
Publication What is it? When should you use it?
ISO 27001 Management standard
that defines how to build
an ISMS
When you need to scope,
design, and build a
compliant ISMS
ISO 27002 Set of guidelines and
techniques for
implementing security
controls
When you’re ready to
implement specific
security controls to
safeguard your ISMS
Please note in terms of certification - only ISO 27001

Sample ISO 27001controls questionnaire
2

3
ISO 27002:2022 &
ISO 27001:2022 Updates

ISO 27002 Updates – Control Set Structure
• 14 control domains to 4 control categories
(or themes)
• a) people, if they concern individual people (Clause 6);
• b) physical, if they concern physical objects (Clause 7);
• c) technological, if they concern technology (Clause 8);
• d) otherwise they are categorized as organizational (Clause 5).
• Idea is to make controls more modernized, simplified, and versatile
• 50+ controls from 27002:2013 were merged for simplification and ease of use and
understanding
and it also removed outdated references
(e.g., obsolete technologies)
3

ISO 27002 Updates – Highlight of Changes
• Total control count went from 114 to 93
• 75% of the controls in the 2022 version are within the Organizational and
Technological themes.
• 24 controls in the 2022 version include a consolidation of 57 controls from
the 2013 version (2+ controls combined into 1 control).
• 58 controls are roughly a one-for-one from the 2013 version to the 2022 version
(note these are general mappings; updates were made to control context).
• 11 new controls introduced in the 2022 version.
• All controls from the 2013 version are mapped to the 2022 control set.
3

ISO 27002 Updates – Mapping (New and Old)
3
Table B.1 — Correspondence between controls in this document and controls in ISO/IEC 27002:2013
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.1 05.1.1, 05.1.2 Policies for information security
5.2 06.1.1 Information security roles and responsibilities
5.3 06.1.2 Segregation of duties
Table B.2 — Correspondence between controls in ISO/IEC 27002:2013 and controls in this document
ISO/IEC 27002:2013 Control Identifier ISO/IEC 27002:2022 Control Identifier Control name according to ISO/IEC 27002:2013
5 Information security policies
5.1 Management direction for information security
5.1.1 5.1 Policies for information security
5.1.2 5.1 Review of the policies for information security

ISO 27002 Updates – 11 “Net New” Controls
11 New Controls
• Threat Intelligence (5.7)
• Information Security for Use of Cloud Services (5.23)
• ICT Readiness for Business Continuity (5.30)
• Physical Security Monitoring (7.4)
• Configuration Management (8.9)
• Information Deletion (8.10)
• Data Masking (8.11)
• Data Leakage Prevention (8.12)
• Monitoring Activities (8.16)
• Web Filtering (8.23)
• Secure Coding (8.28)
3

ISO 27002 Updates – Control Set – Consolidated & New
3
ISO/IEC 27002:2013 (A.5-A.18)
A.5 Information security
policies (2)
A.9 Access control (14)
A.13 Communications
security (7)
incident management (7)
A.6 Organization of
information security (7)
A.10 Cryptography (2) A.14 System acquisition,
development and
maintenance (13)
aspects of business
continuity management (4)
A.7 Human resources
security (6)
A.11 Physical and
environmental security (15)
A.8 Asset management (10) A.12 Operations security (14)
A.15 Supplier relationships
(5)
A.18 Compliance (8)
ISO/IEC 27002:2022 (Clauses 5-8)
5 Organizational (37) 6 People (8) 7 Physical (14) 8 Technological (34)

ISO 27002 Updates – Control Set – Consolidated & New
3
High Level Comparison
Consolidated (24)
ISO 27002:2022 ISO 27002:2013 ISO 27002:2022 ISO 27002:2013
5.1 – Policies for information security 5.1.1, 5.1.2 6.8 – Information security event reporting 16.1.2, 16.1.3
5.8 – Information security in project management 6.1.5, 14.1.1 7.2 – Physical entry controls 11.1.2, 11.1.6
5.9 – Inventory of information and other associated assets 8.1.1, 8.1.2 7.10 – Storage media 8.3.1, 8.3.2, 8.3.3, 11.2.5
5.10 – Acceptable use of information and other associated assets 8.1.3, 8.2.3 8.1 – User endpoint devices 6.2.1, 11.2.8
5.14 – Information transfer 13.2.1, 13.2.2, 13.2.3 8.8 – Management of technical vulnerabilities 12.6.1, 18.2.3
5.15 – Access control 9.1.1, 9.1.2 8.15 – Logging 12.4.1, 12.4.2, 12.4.3
5.17 – Authentication information 9.2.4, 9.3.1, 9.4.3 8.19 – Installation of software on operational systems 12.5.1, 12.6.2
5.18 – Access rights 9.2.2, 9.2.5, 9.2.6 8.24 – Use of cryptography 10.1.1, 10.1.2
5.22 – Monitoring, review and change management of supplier services 15.2.1, 15.2.2 8.26 – Application security requirements 14.1.2, 14.1.3
5.29 – Information security during disruption 17.1.1, 17.1.2, 17.1.3 8.29 – Security testing in development and acceptance 14.2.8, 14.2.9
5.31 – Identification of legal, statutory, regulatory and contractual requirements 18.1.1, 18.1.5 8.31 – Separation of development, test and production environments 12.1.4, 14.2.6
5.36 – Compliance with policies and standards for information security 18.2.2, 18.2.3 8.32 – Change management 12.1.2, 14.2.2, 14.2.3, 14.2.4
New (11)
5.7 – Threat intelligence 8.11 – Data masking
5.23 – Information security for use of cloud services 8.12 – Data leakage prevention
5.30 – ICT readiness for business continuity 8.16 – Monitoring activities
7.4 – Physical security monitoring 8.23 – Web filtering
8.9 – Configuration management 8.28 – Secure coding
8.10 – Information deletion

What about ISO 27001?
Annex A (based on ISO 27002:2013) is the current control set in 27001:2013.
ISO will be updating ISO 27001 to include within Annex A the control set of the
new ISO 27002:2022 (to replace A.5-A.18) and slight modifications to ISMS
clause 6.
• ISMS clause 6.1.3 c, which specifically references “control objectives”
which as noted previously will no longer exist
• For that reason, a minor update to the clause language is needed
• No other anticipated changes will be made to ISMS clauses 4-10
3

What about ISO 27001?
Anticipated timeframe to publish 27001:2022 is late Q4 or potentially early 2023
(still TBD)
It is assumed that with ISO 27001:2022 getting published, a two-year (24 month)
transition period will be provided for organizations to update their ISMS and
demonstrate conformance to the new version of ISO 27001.
3

THANK YOU
?
danny.manimbo@schellman.com Danny Manimbo
Sawyer.Miller@risk3sixty.com Sawyer Miller
etomasi@emtsec.com Erik Tomasi

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?

Recommandé

Recommandé

Contenu connexe

Similaire à ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?

Similaire à ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map? (20)

Plus de PECB

Plus de PECB (20)

Dernier

Dernier (20)

ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?