ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

1. • Introduction • ISO/IEC 27001 & 27701- quick recap (prev. sessions) • Introduction to NIST • NIST SP800-53 Walk-through • Comparing ISMS, PIMS & NIST • What about certification? • Q & A Agenda

2. Introduction

3. Before we start… Previous session recap

4. 1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard - (2019-12-09) 2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29) 3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15) 4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24) • Check the past webinars on the PECB website at • https://pecb.com/past-webinars Find all sessions with Q&A + collaterals (decks, recording) at: http://ffwd2.me/PECB_ISO27001_webinars (short cut to LinkedIN page) Previous sessions

5. • Best practices ≠ regulations • ISO Requirements (ref. audit) vs guidelines • Privacy ≠ Data Protection • Data protection ≠ Information Security • PII vs Personal Data • International vs. Regional Quick Recap

6. • ISO27001 = ISMS • ISO27701 = PIMS Quick Recap

7. ISO or NIST deep dive • Course material reference see later • NIST document reference see later The nuts and bolts of ISMS Just know that it has • 10 chapters, 7 clauses (Clause 4..10, built on PDCA) • Annex with • 14 main categories (A5..A18) • 35 subcategories • 114 controls / measures • Course material reference, see later What this session is not about

8. ISO/IEC 27000 series • ISO27001 and ISO27701 = certifiable • Total 59 documents ISO27000 series including • Code of practices • Guidance • Auditing (ISO27006) • Incident management (ISO27035) • Cybersecurity (ISO27032) • Business continuity, Communications security, Application Security, Supply Chain, Storage, … • More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0 And also

9. The nuts and bolts of PIMS Just know that it • Is certifiable like ISMS • Is Privacy & GDPR add-on to ISMS • Add specifications to interpretation of information security • Now including PII/personal data • Extra requirements from GDPR & other legislation • Interesting annex • GDPR mapping • ISO29100 (Privacy) mapping What this session is not about

10. Introduction to NIST National Institute of Standards and Technology (US Dept of Commerce)

11. Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values About • Founded in 1901 • Now part of US Department of Commerce Mission “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” Core competencies • Measurement science • Rigorous traceability • Development and use of standards NIST

12. Publications (dd 2020-10-13) Source: https://www.nist.gov/publications NIST

13. This session focus • NIST Special publications (SP) • https://csrc.nist.gov/publications/sp • Computer security (SP800) • https://csrc.nist.gov/publications/sp800 • 188 docs Also check (not covered today) • SP1800 (Cybersecurity practice guides) • https://csrc.nist.gov/publications/sp1800 • Not covered in detail today • 25 documents NIST – Privacy, Cyber & Information security

14. ISO27001 NIST SP800-53 Management Clauses 7 Incl. Control Categories 15 20 Subcategories 35 321 Total Controls 114 1189 Pages 23+80 464 Additional ISO27x standards NIST SP800 series 59 188 NIST SP1800 (Cyber) 25 NIST – SP800 level of detail

15. SP800 Series • 800-53 rev 5 (dd 2020-09-23, fresh !) • Security and Privacy Controls for Information Systems and Organizations • (FYI, 464 pag.) But also • 800-12: Intro to Information Security • 800-39: Information Security Risk • 800-55: Performance management, And • Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, … NIST – SP800

16. NIST SP800-53 Walk-through Security and Privacy Controls for Information Systems and Organizations

17. Info https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final Downloads • SP 800-53 Rev. 5 (DOI) • Local Download Supplements • Spreadsheet of 800-53 Rev. 5 Controls (xls) • SP 800-53 Collaboration Index Template (xls) • SP 800-53 Collaboration Index Template (word) NIST SP800-53 rev.5

18. Abstract • Catalog of security and privacy control • For information systems and organizations • To protect organizational operations and assets, individuals, other organizations • Against from a diverse set of threats and risks, • including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. • Controls are flexible and customizable • Implemented as part of an organization-wide process to manage risk • Derived from mission and business needs, regulations, legal requirement … • Functionality (effectiveness) and assurance perspective (trust) NIST SP800-53 rev.5

19. Add-ons • [SP 800-30] provides guidance on the risk assessment process. • [IR 8062] introduces privacy risk concepts. • [SP 800-39] provides guidance on risk management processes and strategies. • [SP 800-37] provides a comprehensive risk management process. • [SP 800-53A] provides guidance on assessing the effectiveness of controls. • [SP 800-53B] provides guidance for tailoring security and privacy control baselines and for developing overlays to support the specific protection needs and requirements of stakeholders and their organizations. NIST SP800-53 rev.5

20. Setup • Chapter 1: Introduction (p1..6) • Chapter 2: the fundamentals (p7..14) • Chapter 3: The controls (p16..363) • Reference • Appendixes • Glossary • Acronyms • Control summaries (p.427..464) (!) NIST SP800-53 rev.5

21. Chapter 1 (quick check) • The need to protect information, systems, organization & individuals • Purpose & applicability • Audience • Organization responsibilities • Relation to other publications • Revision & extensions • Rev 5 (2020) vs Rev 4 (2016) NIST SP800-53 rev.5

22. Chapter 2 • Fundamental concepts • Associated with security and privacy • Controls, including • The structure of the controls, • How the controls are organized in the consolidated catalog, • Control implementation approaches, • The relationship between • Security and privacy controls, and • Trustworthiness and assurance NIST SP800-53 rev.5

23. Chapter 3 (full catalog) • Consolidated catalog of security and privacy controls • Incl. discussion section to explain the purpose of each control and • Provide useful information regarding • control implementation and • assessment, • A list of related controls to show • The relationships and dependencies among controls, and • A list of references to supporting • Publications that may be helpful to organizations NIST SP800-53 rev.5

24. Control Structure NIST SP800-53 rev.5

25. Detail provided on every security control/measure • Control identifier • Control name • Base control • Security measure definition • Organization tasks (org defined parameter) • Control enhancement • Additional sources • Links to other controls NIST SP800-53 rev.5

26. Detail provided on every security control/measure NIST SP800-53 rev.5

27. Control implementation & classification • Implementation approaches • Common implementation (applies to multiple system) • System Specific • Hybrid (mix of both) • Security vs Privacy • Trustworthiness • Important part of risk management strategy • Impact on trustworthiness • Functionality (effectiveness of security) • Assurance (measure of confidence) NIST SP800-53 rev.5

28. Control Structure - Focus NIST SP800-53 rev.5

29. Comparing ISMS, PIMS & NIST How do they map (or not)?

30. The essentials • ISMS • high level approach • Part 1 = clauses (Management responsibilities) • Part 2 = operational security measures (ref ISO27002) • ISO27002 • Advisory & suggestions on ISMS (& PIMS) • PIMS • Turns “information security” • Into “information security & data protection (PII)” • Add-on to ISO27001, ISO27002 & ISO29100 • NIST • Highly detailed on all categories ISMS, PIMS & NIST

31. Attention points • ISMS • No practical advise, or implementation guidance • Lots of freedom & choice • 114 control points / measures • You can plug in any technical / implementation framework to achieve ISO27001 • International level • NIST • US level • Extremely detailed, very extended • Well organized, super practical guidance & reference ISMS, PIMS & NIST

32. And also • ISO • Limited set publicly Available Standards: http://ffwd2.me/FreeISO • Subscription/License model • NIST • Free ISMS, PIMS & NIST

33. What about certification? ISO vs NIST

34. Context Certification Certification ISO international ISO27001, ISO27701 (and also ISO9001, …) GDPR, NIS, Cyber Act & requirements by other international legislation or sectors

35. ISO27001 • International, • Standardized • Mutual recognition • Linked to other standards & process references (like ISO9001) • PDCA cycle Why is this important?

36. NIST • NIST does not offer certification and accreditation methods to certify information security management systems • No equivalent process to ISO Certification

37. NIST Alternatives • assessment and authorization (A&A) process that is part of the NIST Risk Management Framework (RMF) • As part of control assessment, the organization selects the appropriate assessor or assessment team • Fully described in NIST SP800-37, Rev.2 [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final]. • Guidance for assessing • Controls: NIST SP 800-53A, • Risk: NIST SP 800-30 • Infosec Continuous monitoring: NIST SP 800-137A Certification

38. Ramping up… Relevant PECB Training courses

39. Relevant Training PIMS • PECB ISO 27701 Foundation • PECB ISO 27701 LI • PECB ISO 27701 LA Information Security • PECB ISO 27001 LI • PECB ISO 27001 LA • PECB ISO 27002 LM

40. Relevant Training Data protection • PECB Certified Data protection Officer (GDPR) Privacy • PECB ISO29100 LI

41. Other Relevant Training Incident Management • PECB ISO 27035 LI Risk Management • PECB ISO 27005 LI

42. Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer https://pecb.com/en/partnerEvent/event_schedule_list Training Events For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’. Note: Before applying for any training courses listed below, please make sure you are registered to PECB Training Agenda

43. Q&A

44. Appendix

45. Relevant Training PECB ISO 27701 Foundation https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-foundation PECB ISO 27701 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-implementer PECB ISO 27701 Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27701/iso-iec-27701-lead-auditor

46. Relevant Training PECB ISO 27001 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-implementer Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27001/iso-iec-27001-lead-auditor

47. Relevant Training PECB ISO 27002 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002 Lead Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec- 27002/iso-iec-27002-lead-manager

48. Relevant Training PECB GDPR https://pecb.com/en/education-and-certification-for-individuals/gdpr CDPO https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified- data-protection-officer

49. Relevant Training PECB ISO29100 https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100- privacy-implementer/iso-29100-lead-privacy-implementer

50. Relevant Training PECB ISO27035 - Incident Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 Lead Incident Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 /iso-iec-27035-lead-incident-manager

51. Relevant Training PECB ISO27005 - Risk Management https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 Lead Risk Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 /iso-27005-lead-risk-manager

52. ISO/IEC 27701 Training Courses • ISO/IEC 27701 Foundation 2 Day Course • ISO/IEC 27701 Lead Implementer 5Days Course Exam and certification fees are included in the training price. https://pecb.com/en/education-and-certification-for-individuals/iso- 27701 www.pecb.com/events

53. THANK YOU ? info@cyberminute.com CyberMinute hello@shiftleftsecurity.eu Shift Left Security

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

Plus De Contenu Connexe

Diaporamas pour vous

Similaire à ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

Plus par PECB

À la une

Livres associés

Livres audio associés

ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

Notes de l'éditeur