ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know



Just a few days ago NIST published a complete refresh of SP 800-53, a catalog of security and privacy controls that protect an organization against a variety of risks and threats.
How might NIST guidance fit into an information security management system like ISO/IEC 27001 and its privacy extension ISO/IEC 27701?

In this session we walk quickly through the standards and best practices, compare them, and find out how they map to and differ from one another.

The webinar covers:

• A quick recap of the topics covered in ISO/IEC 27001 and ISO/IEC 27701
• Discovering the NIST guidelines for information & cyber security (the SP 800 and SP 1800 series)
• Main differences and mappings between NIST guidance and ISO/IEC 27001
• The latest publication (September 2020) of NIST SP 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations)
• Implementing information & cyber-security best practices

Date: October 14, 2020
YouTube presentation: https://youtu.be/zfsxSaaErqg
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION


ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know

  1. Agenda: Introduction • ISO/IEC 27001 & 27701 quick recap (previous sessions) • Introduction to NIST • NIST SP 800-53 walk-through • Comparing ISMS, PIMS & NIST • What about certification? • Q & A
  2. Introduction
  3. Before we start... previous session recap
  4. Previous sessions: 1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (2019-12-09) 2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29) 3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15) 4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24) • Check the past webinars on the PECB website at https://pecb.com/past-webinars • Find all sessions with Q&A + collaterals (decks, recordings) at http://ffwd2.me/PECB_ISO27001_webinars (shortcut to the LinkedIn page)
  5. Quick recap: Best practices ≠ regulations • ISO requirements (the audit reference) vs. guidelines • Privacy ≠ data protection • Data protection ≠ information security • PII vs. personal data • International vs. regional
  6. Quick recap: ISO 27001 = ISMS • ISO 27701 = PIMS
  7. What this session is not about: an ISO or NIST deep dive (course material references and NIST document references: see later) • The nuts and bolts of the ISMS; just know that ISO/IEC 27001 has 10 chapters, of which 7 are requirement clauses (Clauses 4..10, built on PDCA), plus an annex with 14 main categories (A.5..A.18), 35 subcategories (control objectives) and 114 controls/measures
  8. And also: the ISO/IEC 27000 series • ISO 27001 and ISO 27701 are certifiable • 59 documents in total in the ISO 27000 series, including codes of practice, guidance, auditing (ISO 27006), incident management (ISO 27035), cybersecurity (ISO 27032), business continuity, communications security, application security, supply chain, storage, ... • More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
  9. What this session is not about: the nuts and bolts of the PIMS; just know that it is certifiable like the ISMS • is the privacy & GDPR add-on to the ISMS • adds specifications to the interpretation of information security, now including PII/personal data • adds extra requirements from the GDPR & other legislation • has interesting annexes: a GDPR mapping and an ISO 29100 (privacy) mapping
  10. Introduction to NIST: National Institute of Standards and Technology (US Department of Commerce)
  11. NIST: About: founded in 1901; now part of the US Department of Commerce • Mission: "To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life." • Core competencies: measurement science; rigorous traceability; development and use of standards • Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
  12. NIST publications (as of 2020-10-13) • Source: https://www.nist.gov/publications
  13. NIST – privacy, cyber & information security: this session's focus is the NIST Special Publications (SP), https://csrc.nist.gov/publications/sp, and specifically computer security (SP 800), https://csrc.nist.gov/publications/sp800, 188 documents • Also check (not covered in detail today): SP 1800 (cybersecurity practice guides), https://csrc.nist.gov/publications/sp1800, 25 documents
  14. NIST – SP 800 level of detail, ISO 27001 vs. NIST SP 800-53:
      Management clauses: 7 vs. included in the controls
      Control categories: 14 vs. 20
      Subcategories: 35 vs. 321
      Total controls: 114 vs. 1189
      Pages: 23+80 vs. 464
      Additional material: 59 ISO 27x standards vs. 188 documents in the NIST SP 800 series plus 25 in NIST SP 1800 (cyber)
  15. NIST – SP 800 series: 800-53 Rev. 5 (2020-09-23, fresh!), Security and Privacy Controls for Information Systems and Organizations (FYI, 464 pages) • But also 800-12: Introduction to Information Security; 800-39: Managing Information Security Risk; 800-55: performance measurement • And patch management, firewalls, electronic mail, TLS, PKI, Bluetooth, ...
  16. NIST SP 800-53 walk-through: Security and Privacy Controls for Information Systems and Organizations
  17. NIST SP 800-53 Rev. 5: Info: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final • Downloads: SP 800-53 Rev. 5 (DOI); local download • Supplements: spreadsheet of 800-53 Rev. 5 controls (xls); SP 800-53 Collaboration Index Template (xls); SP 800-53 Collaboration Index Template (word)
  18. NIST SP 800-53 Rev. 5 abstract: a catalog of security and privacy controls for information systems and organizations, to protect organizational operations and assets, individuals and other organizations against a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks • The controls are flexible and customizable, and are implemented as part of an organization-wide process to manage risk • Derived from mission and business needs, regulations, legal requirements, ... • Both a functionality (effectiveness) and an assurance (trust) perspective
  19. NIST SP 800-53 Rev. 5 add-ons: [SP 800-30] provides guidance on the risk assessment process • [IR 8062] introduces privacy risk concepts • [SP 800-39] provides guidance on risk management processes and strategies • [SP 800-37] provides a comprehensive risk management process • [SP 800-53A] provides guidance on assessing the effectiveness of controls • [SP 800-53B] provides guidance for tailoring security and privacy control baselines and for developing overlays to support the specific protection needs and requirements of stakeholders and their organizations
  20. NIST SP 800-53 Rev. 5 setup: Chapter 1: Introduction (p. 1..6) • Chapter 2: The fundamentals (p. 7..14) • Chapter 3: The controls (p. 16..363) • References • Appendixes: glossary, acronyms, control summaries (p. 427..464) (!)
  21. Chapter 1 (quick check): The need to protect information, systems, organizations & individuals • Purpose & applicability • Audience • Organizational responsibilities • Relationship to other publications • Revisions & extensions • Rev. 5 (2020) vs. Rev. 4 (2013)
  22. Chapter 2: Fundamental concepts associated with security and privacy controls, including the structure of the controls, how the controls are organized in the consolidated catalog, control implementation approaches, the relationship between security and privacy controls, and trustworthiness and assurance
  23. Chapter 3 (full catalog): The consolidated catalog of security and privacy controls, including a discussion section that explains the purpose of each control and provides useful information on control implementation and assessment, a list of related controls showing the relationships and dependencies among controls, and a list of references to supporting publications that may be helpful to organizations
  24. Control structure
  25. Detail provided on every control/measure: control identifier • control name • base control • control definition (the security measure itself) • organization-defined parameters (tasks left to the organization) • control enhancements • additional sources (references) • links to related controls
  26. Detail provided on every control/measure (annotated control)
  27. Control implementation & classification: Implementation approaches: common (one implementation applies to multiple systems), system-specific, hybrid (mix of both) • Security vs. privacy controls • Trustworthiness: an important part of the risk management strategy; trustworthiness is driven by functionality (effectiveness of security) and assurance (measure of confidence)
  28. Control structure – focus
  29. Comparing ISMS, PIMS & NIST: how do they map (or not)?
  30. ISMS, PIMS & NIST – the essentials: ISMS: high-level approach; part 1 = clauses (management responsibilities); part 2 = operational security measures (ref. ISO 27002) • ISO 27002: advice & suggestions on the ISMS (& PIMS) • PIMS: turns "information security" into "information security & data protection (PII)"; add-on to ISO 27001, ISO 27002 & ISO 29100 • NIST: highly detailed on all categories
  31. ISMS, PIMS & NIST – attention points: ISMS: no practical advice or implementation guidance; lots of freedom & choice; 114 control points/measures; you can plug in any technical/implementation framework to achieve ISO 27001; international level • NIST: US level; extremely detailed, very extensive; well organized, super practical guidance & reference
  32. ISMS, PIMS & NIST – and also: ISO: limited set of publicly available standards, http://ffwd2.me/FreeISO; subscription/licence model • NIST: free
  33. What about certification? ISO vs. NIST
  34. Certification context: ISO international certification (ISO 27001, ISO 27701, and also ISO 9001, ...) alongside the GDPR, NIS, the Cyber Act & requirements from other international legislation or sectors
  35. Why is this important? ISO 27001 is international • standardized • mutually recognized • linked to other standards & process references (like ISO 9001) • built on the PDCA cycle
  36. Certification – NIST: NIST does not offer certification and accreditation methods to certify information security management systems • No equivalent process to ISO certification
  37. Certification – NIST alternatives: the assessment and authorization (A&A) process that is part of the NIST Risk Management Framework (RMF) • As part of control assessment, the organization selects the appropriate assessor or assessment team • Fully described in NIST SP 800-37 Rev. 2 [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final] • Guidance for assessing controls: NIST SP 800-53A; risk: NIST SP 800-30; information security continuous monitoring: NIST SP 800-137A
  38. Ramping up... relevant PECB training courses
  39. Relevant training – PIMS: PECB ISO 27701 Foundation • PECB ISO 27701 LI • PECB ISO 27701 LA • Information security: PECB ISO 27001 LI • PECB ISO 27001 LA • PECB ISO 27002 LM
  40. Relevant training – data protection: PECB Certified Data Protection Officer (GDPR) • Privacy: PECB ISO 29100 LI
  41. Other relevant training – incident management: PECB ISO 27035 LI • Risk management: PECB ISO 27005 LI
  42. PECB training agenda: check the PECB agenda and select ISO/IEC 27701 Lead Implementer at https://pecb.com/en/partnerEvent/event_schedule_list • For full details about an event, click the 'View' button on the right-hand side under 'View full details' • Note: before applying for any of the training courses listed, make sure you are registered with PECB
  43. Q&A
  44. Appendix
  45. Relevant training – PECB ISO 27701: Foundation https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation • Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer • Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
  46. Relevant training – PECB ISO 27001: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001 • Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer • Lead Auditor https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
  47. Relevant training – PECB ISO 27002: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002 • Lead Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
  48. Relevant training – PECB GDPR: https://pecb.com/en/education-and-certification-for-individuals/gdpr • CDPO https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-data-protection-officer
  49. Relevant training – PECB ISO 29100: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer • Lead Implementer https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
  50. Relevant training – PECB ISO 27035 (incident management): https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035 • Lead Incident Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
  51. Relevant training – PECB ISO 27005 (risk management): https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005 • Lead Risk Manager https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
  52. ISO/IEC 27701 training courses: ISO/IEC 27701 Foundation, 2-day course • ISO/IEC 27701 Lead Implementer, 5-day course • Exam and certification fees are included in the training price • https://pecb.com/en/education-and-certification-for-individuals/iso-27701 • www.pecb.com/events
  53. Thank you • info@cyberminute.com (CyberMinute) • hello@shiftleftsecurity.eu (Shift Left Security)
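The control structure walked through on slides 24 to 27 (control identifier, base control, enhancements, organization-defined parameters, related controls) is exactly what you load when the Rev. 5 spreadsheet from slide 17 goes into a GRC or ISMS tool for mapping against ISO 27001 Annex A. The script below is an added example, not code from the webinar, from PECB or from NIST: it parses the identifier grammar (AC-2 for a base control, AC-2(1) for an enhancement), checks an excerpt for the inconsistencies that break a mapping (an enhancement whose base control is missing, a related control that is not in the catalog, a family outside the 20 Rev. 5 families, a self-reference) and counts base controls and enhancements per family in the shape of the slide-14 comparison table. The row shape (identifier, title, comma-separated related controls) and the sample rows are constructed assumptions for the example, not the real spreadsheet layout or quoted catalog text.

```python
"""Parse an excerpt of a NIST SP 800-53 Rev. 5 control catalog and check it
for structural consistency before importing it into a GRC/ISMS tool.

Added illustration, not code from PECB, NIST or the webinar. Row shape and
sample rows are constructed assumptions, not the real spreadsheet layout.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The 20 control families of SP 800-53 Rev. 5 (slide 14: "Control categories 20").
FAMILIES = {
    "AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
    "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR",
}

# Identifier grammar: FAMILY-NUMBER is a base control, FAMILY-NUMBER(N) is a
# control enhancement of that base control, e.g. "AC-2" and "AC-2(1)".
ID_RE = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?$")


@dataclass(frozen=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int] = None

    @classmethod
    def parse(cls, text: str) -> "ControlId":
        m = ID_RE.match(text.strip())
        if not m:
            raise ValueError(f"malformed control identifier: {text!r}")
        enh = m.group("enh")
        return cls(m.group("family"), int(m.group("number")), int(enh) if enh else None)

    @property
    def is_enhancement(self) -> bool:
        return self.enhancement is not None

    @property
    def base(self) -> "ControlId":
        # The base control an enhancement hangs off (AC-2(1) -> AC-2).
        return ControlId(self.family, self.number)

    def __str__(self) -> str:
        s = f"{self.family}-{self.number}"
        return f"{s}({self.enhancement})" if self.is_enhancement else s


@dataclass(frozen=True)
class Control:
    cid: ControlId
    title: str
    related: tuple                      # tuple of ControlId (slide 25: links to related controls)


def parse_catalog(rows) -> dict:
    """rows: iterable of (identifier, title, related) where related is a
    comma-separated string, the way a spreadsheet export would carry it
    (assumed layout). Returns {ControlId: Control}."""
    controls: dict = {}
    for ident, title, related in rows:
        cid = ControlId.parse(ident)
        if cid in controls:
            raise ValueError(f"duplicate control identifier: {cid}")
        rel = tuple(ControlId.parse(r) for r in related.split(",") if r.strip())
        controls[cid] = Control(cid, title.strip(), rel)
    return controls


def check_catalog(controls: dict) -> list:
    """Human-readable findings, sorted; an empty list means the excerpt is
    internally consistent and safe to map."""
    findings = []
    for cid, ctl in controls.items():
        if cid.family not in FAMILIES:
            findings.append(f"{cid}: unknown family {cid.family}")
        if cid.is_enhancement and cid.base not in controls:
            findings.append(f"{cid}: enhancement without base control {cid.base}")
        for rel in ctl.related:
            if rel == cid:
                findings.append(f"{cid}: references itself as a related control")
            elif rel not in controls:
                findings.append(f"{cid}: related control {rel} not in catalog")
    return sorted(findings)


def summarize(controls: dict) -> dict:
    """Counts in the shape of the slide-14 table: base controls, enhancements
    and controls per family."""
    per_family = Counter(cid.family for cid in controls)
    return {
        "base_controls": sum(1 for c in controls if not c.is_enhancement),
        "enhancements": sum(1 for c in controls if c.is_enhancement),
        "per_family": dict(sorted(per_family.items())),
    }


# Constructed sample excerpt (not quoted from the catalog). The AC-1 link to
# PM-9 and the last two rows are deliberately inconsistent for the checks.
SAMPLE_ROWS = [
    ("AC-1", "Policy and Procedures", "PM-9"),
    ("AC-2", "Account Management", "AC-3, AC-5, AC-6, AU-2, IA-2"),
    ("AC-2(1)", "Automated System Account Management", "AC-2"),
    ("AC-3", "Access Enforcement", "AC-2, AC-5, AC-6"),
    ("AC-5", "Separation of Duties", "AC-2, AC-3, AC-6"),
    ("AC-6", "Least Privilege", "AC-2, AC-3, AC-5"),
    ("AU-2", "Event Logging", "AC-2, AC-6"),
    ("IA-2", "Identification and Authentication", "AC-2"),
    ("SC-7(3)", "Access Points", ""),        # base control SC-7 not in excerpt
    ("ZZ-1", "Not a real family", "ZZ-1"),   # unknown family, self-reference
]

if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_ROWS)
    print(summarize(catalog))
    for finding in check_catalog(catalog):
        print("FINDING:", finding)
```

Run it with python3; the findings on AC-1, SC-7(3) and ZZ-1 are the deliberately broken rows. Organization-defined parameters (slide 25) are not modelled here, and on a real export the dangling-reference check is the one to watch, since a related control that is absent from your tool's import is a mapping gap, not a typo.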

Editor's notes (speaker notes): slides presented alternately by Peter and Erwin • Collaterals: https://www.linkedin.com/pulse/pecb-webinar-collaterals-iso27001iso27701-series-peter-geelen-/ • Lead Auditor for ISO27001 and ISO27701 (to be launched)
