• Introduction
• ISO/IEC 27001 & 27701- quick recap (prev. sessions)
• Introduction to NIST
• NIST SP800-53 Walk-through
• Comparing ISMS, PIMS & NIST
• What about certification?
• Q & A
Agenda
Introduction
Before we start…
Previous session recap
1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard -
(2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
(2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information
Security Manager, and Information Security Auditor (2020-06-24)
• Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (shortcut to the LinkedIn page)
Previous sessions
• Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
Quick Recap
• ISO27001 = ISMS
• ISO27701 = PIMS
Quick Recap
ISO or NIST deep dive
• Course material reference see later
• NIST document reference see later
The nuts and bolts of ISMS
Just know that it has
• 10 clauses, of which 7 (clauses 4..10, built on the PDCA cycle) contain the auditable requirements
• Annex A with
• 14 control domains (A.5..A.18)
• 35 control objectives
• 114 controls / measures
• Course material reference, see later
What this session is not about
ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Code of practices
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain,
Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
And also
The nuts and bolts of PIMS
Just know that it
• Is certifiable like the ISMS, but only as an extension of an ISO27001 certificate (no standalone PIMS certificate)
• Is the privacy & GDPR add-on to the ISMS
• Adds privacy-specific requirements and interpretations to the information security controls
• Now explicitly covering PII / personal data
• Extra requirements derived from GDPR & other legislation
• Interesting annexes
• GDPR mapping
• ISO29100 (privacy framework) mapping
What this session is not about
Introduction to NIST
National Institute of Standards and Technology
(US Dept of Commerce)
Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
About
• Founded in 1901
• Now part of US Department of Commerce
Mission
“To promote U.S. innovation and industrial competitiveness by advancing measurement science,
standards, and technology in ways that enhance economic security and improve our quality of life.”
Core competencies
• Measurement science
• Rigorous traceability
• Development and use of standards
NIST
Publications (as of 2020-10-13)
Source: https://www.nist.gov/publications
NIST
This session focus
• NIST Special publications (SP)
• https://csrc.nist.gov/publications/sp
• Computer security (SP800)
• https://csrc.nist.gov/publications/sp800
• 188 docs
Also check (not covered today)
• SP1800 (Cybersecurity practice guides)
• https://csrc.nist.gov/publications/sp1800
• Not covered in detail today
• 25 documents
NIST – Privacy, Cyber & Information security
                      ISO27001 (ISMS)                 NIST SP800-53 rev.5
Management clauses    7 (clauses 4..10)               included in the catalog (PL, PM, … families)
Control categories    14 (Annex A.5..A.18)            20 control families
Subcategories         35 control objectives           321 base controls
Total controls        114                             1189 (base controls + control enhancements)
Pages                 23 (ISO27001) + 80 (ISO27002)   464
Additional material   ISO27x series: 59 documents     NIST SP800 series: 188 documents
                                                      NIST SP1800 (cyber practice guides): 25 documents
Note: the 321 / 1189 figures count every identifier in the rev.5 catalog, including controls marked withdrawn (e.g. SA-12, incorporated into the SR family, or SC-9, incorporated into SC-8), so the number of live controls is somewhat lower.
NIST – SP800 level of detail
SP800 Series
• 800-53 rev 5 (dated 2020-09-23, freshly released)
• Security and Privacy Controls for Information Systems and Organizations
• (FYI, 464 pages)
But also
• 800-12: Intro to Information Security
• 800-39: Information Security Risk
• 800-55: Performance management,
And
• Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, …
NIST – SP800
NIST SP800-53 Walk-through
Security and Privacy Controls for
Information Systems and Organizations
Info
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Downloads
• SP 800-53 Rev. 5 (DOI)
• Local Download
Supplements
• Spreadsheet of 800-53 Rev. 5 Controls (xls)
• SP 800-53 Collaboration Index Template (xls)
• SP 800-53 Collaboration Index Template (word)
NIST SP800-53 rev.5
Abstract
• Catalog of security and privacy controls
• For information systems and organizations
• To protect organizational operations and assets, individuals and other organizations
• Against a diverse set of threats and risks,
• including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks
• Controls are flexible and customizable
• Implemented as part of an organization-wide process to manage risk
• Derived from mission and business needs, regulations, legal requirements, …
• Address both functionality (effectiveness) and assurance (trustworthiness)
NIST SP800-53 rev.5
Add-ons
• [SP 800-30] provides guidance on the risk assessment process.
• [IR 8062] introduces privacy risk concepts.
• [SP 800-39] provides guidance on risk management processes and strategies.
• [SP 800-37] provides a comprehensive risk management process.
• [SP 800-53A] provides guidance on assessing the effectiveness of controls.
• [SP 800-53B] provides guidance for tailoring security and privacy control
baselines and for developing overlays to support the specific protection needs
and requirements of stakeholders and their organizations.
NIST SP800-53 rev.5
Structure
• Chapter 1: Introduction (p1..6)
• Chapter 2: The fundamentals (p7..14)
• Chapter 3: The controls (p16..363)
• References
• Appendices
• Glossary
• Acronyms
• Control summaries (p427..464) (!) – the quick-reference tables of all controls and enhancements per family
NIST SP800-53 rev.5
Chapter 1 (quick check)
• The need to protect information, systems, organization & individuals
• Purpose & applicability
• Audience
• Organization responsibilities
• Relation to other publications
• Revision & extensions
• Rev 5 (September 2020) vs Rev 4 (April 2013, updated January 2015)
NIST SP800-53 rev.5
Chapter 2
• Fundamental concepts
• Associated with security and privacy
• Controls, including
• The structure of the controls,
• How the controls are organized in the consolidated catalog,
• Control implementation approaches,
• The relationship between
• Security and privacy controls, and
• Trustworthiness and assurance
NIST SP800-53 rev.5
Chapter 3 (full catalog)
• Consolidated catalog of security and privacy controls
• Incl. discussion section to explain the purpose of each control and
• Provide useful information regarding
• control implementation and
• assessment,
• A list of related controls to show
• The relationships and dependencies among controls, and
• A list of references to supporting
• Publications that may be helpful to organizations
NIST SP800-53 rev.5
Control Structure
NIST SP800-53 rev.5
Detail provided on every security control/measure
• Control identifier (family prefix + number, e.g. AC-2; enhancements are numbered in parentheses, e.g. AC-2(1))
• Control name
• Base control text (the control statement itself)
• Organization-defined parameters (assignment / selection placeholders the organization must fill in)
• Discussion (purpose of the control and implementation / assessment notes)
• Control enhancements (optional additions that strengthen the base control)
• References (supporting publications)
• Related controls (links to other controls)
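The catalog layout described above can be processed mechanically. The script below is an added worked example for this deck (not code from PECB or from NIST): it reads a catalog excerpt using the two-level identifier scheme of rev.5 ("AC-2" for a base control, "AC-2(1)" for its first control enhancement), separates base controls from enhancements per family, and keeps withdrawn identifiers out of the live counts. It assumes the column headings of the rev.5 control-catalog spreadsheet export ("Control Identifier", "Control (or Control Enhancement) Name", "Control Text") and that a withdrawn entry starts its control text with "[Withdrawn: …]"; both are assumptions about the export, and the CSV rows are a constructed excerpt with abbreviated control text, not the full catalog.

```python
"""Tally SP 800-53 Rev 5 controls per family from a catalog export.

Added example for this deck; not NIST tooling. Assumes (an assumption about
the export) the column layout of the Rev 5 control-catalog spreadsheet:
  Control Identifier, Control (or Control Enhancement) Name, Control Text
and that withdrawn entries start their control text with "[Withdrawn: ...]".
"""
import csv
import io
import re
from collections import defaultdict

# Identifier scheme: <FAMILY>-<number> is a base control (AC-2),
# <FAMILY>-<number>(<n>) is control enhancement n of that control (AC-2(1)).
CONTROL_ID = re.compile(r"^(?P<family>[A-Z]{2})-(?P<number>\d+)(?:\((?P<enh>\d+)\))?$")
WITHDRAWN = re.compile(r"^\s*\[?\s*withdrawn", re.IGNORECASE)

# The 20 Rev 5 control families.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability", "CA": "Assessment, Authorization, and Monitoring",
    "CM": "Configuration Management", "CP": "Contingency Planning",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning",
    "PM": "Program Management", "PS": "Personnel Security",
    "PT": "PII Processing and Transparency", "RA": "Risk Assessment",
    "SA": "System and Services Acquisition", "SC": "System and Communications Protection",
    "SI": "System and Information Integrity", "SR": "Supply Chain Risk Management",
}


def parse_control_id(control_id: str):
    """'SC-7(3)' -> ('SC', 7, 3); the enhancement index is None for a base control."""
    m = CONTROL_ID.match(control_id.strip())
    if m is None or m["family"] not in FAMILIES:
        raise ValueError(f"not an SP 800-53 Rev 5 control identifier: {control_id!r}")
    enh = m["enh"]
    return m["family"], int(m["number"]), (None if enh is None else int(enh))


def load_catalog(csv_text: str):
    """Rows of (identifier, name, control text) from the spreadsheet-style CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Control Identifier"],
             row["Control (or Control Enhancement) Name"],
             row["Control Text"]) for row in reader]


def tally(rows):
    """Per family: live base controls, live enhancements, withdrawn identifiers.

    Rev 5 keeps the identifier of a withdrawn control in the catalog (nothing is
    renumbered), so a raw count of identifiers overstates the live controls.
    """
    counts = defaultdict(lambda: {"base": 0, "enhancements": 0, "withdrawn": 0})
    for control_id, _name, text in rows:
        family, _number, enh = parse_control_id(control_id)
        if WITHDRAWN.match(text):
            counts[family]["withdrawn"] += 1
        elif enh is None:
            counts[family]["base"] += 1
        else:
            counts[family]["enhancements"] += 1
    return dict(counts)


# Constructed excerpt in the assumed export layout; control text abbreviated.
SAMPLE_CSV = """Control Identifier,Control (or Control Enhancement) Name,Control Text
AC-1,Policy and Procedures,Develop and maintain access control policy and procedures.
AC-2,Account Management,Manage system accounts.
AC-2(1),Automated System Account Management,Support account management with automated mechanisms.
AC-2(2),Automated Temporary and Emergency Account Management,Automatically remove or disable temporary accounts.
AC-13,Supervision and Review - Access Control,[Withdrawn: Incorporated into AC-2 and AU-6.]
SC-7,Boundary Protection,Monitor and control communications at the external boundary.
SC-7(3),Access Points,Limit the number of external network connections.
SC-8,Transmission Confidentiality and Integrity,Protect the confidentiality and integrity of transmitted information.
SC-9,Transmission Confidentiality,[Withdrawn: Incorporated into SC-8.]
SR-4,Provenance,Document and monitor the provenance of systems and components.
"""


def sample_tally():
    """Tally of the constructed excerpt above."""
    return tally(load_catalog(SAMPLE_CSV))


if __name__ == "__main__":
    for fam, c in sorted(sample_tally().items()):
        print(f"{fam} ({FAMILIES[fam]}): {c['base']} base, "
              f"{c['enhancements']} enhancements, {c['withdrawn']} withdrawn")
```

With the full export as input, base + enhancements + withdrawn per family add up to the figures used on the family slides that follow, which count every identifier in the catalog; the withdrawn column is what separates that headline number from the set of controls an assessor will actually test.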
NIST SP800-53 rev.5
Control implementation & classification
• Implementation approaches
• Common (one implementation applies to multiple systems, e.g. inherited from the organization)
• System-specific
• Hybrid (mix of both)
• Security vs privacy controls (some serve both)
• Trustworthiness
• Important part of the risk management strategy
• Controls affect trustworthiness through
• Functionality (effectiveness of the security and privacy capability)
• Assurance (measure of confidence that the capability works as intended)
NIST SP800-53 rev.5
Control Structure - Focus
NIST SP800-53 rev.5
Access control (AC)
• 25 base controls
• 122 control enhancements
NIST SP800-53 rev.5
Control number – Control name
AC-1 Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-7 Unsuccessful Logon Attempts
AC-8 System Use Notification
AC-9 Previous Logon Notification
AC-10 Concurrent Session Control
AC-11 Device Lock
AC-12 Session Termination
AC-13 Supervision and Review-Access Control
AC-14 Permitted Actions without Identification or Authentication
AC-15 Automated Marking
AC-16 Security and Privacy Attributes
AC-17 Remote Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-20 Use of External Systems
AC-21 Information Sharing
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-25 Reference Monitor
ACCESS CONTROL FAMILY
Awareness and training (AT)
• 6 base controls
• 11 control enhancements
NIST SP800-53 rev.5
Control number – Control name
AT-1 Policy and Procedures
AT-2 Literacy Training and Awareness
AT-3 Role-Based Training
AT-4 Training Records
AT-5 Contacts with Security Groups and Associations
AT-6 Training Feedback
AWARENESS AND TRAINING FAMILY
Audit & accountability (AU)
• 16 base controls
• 53 control enhancements
NIST SP800-53 rev.5
Control number – Control name
AU-1 Policy and Procedures
AU-2 Event Logging
AU-3 Content of Audit Records
AU-4 Audit Log Storage Capacity
AU-5 Response to Audit Logging Process Failures
AU-6 Audit Record Review, Analysis, and Reporting
AU-7 Audit Record Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-10 Non-repudiation
AU-11 Audit Record Retention
AU-12 Audit Record Generation
AU-13 Monitoring for Information Disclosure
AU-14 Session Audit
AU-15 Alternate Audit Logging Capability
AU-16 Cross-Organizational Audit Logging
AUDIT AND ACCOUNTABILITY FAMILY
Assessment, authorization and monitoring (CA)
• 9 base controls
• 23 control enhancements
NIST SP800-53 rev.5
Control number – Control name
CA-1 Policy and Procedures
CA-2 Control Assessments
CA-3 Information Exchange
CA-4 Security Certification
CA-5 Plan of Action and Milestones
CA-6 Authorization
CA-7 Continuous Monitoring
CA-8 Penetration Testing
CA-9 Internal System Connections
ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
Configuration management (CM)
• 14 base controls
• 53 control enhancements
NIST SP800-53 rev.5
Control number – Control name
CM-1 Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Impact Analyses
CM-5 Access Restrictions for Change
CM-6 Configuration Settings
CM-7 Least Functionality
CM-8 System Component Inventory
CM-9 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-Installed Software
CM-12 Information Location
CM-13 Data Action Mapping
CM-14 Signed Components
CONFIGURATION MANAGEMENT FAMILY
Contingency planning (CP)
• 13 base controls
• 43 control enhancements
NIST SP800-53 rev.5
Control number – Control name
CP-1 Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-5 Contingency Plan Update
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 System Backup
CP-10 System Recovery and Reconstitution
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
CONTINGENCY PLANNING FAMILY
Identification & authentication (IA)
• 12 base controls
• 58 control enhancements
NIST SP800-53 rev.5
Control number – Control name
IA-1 Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
IA-9 Service Identification and Authentication
IA-10 Adaptive Authentication
IA-11 Re-authentication
IA-12 Identity Proofing
IDENTIFICATION AND AUTHENTICATION FAMILY
Incident response (IR)
• 9 base controls
• 32 control enhancements
NIST SP800-53 rev.5
Control number – Control name
IR-1 Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
IR-9 Information Spillage Response
INCIDENT RESPONSE FAMILY
Maintenance (MA)
• 7 base controls
• 23 control enhancements
NIST SP800-53 rev.5
Control number – Control name
MA-1 Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
MA-4 Nonlocal Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance
MA-7 Field Maintenance
MAINTENANCE FAMILY
Media protection (MP)
• 8 base controls
• 22 control enhancements
NIST SP800-53 rev.5
Control number – Control name
MP-1 Policy and Procedures
MP-2 Media Access
MP-3 Media Marking
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization
MP-7 Media Use
MP-8 Media Downgrading
MEDIA PROTECTION FAMILY
Physical and environmental protection (PE)
• 23 base controls
• 36 control enhancements
NIST SP800-53 rev.5
Control number – Control name
PE-1 Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Visitor Control
PE-8 Visitor Access Records
PE-9 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Environmental Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of System Components
PE-19 Information Leakage
PE-20 Asset Monitoring and Tracking
PE-21 Electromagnetic Pulse Protection
PE-22 Component Marking
PE-23 Facility Location
PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
Planning (& policies) (PL)
• 11 base controls
• 6 control enhancements
NIST SP800-53 rev.5
Control number – Control name
PL-1 Policy and Procedures
PL-2 System Security and Privacy Plans
PL-3 System Security Plan Update
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
PL-6 Security-Related Activity Planning
PL-7 Concept of Operations
PL-8 Security and Privacy Architectures
PL-9 Central Management
PL-10 Baseline Selection
PL-11 Baseline Tailoring
PLANNING FAMILY
Program management (PM)
• 32 base controls
• 5 control enhancements
NIST SP800-53 rev.5
Control number – Control name
PM-1 Information Security Program Plan
PM-2 Information Security Program Leadership Role
PM-3 Information Security and Privacy Resources
PM-4 Plan of Action and Milestones Process
PM-5 System Inventory
PM-6 Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Authorization Process
PM-11 Mission and Business Process Definition
PM-12 Insider Threat Program
PM-13 Security and Privacy Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Security and Privacy Groups and Associations
PM-16 Threat Awareness Program
PM-17 Protecting Controlled Unclassified Information on External Systems
PM-18 Privacy Program Plan
PM-19 Privacy Program Leadership Role
PM-20 Dissemination of Privacy Program Information
PM-21 Accounting of Disclosures
PM-22 Personally Identifiable Information Quality Management
PM-23 Data Governance Body
PM-24 Data Integrity Board
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 Complaint Management
PM-27 Privacy Reporting
PM-28 Risk Framing
PM-29 Risk Management Program Leadership Roles
PM-30 Supply Chain Risk Management Strategy
PM-31 Continuous Monitoring Strategy
PM-32 Purposing
PROGRAM MANAGEMENT FAMILY
Personnel security (PS)
• 9 base controls
• 9 control enhancements
NIST SP800-53 rev.5
Control number – Control name
PS-1 Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 External Personnel Security
PS-8 Personnel Sanctions
PS-9 Position Descriptions
PERSONNEL SECURITY FAMILY
PII processing and transparency (PT)
• 8 base controls
• 13 control enhancements
NIST SP800-53 rev.5
Control number – Control name
PT-1 Policy and Procedures
PT-2 Authority to Process Personally Identifiable Information
PT-3 Personally Identifiable Information Processing Purposes
PT-4 Consent
PT-5 Privacy Notice
PT-6 System of Records Notice
PT-7 Specific Categories of Personally Identifiable Information
PT-8 Computer Matching Requirements
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY
Risk assessment (RA)
• 10 base controls
• 16 control enhancements
NIST SP800-53 rev.5
Control number – Control name
RA-1 Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-4 Risk Assessment Update
RA-5 Vulnerability Monitoring and Scanning
RA-6 Technical Surveillance Countermeasures Survey
RA-7 Risk Response
RA-8 Privacy Impact Assessments
RA-9 Criticality Analysis
RA-10 Threat Hunting
RISK ASSESSMENT FAMILY
System & services acquisition (SA)
• 23 base controls
• 122 control enhancements
NIST SP800-53 rev.5
Control number – Control name
SA-1 Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-5 System Documentation
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security and Privacy Engineering Principles
SA-9 External System Services
SA-10 Developer Configuration Management
SA-11 Developer Testing and Evaluation
SA-12 Supply Chain Protection
SA-13 Trustworthiness
SA-14 Criticality Analysis
SA-15 Development Process, Standards, and Tools
SA-16 Developer-Provided Training
SA-17 Developer Security and Privacy Architecture and Design
SA-18 Tamper Resistance and Detection
SA-19 Component Authenticity
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-22 Unsupported System Components
SA-23 Specialization
SYSTEM AND SERVICES ACQUISITION FAMILY
System & communications protection (SC)
• 51 base controls
• 111 control enhancements
NIST SP800-53 rev.5
Control number – Control name
SC-1 Policy and Procedures
SC-2 Separation of System and User Functionality
SC-3 Security Function Isolation
SC-4 Information in Shared System Resources
SC-5 Denial-of-Service Protection
SC-6 Resource Availability
SC-7 Boundary Protection
SC-8 Transmission Confidentiality and Integrity
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices and Applications
SC-16 Transmission of Security and Privacy Attributes
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-19 Voice over Internet Protocol
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Decoys
SC-27 Platform-Independent Applications
SC-28 Protection of Information at Rest
SC-29 Heterogeneity
SC-30 Concealment and Misdirection
SC-31 Covert Channel Analysis
SC-32 System Partitioning
SC-33 Transmission Preparation Integrity
SC-34 Non-Modifiable Executable Programs
SC-35 External Malicious Code Identification
SC-36 Distributed Processing and Storage
SC-37 Out-of-Band Channels
SC-38 Operations Security
SC-39 Process Isolation
SC-40 Wireless Link Protection
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-43 Usage Restrictions
SC-44 Detonation Chambers
SC-45 System Time Synchronization
SC-46 Cross Domain Policy Enforcement
SC-47 Alternate Communications Paths
SC-48 Sensor Relocation
SC-49 Hardware-Enforced Separation and Policy Enforcement
SC-50 Software-Enforced Separation and Policy Enforcement
SC-51 Hardware-Based Protection
SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
System & information integrity (SI)
• 23 base controls
• 95 control enhancements
NIST SP800-53 rev.5
Control number – Control name
SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security and Privacy Function Verification
SI-7 Software, Firmware, and Information Integrity
SI-8 Spam Protection
SI-9 Information Input Restrictions
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-13 Predictable Failure Prevention
SI-14 Non-Persistence
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-Safe Procedures
SI-18 Personally Identifiable Information Quality Operations
SI-19 De-Identification
SI-20 Tainting
SI-21 Information Refresh
SI-22 Information Diversity
SI-23 Information Fragmentation
SYSTEM AND INFORMATION INTEGRITY FAMILY
Supply chain risk management (SR)
• 12 base controls
• 15 control enhancements
NIST SP800-53 rev.5
Control number – Control name
SR-1 Policy and Procedures
SR-2 Supply Chain Risk Management Plan
SR-3 Supply Chain Controls and Processes
SR-4 Provenance
SR-5 Acquisition Strategies, Tools, and Methods
SR-6 Supplier Assessments and Reviews
SR-7 Supply Chain Operations Security
SR-8 Notification Agreements
SR-9 Tamper Resistance and Detection
SR-10 Inspection of Systems or Components
SR-11 Component Authenticity
SR-12 Component Disposal
SUPPLY CHAIN RISK MANAGEMENT FAMILY
Comparing ISMS, PIMS & NIST
How do they map (or not)?
The essentials
• ISMS (ISO27001)
• High-level, management-system approach
• Part 1 = clauses 4..10 (management responsibilities, the auditable requirements)
• Part 2 = Annex A, the operational security controls (detailed in ISO27002)
• ISO27002
• Implementation guidance for the Annex A controls (a code of practice, not certifiable on its own; also used by the PIMS)
• PIMS (ISO27701)
• Turns "information security"
• Into "information security & data protection (PII)"
• Add-on to ISO27001, ISO27002 & ISO29100
• NIST SP800-53
• Highly detailed on all control families
ISMS, PIMS & NIST
Attention points
• ISMS
• No practical advice or implementation guidance in ISO27001 itself (that sits in ISO27002 and the other 27k guidance documents)
• Lots of freedom & choice
• 114 control points / measures
• You can plug in any technical / implementation framework (NIST SP800-53 included) to achieve ISO27001
• International level
• NIST
• US (federal) origin, but freely usable by any organization
• Extremely detailed and extensive
• Well organized, very practical guidance & reference
ISMS, PIMS & NIST
And also
• ISO
• Limited set of publicly available standards: http://ffwd2.me/FreeISO
• Subscription / license model for the rest
• NIST
• Free (all SP800 documents can be downloaded from csrc.nist.gov)
ISMS, PIMS & NIST
What about certification?
ISO vs NIST
Context
Certification
• ISO certification is international: ISO27001, ISO27701 (and also ISO9001, …)
• Drivers: GDPR, NIS, Cyber Act & requirements from other international legislation or sectors
ISO27001
• International,
• Standardized
• Mutual recognition
• Linked to other standards & process references (like ISO9001)
• PDCA cycle
Why is this important?
NIST
• NIST does not offer certification or accreditation schemes to certify information security management systems
• No equivalent to the ISO certification process
Certification
NIST alternatives
• The assessment and authorization (A&A) process that is part of the NIST Risk Management Framework (RMF)
• As part of control assessment, the organization selects the appropriate assessor or assessment team (no accredited third-party certification body is involved)
• Fully described in NIST SP800-37 Rev.2 [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final]
• Guidance for assessing
• Controls: NIST SP 800-53A
• Risk: NIST SP 800-30
• Information security continuous monitoring: NIST SP 800-137 (ISCM program assessment in SP 800-137A)
Certification
Ramping up…
Relevant PECB Training courses
Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
Relevant Training
Data protection
• PECB Certified Data protection Officer (GDPR)
Privacy
• PECB ISO29100 LI
Other Relevant Training
Incident Management
• PECB ISO 27035 LI
Risk Management
• PECB ISO 27005 LI
Check the PECB agenda, select the ISO/IEC 27701 Lead
Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
Training Agenda
Q&A
Appendix
Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-auditor
Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-auditor
Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27002/iso-iec-27002-lead-manager
Relevant Training
PECB GDPR
https://pecb.com/en/education-and-certification-for-individuals/gdpr
CDPO
https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-
data-protection-officer
Relevant Training
PECB ISO29100
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer/iso-29100-lead-privacy-implementer
Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
/iso-iec-27035-lead-incident-manager
Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
/iso-27005-lead-risk-manager
ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2-day course
• ISO/IEC 27701 Lead Implementer
5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-
27701
www.pecb.com/events
THANK YOU
info@cyberminute.com CyberMinute
hello@shiftleftsecurity.eu Shift Left Security

27001 awareness Training27001 awareness Training
27001 awareness Training
 

Similaire à 20201014 iso27001 iso27701 nist v2 (extended version)

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...North Texas Chapter of the ISSA
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information TechnologyKathirvel Ayyaswamy
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quanticoTuan Phan
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
UNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - GuasconiUNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - GuasconiBL4CKSWAN Srl
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171Corserva
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Accelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i SystemsAccelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i SystemsPrecisely
 
Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deckddcomeau
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromMart Rovers
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?PECB
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...akquinet enterprise solutions GmbH
 

Similaire à 20201014 iso27001 iso27701 nist v2 (extended version) (20)

NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
NTXISSACSC2 - Four Deadly Traps in Using Information Security Frameworks by D...
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology20CS024 Ethics in Information Technology
20CS024 Ethics in Information Technology
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
UNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - GuasconiUNINFO - BIG DATA & Information Security Standards - Guasconi
UNINFO - BIG DATA & Information Security Standards - Guasconi
 
How to Comply with NIST 800-171
How to Comply with NIST 800-171How to Comply with NIST 800-171
How to Comply with NIST 800-171
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Accelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i SystemsAccelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i Systems
 
Feb 26 NETP Slide Deck
Feb 26 NETP Slide DeckFeb 26 NETP Slide Deck
Feb 26 NETP Slide Deck
 
Info.ppt
Info.pptInfo.ppt
Info.ppt
 
Iso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interpromIso iec 27001 foundation training course by interprom
Iso iec 27001 foundation training course by interprom
 
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...
Sarwono sutikno   forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...Sarwono sutikno   forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...
Sarwono sutikno forum tik utk standardisasi keamanan kartu cerdas - 4 nov 2...
 
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27032: How do they map?
 
Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
 
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...
 

Plus de Peter GEELEN ✔

Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Peter GEELEN ✔
 
Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Peter GEELEN ✔
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Peter GEELEN ✔
 
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...Peter GEELEN ✔
 
20200206 privatum privacy after work - notes 3p
20200206 privatum   privacy after work - notes 3p20200206 privatum   privacy after work - notes 3p
20200206 privatum privacy after work - notes 3pPeter GEELEN ✔
 
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Peter GEELEN ✔
 

Plus de Peter GEELEN ✔ (7)

Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...Red flags and attention points in cloud security audit, watch the security ga...
Red flags and attention points in cloud security audit, watch the security ga...
 
Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)Data compliance - get it right the first time (Black/White printable PDF)
Data compliance - get it right the first time (Black/White printable PDF)
 
Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)Data compliance - get it right the first time (Full color PDF)
Data compliance - get it right the first time (Full color PDF)
 
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
20210325 Slides - (ISC) BeLux Chapter - Using Enterprise Security for cyberse...
 
20200206 privatum privacy after work - notes 3p
20200206 privatum   privacy after work - notes 3p20200206 privatum   privacy after work - notes 3p
20200206 privatum privacy after work - notes 3p
 
Risk management basics
Risk management basicsRisk management basics
Risk management basics
 
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)Identity Days 2019 - Sécurisation MiM (Peter Geelen)
Identity Days 2019 - Sécurisation MiM (Peter Geelen)
 

Dernier

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Dernier (20)

Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

20201014 iso27001 iso27701 nist v2 (extended version)

2. Agenda
• Introduction
• ISO/IEC 27001 & 27701 - quick recap (prev. sessions)
• Introduction to NIST
• NIST SP800-53 Walk-through
• Comparing ISMS, PIMS & NIST
• What about certification?
• Q & A

5. Previous sessions
1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard - (2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24)
• Check the past webinars on the PECB website at https://pecb.com/past-webinars
• Find all sessions with Q&A + collaterals (decks, recording) at http://ffwd2.me/PECB_ISO27001_webinars (short cut to LinkedIn page)

6. Quick Recap
• Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional

7. Quick Recap
• ISO27001 = ISMS
• ISO27701 = PIMS

8. What this session is not about
ISO or NIST deep dive
• Course material reference, see later
• NIST document reference, see later
The nuts and bolts of ISMS
Just know that it has
• 10 chapters, 7 clauses (Clause 4..10, built on PDCA)
• Annex with
  • 14 main categories (A5..A18)
  • 35 subcategories
  • 114 controls / measures
• Course material reference, see later

9. And also
ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Code of practices
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain, Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
10. What this session is not about
The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is a Privacy & GDPR add-on to ISMS
• Adds specifications to the interpretation of information security
  • Now including PII/personal data
  • Extra requirements from GDPR & other legislation
• Interesting annex
  • GDPR mapping
  • ISO29100 (Privacy) mapping
11. Introduction to NIST
National Institute of Standards and Technology (US Dept of Commerce)

12. NIST
Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
About
• Founded in 1901
• Now part of US Department of Commerce
Mission
“To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Core competencies
• Measurement science
• Rigorous traceability
• Development and use of standards

13. NIST
Publications (dd 2020-10-13)
Source: https://www.nist.gov/publications

14. NIST – Privacy, Cyber & Information security
This session focus
• NIST Special publications (SP): https://csrc.nist.gov/publications/sp
• Computer security (SP800): https://csrc.nist.gov/publications/sp800
  • 188 docs
Also check (not covered today)
• SP1800 (Cybersecurity practice guides): https://csrc.nist.gov/publications/sp1800
  • Not covered in detail today
  • 25 documents

15. NIST – SP800 level of detail

                      ISO27001            NIST SP800-53
Management Clauses    7                   Incl.
Control Categories    15                  20
Subcategories         35                  321
Total Controls        114                 1189
Pages                 23+80               464
Additional            ISO27x standards    NIST SP800 series
                      59                  188
                                          NIST SP1800 (Cyber): 25

16. NIST – SP800
SP800 Series
• 800-53 rev 5 (dd 2020-09-23, fresh!)
  • Security and Privacy Controls for Information Systems and Organizations
  • (FYI, 464 pages)
But also
• 800-12: Intro to Information Security
• 800-39: Information Security Risk
• 800-55: Performance management
And
• Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, …

17. NIST SP800-53 Walk-through
Security and Privacy Controls for Information Systems and Organizations

18. NIST SP800-53 rev.5
Info: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Downloads
• SP 800-53 Rev. 5 (DOI)
• Local Download
Supplements
• Spreadsheet of 800-53 Rev. 5 Controls (xls)
• SP 800-53 Collaboration Index Template (xls)
• SP 800-53 Collaboration Index Template (word)
19. NIST SP800-53 rev.5
Abstract
• Catalog of security and privacy controls
• For information systems and organizations
• To protect organizational operations and assets, individuals, other organizations
• Against a diverse set of threats and risks,
  • including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
• Controls are flexible and customizable
• Implemented as part of an organization-wide process to manage risk
• Derived from mission and business needs, regulations, legal requirements …
• Functionality (effectiveness) and assurance perspective (trust)
20. NIST SP800-53 rev.5
Add-ons
• [SP 800-30] provides guidance on the risk assessment process.
• [IR 8062] introduces privacy risk concepts.
• [SP 800-39] provides guidance on risk management processes and strategies.
• [SP 800-37] provides a comprehensive risk management process.
• [SP 800-53A] provides guidance on assessing the effectiveness of controls.
• [SP 800-53B] provides guidance for tailoring security and privacy control baselines and for developing overlays to support the specific protection needs and requirements of stakeholders and their organizations.

21. NIST SP800-53 rev.5
Setup
• Chapter 1: Introduction (p1..6)
• Chapter 2: The fundamentals (p7..14)
• Chapter 3: The controls (p16..363)
• References
• Appendixes
  • Glossary
  • Acronyms
  • Control summaries (p.427..464) (!)

22. NIST SP800-53 rev.5
Chapter 1 (quick check)
• The need to protect information, systems, organization & individuals
• Purpose & applicability
• Audience
• Organization responsibilities
• Relation to other publications
• Revision & extensions
  • Rev 5 (2020) vs Rev 4 (2016)

23. NIST SP800-53 rev.5
Chapter 2
• Fundamental concepts associated with security and privacy controls, including
  • The structure of the controls,
  • How the controls are organized in the consolidated catalog,
  • Control implementation approaches,
  • The relationship between
    • Security and privacy controls, and
    • Trustworthiness and assurance

24. NIST SP800-53 rev.5
Chapter 3 (full catalog)
• Consolidated catalog of security and privacy controls
• Incl. a discussion section to explain the purpose of each control and provide useful information regarding
  • control implementation and
  • assessment,
• A list of related controls to show the relationships and dependencies among controls, and
• A list of references to supporting publications that may be helpful to organizations

26. NIST SP800-53 rev.5
Detail provided on every security control/measure
• Control identifier
• Control name
• Base control
• Security measure definition
• Organization tasks (org defined parameter)
• Control enhancement
• Additional sources
• Links to other controls

27. NIST SP800-53 rev.5
Detail provided on every security control/measure
28. NIST SP800-53 rev.5
Control implementation & classification
• Implementation approaches
  • Common implementation (applies to multiple systems)
  • System specific
  • Hybrid (mix of both)
• Security vs Privacy
• Trustworthiness
  • Important part of risk management strategy
  • Impact on trustworthiness
    • Functionality (effectiveness of security)
    • Assurance (measure of confidence)
  • 29. Control Structure - Focus NIST SP800-53 rev.5
  • 30. Access control • 25 main • 122 sub NIST SP800-53 rev.5 Control Control Name Number Control Enhancement Name AC-1 Policy and Procedures AC-2 Account Management AC-3 Access Enforcement AC-4 Information Flow Enforcement AC-5 Separation of Duties AC-6 Least Privilege AC-7 Unsuccessful Logon Attempts AC-8 System Use Notification AC-9 Previous Logon Notification AC-10 Concurrent Session Control AC-11 Device Lock AC-12 Session Termination AC-13 Supervision and Review-Access Control AC-14 Permitted Actions without Identification or Authentication AC-15 Automated Marking AC-16 Security and Privacy Attributes AC-17 Remote Access AC-18 Wireless Access AC-19 Access Control for Mobile Devices AC-20 Use of External Systems AC-21 Information Sharing AC-22 Publicly Accessible Content AC-23 Data Mining Protection AC-24 Access Control Decisions AC-25 Reference Monitor ACCESS CONTROL FAMILY Collaboration Index Value
  • 31. Awareness and training
    • 6 main
    • 11 sub
    Control Number / Control Name
    AT-1 Policy and Procedures
    AT-2 Literacy Training and Awareness
    AT-3 Role-Based Training
    AT-4 Training Records
    AT-5 Contacts with Security Groups and Associations
    AT-6 Training Feedback
    AWARENESS AND TRAINING FAMILY
  • 32. Audit & accountability
    • 16 main
    • 53 sub
    Control Number / Control Name
    AU-1 Policy and Procedures
    AU-2 Event Logging
    AU-3 Content of Audit Records
    AU-4 Audit Log Storage Capacity
    AU-5 Response to Audit Logging Process Failures
    AU-6 Audit Record Review, Analysis, and Reporting
    AU-7 Audit Record Reduction and Report Generation
    AU-8 Time Stamps
    AU-9 Protection of Audit Information
    AU-10 Non-repudiation
    AU-11 Audit Record Retention
    AU-12 Audit Record Generation
    AU-13 Monitoring for Information Disclosure
    AU-14 Session Audit
    AU-15 Alternate Audit Logging Capability
    AU-16 Cross-Organizational Audit Logging
    AUDIT AND ACCOUNTABILITY FAMILY
  • 33. Assessment, Authorization and Monitoring
    • 9 main
    • 23 sub
    Control Number / Control Name
    CA-1 Policy and Procedures
    CA-2 Control Assessments
    CA-3 Information Exchange
    CA-4 Security Certification
    CA-5 Plan of Action and Milestones
    CA-6 Authorization
    CA-7 Continuous Monitoring
    CA-8 Penetration Testing
    CA-9 Internal System Connections
    ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
  • 34. Configuration Management
    • 14 main
    • 53 sub
    Control Number / Control Name
    CM-1 Policy and Procedures
    CM-2 Baseline Configuration
    CM-3 Configuration Change Control
    CM-4 Impact Analyses
    CM-5 Access Restrictions for Change
    CM-6 Configuration Settings
    CM-7 Least Functionality
    CM-8 System Component Inventory
    CM-9 Configuration Management Plan
    CM-10 Software Usage Restrictions
    CM-11 User-Installed Software
    CM-12 Information Location
    CM-13 Data Action Mapping
    CM-14 Signed Components
    CONFIGURATION MANAGEMENT FAMILY
  • 35. Contingency planning
    • 13 main
    • 43 sub
    Control Number / Control Name
    CP-1 Policy and Procedures
    CP-2 Contingency Plan
    CP-3 Contingency Training
    CP-4 Contingency Plan Testing
    CP-5 Contingency Plan Update
    CP-6 Alternate Storage Site
    CP-7 Alternate Processing Site
    CP-8 Telecommunications Services
    CP-9 System Backup
    CP-10 System Recovery and Reconstitution
    CP-11 Alternate Communications Protocols
    CP-12 Safe Mode
    CP-13 Alternative Security Mechanisms
    CONTINGENCY PLANNING FAMILY
  • 36. Identification & Authentication
    • 12 main
    • 58 sub
    Control Number / Control Name
    IA-1 Policy and Procedures
    IA-2 Identification and Authentication (Organizational Users)
    IA-3 Device Identification and Authentication
    IA-4 Identifier Management
    IA-5 Authenticator Management
    IA-6 Authentication Feedback
    IA-7 Cryptographic Module Authentication
    IA-8 Identification and Authentication (Non-Organizational Users)
    IA-9 Service Identification and Authentication
    IA-10 Adaptive Authentication
    IA-11 Re-authentication
    IA-12 Identity Proofing
    IDENTIFICATION AND AUTHENTICATION FAMILY
  • 37. Incident response
    • 9 main
    • 32 sub
    Control Number / Control Name
    IR-1 Policy and Procedures
    IR-2 Incident Response Training
    IR-3 Incident Response Testing
    IR-4 Incident Handling
    IR-5 Incident Monitoring
    IR-6 Incident Reporting
    IR-7 Incident Response Assistance
    IR-8 Incident Response Plan
    IR-9 Information Spillage Response
    INCIDENT RESPONSE FAMILY
  • 38. Maintenance
    • 7 main
    • 23 sub
    Control Number / Control Name
    MA-1 Policy and Procedures
    MA-2 Controlled Maintenance
    MA-3 Maintenance Tools
    MA-4 Nonlocal Maintenance
    MA-5 Maintenance Personnel
    MA-6 Timely Maintenance
    MA-7 Field Maintenance
    MAINTENANCE FAMILY
  • 39. Media protection
    • 8 main
    • 22 sub
    Control Number / Control Name
    MP-1 Policy and Procedures
    MP-2 Media Access
    MP-3 Media Marking
    MP-4 Media Storage
    MP-5 Media Transport
    MP-6 Media Sanitization
    MP-7 Media Use
    MP-8 Media Downgrading
    MEDIA PROTECTION FAMILY
  • 40. Physical protection
    • 23 main
    • 36 sub
    Control Number / Control Name
    PE-1 Policy and Procedures
    PE-2 Physical Access Authorizations
    PE-3 Physical Access Control
    PE-4 Access Control for Transmission
    PE-5 Access Control for Output Devices
    PE-6 Monitoring Physical Access
    PE-7 Visitor Control
    PE-8 Visitor Access Records
    PE-9 Power Equipment and Cabling
    PE-10 Emergency Shutoff
    PE-11 Emergency Power
    PE-12 Emergency Lighting
    PE-13 Fire Protection
    PE-14 Environmental Controls
    PE-15 Water Damage Protection
    PE-16 Delivery and Removal
    PE-17 Alternate Work Site
    PE-18 Location of System Components
    PE-19 Information Leakage
    PE-20 Asset Monitoring and Tracking
    PE-21 Electromagnetic Pulse Protection
    PE-22 Component Marking
    PE-23 Facility Location
    PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
  • 41. Planning (& policies)
    • 11 main
    • 6 sub
    Control Number / Control Name
    PL-1 Policy and Procedures
    PL-2 System Security and Privacy Plans
    PL-3 System Security Plan Update
    PL-4 Rules of Behavior
    PL-5 Privacy Impact Assessment
    PL-6 Security-Related Activity Planning
    PL-7 Concept of Operations
    PL-8 Security and Privacy Architectures
    PL-9 Central Management
    PL-10 Baseline Selection
    PL-11 Baseline Tailoring
    PLANNING FAMILY
  • 42. Program management
    • 32 main
    • 5 sub
    Control Number / Control Name
    PM-1 Information Security Program Plan
    PM-2 Information Security Program Leadership Role
    PM-3 Information Security and Privacy Resources
    PM-4 Plan of Action and Milestones Process
    PM-5 System Inventory
    PM-6 Measures of Performance
    PM-7 Enterprise Architecture
    PM-8 Critical Infrastructure Plan
    PM-9 Risk Management Strategy
    PM-10 Authorization Process
    PM-11 Mission and Business Process Definition
    PM-12 Insider Threat Program
    PM-13 Security and Privacy Workforce
    PM-14 Testing, Training, and Monitoring
    PM-15 Security and Privacy Groups and Associations
    PM-16 Threat Awareness Program
    PM-17 Protecting Controlled Unclassified Information on External Systems
    PM-18 Privacy Program Plan
    PM-19 Privacy Program Leadership Role
    PM-20 Dissemination of Privacy Program Information
    PM-21 Accounting of Disclosures
    PM-22 Personally Identifiable Information Quality Management
    PM-23 Data Governance Body
    PM-24 Data Integrity Board
    PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
    PM-26 Complaint Management
    PM-27 Privacy Reporting
    PM-28 Risk Framing
    PM-29 Risk Management Program Leadership Roles
    PM-30 Supply Chain Risk Management Strategy
    PM-31 Continuous Monitoring Strategy
    PM-32 Purposing
    PROGRAM MANAGEMENT FAMILY
  • 43. Personnel
    • 9 main
    • 9 sub
    Control Number / Control Name
    PS-1 Policy and Procedures
    PS-2 Position Risk Designation
    PS-3 Personnel Screening
    PS-4 Personnel Termination
    PS-5 Personnel Transfer
    PS-6 Access Agreements
    PS-7 External Personnel Security
    PS-8 Personnel Sanctions
    PS-9 Position Descriptions
    PERSONNEL SECURITY FAMILY
  • 44. PII
    • 8 main
    • 13 sub
    Control Number / Control Name
    PT-1 Policy and Procedures
    PT-2 Authority to Process Personally Identifiable Information
    PT-3 Personally Identifiable Information Processing Purposes
    PT-4 Consent
    PT-5 Privacy Notice
    PT-6 System of Records Notice
    PT-7 Specific Categories of Personally Identifiable Information
    PT-8 Computer Matching Requirements
    PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY
  • 45. Risk assessment
    • 10 main
    • 16 sub
    Control Number / Control Name
    RA-1 Policy and Procedures
    RA-2 Security Categorization
    RA-3 Risk Assessment
    RA-4 Risk Assessment Update
    RA-5 Vulnerability Monitoring and Scanning
    RA-6 Technical Surveillance Countermeasures Survey
    RA-7 Risk Response
    RA-8 Privacy Impact Assessments
    RA-9 Criticality Analysis
    RA-10 Threat Hunting
    RISK ASSESSMENT FAMILY
  • 46. System & services acquisition
    • 23 main
    • 122 sub
    Control Number / Control Name
    SA-1 Policy and Procedures
    SA-2 Allocation of Resources
    SA-3 System Development Life Cycle
    SA-4 Acquisition Process
    SA-5 System Documentation
    SA-6 Software Usage Restrictions
    SA-7 User-Installed Software
    SA-8 Security and Privacy Engineering Principles
    SA-9 External System Services
    SA-10 Developer Configuration Management
    SA-11 Developer Testing and Evaluation
    SA-12 Supply Chain Protection
    SA-13 Trustworthiness
    SA-14 Criticality Analysis
    SA-15 Development Process, Standards, and Tools
    SA-16 Developer-Provided Training
    SA-17 Developer Security and Privacy Architecture and Design
    SA-18 Tamper Resistance and Detection
    SA-19 Component Authenticity
    SA-20 Customized Development of Critical Components
    SA-21 Developer Screening
    SA-22 Unsupported System Components
    SA-23 Specialization
    SYSTEM AND SERVICES ACQUISITION FAMILY
  • 47. System & communication protection (SC)
    • 51 main
    • 111 sub
    Control Number / Control Name
    SC-1 Policy and Procedures
    SC-2 Separation of System and User Functionality
    SC-3 Security Function Isolation
    SC-4 Information in Shared System Resources
    SC-5 Denial-of-Service Protection
    SC-6 Resource Availability
    SC-7 Boundary Protection
    SC-8 Transmission Confidentiality and Integrity
    SC-9 Transmission Confidentiality
    SC-10 Network Disconnect
    SC-11 Trusted Path
    SC-12 Cryptographic Key Establishment and Management
    SC-13 Cryptographic Protection
    SC-14 Public Access Protections
    SC-15 Collaborative Computing Devices and Applications
    SC-16 Transmission of Security and Privacy Attributes
    SC-17 Public Key Infrastructure Certificates
    SC-18 Mobile Code
    SC-19 Voice over Internet Protocol
    SC-20 Secure Name/Address Resolution Service (Authoritative Source)
    SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
    SC-22 Architecture and Provisioning for Name/Address Resolution Service
    SC-23 Session Authenticity
    SC-24 Fail in Known State
    SC-25 Thin Nodes
    SC-26 Decoys
    SC-27 Platform-Independent Applications
    SC-28 Protection of Information at Rest
    SC-29 Heterogeneity
    SC-30 Concealment and Misdirection
    SC-31 Covert Channel Analysis
    SC-32 System Partitioning
    SC-33 Transmission Preparation Integrity
    SC-34 Non-Modifiable Executable Programs
    SC-35 External Malicious Code Identification
    SC-36 Distributed Processing and Storage
    SC-37 Out-of-Band Channels
    SC-38 Operations Security
    SC-39 Process Isolation
    SC-40 Wireless Link Protection
    SC-41 Port and I/O Device Access
    SC-42 Sensor Capability and Data
    SC-43 Usage Restrictions
    SC-44 Detonation Chambers
    SC-45 System Time Synchronization
    SC-46 Cross Domain Policy Enforcement
    SC-47 Alternate Communications Paths
    SC-48 Sensor Relocation
    SC-49 Hardware-Enforced Separation and Policy Enforcement
    SC-50 Software-Enforced Separation and Policy Enforcement
    SC-51 Hardware-Based Protection
    SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
  • 48. System & info integrity
    • 23 main
    • 95 sub
    Control Number / Control Name
    SI-1 Policy and Procedures
    SI-2 Flaw Remediation
    SI-3 Malicious Code Protection
    SI-4 System Monitoring
    SI-5 Security Alerts, Advisories, and Directives
    SI-6 Security and Privacy Function Verification
    SI-7 Software, Firmware, and Information Integrity
    SI-8 Spam Protection
    SI-9 Information Input Restrictions
    SI-10 Information Input Validation
    SI-11 Error Handling
    SI-12 Information Management and Retention
    SI-13 Predictable Failure Prevention
    SI-14 Non-Persistence
    SI-15 Information Output Filtering
    SI-16 Memory Protection
    SI-17 Fail-Safe Procedures
    SI-18 Personally Identifiable Information Quality Operations
    SI-19 De-Identification
    SI-20 Tainting
    SI-21 Information Refresh
    SI-22 Information Diversity
    SI-23 Information Fragmentation
    SYSTEM AND INFORMATION INTEGRITY FAMILY
  • 49. Supply chain
    • 12 main
    • 15 sub
    Control Number / Control Name
    SR-1 Policy and Procedures
    SR-2 Supply Chain Risk Management Plan
    SR-3 Supply Chain Controls and Processes
    SR-4 Provenance
    SR-5 Acquisition Strategies, Tools, and Methods
    SR-6 Supplier Assessments and Reviews
    SR-7 Supply Chain Operations Security
    SR-8 Notification Agreements
    SR-9 Tamper Resistance and Detection
    SR-10 Inspection of Systems or Components
    SR-11 Component Authenticity
    SR-12 Component Disposal
    SUPPLY CHAIN RISK MANAGEMENT FAMILY
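As an added example (not part of the PECB deck and not NIST's own tooling), the control structure from slide 26 and the per-family "main / sub" counts on slides 30-49, modelled in Python: it parses SP 800-53 identifiers (base control `AC-2`, enhancement `AC-2(1)`), checks that every enhancement hangs off an existing base control and that related-control links resolve, and tallies base controls vs enhancements per family. The catalog rows are a constructed sample of a few AC/AU entries, not the full catalog.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# SP 800-53 identifier: two-letter family, base number and an optional
# enhancement number in parentheses: "AC-2" (base control), "AC-2(1)" (enhancement).
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

def parse_id(identifier):
    """Return (family, base number, enhancement number or None)."""
    m = CONTROL_ID.match(identifier)
    if not m:
        raise ValueError(f"not an SP 800-53 control identifier: {identifier!r}")
    fam, num, enh = m.groups()
    return fam, int(num), (int(enh) if enh is not None else None)

def base_control(identifier):
    """'AC-2(1)' -> 'AC-2'; a base control maps to itself."""
    fam, num, _ = parse_id(identifier)
    return f"{fam}-{num}"

@dataclass
class Control:
    """One catalog entry: identifier, name, links to related controls (slide 26)."""
    identifier: str
    name: str
    related: list = field(default_factory=list)

def validate_catalog(controls):
    """Enhancements must attach to an existing base control and related-control
    links must resolve; returns the list of problems found (empty = consistent)."""
    ids = {c.identifier for c in controls}
    problems = []
    for c in controls:
        base = base_control(c.identifier)
        if base != c.identifier and base not in ids:
            problems.append(f"{c.identifier}: base control {base} missing")
        for r in c.related:
            if r not in ids:
                problems.append(f"{c.identifier}: related control {r} missing")
    return problems

def family_counts(controls):
    """Per family (main, sub) = (base controls, enhancements), the figures the
    family slides quote (e.g. full catalog: Access control 25 main, 122 sub)."""
    counts = defaultdict(lambda: [0, 0])
    for c in controls:
        fam, _, enh = parse_id(c.identifier)
        counts[fam][0 if enh is None else 1] += 1
    return {fam: tuple(v) for fam, v in counts.items()}

# Constructed sample: a few AC/AU rows, not the full catalog.
SAMPLE = [
    Control("AC-1", "Policy and Procedures"),
    Control("AC-2", "Account Management", related=["AC-3", "AC-6"]),
    Control("AC-2(1)", "Automated System Account Management"),
    Control("AC-2(3)", "Disable Accounts"),
    Control("AC-3", "Access Enforcement"),
    Control("AC-6", "Least Privilege"),
    Control("AC-6(9)", "Log Use of Privileged Functions"),
    Control("AU-2", "Event Logging", related=["AC-6(9)"]),
]
```

Run over the full catalog (for instance exported from the NIST site) the same two functions give the 25 / 122 style numbers on the family slides and flag dangling references when a tailored baseline drops a base control but keeps one of its enhancements.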
  • 50. Comparing ISMS, PIMS & NIST How do they map (or not)?
  • 51. The essentials
    • ISMS
      • High-level approach
      • Part 1 = clauses (management responsibilities)
      • Part 2 = operational security measures (ref. ISO27002)
    • ISO27002
      • Advisory & suggestions on ISMS (& PIMS)
    • PIMS
      • Turns "information security" into "information security & data protection (PII)"
      • Add-on to ISO27001, ISO27002 & ISO29100
    • NIST
      • Highly detailed on all categories
    ISMS, PIMS & NIST
  • 52. Attention points
    • ISMS
      • No practical advice or implementation guidance
      • Lots of freedom & choice
      • 114 control points / measures
      • You can plug in any technical / implementation framework to achieve ISO27001
      • International level
    • NIST
      • US level
      • Extremely detailed, very extended
      • Well organized, super practical guidance & reference
  • 53. And also
    • ISO
      • Limited set of publicly available standards: http://ffwd2.me/FreeISO
      • Subscription/license model
    • NIST
      • Free
  • 55. Context
    Certification
    • ISO international: ISO27001, ISO27701 (and also ISO9001, …)
    • GDPR, NIS, Cyber Act & requirements by other international legislation or sectors
  • 56. ISO27001
    • International
    • Standardized
    • Mutual recognition
    • Linked to other standards & process references (like ISO9001)
    • PDCA cycle
    Why is this important?
  • 57. NIST
    • NIST does not offer certification and accreditation methods to certify information security management systems
    • No equivalent process to ISO certification
  • 58. NIST alternatives
    • Assessment and authorization (A&A) process that is part of the NIST Risk Management Framework (RMF)
    • As part of control assessment, the organization selects the appropriate assessor or assessment team
    • Fully described in NIST SP800-37 Rev.2 [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final]
    • Guidance for assessing
      • Controls: NIST SP 800-53A
      • Risk: NIST SP 800-30
      • Information security continuous monitoring: NIST SP 800-137A
    Certification
  • 59. Ramping up… Relevant PECB Training courses
  • 60. Relevant Training
    PIMS
    • PECB ISO 27701 Foundation
    • PECB ISO 27701 LI
    • PECB ISO 27701 LA
    Information Security
    • PECB ISO 27001 LI
    • PECB ISO 27001 LA
    • PECB ISO 27002 LM
  • 61. Relevant Training
    Data protection
    • PECB Certified Data Protection Officer (GDPR)
    Privacy
    • PECB ISO29100 LI
  • 62. Other Relevant Training
    Incident Management
    • PECB ISO 27035 LI
    Risk Management
    • PECB ISO 27005 LI
  • 63. Training Agenda
    Check the PECB agenda and select the ISO/IEC 27701 Lead Implementer training events: https://pecb.com/en/partnerEvent/event_schedule_list
  • 64. Q&A
  • 66. Relevant Training
    PECB ISO 27701 Foundation: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
    PECB ISO 27701 Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
    PECB ISO 27701 Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
  • 67. Relevant Training
    PECB ISO 27001: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
    Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
    Lead Auditor: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
  • 68. Relevant Training
    PECB ISO 27002: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
    Lead Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
  • 70. Relevant Training
    PECB ISO29100: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer
    Lead Implementer: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-privacy-implementer/iso-29100-lead-privacy-implementer
  • 71. Relevant Training
    PECB ISO27035 - Incident Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
    Lead Incident Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
  • 72. Relevant Training
    PECB ISO27005 - Risk Management: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
    Lead Risk Manager: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
  • 73. ISO/IEC 27701 Training Courses
    • ISO/IEC 27701 Foundation: 2-day course
    • ISO/IEC 27701 Lead Implementer: 5-day course
    Exam and certification fees are included in the training price.
    https://pecb.com/en/education-and-certification-for-individuals/iso-27701
    www.pecb.com/events