The document discusses changes to the new ISO 27001 standard for information security management systems. Some key changes include new content and requirements numbering, while maintaining backwards compatibility. It emphasizes the importance of risk management, referencing ISO 31000 for enterprise risk management. The new standard provides more flexibility in choosing a risk assessment method. It also requires identifying risks and opportunities, and designating a risk owner to approve treatment plans and accept residual risks.
How Does the New ISO 27001 Impact Your IT Risk Management Processes?
1. How Does the new ISO 27001 Impact Your IT Risk Management Processes?
Presented by Lars Neupart, Founder, CEO of Neupart – The ERP of Security
LN@neupart.com
twitter @neupart

2. The ISO 2700x standards
• ISO 27000 – Overview and vocabulary
• ISO 27001 – Information Security Management Systems – Requirements
• ISO 27002 – Code of practice for information security management
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – Information Security Management – Measurement
• ISO 27005 – Information Security Risk Management
• ISO 27006 – Requirements for bodies providing audit and certification
3. New drafts available
• ISO 27000 – Overview and vocabulary
• ISO 27001 – Information Security Management Systems – Requirements
• ISO 27002 – Code of practice for information security management
• ISO 27003 – ISMS Implementation Guidelines
• ISO 27004 – Information Security Management – Measurement
• ISO 27005 – Information Security Risk Management
• ISO 27006 – Requirements for bodies providing audit and certification

4. Information Security Management Systems – Requirements
ISO 27001 – the 2013 edition
ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen.
The aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.
5. What's new?
• A lot!
• New content
• New requirements numbering
• Still short: 9 pages of requirements to an ISMS
• Controls are still listed in Annex A, and referring to ISO 27002 (the new)
• Maintaining a fair portion of backwards compatibility

6. Poll: How do you use ISO 27001 today?
• We are certified
• We plan to certify
• We plan to comply; no certification
• Best practice inspiration
• Don't know

7. Still risk oriented:
• The first requirement in the new ISO 27001 refers to an Enterprise Risk Management Standard: ISO 31000
11. IT Risk Management – Explained
[Diagram] Risk is broken down into Incident Likelihood and Incident Consequence. Threats contribute Threat Frequency (feeding likelihood) and Threat Effect (feeding consequence); Preventive Measures act on the likelihood side and Corrective Measures on the consequence side.

12. IT Risk Management – Explained: Risk Prioritization
Reduce Likelihood – Proactive Security:
• IT Security Policy
• Compliance & Awareness
• Change Management
• Operating Procedures
• Access Control
• Monitoring
• System Redundancy
• Firewall
• Antivirus
Reduce Consequence – Reactive Security:
• IT Service Continuity Teams
• IT Service Continuity Strategy
• IT Service Continuity Plans
• Disaster Recovery Procedures
• Emergency Operations
• Flexibility
• Standby Equipment
• Virtualization
• Backup
[Diagram] Same elements as slide 11 (Risk, Incident Likelihood, Incident Consequence, Threat Frequency, Threat Effect, Threats, Preventive Measures, Corrective Measures), now used for Risk Prioritization.
13. Vulnerability & control environment assessment
[Matrix] Rows: Administrative Measures / Physical / Technical Measures. Columns: Preventive Measures / Corrective Measures.
Example controls placed in the matrix: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring.
Assessments based on Capability Maturity Model.

14. Assets: Dependency Hierarchy
Business Impact values are inherited downwards. Vulnerability values are inherited upwards.
[Diagram] Example hierarchy, from business process down to datacenter:
• Finance – Business Process
• ERP – IT Service
• Finance DB – Database; Dynamics AOS – Business system
• Server 01 – Virtual Server; Server 02 – Virtual Server
• HP DL380 – Hardware unit (two units); SAN 01 – Data Storage
• Data Center Oslo – Datacenter
15. Comparing ISO 27005, NIST SP800-30
ISO 27005:
• Context establishment
• Identification of assets
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities
• Identification of consequences
• Assessment of consequences
• Assessment of incident likelihood
• Risk estimation
• Risk evaluation
• Risk treatment
• Risk acceptance
• Risk communication
NIST SP800-30:
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation

16. Examples of how the 27001 update will impact your risk management processes

17. 27001: Not only downside risks
• 6.1 Actions to address risks and opportunities
• Quote ISO 31000: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is ‘risk’.”
18. Risk Owner
• Risk Owner approves risk treatment plan and accepts residual risks
• Note: Asset ownership is formally no longer an ISO 27001 requirement, but it's still in the Annex A Control List. Practically the same requirement, as you can't expect it to not be in your Statement of Applicability

19. Increased flexibility in your choice of risk method
The organization shall define an information security risk assessment process that:
(1) establishes and maintains information security risk criteria, including the risk acceptance criteria;
(2) determines the criteria for performing information security risk assessments; and
(3) ensures that repeated information security risk assessments produce consistent, valid and comparable results.
(section 6.1)

20. Time to vote
• What IT risk assessment method or framework do you use today?
– ISO 27005
– NIST SP 800 series
– IRAM
– OCTAVE
– Some other threat based approach
– Some other control based approach
– Don't know
22. Treating Risks
Accept / Reduce / Share / Avoid
Treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.

23. SoA linked even closer to Risk Treatment
Risk treatment (SoA = Statement of Applicability):
• Select treatment options
• Determine controls
• Check controls with Annex A, verify no necessary controls are omitted
• Make SoA and justify exclusions AND inclusions (new)
• Clearly worded that you must determine all necessary controls
24. Review of Neupart's well known 4 responsible short-cuts – do they still apply?
1: Not all assets – Assess your most important assets first (you can add more later)
2: Not all threats – Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
3: Inheritance
• Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / Hierarchy
4: Fewer assessments
• Make overall assessment first – refine later
• Example: Assess threats combined first – individually later
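The inheritance rules on slides 14 and 24 (business impact flows down the dependency hierarchy, vulnerability flows up it) are easy to state and easy to get wrong at scale, so here is an added worked example of them in Python. It is not Neupart's or SecureAware's code. The asset names are the ones drawn on slide 14; the dependency edges between them, the 0–5 rating scales, every numeric rating, and the impact × vulnerability prioritisation score are constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str
    impact: int = 0           # business impact rated directly on this asset (0 = not rated)
    vulnerability: int = 0    # vulnerability score rated directly on this asset (0 = not rated)
    depends_on: list[str] = field(default_factory=list)  # assets this one relies on (edges point downwards)


class Hierarchy:
    """Asset dependency hierarchy with the two inheritance rules from the slides:
    business impact flows downwards (to what an asset depends on), vulnerability
    flows upwards (to whatever depends on the asset)."""

    def __init__(self, assets: list[Asset]) -> None:
        self.assets: dict[str, Asset] = {a.name: a for a in assets}
        # Reverse edges: for each asset, the assets that depend on it.
        self.dependents: dict[str, list[str]] = {name: [] for name in self.assets}
        for a in assets:
            for dep in a.depends_on:
                if dep not in self.assets:
                    raise ValueError(f"{a.name!r} depends on unknown asset {dep!r}")
                self.dependents[dep].append(a.name)
        self._check_acyclic()
        self._impact_memo: dict[str, int] = {}
        self._vuln_memo: dict[str, int] = {}

    def _check_acyclic(self) -> None:
        # A cycle (an asset transitively depending on itself) would make inheritance loop forever.
        state: dict[str, int] = {}  # 1 = on the current path, 2 = fully explored

        def visit(name: str) -> None:
            if state.get(name) == 1:
                raise ValueError(f"dependency cycle through {name!r}")
            if state.get(name) == 2:
                return
            state[name] = 1
            for dep in self.assets[name].depends_on:
                visit(dep)
            state[name] = 2

        for name in self.assets:
            visit(name)

    def effective_impact(self, name: str) -> int:
        """Downward inheritance: an asset is at least as critical as the most critical asset depending on it."""
        if name not in self._impact_memo:
            own = self.assets[name].impact
            self._impact_memo[name] = max([own] + [self.effective_impact(d) for d in self.dependents[name]])
        return self._impact_memo[name]

    def effective_vulnerability(self, name: str) -> int:
        """Upward inheritance: an asset is at least as exposed as the most exposed asset it depends on."""
        if name not in self._vuln_memo:
            own = self.assets[name].vulnerability
            self._vuln_memo[name] = max([own] + [self.effective_vulnerability(d) for d in self.assets[name].depends_on])
        return self._vuln_memo[name]

    def risk(self, name: str) -> int:
        # Constructed prioritisation score: inherited impact x inherited vulnerability (both on a 0-5 scale).
        return self.effective_impact(name) * self.effective_vulnerability(name)

    def prioritised(self) -> list[tuple[str, int]]:
        """Assets ordered by risk score, highest first (ties broken by name)."""
        return sorted(((n, self.risk(n)) for n in self.assets), key=lambda t: (-t[1], t[0]))


# Slide 14's asset names; the edges and all ratings below are constructed for this example.
SLIDE_14_ASSETS = [
    Asset("Finance", "Business Process", impact=5, depends_on=["ERP"]),
    Asset("ERP", "IT Service", depends_on=["Finance DB", "Dynamics AOS"]),
    Asset("Finance DB", "Database", vulnerability=2, depends_on=["Server 01"]),
    Asset("Dynamics AOS", "Business system", impact=3, depends_on=["Server 02"]),
    Asset("Server 01", "Virtual Server", vulnerability=1, depends_on=["HP DL380 #1", "SAN 01"]),
    Asset("Server 02", "Virtual Server", vulnerability=3, depends_on=["HP DL380 #2", "SAN 01"]),
    Asset("HP DL380 #1", "Hardware unit", vulnerability=1, depends_on=["Data Center Oslo"]),
    Asset("HP DL380 #2", "Hardware unit", depends_on=["Data Center Oslo"]),
    Asset("SAN 01", "Data Storage", vulnerability=4, depends_on=["Data Center Oslo"]),
    Asset("Data Center Oslo", "Datacenter", vulnerability=2),
]


def slide_14_hierarchy() -> Hierarchy:
    return Hierarchy(SLIDE_14_ASSETS)


if __name__ == "__main__":
    h = slide_14_hierarchy()
    for name, score in h.prioritised():
        print(f"{score:3d}  {name:18s} impact={h.effective_impact(name)} vuln={h.effective_vulnerability(name)}")
```

Two things the run makes visible that the slide only states: the single weak SAN (vulnerability 4) raises every virtual server, database and business process above it to 4, and the Finance process's impact of 5 reaches all the way down to the datacenter, which is exactly why shortcut 3 lets you rate only the top and bottom of the tree and still prioritise the middle. The cycle check matters in practice because dependency data imported from a CMDB often contains loops.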
25. Oh, what happened to PDCA?
Plan – Do – Check – Act is still there, now called continual improvement.

27. Time to vote
• Will the new ISO improve your risk management processes?
– Yes – the update is easy to understand and makes sense
– Not much – nothing really new here
– I'm concerned about the introduced flexibility
– Don't know

28. About Neupart
• ISO 27001 certified company
• Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
• “The ERP of Security”
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies
IT GRC = IT Governance, Risk & Compliance Management

29. SecureAware Risk TNG Benefits
• Less specialist knowledge needed to conduct professional risk management
• Know your IT related business risks
• Fast results
• Saves time for you and your organization
• ISO 27005 based methodology – and fully compatible with NIST SP800-30
• Cloud or on-premise software

30. Try ISO 27001 compliant IT GRC solution at www.neupart.com