20 August CPE ISO 27002 - Web Upload
Copyright © 2022 Information Systems Audit and Control Association, Inc. All rights reserved.
About me
Consultant in a private sector company. He has 14+ years
of experience in the industry, works in the area of SOX
audits and controls review. He has also conducted ISO
27001 audits, regulatory audits, third-party audits, internal
audits, IT audits, BCP reviews, user awareness training,
internal auditor training, risk assessments and
implemented ISO 27001, among other tasks. He is
currently ISACA New Delhi (India) Chapter leader and
social media chair. He is also a topic leader for the ISACA
Certified Information Systems Auditor (CISA) online
forum and GLS task force member. He has spoken at
international conferences and published articles related to the
information security domain in the ISACA Now blog,
COBIT Focus, and the ISACA Journal.
Contents
• Learning Objectives
• Elements of Controls
Learning Objectives
• Know the differences between the current version and previous version
Introduction to ISO 27002:2022
• ISO is a specialized system for worldwide standardization. The standard provides guidelines on
information security controls for information security, cybersecurity and privacy protection
• It helps in developing the controls necessary to ensure that the residual risk to the organization
meets its risk acceptance criteria
Main changes to ISO 27002:2022
Modified title “Information security, cybersecurity and privacy protection - Information security
controls”
Changed structure with controls having simplified taxonomy, and associated attributes
Some controls are merged, some are deleted, and new controls are introduced; the mapping is given in Annex B
Clauses and Controls
New Controls
Renamed Controls
ISO/IEC 27002:2013 control | ISO/IEC 27002:2022 control
12.7.1 Information systems audit controls | 8.34 Protection of information systems during audit testing
13.1.1 Network controls | 8.20 Networks security
13.1.3 Segregation in networks | 8.22 Segregation of networks
14.2.1 Secure development policy | 8.25 Secure development life cycle
14.2.5 Secure system engineering principles | 8.27 Secure system architecture and engineering principles
14.3.1 Protection of test data | 8.33 Test information
15.1.1 Information security policy for supplier relationships | 5.19 Information security in supplier relationships
15.1.2 Addressing security within supplier agreements | 5.20 Addressing information security within supplier agreements
Merged Controls
ISO/IEC 27002:2013 controls | ISO/IEC 27002:2022 control
18.1.1 Identification of applicable legislation and contractual requirements + 18.1.5 Regulation of cryptographic controls | 5.31 Legal, statutory, regulatory and contractual requirements
18.2.2 Compliance with security policies and standards + 18.2.3 Technical compliance review | 5.36 Conformance with policies, rules and standards for information security
Split Controls
There is only one control that was split: 18.2.3 Technical compliance review was split into 5.36 Conformance with policies, rules and standards for information security and 8.8 Management of technical vulnerabilities.
Elements of each control
Status of already existing elements in ISO 27002:2013
The elements that already existed in the ISO 27002:2013 & remain in this new revision are:
Control Layout
• Control title
• Attribute table
• Control
• Purpose
• Guidance
• Other information
Sample – Control 5.5 Contact with Authorities
Control: The organisation should establish and maintain contact with relevant authorities.
Purpose: To ensure that an appropriate flow of information takes place with respect to information
security between the organisation and the relevant legal, regulatory and supervisory authorities.
Guidance: The organisation should specify when and by whom authorities (e.g., law enforcement,
regulatory bodies, supervisory authorities) should be contacted and how identified information
security incidents should be reported in a timely manner.
Contact with authorities should also be used to facilitate understanding of the current and
upcoming expectations of these authorities (e.g., applicable information security regulations).
Other information: Organisations under attack can request authorities to take action against the
attack source.
Using Attributes – Annex A
ISO 27002:2013 and ISO 27002:2022 Comparison
Process of ISO 27001 certification
• Gap Analysis
• Documentation
• Implementation
• Awareness training
• Selecting Certification body
• Operation
• Records and metrics
• Pre-assessment
• Internal Audit
• Corrective action plan
• Management review
• Stage 1 & Stage 2 Audit
• Certification
• Surveillance audits (annual)
Implementation of ISO 27001
• Requirements
• Agility
• Metrics
• Continual improvements
• Reporting
Road Ahead
References
Questions?
Contact: [email protected]
https://www.linkedin.com/in/harisaiprasad-k-cisa-app-b4225015/
Thank You!