‎a) information security policy, objectives, and activities aligned with objectives

I‎ SO/IEC 27000:2018 Information technology — Security techniques —

‎b) an approach and framework for designing, implementing, monitoring, maintaining, ‎Information security management systems — Overview and vocabulary
‎and improving information security consistent with the organizational culture
‎It provides the overview of information security management systems (ISMS)
‎c) visible support and commitment from all levels of management, especially top management
‎Intro ‎It also provides terms and definitions commonly used in the ISMS family of standards
‎d) an understanding of information asset protection requirements achieved through I‎ SMS
‎the application of information security risk management (see ISO/IEC 27005)
‎critical
‎e) an effective information security awareness, training and education programme, informing ‎success ‎Preservation of confidentiality, integrity and availability of information
‎all employees and other relevant parties of their information security obligations set forth in ‎factors ‎Information Security
‎the information security policies, standards, etc., and motivating them to act accordingly ‎ ote: In addition, other properties, such as
N
‎authenticity, accountability, non-repudiation and
‎reliability can also be involved
‎f ) an effective information security incident management process

‎ roperty that information is not made available or

P
‎g) an effective business continuity management approach ‎Confidentiality ‎disclosed to unauthorized individuals, entities, or processes

‎h) a measurement system used to evaluate performance in information

‎The CIA Triad ‎Integrity ‎Property of accuracy and completeness
‎security management and feedback suggestions for improvement

‎ roperty of being accessible and usable

P
‎The aim of continual improvement of an ISMS is to increase the ‎Availability ‎on demand by an authorized entity
‎probability of achieving objectives concerning the preservation
‎of the confidentiality, availability and integrity of information ‎ et of interrelated or interacting elements of an
S
‎Management system ‎organization to establish policies and objectives
‎The focus of continual improvement is seeking opportunities for improvement and not ‎and processes to achieve those objectives
‎ ssuming that existing management activities are good enough or as good as they can
a
‎ ystem by which an organization’s information
S
‎Governance of information security ‎security activities are directed and controlled
‎a) analysing and evaluating the existing ‎ ontinual
C
‎situation to identify areas for improvement
‎improvement ‎Requirement ‎Need or expectation that is stated, generally implied or obligatory

‎b) establishing the objectives for improvement

‎Objective ‎Result to be achieved

‎c) searching for possible solutions to achieve the objectives

‎ erson or organization that can affect, be affected by,
P
‎Interested party / Stakeholder ‎or perceive itself to be affected by a decision or activity
‎Actions for
‎d) evaluating these solutions and making a selection
‎improvement
‎Policy ‎Intentions and direction of an organization, as formally expressed by its top management
‎e) implementing the selected solution
‎Measure that is modifying risk
‎f ) measuring, verifying, analysing and evaluating results of the ‎Control
i‎mplementation to determine that the objectives have been met ‎ ote: Controls include any process, policy, device,
N
‎practice, or other actions which modify risk
‎Terms
‎g) formalizing changes
‎ tatement describing what is to be achieved as a result
S
‎Control objective
‎a) identify information assets and their ‎of implementing controls
‎associated information security requirements
‎ et of interrelated or interacting activities which
S
‎Process ‎transforms inputs into outputs
‎b) assess information security risks and treat information security risks
‎ISMS
‎c) select and implement relevant controls to manage unacceptable risks ‎Implementation ‎Process approach
‎ he application of a system of processes within an organization, together with
T
‎the identification and interactions of these processes, and their management

‎d) monitor, maintain and improve the effectiveness of controls ‎Effect of uncertainty on objectives
‎associated with the organization’s information assets

‎a) satisfy the information security requirements

I‎ SO 27000:2018 ‎Risk
‎ ote: Risk is often expressed in terms of a combination of the
N
‎consequences of an event and the associated “likelihood” of occurrence
‎of customers and other stakeholders
‎ISMS. Overview
‎Continual improvement ‎Recurring activity to enhance performance
‎b) improve an organization’s plans and activities
‎ anagement
M
‎and vocabulary
‎Nonconformity ‎Non-fulfilment of a requirement
‎c) meet the organization’s information security objectives ‎system allows an
1.0 10.07.2023 www.patreon.com/AndreyProzorov
‎organization to: ‎Correction ‎Action to eliminate a detected nonconformity
‎d) comply with regulations, legislation and industry mandates
‎Corrective action ‎Action to eliminate the cause of a nonconformity and to prevent recurrence
‎e) manage information assets in an organized way that facilitates
‎continual improvement and adjustment to current organizational goals ‎ xtent to which planned activities are realized and
E
‎Benefits ‎Effectiveness ‎planned results achieved
‎a) achieve greater assurance that its information assets are
‎adequately protected against threats on a continual basis ‎Performance ‎Measurable result

‎b) maintain a structured and comprehensive framework ‎Vocabulary ‎ISO 27000

‎ he successful adoption
T
‎for identifying and assessing information security risks,
‎of an ISMS allowing an
‎selecting and applying applicable controls, and ‎ISO 27001 ‎ISMS. Requirements
‎organization to:
‎measuring and improving their effectiveness ‎Requirements
‎ISO 27006 / 27009
‎c) continually improve its control environment
‎ISO 27002 ‎Information Security Controls
‎d) effectively achieve legal and regulatory compliance
‎ISO 27003 ‎ISMS. Guidance
‎ISMS
f‎ amily of ‎Guidelines ‎ISO 27004 ‎Monitoring, measurement, analysis and evaluation

‎standards
‎An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, ‎ISO 27005 ‎Guidance on managing information security risks
‎collectively managed by an organization, in the pursuit of protecting its information assets
‎ISO 27007 / 27008 / 27013 / 27014 / 27016 / 27021
‎An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing,
‎maintaining and improving an organization’s information security to achieve business objectives. ‎Sector-specific standards ‎ISO 27010 / 27011 / 27017 / 27018 / 27019

I‎ t is based on a risk assessment and the organization’s risk ‎ hat is

W ‎Control-specific standards ‎ISO 2703x / 2704x
‎acceptance levels designed to effectively treat and manage risks ‎an ISMS?
‎Analysing requirements for the protection of information assets and applying
‎appropriate controls to ensure the protection of these information assets ‎a) collect, process, store, and transmit information

‎a) awareness of the need for information security ‎ ) recognize that information, and related processes, systems, networks
b
‎Organizations ‎and people are important assets for achieving organization objectives
‎ ontributes to
C
‎b) assignment of responsibility for information security ‎of all types
‎the successful
‎and sizes: ‎c) face a range of risks that can affect the functioning of assets
‎implementation
‎c) incorporating management commitment and the interests of stakeholders ‎of an ISMS
‎ ) address their perceived risk exposure by
d
‎d) enhancing societal values ‎implementing information security controls

‎e) risk assessments determining appropriate controls to reach acceptable levels of risk ‎Other ‎ he term information security is generally based on information being
T
‎considered as an asset which has a value requiring appropriate protection,
‎f ) security incorporated as an essential element of information networks and systems ‎for example, against the loss of availability, confidentiality and integrity

‎g) active prevention and detection of information security incidents ‎ nabling accurate and complete information to be available in a timely
E
‎manner to those with an authorized need is a catalyst for business efficiency.
‎h) ensuring a comprehensive approach to information security management ‎General
‎ oordinated activities directing the implementation of suitable controls
C
‎i) continual reassessment of information security ‎and treating unacceptable information security risks are generally
‎and making of modifications as appropriate ‎known as elements of information security management.

‎ ) monitor and evaluate the effectiveness of

a
‎implemented controls and procedures

‎Organizations need to: ‎b) identify emerging risks to be treated

‎c) select, implement and improve appropriate controls as needed

‎ ach organization needs to establish its policy and objectives for information
E
‎security and achieve those objectives effectively by using a management system
 ‎ISO 27001 ‎Information security management systems (ISMS). Requirements

‎ISO 27002 ‎Information security controls

‎ISO 27005 ‎Guidance on managing information security risks

‎ISO 27007 ‎Guidelines for information security management systems auditing

‎ se of ISO/IEC 27001 family of standards in
U
‎ISO 27024
‎Governmental / Regulatory requirements
‎ISO 27009 ‎Sector-specific application of ISO/IEC 27001 — Requirements
‎ dditional document for ISO/IEC 27002 and
a
‎??? ‎ISO 27029 ‎ISO 27011 ‎Information security controls based on ISO/IEC 27002 for telecommunications organizations
‎ISO and IEC standards

‎Big data security and privacy — Processes ‎ISO 27045 ‎Other ‎ISO 27013 ‎Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

‎Big data security and privacy — Implementation guidelines ‎ISO 27046 ‎ISO 27014 ‎Governance of information security
‎Information security,
‎ ealth informatics — Information security
H ‎cybersecurity and ‎ISO 27028 ‎Guidance on ISO/IEC 27002 attributes
‎ISO 27799
‎management in health using ISO/IEC 27002 ‎privacy protection
‎ISO 27551 ‎Requirements for attribute-based unlinkable entity authentication

‎ISO 27554 ‎Application of ISO 31000 for assessment of identity-related risk

‎Part 1: Local modes ‎Security and Privacy requirements ‎ISO 27555 ‎Guidelines on personally identifiable information deletion
‎ISO 27553 ‎for authentication using
‎Part 2: Remote modes ‎biometrics on mobile devices ‎ISO 27556 ‎User-centric privacy preferences management framework

Legend ‎ISO 27557 ‎Application of ISO 31000:2018 for organizational privacy risk management

Under development ‎ISO 27559 ‎Privacy enhancing data de-identification framework

‎Consent record information structure ‎ISO 27560
Important
‎ xtension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
E
‎ISO 27701
‎Privacy operationalisation model and method for engineering (POMME) ‎ISO 27561 ‎— Requirements and guidelines
Very Important

‎Privacy guidelines for fintech services ‎ISO 27562 ‎ISO 24745 ‎Biometric information protection

‎Security and privacy in artificial intelligence use cases

‎ISO 27563
‎— Best practices

‎Guidelines on privacy preservation based on zero knowledge proofs ‎ISO 27565 ‎Requirements for bodies ‎Part 1: General
‎Privacy ‎providing audit and ‎ISO 27006
‎Age assurance systems — Framework ‎ISO 27566 ‎Part 2: Privacy information management systems
‎technologies ‎certification of ISMSs
‎Privacy guidelines for smart cities ‎ISO 27570

‎Privacy framework ‎ISO 29100

‎ISO 27000 ‎Overview and vocabulary
‎Guidelines for privacy impact assessment ‎ISO 29134
‎ISO 27003 ‎ISMS. Guidance
‎Code of practice for personally identifiable information protection ‎ISO 29151
‎ISO 27004 ‎Monitoring, measurement, analysis and evaluation
‎Privacy capability assessment model ‎ISO 29190
‎ISO 27008 ‎Guidelines for the assessment of information security controls

‎Guidelines ‎ISO 27400 ‎ISO 27010 ‎Information security management for inter-sector and inter-organizational communications
I‎ oT security
‎Device baseline requirements ‎ISO 27402 ‎ISO 27015 ‎Information security management guidelines for financial services
‎and privacy
‎Guidelines for IoT-domotics ‎ISO 27403 ‎ he ISO 27000
T ‎ISO 27016 ‎Information security management — Organizational economics

‎Part 1: Overview and concepts

‎Family of Standards ‎ ode of practice for information security controls
C
‎ISO 27017
‎based on ISO/IEC 27002 for cloud services
‎Part 2: Requirements 16.05.2023 www.patreon.com/AndreyProzorov
‎Supplier ‎ISO 27018
‎ ode of practice for protection of personally identifiable
C
‎ISO 27036 ‎information (PII) in public clouds acting as PII processors
‎Part 3: Guidelines for information and ‎relationships
‎communication technology supply chain security
‎ISO 27019 ‎Information security controls for the energy utility industry
‎Part 4: Guidelines for security of cloud services
‎ISO 27021 ‎Competence requirements for information security management systems professionals
‎Security
‎Part 1: Principles and process ‎ISO 27022 ‎Guidance on information security management system processes
‎techniques
‎Part 2: Guidelines to plan and prepare for incident response ‎ISO 27023 ‎Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002
‎Information security
‎ISO 27035
‎Part 3: Guidelines for ICT incident response operations
i‎ncident management ‎ISO 27037 ‎Guidelines for identification, collection, acquisition and preservation of digital evidence

‎ISO 27038 ‎Specification for digital redaction

‎Part 4: Coordination

‎ISO 27039 ‎Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

‎Part 1: Overview and concepts ‎ISO 27040 ‎Storage security

‎Part 2: Organization normative framework ‎ISO 27041 ‎Guidance on assuring suitability and adequacy of incident investigative method

‎Part 3: Application security management process ‎ISO 27042 ‎Guidelines for the analysis and interpretation of digital evidence

‎Application
‎Part 4: Validation and verification ‎ISO 27034 ‎ISO 27043 ‎Incident investigation principles and processes
‎security
‎Part 5: Protocols and application security controls data structure ‎ISO 27070 ‎Requirements for establishing virtualized roots of trust

‎Part 5-1: Protocols and application security controls data structure, XML schemas ‎ISO 29115 ‎Entity authentication assurance framework

‎ISO 29146 ‎A framework for access management

‎Part 6: Case studies

‎Part 7: Assurance prediction framework

‎ISO 27031 ‎Guidelines for information and communication technology readiness for business continuity

‎ISO 27032 ‎Guidelines for cybersecurity -> Guidelines for Internet security
‎Part 1: Overview and concepts
‎ISO 27100 ‎Overview and concepts
‎Part 2: Guidelines for the design and implementation of network security
‎Cybersecurity ‎ISO 27102 ‎Guidelines for cyber-insurance
‎Part 3: Reference networking scenarios — Threats, design techniques and control issues
‎ISO 27103 ‎Cybersecurity and ISO and IEC Standards
‎Network
‎Part 4: Securing communications between networks using security gateways ‎ISO 27033
‎security ‎ISO 27109 ‎Cybersecurity education and training

‎Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
‎ISO 27110 ‎Cybersecurity framework development guidelines

‎Part 6: Securing wireless IP network access

‎Part 7: Guidelines for network virtualization security

 I‎ SO 27001:2022 Information security, cybersecurity and privacy
Legend ‎protection — Information security management systems — Requirements
‎A.5. Organizational controls (37)
New 2022 ‎ his document specifies the requirements for establishing, implementing, maintaining and continually
T
‎improving an information security management system within the context of the organization
‎A.6. People controls (8)
Required Documents, 27007
‎Annex A. Information
‎ his document also includes requirements for the assessment and treatment
T
Important ‎Security Control Reference
‎A.7. Physical controls (14) ‎of information security risks tailored to the needs of the organization.
‎Intro
‎ he requirements set out in this document are generic and are intended
T
‎A.8. Technological controls (34) ‎to be applicable to all organizations, regardless of type, size or nature.

‎ xcluding any of the requirements specified in Clauses 4 to 10 is not

E
‎acceptable when an organization claims conformity to this document.

‎10.1 Continual improvement ‎ et of interrelated or interacting elements of an organization to establish

S
‎Management system
‎policies and objectives and processes to achieve those objectives
‎15. Evidence of the nature of the nonconformities ‎10. Improvement
‎and any subsequent actions taken
‎10.2 Nonconformity and corrective action ‎ reservation of confidentiality, integrity and
P
‎Information Security
‎16. Evidence of the results of any corrective action
‎availability of information

‎Measure that is modifying risk

‎Control
‎Terms
‎Note: Controls include any process, policy, device, practice, or other actions which modify risk
‎9.1 Monitoring, measurement,
‎12. Evidence of the monitoring and measurement results
‎analysis and evaluation ‎ tatement describing what is to be achieved as
S

‎9.2.1 General
I‎ SO 27001:2022 ‎Control objective
‎a result of implementing controls

‎9. Performance
‎ 3. Evidence of the audit
1
‎programme(s) and the audit results
‎9.2.2 Internal audit programme
‎9.2 Internal audit
‎evaluation ‎Information security ‎4.1 Understanding the organization and its context

‎9.3.1 General ‎management systems ‎4. Context of

‎4.2 Understanding the needs and expectations of interested parties

‎9.3.2 Management review inputs ‎9.3 Management review ‎(ISMS) ‎the organization ‎ .3 Determining the scope of the
4
‎information security management system
‎1. Scope of the ISMS

‎14. Evidence of the results

‎9.3.3 Management review results ‎4.4 Information security management system
‎of management reviews 3.3 10.07.2023 www.patreon.com/AndreyProzorov

‎9. Operational planning and control (set) ‎8.1 Operational planning and control ‎5.1 Leadership and commitment

‎10. Results of the information security risk assessments ‎8.2 Information security risk assessment ‎8. Operation ‎5. Leadership ‎5.2 Policy ‎2. Information Security Policy

‎11. Results of the information security risk treatment ‎8.3 Information security risk treatment ‎5.3 Organizational roles, responsibilities and authorities

‎7.1 Resources
‎6.1.1 General
‎7. Evidence of competence ‎7.2 Competence
‎ .1 Actions to address
6 ‎ .1.2 Information security
6
‎3. Information security risk assessment process
‎risks and opportunities ‎risk assessment
‎7.3 Awareness
‎4. Information security risk treatment process
‎7.4 Communication ‎7. Support ‎ .1.3 Information security
6
‎risk treatment
‎5. Statement of Applicability (SoA)
‎8. Documented information determined by the organization ‎6. Planning
‎7.5.1 General
‎as being necessary for the effectiveness of the ISMS (set)
‎ .2 Information security objectives
6
‎6. Information security objectives
‎7.5 Information ‎and planning to achieve them
‎7.5.2 Creating and updating
‎requirements
‎6.3 Planning of changes
‎7.5.3 Control of documented information
 ‎0-5 ‎Maturity
I‎ SO/IEC 27002:2022 Information security, cybersecurity
‎ o do, in progress, partially
T
‎and privacy protection — Information security controls
‎Implementation state
‎implemented, fully implemented
‎ his document provides a reference set of generic information
T
‎1, 2, 3, etc. ‎Priority ‎security controls including implementation guidance

‎security, ICT, HR, ‎ ) within the context of an information security

a
‎Organizational areas involved ‎management system (ISMS) based on ISO/IEC27001
‎top management, etc.
‎ ther attributes
O
‎Events ‎(examples and ‎ his document is designed
T ‎ ) for implementing information security controls
b
‎Intro ‎to be used by organizations: ‎based on internationally recognized best practices
‎Assets involved ‎possible values)
c‎ ) for developing organization-specific
‎Build and run, to differentiate controls used in ‎information security management guidelines
‎the different steps of the service life cycle
‎For organizations of all types and sizes
‎Other frameworks the organization
‎works with or can be transitioning from

‎Fundamental ‎1. Scope

‎by ISF SoGP
‎Specialised ‎2. Normative references
‎Attributes
‎3. Terms, definitions and abbreviated terms
‎#Governance_and_Ecosystem
‎4. Structure of this document
‎#Protection
‎e) Security domains
‎#Defence ‎5. Organizational controls (37)

‎#Resilience ‎Contents ‎6. People controls (8)

‎Categories
‎ he practitioner’s perspective of
T ‎7. Physical controls (14)
‎information security capabilities
‎8. Technological controls (34)
‎#Governance

‎#Asset_management ‎Annex A — Using attributes

‎#Information_protection ‎Annex B — Correspondence with ISO/IEC 27002:2013

‎#Human_resource_security

‎#Physical_security ‎Control: Measure that maintains and/or modifies risk

‎#System_and_network_security
‎#Application_security
‎#Secure_configuration
‎ ote 1: Controls include, but are not limited to, any process, policy, device,
N
‎practice or other conditions and/or actions which maintain and/or modify risk
‎d) Operational capabilities
‎ISO 27002:2022 ‎Note 2: Controls may not always exert the intended or assumed modifying effect

‎#Identity_and_access_management
‎Information ‎Synonyms
‎Safeguard

‎Countermeasure
‎security controls
‎#Threat_and_vulnerability_management
ISACA
‎#Continuity
‎Controls can be of an administrative, technical, management, or legal nature
‎#Supplier_relationships_security www.patreon.com/AndreyProzorov v.1.1
ISACA
04.07.2023
‎#Legal_and_compliance
‎ tatement describing what is to be achieved as
S
‎#Information_security_event_management ‎a result of implementing controls
‎Control objective
‎My comment: No longer in use, replaced by "Purpose"
‎#Information_security_assurance
‎Terms
‎ he policies, procedures, practices and organizational
T
‎The association of controls to cybersecurity ‎structures designed to provide reasonable assurance that
‎concepts defined in the cybersecurity ‎Internal controls ‎business objectives will be achieved and undesired events
‎framework described in ISO/IEC TS 27110 ‎will be prevented or detected and corrected.
ISACA
+NIST
‎ person in whom the enterprise has invested the
A
‎#Identify ‎authority and accountability for making control-related
‎Control owner ‎decisions and is responsible for ensuring that the control is
‎#Protect ‎c) Cybersecurity concepts ISACA ‎implemented and is operating effectively and efficiently

‎#Detect ‎Assessment of risks

‎ ources of information
S
‎#Respond ‎Legal, statutory, regulatory and contractual requirements
‎security requirements
‎#Recover ‎Set of principles, objectives and business requirements

‎ haracteristic of information the

C
‎control will contribute to preserving ‎Total number of controls - 93 ‎11 new
‎#Confidentiality
‎Control title ‎Short name of the control
‎b) Information security properties
‎#Integrity
‎ table shows the value(s) of each
A
‎Attribute table
‎attribute for the given control
‎#Availability
‎ ontrol
C
‎Control ‎What the control is
‎When and how the control modifies the risk with regard to ‎layout
‎the occurrence of an information security incident
‎Purpose ‎Why the control should be implemented

t‎he control that is intended to prevent the

‎occurrence of an information security incident
‎#Preventive ‎Guidance ‎How the control should be implemented

‎a) Control type ‎Other information ‎Explanatory text or references

‎the control acts when an information
‎#Detective
‎security incident occurs

‎the control acts after an information ‎Controls (27002)

‎#Corrective
‎security incident occurs

‎#Attributes (example)

‎ he organization can use attributes to create different views which are different
T
‎categorizations of controls as seen from a different perspective to the themes
 ‎A. PIMS-specific reference control objectives and controls (PII Controllers)
I‎ SO/IEC 27701:2019 Security techniques.
‎B. PIMS-specific reference control objectives and controls (PII Processors) ‎Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy
‎information management. Requirements and guidelines
‎C. Mapping to ISO/IEC 29100
‎Annexes ‎ his document specifies requirements and provides guidance for establishing, implementing,
T
‎D. Mapping to the GDPR ‎maintaining and continually improving a PIMS in the form of an extension to ISO/IEC 27001
‎and ISO/IEC 27002 for privacy management within the context of the organization.
‎E. Mapping to ISO/IEC 27018 and ISO/IEC 29151 ‎Intro
‎PII Controllers
‎F. How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002 ‎This document can be used by
‎PII Processors

‎8.1. General ‎This document is applicable to all types and sizes of organizations

‎8.2.1 Customer agreement

‎8.2.2 Organization’s purposes ‎Personally Identifiable Information (PII) ‎not defined

‎Terms
‎8.2.3 Marketing and advertising use I‎ nformation Security Management System
‎8.2 Conditions for ‎ rivacy Information
P
‎which addresses the protection of privacy as
‎collection and processing ‎Management System (PIMS)
‎potentially affected by the processing of PII
‎8.2.4 Infringing instruction

‎8.2.5 Customer obligations

‎5.2.1 Understanding the organization and its context
‎8.2.6 Records related to processing PI ‎ Additional
8
‎ .2.2 Understanding the needs and
5
‎ISO/IEC 27002 ‎expectations of interested parties
‎8.3.1 Obligations to PII principals ‎8.3 Obligations to PII principals ‎ .2 Context of
5
‎guidance for
‎the organization ‎ .2.3 Determining the scope of the information
5
‎8.4.1 Temporary files ‎PII processors
‎security management system
‎ .4 Privacy by design
8
‎8.4.2 Return, transfer or disposal of PII
‎and privacy by default ‎5.2.4 Information security management system
‎8.4.3 PII transmission controls

‎8.5.1 Basis for PII transfer between jurisdictions ‎5.3.1 Leadership and commitment

‎ .5.2 Countries and international

8 ‎5.3 Leadership ‎5.3.2 Policy
‎organizations to which PII can be transferred
‎5.3.3 Organizational roles, responsibilities and authorities
‎8.5.3 Records of PII disclosure to third parties
‎8.5 PII sharing,
‎8.5.4 Notification of PII disclosure requests ‎transfer, and
‎5.4.1.1 General
‎disclosure
‎8.5.5 Legally binding PII disclosures
‎ .4.1 Actions to address
5 ‎ .4.1.2 Information
5
‎risks and opportunities ‎security risk assessment
‎8.5.6 Disclosure of subcontractors used to process PII
‎ .4.1.3 Information
5
‎8.5.7 Engagement of a subcontractor to process PII ‎5.4 Planning ‎security risk treatment

‎8.5.8 Change of subcontractor to process PII ‎7.1. General ‎ .4.2 Information security objectives and
5
‎planning to achieve them
‎7.2.1 Identify and document purpose
I‎ SO/IEC 27701:2019
‎7.2.2 Identify lawful basis
‎Privacy information ‎5.5.1 Resources

‎7.2.3 Determine when and how consent is to be obtained

‎7.2. Conditions ‎management ‎5.5.2 Competence

‎7.2.4 Obtain and record consent ‎for collection

‎5.5 Support ‎5.5.3 Awareness
‎and processing 1.1 www.patreon.com/AndreyProzorov
‎7.2.5 Privacy impact assessment ‎5.5.4 Communication

‎7.2.6 Contracts with PII processors ‎Creating and updating

‎ .5.5 Documented
5
‎7.2.7 Joint PII controller ‎information
‎Control of documented information

‎7.2.8 Records related to processing PII

‎7.3.1 Determining and fulfilling obligations to PII principals ‎5.6.1 Operational planning and control

‎7.3.2 Determining information for PII principals ‎5.6 Operation ‎5.6.2 Information security risk assessment

‎7.3.3 Providing information to PII principals ‎5.6.3 Information security risk treatment

‎7.3.4 Providing mechanism to modify or withdraw consent

‎7.3 Obligations to ‎ .7.1 Monitoring, measurement,

5
‎7.3.5 Providing mechanism to object to PII processing ‎analysis and evaluation
‎PII principals

‎7.3.6 Access, correction and/or erasure

‎ Additional
7 ‎5.7 Performance evaluation ‎5.7.2 Internal audit

‎7.3.7 PII controllers' obligations to inform third parties

‎ISO/IEC 27002
‎5.7.3 Management review
‎guidance for
‎7.3.8 Providing copy of PII processed ‎PII controllers
‎7.3.9 Handling requests ‎5.8.1 Nonconformity and corrective action
‎5.8 Improvement
‎7.3.10 Automated decision making ‎5.8.2 Continual improvement

‎7.4.1 Limit collection

‎6.2 Information security policies
‎7.4.2 Limit processing
‎6.3 Organization of information security
‎7.4.3 Accuracy and quality
‎6.4 Human resource security
‎7.4.4 PII minimization objectives

‎7.4 Privacy ‎6.5 Asset management

‎7.4.5 PII de-identification and I‎ S Controls.
‎by design and ‎!!! They have to be updated soon
‎deletion at the end of processing ‎6.6 Access control
‎privacy by default ‎(see ISO 27002:2022)
‎7.4.6 Temporary files ‎6.7 Cryptography

‎7.4.7 Retention ‎ PIMS-specific guidance

6
‎6.8 Physical and environmental security
‎related to ISO/IEC 27002
‎7.4.8 Disposal ‎6.9 Operations security

‎7.4.9 PII transmission controls ‎6.10 Communications security

‎7.5.1 Identify basis for PII transfer between jurisdictions ‎6.11 System acquisition, development and maintenance

‎7.5.2 Countries and international ‎6.12 Supplier relationships

‎7.5 PII sharing,
‎organizations to which PII can be transferred
‎transfer, and
‎disclosure ‎6.13 Information security incident management
‎7.5.3 Records of transfer of PII
‎6.14 Information security aspects of business continuity management
‎7.5.4 Records of PII disclosure to third parties
‎6.15 Compliance
 ISO 27001:2022. ISMS Requirements and Information security controls
5. Organizational controls 6. People controls 8. Technological controls
5.1. Policies for information security 6.1. Screening 8.1. User endpoint devices
5.2. Information security roles and responsibilities 6.2. Terms and conditions of employment 8.2. Privileged access rights
5.3. Segregation of duties 6.3. Information security awareness, education and 8.3. Information access restriction
5.4. Management responsibilities training 8.4. Access to source code
5.5. Contact with authorities 6.4. Disciplinary process 8.5. Secure authentication
5.6. Contact with special interest groups 6.5. Responsibilities after termination or change of 8.6. Capacity management
5.7. Threat intelligence employment 8.7. Protection against malware
5.8. Information security in project management 6.6. Confidentiality or non-disclosure agreements 8.8. Management of technical vulnerabilities
5.9. Inventory of information and other associated assets 6.7. Remote working 8.9. Configuration management
5.10. Acceptable use of information and other associated assets 6.8. Information security event reporting 8.10. Information deletion
5.11. Return of assets 8.11. Data masking
5.12. Classification of information 7. Physical controls 8.12. Data leakage prevention
5.13. Labelling of information 7.1. Physical security perimeter 8.13. Information backup
5.14. Information transfer 7.2. Physical entry 8.14. Redundancy of information processing facilities
5.15. Access control 7.3. Securing offices, rooms and facilities 8.15. Logging
5.16. Identity management 7.4. Physical security monitoring 8.16. Monitoring activities
5.17. Authentication information 7.5. Protecting against physical and environmental threats 8.17. Clock synchronization
5.18. Access rights 7.6. Working in secure areas 8.18. Use of privileged utility programs
5.19. Information security in supplier relationships 7.7. Clear desk and clear screen 8.19. Installation of software on operational systems
5.20. Addressing information security within supplier 7.8. Equipment siting and protection 8.20. Network security
agreements 7.9. Security of assets off-premises 8.21. Security of network services
5.21. Managing information security in the ICT supply chain 7.10. Storage media 8.22. Segregation of networks
5.22. Monitoring, review and change management of supplier 7.11. Supporting utilities 8.23. Web filtering
services 7.12. Cabling security 8.24. Use of cryptography
5.23. Information security for use of cloud services 7.13. Equipment maintenance 8.25. Secure development life cycle
5.24. Information security incident management planning and 7.14. Secure disposal or re-use of equipment 8.26. Application security requirements
preparation 8.27. Secure system architecture and engineering
5.25. Assessment and decision on information security events ISMS Requirements (ISO 27001) principles
5.26. Response to information security incidents 4. Context of the organization 8.28. Secure coding
5.27. Learning from information security incidents 4.1 Understanding the organization and its context / 4.2 Understanding the needs and expectations of
interested parties / 4.3 Determining the scope of the ISMS / 4.4 ISMS 8.29. Security testing in development and
5.28. Collection of evidence 5. Leadership acceptance
5.29. Information security during disruption 5.1 Leadership and commitment / 5.2 Policy / 5.3 Organizational roles, responsibilities and authorities
8.30. Outsourced development
5.30. ICT readiness for business continuity 6. Planning 8.31. Separation of development, test and
6.1 Actions to address risks and opportunities / 6.2 Information security objectives and planning to achieve
5.31. Legal, statutory, regulatory and contractual requirements them / 6.3 Planning of changes production environments
5.32. Intellectual property rights 7. Support 8.32. Change management
7.1 Resources / 7.2 Competence / 7.3 Awareness / 7.4 Communication / 7.5 Documented information
5.33. Protection of records 8. Operation 8.33. Test information
5.34. Privacy and protection of PII 8.1 Operational planning and control / 8.2 Information security risk assessment / 8.3 Information security 8.34. Protection of information systems during audit
risk treatment
5.35. Independent review of information security testing
9. Performance evaluation
5.36. Compliance with policies, rules and standards for 9.1 Monitoring, measurement, analysis and evaluation / 9.2 Internal audit / 9.3 Management review

information security 10. Improvement *New controls, 2022

5.37. Documented operating procedures 10.1 Continual improvement / 10.2 Nonconformity and corrective action

by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 - www.patreon.com/AndreyProzorov Control: measure that maintains and/or modifies risk