
Main changes in ISO 27001/27002

and what to do about them

Presenter: Dejan Kosutic


Changes in ISO 27001 and ISO 27002

To go through the transition without too much stress…
… you should plan the steps carefully

©2022 27001Academy www.advisera.com/27001academy 2


In 2022 we will see
the biggest changes in
ISO 27001 & ISO 27002
since 2013



Agenda

• Timeline
• Key changes in ISO 27001/ISO 27002
• What has stayed the same?
• When to start with the new controls?
• Main steps in the transition
• Examples
• What will Advisera do?



Timeline of the transition



Key changes

• Controls organized in 4 sections
• 93 controls instead of 114
• 57 controls merged into 24
• 23 renamed controls
• 11 new controls
• 1 split control
• 0 excluded controls



New sections for controls

• Section A.5 Organizational controls
• Section A.6 People controls
• Section A.7 Physical controls
• Section A.8 Technological controls



11 new controls

• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding

What has stayed the same?

• 35 controls
• Clauses 4 to 10 of ISO 27001
• ISO 27001 remains the main standard, and ISO 27002 remains only the supporting guidance



No changes needed for the following documents

• ISMS scope
• Interested parties
• Information security policy
• Risk assessment methodology
• Training & awareness
• Communication
• Document control
• Monitoring and measurement
• Internal audit
• Management review
• Corrective actions
When to start with the new controls?

New implementation:
• a) Certification before March 31, 2023 → go for the existing set of 114 controls
• b) Certification after April 1, 2023 → go for the new set of 93 controls

Existing implementation/certification:
• Prepare until Q3, 2024



Timeline of the transition



Main steps in the transition

(Slide diagram; the recoverable step labels are listed below.)
• Risk treatment → new controls
• Statement of Applicability → new controls
• Mandatory procedures
• Adapt sections in policies and procedures
• Analyze and assess



Key points for the transition

• Changes are only moderate, and are mostly about reorganizing controls
• Transition effort = between 5 and 20% of the initial implementation effort
• Do not add new documents or delete any of the existing documents
• For certified companies, the auditors will verify the transition through surveillance audits



Examples for adapting documentation

• New control 5.30 ICT readiness for business continuity → include it in the existing Disaster Recovery Plan
• Merged controls 8.1.3 Acceptable use of assets and 8.2.3 Handling of assets → include them in the existing IT Security Policy (Acceptable Use Policy)



What will Advisera do?

• ISO 27001 courses – existing clients
• ISO 27001 courses – new clients
• ISO 27001 toolkits – existing clients
• ISO 27001 toolkits – new clients
• Conformio – existing clients
• Conformio – new clients
• Conformio ISO 27001 transition package – new clients with existing certification



Biggest challenges with the changes

• Knowing which controls map to which policies and procedures
• Should we start implementing the 2013 or the 2022 revision of the standard?
• Incorporating/consolidating the reduced number of controls into our policies
• Implementation of 11 new controls
• Amount of effort needed to integrate the changes



Conclusion

ISO 27001 will change only moderately – the compliance effort will also be moderate if approached systematically

ISO 27001:2022 Documentation Toolkit
https://advi.li/iso-27001-toolkit



Q&A

Dejan Kosutic
Thank you!
https://advi.li/iso-27001-toolkit
