
➢ The ISO 27001 standard itself remains unchanged

➢ Annex A changes

➢ ISO 27002 changes

➢ The ISO 27002 "code of practice" is now known as "information security controls"
 14 domains are now converted to 4 domains

Old domains (ISO 27002:2013):
A5. Information security policies
A6. Organization of information security
A7. Human resource security
A8. Asset management
A9. Access control
A10. Cryptography
A11. Physical and environmental security
A12. Operations security
A13. Communication security
A14. System acquisition, development and maintenance
A15. Supplier relationships
A16. Information security incident management
A17. Information security aspects of BCM
A18. Compliance

New domains (ISO 27002:2022):
1. Organizational
2. People
3. Physical
4. Technological
 4 domains, 2 Annexes and 93 controls

• Organizational controls – 37
• People controls – 8
• Physical controls – 14
• Technological controls – 34
• Annex A – Using attributes
• Annex B – Correspondence with ISO 27001:2013
New controls (11)

Clause                    Controls
Organizational controls   5.7  Threat intelligence
                          5.23 Information security for use of cloud services
                          5.30 ICT readiness for business continuity
People controls           7.4  Physical security monitoring
Technological controls    8.9  Configuration management
                          8.10 Information deletion
                          8.11 Data masking
                          8.12 Data leakage prevention
                          8.16 Monitoring activities
                          8.23 Web filtering
                          8.28 Secure coding

Deleted controls (16)

1. Review of the policies for information security
2. Ownership of assets
3. Password management system
4. Restrictions on software installations
5. Protection of log information
6. Securing application services on public networks
7. Protecting application services transactions
8. Reporting security weaknesses
9. Mobile device policy
10. Handling of assets
11. Delivery and loading areas
12. Unattended user equipment
13. Removal of assets
14. Electronic messaging
15. System acceptance testing
16. Technical compliance review
 Every control will have 5 attributes
1. Control type
2. Control classification
3. Security domain
4. Cyber security concept
5. Operational capabilities

Eg- 5.1 Authentication information

Control type | Information security attributes | Cyber security concept | Operational capabilities | Security domain
Preventive   | C, I, A                         | Protect                | IAM                      | Protection
 Control type
❖ #Preventive
❖ #Detective
❖ #Corrective

 Classification
❖ #Confidentiality
❖ #Integrity
❖ #Availability

 Cyber security concept
❖ #Identify
❖ #Protect
❖ #Detect
❖ #Respond
❖ #Recover

 Security domains
❖ #Governance and Ecosystem
❖ #Resilience
❖ #Protection
❖ #Defence

 Operational capabilities
❖ #Governance
❖ #Asset management
❖ #Information protection
❖ #Human resource security
❖ #Physical security
❖ #System and network security
❖ #Application security
❖ #Secure configuration
❖ #IAM
❖ #Threat and vulnerability management
❖ #Continuity
❖ #Supplier relationship security
❖ #Legal and compliance
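The attribute vocabularies above are what Annex A ("Using attributes") is for: tagging every control and then filtering the set into views such as "all #Detect controls". The following Python script is an added example, not part of the slides or of the standard's own material. It models a control as five attribute sets, checks each tag against the vocabularies listed above, and builds views. The underscored hashtag spelling (e.g. #Identity_and_access_management) is assumed here, and every control row other than the slide's own authentication-information example carries constructed, illustrative tags rather than values copied from the standard.

```python
"""Added example: modelling ISO 27002:2022 control attributes and building
Annex A style views. Not from the slides; the attribute vocabularies follow
the slide's lists, the underscored hashtag spelling is an assumption, and all
control rows except the slide's own example are constructed illustrations."""
from dataclasses import dataclass

# One set of allowed hashtag values per attribute; the thirteen operational
# capabilities are the ones the slide lists.
VOCABULARY = {
    "control_type": {"#Preventive", "#Detective", "#Corrective"},
    "properties": {"#Confidentiality", "#Integrity", "#Availability"},
    "concept": {"#Identify", "#Protect", "#Detect", "#Respond", "#Recover"},
    "capabilities": {
        "#Governance", "#Asset_management", "#Information_protection",
        "#Human_resource_security", "#Physical_security",
        "#System_and_network_security", "#Application_security",
        "#Secure_configuration", "#Identity_and_access_management",
        "#Threat_and_vulnerability_management", "#Continuity",
        "#Supplier_relationships_security", "#Legal_and_compliance",
    },
    "domain": {"#Governance_and_Ecosystem", "#Resilience",
               "#Protection", "#Defence"},
}


@dataclass(frozen=True)
class Control:
    ident: str
    name: str
    control_type: frozenset
    properties: frozenset
    concept: frozenset
    capabilities: frozenset
    domain: frozenset


def make(ident, name, *attribute_strings):
    """Build a Control from five space-separated hashtag strings, in the
    order control type, properties, concept, capabilities, domain."""
    if len(attribute_strings) != 5:
        raise ValueError("a control has exactly five attributes")
    return Control(ident, name,
                   *(frozenset(s.split()) for s in attribute_strings))


def validate(control):
    """Return the problems with a control's attributes: an attribute with no
    value, or a tag outside the vocabulary (for example a misspelling)."""
    problems = []
    for attr, allowed in VOCABULARY.items():
        values = getattr(control, attr)
        if not values:
            problems.append(f"{control.ident}: {attr} has no value")
        for tag in sorted(values - allowed):
            problems.append(f"{control.ident}: unknown {attr} tag {tag}")
    return problems


def view(controls, attr, tag):
    """Annex A style view: identifiers of the controls whose `attr` carries
    `tag`, e.g. every #Detect control for a detection-coverage review."""
    return sorted(c.ident for c in controls if tag in getattr(c, attr))


# The slide's worked example (authentication information, control 5.17 in
# ISO 27002:2022) plus three constructed rows; the constructed rows' tags are
# illustrative and not copied from the standard.
CONTROLS = [
    make("5.17", "Authentication information",
         "#Preventive", "#Confidentiality #Integrity #Availability",
         "#Protect", "#Identity_and_access_management", "#Protection"),
    make("5.7", "Threat intelligence",
         "#Preventive #Detective #Corrective",
         "#Confidentiality #Integrity #Availability",
         "#Identify #Detect #Respond",
         "#Threat_and_vulnerability_management", "#Defence #Resilience"),
    make("8.9", "Configuration management",
         "#Preventive", "#Confidentiality #Integrity #Availability",
         "#Protect", "#Secure_configuration", "#Protection"),
    make("8.16", "Monitoring activities",
         "#Detective #Corrective",
         "#Confidentiality #Integrity #Availability",
         "#Detect #Respond", "#System_and_network_security", "#Defence"),
]


def check_all(controls=CONTROLS):
    """Validate every control and return the combined problem list."""
    return [p for c in controls for p in validate(c)]


if __name__ == "__main__":
    print("problems:", check_all())
    print("#Detect view:", view(CONTROLS, "concept", "#Detect"))
    # A misspelt tag and a missing domain are both reported.
    bad = make("9.99", "Constructed bad row", "#Preventative",
               "#Confidentiality", "#Protect", "#Governance", "")
    print(validate(bad))
```

The vocabulary check is the part worth keeping in a real control register: a tag that is not in the fixed list (a typo, or a 2013-era term) silently drops the control out of every view built on that attribute, so validating before filtering is what makes the views trustworthy.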
