Professional Documents
Culture Documents
No part of this publication may be reproduced, stored, utilized or transmitted in any form or by any means, electronic,
mechanical, or otherwise, without the prior written permission from EXIN.
002
Introduction to the Body of Knowledge
• These slides contain presentation material designed to prepare students for the EXIN Information Security Management Professional
based on ISO/IEC 27001 certification. You can also use this slide deck as the basis for accredited training.
• The material refers to all exam specifications and basic concepts. It covers the body of knowledge of the certification.
• A proper training requires examples of practical experience, deepening of exam specifications and basic concepts, exercises, elaborating
subjects of particular interest to the audience.
• In case of minimal training duration, candidates should study this Body of Knowledge (compare training duration with study load in
Preparation Guide).
• The order of the topics presented in this slide deck follows the order in the exam specifications.
• When you make use of this Body of Knowledge, your organization will still need to go through EXIN's standard accreditation procedure.
You can find the requirements for accreditation in the Accreditation Manual.
• Please note that this Body of Knowledge cannot be sold commercially. ATO’s are allowed to use these materials for the sole
purpose of developing their own full courseware to be used in EXIN accredited training. They may not create other
commercial products and services based on this file without permission from EXIN. When parts of it are used in another
context the source must be referenced and the EXIN copyright statement added.
003
EXIN Information Security Management based on ISO/IEC 27001
program
004
Course objectives and target audience
005
Certification requirements
006
Exam details
• Number of questions: 30
• Open book: No
• Notes: No
The Rules and Regulations for EXIN’s examinations apply to this exam.
007
Additional exam literature
008
ISO/IEC 27001:2022 overview
09
ISO/IEC 27001 structure
• 0 Introduction – General introduction to the standard and the wider ISO/IEC • 7 Support – description of the actions that must be taken to assign adequate
27000 series of standards. and competent resources, create and develop information security
awareness, prepare, publish and control the required documented processes,
• 1 Scope – description of an ISMS generic requirements suitable for any size policies and procedures.
and type of organization.
• 8 Operation – description of detailed actions to assess and treat information
• 2 Normative references – description of other ISO standards that are required security risks, change management and documents (registers to facilitate
to understand this standard. auditing activities).
• 3 Terms and definitions – description of the main terms and definitions used • 9 Performance evaluation - description of the actions that must be taken to
by ISO/IEC 27001. monitor, measure, analyze and evaluate/audit/review the information
security controls, processes and management system, systematically
• 4 Context of the organization – description of how organizations should look improving where necessary.
to their own context in order to define a good scope for the ISMS, to manage
the stakeholders' expectations and the main items and processes that must be • 10 Improvement - description of the actions that must be taken to
established, implemented, maintained and continually improved in the ISMS. continuously improve the ISMS based on audit findings, management
reviews, customers inputs, among others.
• 5 Leadership - description of the role and responsibilities from Top
Management regarding to the ISMS, as well as define the information security • Annex A Controls reference – description of the main information security
main roles. controls that must be adopted by the organizations. The selected and used
controls as well as the non-used ones must be described on the Statement of
• 6 Planning - description of the actions that must be taken to identify, analyze Applicability (SoA) document.
and plan to treat information risks. A description and definition of the
information security objectives must take place as well.
010
ISO 27001 certification path (overview)
The ISMS implementation and certification can differ from organization to organization. However, these are the most common steps.
1 2 3 4 5 6
ISMS objectives
Obtain Define scope
and overall Information
management and context of Plan the project Risk assessment
management security policy
commitment the ISMS
system
7 8 9 10 11 12
011
0. Introduction
Definition of the subject
013
This implies…
014
1. Information security
perspectives
Information security perspectives
business service
perspective provider/supplier
of information responsibilities in
security security assurance
016
1.1 Business interest of
information security
The business perspective
Information has become the most critical asset for many organizations.
018
The business perspective
Due to the open marketplace customers can take their business customer (end user)
elsewhere. perspective on
governance
Concerns surrounding privacy are still very strong. Although the use
of social media, and the selling out of personal privacy as a result,
indicate that this is highly contextual.
021
Customer (end user) perspective on governance
In B2B environments the chain of
trust requires compliance and
governance.
024
Service provider/supplier security assurance responsibility
Service providers need to
understand their customers’
business and requirements.
Risk assessment
Selection of mitigating
controls/strategies 2 3 Residual risk
027
2.1. Risk management
principles
Risk assessment
029
Steps in risk assessment processes
1 Assets Risks 3
• Determine which assets are in scope of the assessment • Define a formula to calculate the magnitude of risks
• Determine who the owners of the assets are • Define the risk appetite of the owner(s)
• Discuss the threats to these assets with the owners • Find options to mitigate unacceptable risk(s)
2 Threats Controls 4
• Decide who the threat agents are • Implement controls
• Get expert opinions on vulnerabilities of these assets • Understand and mitigate the new risks of the controls
• Get expert opinions on likelihood that the threats will occur • Accept any residual risks and repeat all of the above
• Get expert opinions on the impact if/when the threats occur
• Have a brainstorm with representatives of all stakeholders
030
Risk management generic workflow
value
Owners wish to minimize
impose
to reduce
Controls
that may
that may be possess
reduced by
Vulnerabilities
may be aware of
leading to
that
Threat agents exploit Risk
give
rise to that increase to
Threats to Assets
031
wish to abuse and/or may damage
Risk management according to ISO/IEC 27001:2022
Significance of risk
Risk Analysis Risk Evaluation
Risk assessment
No
Risk Treatment
(information
security controls)
Risk management
• Produce a Business Impact Analysis first to determine where a risk assessment is required.
• Implement a baseline on the risks. However, risk mitigation controls must be implemented only when required.
• Discussing risks that have not (yet) occurred needs an open mind.
• Analyzing risks can be facilitated by a specialist but requires a multi-disciplinary approach with members of each business
function.
• There are many tools available, but tools can only assist the process; not perform it!
• The risk assessment will provide the direction as to which controls must be implemented to tackle the risks that are being faced
by the organization. This is a must when designing an enterprise-wide information security program.
• The best way to achieve a good level of effectiveness in security governance is to perform a periodic risk assessment as part of
a risk management program.
• The organization will not bring the number of risks down to zero. However, stakeholders must be informed regarding to the
residual risks and accept them in agreement with the organization’s risk appetite.
033
Business impact analysis (BIA)
BIA
In business terms, i.e. monetary loss, Does not analyze assets, threats,
damage to reputation, legal vulnerabilities, probabilities etc.;
consequences etc. only the impact of events.
034
Baseline principle
• Implement a limited set of controls for assets that are part of the scope.
• Be able to explain and justify why it is sufficient to implement only those specific
controls on those assets (tool: business impact analysis).
• Do a risk assessment on all the other assets and implement extra controls only where
required.
• Represents the way to start setting the information security controls for the organization.
035
2.2.1 Assessing the risks -
Guidance
Determine which assets are in scope of the assessment
• Purpose:
Determine which assets will be assessed during the next steps.
• How:
The business impact analysis (BIA) will have made clear what processes
result in the highest impact if loss, damage, or disclosure occurs. Assets
within these processes are people, systems, applications, operating
systems, buildings/rooms, utilities etc.
• Guidelines:
Draft the list of assets but keep a high level of abstraction and try to
group assets where possible.
037
Determine who the owners of these assets are
• Purpose:
Only the owners can clearly discuss the value of assets.
• Guidelines:
Determining the owners of shared assets (such as network, email infrastructure,
internet access) can be tricky. When this is the case, the owner will be the
manager responsible for (delegated) maintenance of these assets.
038
Discuss the threats to the assets with these owners
• Purpose:
Determine which threats are applicable to the assets within scope. Only those
threats need to be analyzed in the next steps.
• How:
Standard lists of threats do exist, but whether the list is complete should be
discussed with the owner.
• Guidelines:
Be as complete as possible, do not filter out threats at this point. Try to compile
a list of inherent threats, not the threats for which there are residual risks at this
moment. For instance, do not exclude the threat of data loss because back-ups
are already made.
039
Decide who the threat agents are
• Purpose:
Knowing your enemy enables you to better determine which vulnerabilities
there are and the probability of threats occurring.
• How:
Discuss who might be interested in attacking your organization and the means
these adversaries have to their disposal.
• Guidelines:
Adversaries can be employees, criminals, hackers (of every kind), competitors,
states, terrorists etc.
040
Get expert opinions on vulnerabilities of the assets
• Purpose:
Enable those present during the risk assessment workshop to have enough
detailed information to make informed decisions.
Vulnerability 1 • How:
Vulnerability 2 Interviews with experts about information security aspects that are relevant to
…. the assets in scope. This can include technical experts and facility managers but
also local government, police, fire brigade etc.
• Guidelines:
The obtained data needs to be judged as to whether there is high, medium, or
low vulnerability. Try to be exhaustive. Talk to as many experts as possible
within scope and budget.
041
Get expert opinions on the likelihood that threats will occur
• Purpose:
Enable those present during the risk assessment workshop to have enough
detailed information to make informed decisions.
Probability 1 • How:
Probability 2 Interviews with experts about information security aspects relevant to the assets
…. in scope. This can include technical experts and facility managers but also local
government, police, fire brigade etc. Also get publicly available information
(where available) from incidents in the past both within and outside of the
organization.
• Guidelines:
The obtained data needs to be judged as to whether there is high, medium, or
low likelihood and impact. Try to be exhaustive. Talk to as many experts as
possible within scope and budget.
042
Define the impact for all threats when they occur
• Purpose:
Enable those present during the risk assessment workshop to have enough
detailed information to make informed decisions.
• How:
For every threat, discuss with experts what the maximum impact would be
if/when the threat occurs.
• Guidelines:
It is difficult to consider the impact on the organization when a threat has never
occurred. Consider monetary losses, legal problems, loss of business,
advantages it would give a competitor, loss of image etc. If possible, classify all
possible losses in monetary terms.
043
Define a formula to calculate risk
• Purpose:
Bring all information about a threat together in one quantitative or qualitative
parameter which will enable deciding whether the risk is above or below the
acceptable risk level.
• How:
• Quantitative: When only numbers are used to calculate the risk.
• Qualitative: When using classes of risk, for instance LL (low likelihood,
medium impact) or quantify (VL=1, L=2, M=3, H=4, VH=5) and then
multiply (L*M = 1*3 = 3) or use a different formula (most accepted risk
methodology).
• Guidelines:
Be careful when quantifying risks not to lose the distinction between for
instance L*M=1*3 and M*L=3*1 (both are 3).
044
Define the risk appetite of the owner(s)
• Purpose:
Determine the level above which a risk is unacceptable (i.e. should be mitigated
where possible).
• How:
For each threat, or all threats in one go, have the process owner decide which
level of risk is unacceptable.
• Guidelines:
Also take an outside view. What would customers/suppliers find acceptable?
What would legal entities consider acceptable?
045
Remarks
Example:
• Imagine two houses next to a chemical factory. An explosion at the factory causes fires in the
? ? ? surroundings. Both houses are equally likely (probability) to catch fire as a result of the
? explosion in that factory.
Probability
? ? • But, if one of the houses is made from wood and the other is made from concrete, the wooden
? ? Vulnerability house is much more vulnerable if there is a fire. Since vulnerability is difficult to determine,
limit the number of classes to (for instance) only high or low vulnerability.
? ? ? ?
The distinction between probability
and vulnerability is not always clear.
046
Remarks
Risk assessment needs to be part of the scope of every project. Usually, a simple identification and rating mechanism for the threats and risks
specifically related to the project is sufficient.
Before doing a risk assessment, an organization will need to reach consensus on classes for probability, vulnerability and impacts.
For instance: Impact:
high: could lead to bankruptcy
medium: impacts the bottom line
low: no impact
Vulnerability: Probability:
high: when it happens there is a big high: it can happen any day
impact medium: could happen yearly
low: when it happens there will be low: will never happen
minor impact
047
2.2.2 Controlling the risks
Risk treatment in ISO/IEC 27001:2022
• Obtain the risk owners’ approvals to treat the risks and their acceptance of
residual risk
049
Find ways to mitigate unacceptable risk(s)
• Purpose:
Select the risks for which mitigating controls are required.
• How:
Decide whether a risk can be avoided, transferred to another party, accepted or
whether it needs mitigation. Or maybe the risk is already mitigated by a control.
• Guidelines:
For example, avoidance of the risk means cancelling the business process in
question or moving the organization to an area with a lower/other risk profile.
Transferring a risk can be done by insuring against it. Both avoidance and
transferring tend to be exceptions. This tends to lead to discussions to decide
whether a risk can be accepted or needs mitigation. Sometimes risks are already
covered, for example Escrow arrangements to protect software code.
050
Implementing controls
• Purpose:
Where there are risks that cannot be accepted, controls need to be selected and
implemented with the aim of lowering probability, vulnerability and/or impact.
• How:
Controls should always follow from the risk assessment. For inspiration, a
standard baseline best-practice set of controls such as ISO/IEC 27002 can be
used to select those controls that mitigate the risk.
• Guidelines:
Whether controls mitigate a risk requires expertise in technical, legal,
procedural, physical/facility aspects. Ensure the expert view on all these aspects
is available.
051
Remarks
Use the available controls in ISO/IEC 27001 (Annex A) and ISO/IEC 27002 for further guidance or inspiration for risk mitigation activities
Organisation of
A.6 information security
Human resource
A.7 security
...
052
Statement of Applicability (SoA)
• The SoA is a document that must be produced as a result of the risk assessment
process.
• The document can be a matrix, by listing the used information security controls (to
mitigate and/or minimize the risks), the treatment options, and often also the
person(s) accountable for them.
053
2.3. Residual risks
Understand and mitigate the new risks of the controls
• Purpose:
Determine whether the controls that have been selected to mitigate the
unacceptable risks introduce new risks themselves.
• How:
Discuss the implications of the selected controls with suitable experts. Decide
on mitigation strategies if new risks are found.
• Guidelines:
An example might be key management. Physical locks or electronic keys
(passwords/certificates) introduce all sorts of new problems (key management,
key loss, revoking keys etc.) that need to be understood and mitigated.
055
Accept any residual risks and repeat
• Purpose:
Residual Formally accept the residual risks and embed this process.
risk
acceptance
• How:
Have the organization’s management document the fact that residual risks do
exist but that these can or should be accepted. Embed this risk management
process within the management system, perhaps based on ISO/IEC 27001 or
even ISO 9001 (quality) or ISO/IEC 20000 (service management).
• Guidelines:
This risk management process should be linked to the incident management
process and the change management process. This guarantees that new threats
will be considered and mitigated when required.
056
PDCA
Control
Act Check required to assure risks are mitigated – audit/review it all (e.g.
check). Lastly all possible improvements should again be
considered (e.g. act) and lead to new plans.
057
3. Information security controls
Strategies for controls
Information security can only be improved by implementing controls , i.e. the Plan-activities of the PDCA cycle are the most important
ones. Nevertheless, implementing the right controls is crucial and testing whether these actually work (i.e. mitigate risk) is even more
important.
• Focus on ‘do’;
059
A good mix of controls
• Important remarks:
• Top management reviews the ISMS on a regular basis. Input is the performance of
the ISMS. Output is decisions on improvement and change.
• The commitment of management and tactical control are the most important aspects.
060
Protecting confidentiality
• Preventing access to information means user DL_OPS • Encryption of information comes down to
identification and authorization is critical. scrambling the information in such a way
Subsequent access should be based on access that legitimate users can easily descramble it
control lists (ACL) that describe what kind of DL_ADM but an adversary cannot. This requires some
access the user has; read, write, execute, sort of digital key and a one-way decryption
create, delete etc. method that will not allow descrambling data
without the key.
061
ISO/IEC 27002:2022
063
ISO/IEC 27002 themes
ISO/IEC
27002:2022
5. Organizational controls
6. People controls
7. Physical controls
8. Technological controls
064
Organizational controls
Organizational Organizational
5.1 Policies for information security 5.19 Information security in supplier relationships
5.2 Information security roles and responsibilities 5.20 Addressing information security within supplier agreements
5.3 Segregation of duties 5.21 Managing information security in the ICT supply chain
5.4 Management responsibilities 5.22 Monitoring, review and change management of supplier services
5.5 Contact with authorities 5.23 Information security for use of cloud services
5.6 Contact with special interest groups 5.24 Information security incident management planning and preparation
5.7 Threat intelligence 5.25 Assessment and decision on information security events
5.8 Information security in project management 5.26 Response to information security incidents
5.9 Inventory of information and other associated assets 5.27 Learning from information security incidents
5.10 Acceptable use of information and other associated assets 5.28 Collection of evidence
5.11 Return of assets 5.29 Information security during disruption
5.12 Classification of information 5.30 ICT readiness for business continuity
5.13 Labelling of information 5.31 Legal, statutory, regulatory and contractual requirements
5.14 Information transfer 5.32 Intellectual property rights
5.15 Access control 5.33 Protection of records
5.16 Identity management 5.34 Privacy and protection of PII
5.17 Authentication information 5.35 Independent review of information security
5.18 Access rights 5.36 Compliance with policies, rules and standards for information security
5.37 Documented operating procedures
065
People controls
People
6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote working
6.8 Information security event reporting
066
Physical controls
Physical
067
Technological controls
Technological Technological
8.1 User endpoint devices 8.18 Use of privileged utility programs
8.2 Privileged access rights 8.19 Installation of software on operational systems
8.3 Information access restriction
8.20 Networks security
8.4 Access to source code
8.5 Secure authentication 8.21 Security of network services
8.6 Capacity management 8.22 Segregation of networks
8.7 Protection against malware 8.23 Web filtering
8.8 Management of technical vulnerabilities 8.24 Use of cryptography
8.9 Configuration management
8.25 Secure development life cycle
8.10 Information deletion
8.11 Data masking 8.26 Application security requirements
8.12 Data leakage prevention 8.27 Secure system architecture and engineering principles
8.13 Information back-up 8.28 Secure coding
8.14 Redundancy of information processing facilities 8.29 Security testing in development and acceptance
8.15 Logging
8.30 Outsourced development
8.16 Monitoring activities
8.17 Clock synchronization 8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit testing
068
3.1. Organizational controls
Examples of organizational controls
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO/IEC 27002:2022. 070
5.1 Policies for information security
071
5.37 Documented operating procedures
Internal
Public
…
Information security policy Management commitment Asset management Change management Separation of duties
and its review process including classification of procedures
assets/information
Access control program & Incident management Identification of applicable Protection of intellectual Protection of personal
policy and its review procedures legislation property rights information
process
072
Procedure and process (definition from ISO 9001)
Procedure Process
A B C
073
5.12 Classification of information
• Only secure what is required (according to the ISMS’ • Let the asset owners classify information based on the
scope). impact of loss, damage and/or disclosure.
• Add a corresponding label to the information, for • Have rules to deal with these labels, for instance
instance: highly confidential, confidential, or public. confidential information should be encrypted or
transported by registered mail.
• Classified documents can only be accessed
by persons cleared for that level or higher.
074
5.7 Threat intelligence
075
5.9, 5.10, 5.11 Asset management
Acceptable Use
Policy
Return
076
5.19-5.21 Information security in supplier management
Low High
Supplier Contractual
T&Cs Agreement
077
Continuity/availability
ISO/IEC 27002 control 5.29 is called From an information security perspective, the
“Information security during disruption” and term continuity should be interpreted as:
deals with aspects of business continuity
management (BCM). • continuity of security when an organization faces
The BCM process within an organization is a business continuity problem;
of course much broader than just
information security incident management. • availability of security systems, procedures and
services during normal operation.
Integrity Availability
078
Business continuity planning
079
Continuity controls
5.29 Information security during disruption 5.30 ICT readiness for business continuity
This is the main control related to how to protect This control focuses on the redundancy of
information security during disruptive events ICT services, such as servers, network and
when a business continuity plan is invoked. applications.
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO/IEC 27002:2022.
080
ICT business continuity planning
When a severe incident has led to substantial damage to RTO specifies the duration of time and
information processing and related services, there is one
important constraint: time! RTO a service level within which a service
must be restored after a disaster or
disruption.
The maximum allowable downtime (if longer the RPO is the maximum amount of data
organization will not be able to recover) should have
been translated into recovery time objective (RTO) and
recovery point objective (RPO).
RPO that might be lost from a service due
to a disruption.
081
ICT business continuity planning
082
Guidance for information back-up and restore
• It should be understood, at every level within the organization, • For proper restore a large number of other requirements exist,
that ‘back-up’ is not a problem. such as:
• Understand what the timeframe for restore is.
• The problem is being able to restore all relevant information • Understand the order in which systems should be
whatever the threat to data loss is, under all circumstances, restored.
within the required timeframe. • Availability of systems to restore on.
• Personnel knowledgeable in restore activities.
• When it is properly understood that ‘restore’ is the problem, it • Software required to do the restore.
will be clear that ‘back-up’ is only part of the solution. • Restore procedures describing the activities required.
• Test procedures after a restore to decide whether
production can restart.
083
ICT business continuity planning
RTO required. Since time is the only constraint, RTOs expressed in hours dictate
that all activities detecting, escalating and mitigating the incident are
documented and sufficiently trained.
The document describing this is the business During a business continuity incident the Drafting a BCP is done by assembling knowledgeable
continuity plan (BCP) or IT continuity plan. personnel involved in solving the situation experts who during normal operation are responsible for ICT
might be different than during normal or business processes. They define the actions, lead times
operation. This requires that the BCP describes and required facilities/services to be able to perform those
critical activities in large detail. actions. Subsequently these actions are put into a Gantt
chart.
084
Guidance for procedures
085
3.2. Physical controls
Examples of physical controls
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO/IEC 27002:2022.
087
Examples of physical controls
7.6 Working in secure areas 7.11 Supporting utilities 7.14 Secure disposal or re-use of
equipment
Procedures that describe the conditions for Protection against loss of utilities (cooling,
working in protected areas. For instance power, gas, water). Describes the need for Procedures and technical tooling for the
specifying that in such areas nobody may uninterruptible power supplies and no-break secure disposal of media (paper, disks)
work alone. systems. containing classified information.
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO27002:2022.
088
7.1 Perimeter protection
089
7.2 Physical access control & biometrics
090
Guidance for physical controls
General entry
Operations
Datacenter
Check legislation when Access rights management needs a Zoning helps to decide which Physical controls are often
surveillance cameras and other tight interface with the human parts of the organization need managed by the organization’s
privacy sensitive equipment is to resource department when personnel strict physical entry controls. facilities management
be installed. is hired, fired or when someone’s For example a policy for a department. To optimize these
position within the organization loading/unloading area. controls for the protection of
changes. information the security
officer/manager, the ICT
manager and the facility
manager should closely work
together on this subject.
091
Guidance for physical controls
IT systems are very vulnerable to Building management systems – A thorough environmental risk Physical barriers should not
electrical power problems. A back- controlling power, lighting, assessment should dictate what obstruct personnel leaving the
up power supply (uninterruptible access, temperature etc. – are kind of physical entry controls premises in case of an
power supply – UPS – for short computer systems themselves. are required. emergency.
outages and no-break systems – These need the same protection
generators – for longer outages) is as other computer systems
always required. within the organization.
092
3.3. People controls
Examples of people controls
6.1 Screening
Procedures for the screening of personnel in those positions 6.3 Information security awareness, education, and
where special risks could occur, for instance in financial training
positions or in positions where confidentiality requirements Procedures and all activities the organization takes to train
are high. In case of fraud to investigate the employee’s employees in information security in general and the
workstation might be the only legal possibility. organization’s policies in particular.
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO/IEC 27002:2022.
094
Awareness, training
• Aspects:
Information security
• Knowledge (understanding the rules)
• Attitude (willingness to cooperate)
• Behavior (obeying the rules)
• The awareness program must be established in alignment with the target group and led by
the information security management.
• The level of awareness of the target group should be measured. The actual mindset of
employees towards information security can for example be observed in a walkabout after
office hours.
• Behavioral change will only happen when the target group has obtained all required
knowledge and understands why security controls are required.
• Tools: class-based training, e-learning, one-to-one talks, discussion, gaming.
095
Social engineering
Most humans are willing to help. Adversaries With the success of social media an
use this to their advantage by building trust enormous amount of personal information is
with an employee. After gaining their trust, publicly available. Employees should
the adversary uses the employee to obtain understand and follow company policies
information that helps them to get access to what they can and cannot disclose on social
the organization’s assets. media about the organization they work for.
Employees should be trained to identify social engineering and know how to identify who may have
access to what asset(s).
096
Guidance for people controls
Special care should be given to those Defining roles and responsibilities is of All access rights should be reviewed
functions where high risks occur. the utmost importance. It is also vital to periodically, especially when employees
Especially in situations where access make sure that employees understand change roles within the organization. This
privileges are granted. If needed, duties their responsibilities and any that requires action from the HR department
should be separated to reduce risk. For disciplinary steps are taken if they abuse and the relevant managers.
instance administrators should only be them.
allowed to use admin rights when another
administrator is present (“four-eye
principle”).
097
3.4. Technological controls
Examples of technological controls
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive, the numbers refer to ISO/IEC 27002:2022.
99
8.15 Logging
Event management
• Collects information from systems, applications and network elements
• Correlates this information to determine if there is an incident, such as an outage or a security incident
• Is, in part, dependent on logging of events on the systems themselves (syslogs) or on logging servers
Not all events lead to an incident, but all events should be analyzed to verify if an incident actually took place.
All logs should be protected to preserve their confidentiality, integrity and availability in order to analyze the information in them.
100
8.19 Installation of software on operational systems
End users may be able to install software on their PCs themselves. This brings with it a high risk, because this software cannot be
controlled and may contain malware or other threats.
101
8.24 Use of cryptography
102
Symmetric encryption
A B
Key Key
103
Symmetric encryption
104
Asymmetric encryption
A B
105
Asymmetric encryption
• Every party generates two keys: a private key that needs to be kept secret and a public key that
everyone may know.
• When A needs to send a confidential message to B, she uses a mathematical formula that encrypts
the message using her private key and B’s public key.
• When B receives the message, he can decrypt the message using his private key and A’s public
key.
• A separate entity, the certificate authority (CA), acts as an intermediate responsible for delivering
the public key of someone to everyone that asks for it.
• The mathematics involved should 100% guarantee that without the private keys no one can
decipher messages of the one that used the corresponding public key to cipher.
• An attention point must be given, in case the certificate authority (CA) is hacked, fake certificates
can be hacked and/or all certificates can be made invalid.
106
Digital signatures
• Together with hash functions they can be used to prove identity and/or integrity.
• A generates a hash of a document and encrypts (“signs”) that document and its
hash using her private key and sends the results to B.
• B decrypts the document and hash using A’s public key and reruns the hashing
function. If the result on the decrypted document matches the decrypted hash
that A sent, the document can only have originated from A.
• Of course this only works when A keeps her private key secret and there is
definite proof that she “owns” her public key. This is again arranged using
Certificate Authorities (CA).
107
8.20-8.22 Networks security
DMZ Mainframe
Internet
Router Firewall Router IDS
LAN
Home office
108
Infrastructural components – firewall types
109
8.7 Protection against malware
• Malware comes in a variety of types; they damage data and/or applications or steal information.
• Systems (either hardware or software based) that detect malicious code rely on signatures that represent
previously found code of the malware or detect the malicious behavior of the malware itself.
• Unfortunately, these systems generate false-positives and accurately fail to detect all known malware.
Malware
• Note that ISO/IEC 27002 uses the more general term ‘malware’. This also denotes for instance hidden
backdoors and logical bombs that can (sometimes!) only be detected by humans when doing a code review of
bespoke software.
• A lot of malware nowadays is transferred via USB sticks but mostly by visiting infected websites.
110
8.31 Separation of development, test and production environments
Authorization controls
• Tests environments should be controlled via authorization controls in order to protect the production environment’s integrity.
• By implementing this control an authorization must be made every time that data are being moved from the production to test and from the
test to the environment.
• This will increase not only the integrity of the data, but also guarantees that transferred data are aligned with the information security policy
of the organization.
111
Service Oriented Architecture (SOA)
Service request
112
Service Oriented Architecture (SOA) and information security
• When it comes down to information security, some aspects must be taken into consideration.
• It is important that when designing services or infrastructure based on SOA, the information
security team are involved in the project.
• The definition of which security services will be provided, and in which architecture, must be
defined to better align the information security requirements and the service for the customers.
113
Open-design architecture
• Open-design architecture advocates that establishing a single, consistent, clearly defined control
catalog provides an excellent means to simplify requirements from numerous standards,
governance frameworks, legislation, and regulations.
• Using OSA (Open Security Architect) patterns provides a fast start, improves the quality of the
solution that must be deployed, and reduces overall effort.
• Commonly, open-design architectures are tested a lot, which improves the security of the services.
Architectural principles
Implementation principles
Open design Secure coding practices Black box and white box testing
114
Common Criteria
• Since firewalls and other access granting equipment are the gate-keepers to the information assets
of the organization, independent certification is required.
• ISO/IEC 15408, or “common criteria”, “… is a framework in which computer system users can
specify their security functional and assurance requirements, vendors can then implement and/or
make claims about the security attributes of their products, and testing laboratories can evaluate the
products to determine if they actually meet the claims”.
• When a security product has been tested against ISO/IEC 15408, it will be assigned an Evaluation
Assurance Level (EAL). When users determine their assurance requirements, they can then decide
ISO/IEC 15408 to install only equipment with the corresponding EAL’s.
115
Thank you
Questions?
116
Contact EXIN
www.exin.com