ISO 27001:2022
What is information?
Information has become the most critical asset for many organizations.
What is Information Security?
ISO 27001:2022
ISO/IEC 27001:2022 overview
ISO 27001 Implementation path (overview)
1 Obtain management commitment
2 Define scope and context of the ISMS
3 ISMS objectives and overall information security policy
4 Plan the project
5 Risk assessment
Steps 6 to 12: (step titles not recoverable from the slide)
Definition of the subject
3. Information security controls
Attributes in controls
Organizational controls
5.1 Policies for information security
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence
5.8 Information security in project management
5.9 Inventory of information and other associated assets
5.10 Acceptable use of information and other associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Information transfer
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Protection of records
5.34 Privacy and protection of PII
5.35 Independent review of information security
5.36 Compliance with policies, rules and standards for information security
5.37 Documented operating procedures
People controls
6.1 Screening
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.4 Disciplinary process
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.7 Remote working
6.8 Information security event reporting
Physical controls
Technological controls
8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention
8.13 Information back-up
8.14 Redundancy of information processing facilities
8.15 Logging
8.16 Monitoring activities
8.17 Clock synchronization
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.23 Web filtering
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.28 Secure coding
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit testing
3.1. Organizational controls
Examples of organizational controls
Note: not all ISO/IEC 27002 controls are included; this list is not exhaustive. The numbers refer to ISO/IEC 27002:2022.
5.1 Policies for information security
5.37 Documented operating procedures
(Figure: documents labelled Internal, Public, …)
Examples:
• Information security policy and its review process
• Management commitment
• Asset management including classification of assets/information
• Change management procedures
• Separation of duties
• Access control program & policy and its review process
• Incident management procedures
• Identification of applicable legislation
• Protection of intellectual property rights
• Protection of personal information
Procedure and process (definition from ISO 9001)
(Figure: procedure versus process, with steps A, B and C)
5.12 Classification of information
• Only secure what is required (according to the ISMS’ scope).
• Let the asset owners classify information based on the impact of loss, damage and/or disclosure.
• Add a corresponding label to the information, for instance: highly confidential, confidential, or public.
• Have rules to deal with these labels, for instance confidential information should be encrypted or transported by registered mail.
• Classified documents can only be accessed by persons cleared for that level or higher.
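The five bullets above describe one small decision chain: the owner rates impact, the rating becomes a label, the label drives handling rules, and access is granted to a clearance of that level or higher. The following is an added example (not part of the EXIN slides) that models that chain so it can be exercised; the level names, the 0 to 3 impact scale, the handling rules and the sample assets are assumptions made for this illustration, not text from ISO/IEC 27002.

```python
"""Added example: a small model of control 5.12 (classification of information).
Level names, impact scale, handling rules and sample assets are constructed
for this illustration and are not taken from the standard or the slides."""

from dataclasses import dataclass

# Ordered from least to most sensitive; the list index is the "level".
LEVELS = ["public", "internal", "confidential", "highly confidential"]

# Handling rules per label (constructed; a real ISMS defines its own).
HANDLING_RULES = {
    "public": set(),
    "internal": {"no external sharing"},
    "confidential": {"encrypt at rest", "encrypt in transit or send by registered mail"},
    "highly confidential": {"encrypt at rest", "encrypt in transit or send by registered mail",
                            "need-to-know access list"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    loss_impact: int        # 0 (none) .. 3 (severe), each rated by the asset owner
    damage_impact: int
    disclosure_impact: int


def classify(asset: Asset) -> str:
    """The label follows the worst of the three impact ratings."""
    worst = max(asset.loss_impact, asset.damage_impact, asset.disclosure_impact)
    if not 0 <= worst <= 3:
        raise ValueError("impact ratings must be between 0 and 3")
    return LEVELS[worst]


def handling_rules(asset: Asset) -> set:
    """Rules that apply to a document carrying the asset's label."""
    return HANDLING_RULES[classify(asset)]


def may_access(clearance: str, asset: Asset) -> bool:
    """A person may access documents labelled at their clearance level or lower."""
    return LEVELS.index(clearance) >= LEVELS.index(classify(asset))


def label_line(asset: Asset) -> str:
    """The label that would be stamped on the document."""
    return f"{asset.name}: {classify(asset).upper()} (owner: {asset.owner})"


if __name__ == "__main__":
    payroll = Asset("payroll export", "hr-manager", 1, 2, 3)   # constructed
    newsletter = Asset("newsletter", "comms", 0, 0, 0)          # constructed
    print(label_line(payroll))
    print(sorted(handling_rules(payroll)))
    print(may_access("confidential", payroll), may_access("internal", newsletter))
```

The ordinal comparison in may_access is what "cleared for that level or higher" means in practice; keeping the levels in one ordered list avoids the common mistake of comparing label strings alphabetically.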
5.7 Threat intelligence
5.9, 5.10, 5.11 Asset management
(Figure: asset life cycle with the acceptable use policy and the return of assets)
5.19-5.21 Information security in supplier management
(Figure: scale from low to high, from a supplier’s terms and conditions to a contractual agreement)
Continuity/availability
ISO/IEC 27002 control 5.29 is called “Information security during disruption” and deals with aspects of business continuity management (BCM). The BCM process within an organization is of course much broader than just information security incident management.
From an information security perspective, the term continuity should be interpreted as:
• continuity of security when an organization faces a business continuity problem;
• availability of security systems, procedures and services during normal operation.
(Figure: integrity and availability)
Business continuity planning
Continuity controls
5.29 Information security during disruption
This is the main control related to how to protect information security during disruptive events when a business continuity plan is invoked.
5.30 ICT readiness for business continuity
This control focuses on the redundancy of ICT services, such as servers, network and applications.
ICT business continuity planning
When a severe incident has led to substantial damage to information processing and related services, there is one important constraint: time!
The maximum allowable downtime (if longer, the organization will not be able to recover) should have been translated into a recovery time objective (RTO) and a recovery point objective (RPO).
RTO specifies the duration of time and a service level within which a service must be restored after a disaster or disruption.
RPO is the maximum amount of data that might be lost from a service due to a disruption.
ICT business continuity planning
Guidance for information back-up and restore
• It should be understood, at every level within the organization, that ‘back-up’ is not a problem.
• The problem is being able to restore all relevant information, whatever the threat of data loss is, under all circumstances, within the required timeframe.
• When it is properly understood that ‘restore’ is the problem, it will be clear that ‘back-up’ is only part of the solution.
• For a proper restore a large number of other requirements exist, such as:
  • Understand what the timeframe for restore is.
  • Understand the order in which systems should be restored.
  • Availability of systems to restore on.
  • Personnel knowledgeable in restore activities.
  • Software required to do the restore.
  • Restore procedures describing the activities required.
  • Test procedures after a restore to decide whether production can restart.
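Two of the items above, the restore timeframe (RTO) and the restore order, can be checked against each other before an incident, and the RPO can be checked against the backup schedule. The following is an added example (not from the EXIN slides) of such a check: it orders the restores by their dependencies, computes when each service is back if restores start as soon as their dependencies are up, and reports every service whose RTO or RPO is not met. The services, durations, backup intervals and dependencies are constructed sample data.

```python
"""Added example: an ICT continuity restore planner. All service data below
is constructed for illustration; the hours are not from the slides."""

from collections import deque

# Constructed sample plan: objectives (hours), backup interval, restore duration, dependencies.
SERVICES = {
    "storage":   {"rto": 4, "rpo": 2,  "backup_every": 1,  "restore_hours": 2.0, "depends_on": []},
    "directory": {"rto": 4, "rpo": 24, "backup_every": 24, "restore_hours": 1.0, "depends_on": ["storage"]},
    "database":  {"rto": 6, "rpo": 1,  "backup_every": 4,  "restore_hours": 3.0, "depends_on": ["storage"]},
    "webshop":   {"rto": 8, "rpo": 1,  "backup_every": 4,  "restore_hours": 1.5, "depends_on": ["database", "directory"]},
}


def restore_order(services):
    """Topological order: a service is restored only after its dependencies.
    Raises ValueError on an unknown dependency or a cycle, which a plan must not contain."""
    indegree = {name: len(spec["depends_on"]) for name, spec in services.items()}
    dependants = {name: [] for name in services}
    for name, spec in services.items():
        for dep in spec["depends_on"]:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep!r}")
            dependants[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependants[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(services):
        raise ValueError("dependency cycle: the restore plan can never complete")
    return order


def completion_times(services):
    """Hour at which each service is back, assuming a restore starts as soon as
    all its dependencies are up and independent restores run in parallel."""
    finish = {}
    for name in restore_order(services):
        spec = services[name]
        start = max((finish[d] for d in spec["depends_on"]), default=0.0)
        finish[name] = start + spec["restore_hours"]
    return finish


def check_objectives(services):
    """Return (service, problem) pairs for every RTO or RPO that the plan cannot meet."""
    problems = []
    finish = completion_times(services)
    for name, spec in services.items():
        if finish[name] > spec["rto"]:
            problems.append((name, f"restored after {finish[name]:.1f} h, RTO is {spec['rto']} h"))
        # Worst-case data loss is the time elapsed since the last backup.
        if spec["backup_every"] > spec["rpo"]:
            problems.append((name, f"backup every {spec['backup_every']} h, RPO is {spec['rpo']} h"))
    return problems


if __name__ == "__main__":
    print("restore order:", restore_order(SERVICES))
    print("back at (h):", completion_times(SERVICES))
    for service, problem in check_objectives(SERVICES):
        print(f"{service}: {problem}")
```

In the sample data every RTO is met, but the database and the webshop cannot meet a one-hour RPO with four-hourly backups; that is the kind of mismatch the "restore is the problem" bullets warn about, and it is visible only when the backup schedule is compared with the objective rather than checked for existence.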
ICT business continuity planning
(Figure: RTO required)
Since time is the only constraint, RTOs expressed in hours dictate that all activities for detecting, escalating and mitigating the incident are documented and sufficiently trained.
The document describing this is the business continuity plan (BCP) or IT continuity plan.
During a business continuity incident the personnel involved in solving the situation might be different than during normal operation. This requires that the BCP describes critical activities in great detail.
Drafting a BCP is done by assembling knowledgeable experts who during normal operation are responsible for ICT or business processes. They define the actions, lead times and required facilities/services to be able to perform those actions. Subsequently these actions are put into a Gantt chart.
Guidance for procedures
3.2. Physical controls
Examples of physical controls
7.6 Working in secure areas
Procedures that describe the conditions for working in protected areas. For instance specifying that in such areas nobody may work alone.
7.11 Supporting utilities
Protection against loss of utilities (cooling, power, gas, water). Describes the need for uninterruptible power supplies and no-break systems.
7.14 Secure disposal or re-use of equipment
Procedures and technical tooling for the secure disposal of media (paper, disks) containing classified information.
7.1 Perimeter protection
7.2 Physical access control & biometrics
Guidance for physical controls
(Figure: zoning with general entry, operations and datacenter areas)
• Check legislation when surveillance cameras and other privacy-sensitive equipment are to be installed.
• Access rights management needs a tight interface with the human resource department when personnel are hired, fired or when someone’s position within the organization changes.
• Zoning helps to decide which parts of the organization need strict physical entry controls. For example a policy for a loading/unloading area.
• Physical controls are often managed by the organization’s facilities management department. To optimize these controls for the protection of information, the security officer/manager, the ICT manager and the facility manager should work closely together on this subject.
Guidance for physical controls
• IT systems are very vulnerable to electrical power problems. A back-up power supply (an uninterruptible power supply – UPS – for short outages and no-break systems – generators – for longer outages) is always required.
• Building management systems – controlling power, lighting, access, temperature etc. – are computer systems themselves. These need the same protection as other computer systems within the organization.
• A thorough environmental risk assessment should dictate what kind of physical entry controls are required.
• Physical barriers should not obstruct personnel leaving the premises in case of an emergency.
3.3. People controls
Examples of people controls
6.1 Screening
Procedures for the screening of personnel in those positions where special risks could occur, for instance in financial positions or in positions where confidentiality requirements are high. In case of fraud, investigating the employee’s workstation might be the only legal possibility.
6.3 Information security awareness, education and training
Procedures and all activities the organization takes to train employees in information security in general and the organization’s policies in particular.
Awareness, training
• Aspects of information security awareness:
  • Knowledge (understanding the rules)
  • Attitude (willingness to cooperate)
  • Behavior (obeying the rules)
• The awareness program must be established in alignment with the target group and led by the information security management.
• The level of awareness of the target group should be measured. The actual mindset of employees towards information security can for example be observed in a walkabout after office hours.
• Behavioral change will only happen when the target group has obtained all required knowledge and understands why security controls are required.
• Tools: class-based training, e-learning, one-to-one talks, discussion, gaming.
Social engineering
Most humans are willing to help. Adversaries use this to their advantage by building trust with an employee. After gaining their trust, the adversary uses the employee to obtain information that helps them to get access to the organization’s assets.
With the success of social media an enormous amount of personal information is publicly available. Employees should understand and follow company policies on what they can and cannot disclose on social media about the organization they work for.
Employees should be trained to identify social engineering and know how to identify who may have access to what asset(s).
Guidance for people controls
• Special care should be given to those functions where high risks occur, especially in situations where access privileges are granted. If needed, duties should be separated to reduce risk. For instance administrators should only be allowed to use admin rights when another administrator is present (“four-eye principle”).
• Defining roles and responsibilities is of the utmost importance. It is also vital to make sure that employees understand their responsibilities and that disciplinary steps are taken if they abuse them.
• All access rights should be reviewed periodically, especially when employees change roles within the organization. This requires action from the HR department and the relevant managers.
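The periodic access review and the four-eye principle above can be run as a routine comparison between what HR knows and what the access register says. The following is an added example (not from the EXIN slides) of that review: it flags rights still held by someone who has left, rights that do not belong to the employee's current role, and privileged rights whose approval was recorded by the same person who holds them. The HR records, the role-to-right mapping and the register entries are constructed sample data, and the field layout is an assumption for this illustration.

```python
"""Added example: a periodic access review driven by HR data.
All records, roles and rights below are constructed for illustration."""

# Constructed HR view: employee -> (status, current role)
HR = {
    "alice": ("active", "finance"),
    "bob":   ("active", "sysadmin"),
    "carol": ("active", "sysadmin"),   # moved from "developer" last quarter
    "dave":  ("left", "developer"),
}

# Which rights each role is entitled to (constructed).
ROLE_RIGHTS = {
    "finance":   {"erp-read", "erp-post"},
    "sysadmin":  {"server-admin", "backup-restore"},
    "developer": {"repo-write"},
}

# Rights that must be approved by someone other than the holder (four-eye principle).
PRIVILEGED = {"server-admin", "backup-restore", "erp-post"}

# Constructed access register: (employee, right, approved_by)
REGISTER = [
    ("alice", "erp-read", "cfo"),
    ("alice", "erp-post", "cfo"),
    ("bob", "server-admin", "carol"),
    ("carol", "server-admin", "carol"),   # self-approved privileged right
    ("carol", "repo-write", "lead-dev"),  # left over from her previous role
    ("dave", "repo-write", "lead-dev"),   # leaver still holds a right
]


def review_access(hr, role_rights, register, privileged):
    """Return findings as (employee, right, reason) tuples, sorted for a stable report."""
    findings = []
    for employee, right, approved_by in register:
        if employee not in hr:
            findings.append((employee, right, "no HR record: revoke and investigate"))
            continue
        status, role = hr[employee]
        if status != "active":
            findings.append((employee, right, "employee has left: revoke"))
            continue
        if right not in role_rights.get(role, set()):
            findings.append((employee, right, f"not entitled for role '{role}': review with manager"))
        if right in privileged and approved_by == employee:
            findings.append((employee, right, "privileged right self-approved: four-eye principle violated"))
    return sorted(findings)


if __name__ == "__main__":
    for employee, right, reason in review_access(HR, ROLE_RIGHTS, REGISTER, PRIVILEGED):
        print(f"{employee:6} {right:14} {reason}")
```

The review needs the HR feed to be authoritative for status and role; without that interface, which the guidance calls out, the third check (role changes) cannot be automated at all.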
3.4. Technological controls
Examples of technological controls
8.15 Logging
Event management:
• Collects information from systems, applications and network elements
• Correlates this information to determine if there is an incident, such as an outage or a security incident
• Is, in part, dependent on logging of events on the systems themselves (syslogs) or on logging servers
Not all events lead to an incident, but all events should be analyzed to verify whether an incident actually took place.
All logs should be protected to preserve their confidentiality, integrity and availability, so that the information in them can be analyzed.
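The three bullets above (collect, correlate, depend on syslog) and the remark that not every event is an incident can be shown on a handful of log lines. The following is an added example (not from the EXIN slides): it parses constructed syslog-style authentication messages and correlates them per host, source and user, raising an incident candidate only when a burst of failures is followed by a success within a time window, while a lone failure is collected but raises nothing. The log lines, the threshold of three failures and the five-minute window are assumptions made for this illustration.

```python
"""Added example: event collection and correlation over constructed syslog lines.
The lines, threshold and window are illustrative assumptions, not from the slides."""

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog style (addresses are documentation ranges).
LOG_LINES = [
    "Mar 10 09:00:01 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "Mar 10 09:00:03 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Mar 10 09:00:05 host1 sshd[2003]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "Mar 10 09:00:09 host1 sshd[2004]: Accepted password for root from 198.51.100.7 port 51004 ssh2",
    "Mar 10 09:15:00 host2 sshd[3001]: Failed password for invalid user eve from 203.0.113.5 port 40001 ssh2",
    "Mar 10 09:30:00 host2 sshd[3002]: Accepted publickey for ops from 192.0.2.10 port 40002 ssh2",
    "Mar 10 09:31:00 host2 cron[3100]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_event(line, year=2024):
    """Collect: turn one authentication log line into a dict, or None for other lines.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if not a:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": a["result"], "user": a["user"], "src": a["src"]}


def parse_events(lines, year=2024):
    """All authentication events, oldest first."""
    events = [e for e in (parse_event(l, year) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def find_incidents(events, threshold=3, window_s=300):
    """Correlate: at least `threshold` failures followed by a success for the same
    host, source and user within `window_s` seconds is an incident candidate."""
    failures = defaultdict(list)
    incidents = []
    for e in events:
        key = (e["host"], e["src"], e["user"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            incidents.append({"host": e["host"], "src": e["src"], "user": e["user"],
                              "failures": len(recent), "success_at": e["ts"]})
        failures.pop(key, None)
    return incidents


if __name__ == "__main__":
    events = parse_events(LOG_LINES)
    print(f"{len(events)} authentication events collected")
    for inc in find_incidents(events):
        print("incident candidate:", inc)
```

The correlation relies on the timestamps of different hosts being comparable, which is why clock synchronization (8.17) sits next to logging in the control list.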
8.19 Installation of software on operational systems
End users may be able to install software on their PCs themselves. This brings with it a high risk, because this software cannot be controlled and may contain malware or other threats.
8.24 Use of cryptography
Symmetric encryption
(Figure: A and B use the same key to encrypt and decrypt)
Asymmetric encryption
(Figure: A and B each hold their own key pair)
• Every party generates two keys: a private key that needs to be kept secret and a public key that everyone may know.
• When A needs to send a confidential message to B, she uses a mathematical formula that encrypts the message using her private key and B’s public key.
• When B receives the message, he can decrypt the message using his private key and A’s public key.
• A separate entity, the certificate authority (CA), acts as an intermediary responsible for delivering the public key of someone to everyone that asks for it.
• The mathematics involved should 100% guarantee that without the private keys no one can decipher messages of the one that used the corresponding public key to cipher.
• A point of attention: in case the certificate authority (CA) is hacked, fake certificates can be issued and/or all certificates can be made invalid.
Digital signatures
• Together with hash functions they can be used to prove identity and/or integrity.
• A generates a hash of a document and encrypts (“signs”) that document and its hash using her private key and sends the results to B.
• B decrypts the document and hash using A’s public key and reruns the hashing function. If the result on the decrypted document matches the decrypted hash that A sent, the document can only have originated from A.
• Of course this only works when A keeps her private key secret and there is definite proof that she “owns” her public key. This is again arranged using Certificate Authorities (CA).
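The key pair generation from the asymmetric encryption slide and the sign-then-verify exchange between A and B above can be written out end to end. The following is an added example (not from the EXIN slides) using a toy RSA key built from two tiny textbook primes, so every step is visible: A hashes the document and "encrypts" the hash with her private key, B "decrypts" it with her public key and compares it with his own hash. The primes, exponent and document are constructed for illustration only; it signs the hash alone rather than the document and its hash, and real signatures use keys of thousands of bits generated by a cryptographic library and sign a full-length hash rather than one reduced modulo n.

```python
"""Added example: a toy RSA signature to illustrate the sign/verify exchange.
Key sizes here are for reading, not for use: never sign anything with keys like these."""

import hashlib


def toy_keypair():
    """A's key pair from two tiny textbook primes (constructed for illustration)."""
    p, q = 61, 53
    n = p * q                    # modulus, part of both keys (3233)
    phi = (p - 1) * (q - 1)      # 3120
    e = 17                       # public exponent
    d = pow(e, -1, phi)          # private exponent: inverse of e modulo phi (2753)
    return (n, e), (n, d)        # (public key, private key)


def digest(document: bytes, n: int) -> int:
    """Hash the document; reduced modulo n only because the toy modulus is so small."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key) -> int:
    """A: hash the document and 'encrypt' the hash with her private key."""
    n, d = private_key
    return pow(digest(document, n), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """B: 'decrypt' the signature with A's public key and compare with his own hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(document, n)


if __name__ == "__main__":
    public_key, private_key = toy_keypair()
    document = b"Purchase order 42: 100 units"          # constructed
    signature = sign(document, private_key)
    print("genuine document and signature:", verify(document, signature, public_key))
    print("signature altered in transit:   ", verify(document, (signature + 1) % public_key[0], public_key))
    print("document altered in transit:    ", verify(b"Purchase order 42: 1000 units", signature, public_key))
```

What the code cannot show is the last bullet: nothing in verify tells B that the public key really belongs to A. That binding is what the certificate from the CA supplies, and it is why a compromised CA undermines every signature that chains to it.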
8.20-8.22 Networks security
(Figure: network diagram with the Internet, a router, a firewall, a DMZ, a second router, an IDS, the LAN with a mainframe, and a home office)
Infrastructural components – firewall types
8.7 Protection against malware
• Malware comes in a variety of types; they damage data and/or applications or steal information.
• Systems (either hardware or software based) that detect malicious code rely on signatures that represent previously found code of the malware, or detect the malicious behavior of the malware itself.
• Unfortunately, these systems generate false positives and fail to detect all known malware.
• Note that ISO/IEC 27002 uses the more general term ‘malware’. This also denotes for instance hidden backdoors and logic bombs that can (sometimes!) only be detected by humans when doing a code review of bespoke software.
• A lot of malware nowadays is transferred via USB sticks but mostly by visiting infected websites.
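The two detection approaches named above, and the two failure modes that come with them, can be shown side by side. The following is an added example (not from the EXIN slides): a signature scan that recognises only an exact, previously seen sample, and a behaviour scan that scores what a program is observed doing. A one-word variant of the known sample slips past the signature and is caught by behaviour; a benign installer that registers itself in autostart trips the behaviour rule, which is the false positive the slide mentions. The sample "files", the signature list, the behaviour indicators and the threshold are all constructed for this illustration.

```python
"""Added example: signature-based versus behaviour-based malware detection.
Samples, signatures, indicators and weights are constructed; no real malware is involved."""

import hashlib

# Constructed signature database: SHA-256 of a previously found sample -> its name.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-v1: copies itself to autostart and calls home"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "constructed-sample-v1"}

# Constructed behaviour indicators, as a run-time monitor would record them, with a weight each.
INDICATORS = {
    "writes autostart entry": 2,
    "disables logging": 3,
    "connects to unknown host": 2,
    "reads address book": 1,
}
ALERT_THRESHOLD = 3


def signature_scan(file_bytes: bytes):
    """Return the signature name if this exact sample is known, else None."""
    return SIGNATURES.get(hashlib.sha256(file_bytes).hexdigest())


def behaviour_scan(observed_actions):
    """Return (score, matched indicators) for the actions a monitor observed."""
    matched = sorted(a for a in observed_actions if a in INDICATORS)
    return sum(INDICATORS[a] for a in matched), matched


def verdict(file_bytes: bytes, observed_actions) -> str:
    """Signature hit is definite; behaviour above the threshold is a suspicion to analyse."""
    name = signature_scan(file_bytes)
    if name:
        return "known malware: " + name
    score, matched = behaviour_scan(observed_actions)
    if score >= ALERT_THRESHOLD:
        return "suspicious behaviour: " + ", ".join(matched)
    return "clean"


if __name__ == "__main__":
    variant = KNOWN_SAMPLE.replace(b"v1", b"v2")   # same behaviour, different bytes
    print(verdict(KNOWN_SAMPLE, {"writes autostart entry", "connects to unknown host"}))
    print(verdict(variant, {"writes autostart entry", "connects to unknown host"}))
    print(verdict(b"benign installer", {"writes autostart entry", "reads address book"}))  # false positive
    print(verdict(b"quarterly report", set()))
```

Raising ALERT_THRESHOLD removes the installer's false positive but would also let the variant through if it only wrote an autostart entry; that trade-off is what the slide means by systems that "generate false positives and fail to detect all known malware".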
8.31 Separation of development, test and production environments
Authorization controls
• Test environments should be controlled via authorization controls in order to protect the production environment’s integrity.
• By implementing this control an authorization must be given every time data are moved from the production to the test environment and from the test to the production environment.
• This not only increases the integrity of the data, but also guarantees that transferred data are aligned with the information security policy of the organization.
Service Oriented Architecture (SOA)
(Figure: service request)
Service Oriented Architecture (SOA) and information security
• When it comes down to information security, some aspects must be taken into consideration.
• It is important that, when designing services or infrastructure based on SOA, the information security team is involved in the project.
• The definition of which security services will be provided, and in which architecture, must be made to better align the information security requirements and the service for the customers.
Open-design architecture
• Open-design architecture advocates that establishing a single, consistent, clearly defined control catalog provides an excellent means to simplify requirements from numerous standards, governance frameworks, legislation, and regulations.
• Using OSA (Open Security Architecture) patterns provides a fast start, improves the quality of the solution that must be deployed, and reduces overall effort.
• Commonly, open-design architectures are tested a lot, which improves the security of the services.
Architectural principles: open design.
Implementation principles: secure coding practices; black box and white box testing.
Common Criteria
• Since firewalls and other access-granting equipment are the gatekeepers to the information assets of the organization, independent certification is required.
• ISO/IEC 15408, or “Common Criteria”, “… is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims”.
• When a security product has been tested against ISO/IEC 15408, it will be assigned an Evaluation Assurance Level (EAL). When users determine their assurance requirements, they can then decide to install only equipment with the corresponding EALs.
Thank you
Questions?
Contact EXIN
www.exin.com