Taking ISO/IEC 27002 From The Past Into The Future · 2021. 3. 11. · • ISO 27001 Lead...


Page 1: Taking ISO/IEC 27002 From The Past Into The Future · 2021. 3. 11. · • ISO 27001 Lead Implementor Information Security Consultant • ISMS implementation • ISMS Audits • Internal

Taking ISO/IEC 27002 From The Past Into The Future

• Please make sure your microphone and camera are turned off

• Please use the chat if you would like to ask questions

Page 2

01 INTRODUCTION

02 STRUCTURAL CHANGES

03 NEW CONTROLS

04 BUSINESS IMPACTS & CONCLUSIONS

Page 3

01 INTRODUCTION

Page 4

01 INTRODUCTION

Alex Fagerström, Cyber Security Consultant

• ISMS implementation
• ISMS audits
• Information security certifications
• ISO 27001 Lead Auditor

Pontus Lilliequist, Information Security Consultant

• Extensive knowledge within information security
• ISMS implementation
• President, ISACA Norway Chapter
• ISO 27001 Lead Implementer

Eli Sofie Finnøy Amdam, Team leader ITGS Norway

• ISMS implementation
• ISMS audits
• Internal control
• ISO 27001/2 security awareness and training

Page 5

02 STRUCTURAL CHANGES

Page 6

02 STRUCTURAL CHANGES

Existing structure (ISO/IEC 27002:2013): 14 control clauses

• Information Security Policies
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• Systems Acquisition, Development and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of BCM
• Compliance

New structure: 4 control themes (93 controls)

• Organizational controls (37 controls)
• People controls (8 controls)
• Physical controls (14 controls)
• Technological controls (34 controls)

Page 7

02 STRUCTURAL CHANGES – ATTRIBUTES

Each control is tagged with a value from every attribute group below, so the control set can be filtered or grouped into different views (for example, all #Detective controls, or all controls that support #Respond).

Control types

• #Preventive, #Detective, #Corrective

Information security properties

• #Confidentiality, #Integrity, #Availability

Cybersecurity concepts

• #Identify, #Protect, #Detect, #Respond, #Recover

Operational capabilities

• #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #Systems_and_network_security, #Application_Security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Security_assurance

Security domains

• #Governance_Ecosystems, #Protection, #Defence, #Resilience

Page 8

03 NEW CONTROLS

Page 9

03 NEW CONTROLS

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Information deletion
6. Data masking
7. Data leakage prevention
8. Monitoring activities
9. Web filtering
10. Secure coding
11. Configuration management


Page 11

1 Threat intelligence

Control description

Information relating to information security threats should be collected and analyzed to produce threat intelligence. Threat intelligence should be produced to provide information and awareness about past, present and potential future threats.

Benefits

• Organizational awareness of relevant information security threats and risks

• Increased resilience over time by learning from the past and the present and understanding the future

Challenges

• Involves both human and technological resources

• Tools for gathering information for analysis can be costly
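The control above asks for threat information to be collected and analyzed into something the organization can act on. As an added example (not part of the presentation), the Python below consumes a small indicator feed and matches it against proxy log lines. The feed, the log lines and every hostname, address and hash are constructed for illustration, and the feed schema (type, value, confidence, source, valid_until) is an assumption rather than any vendor's format. The two details worth noticing are that expired indicators are dropped before matching, and that each alert carries the source and confidence of the indicator that fired, which is what lets an analyst weigh it.

```python
"""Consuming threat intelligence: match an indicator feed against proxy logs.

Added example, not part of the presentation.  The feed, the log lines and
every hostname, address and hash are constructed for illustration (RFC 5737
test addresses, .test domains); the feed schema (type, value, confidence,
source, valid_until) is an assumption, not any vendor's format.
"""
import json
from datetime import datetime, timezone

SAMPLE_HASH = "a" * 64                                    # constructed placeholder
DEFAULT_NOW = datetime(2021, 3, 11, tzinfo=timezone.utc)  # "today" for expiry checks

# Constructed indicator feed.  Source, confidence and expiry are what turn a
# bare indicator into intelligence an analyst can weigh.
INDICATOR_FEED = json.dumps([
    {"type": "domain", "value": "updates.example-bad.test", "confidence": 80,
     "source": "vendor-A", "valid_until": "2031-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 60,
     "source": "isac-share", "valid_until": "2031-01-01T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 90,
     "source": "vendor-A", "valid_until": "2020-01-01T00:00:00Z"},   # expired
    {"type": "sha256", "value": SAMPLE_HASH, "confidence": 95,
     "source": "internal-ir", "valid_until": "2031-01-01T00:00:00Z"},
])

# Constructed proxy log: time client dest_host dest_ip sha256_of_download
PROXY_LOG = "\n".join([
    "2021-03-11T09:00:01Z 10.0.0.5 www.example.org 93.184.216.34 -",
    "2021-03-11T09:00:07Z 10.0.0.9 dl.updates.example-bad.test 203.0.113.45 -",
    "2021-03-11T09:01:13Z 10.0.0.5 cdn.example.net 198.51.100.7 -",
    "2021-03-11T09:02:40Z 10.0.0.12 files.example.org 192.0.2.10 " + SAMPLE_HASH,
])


def _parse_ts(value):
    """RFC 3339 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(feed_json, now=DEFAULT_NOW):
    """Return active indicators keyed by (type, value); expired ones are dropped.

    Infrastructure gets recycled, so stale indicators are a common source of
    false positives; the expiry is the 'past' part of the control description.
    """
    active = {}
    for ind in json.loads(feed_json):
        if _parse_ts(ind["valid_until"]) <= now:
            continue
        active[(ind["type"], ind["value"].lower())] = ind
    return active


def domain_candidates(host):
    """Yield the host and its parent domains down to two labels, so an
    indicator for example-bad.test also covers dl.updates.example-bad.test."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_log(log_text, indicators):
    """Match each log line against active indicators; return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ip, digest = line.split()
        candidates = [("domain", d, host) for d in domain_candidates(host)]
        candidates += [("ipv4", ip, ip), ("sha256", digest.lower(), digest)]
        for typ, value, observed in candidates:
            ind = indicators.get((typ, value))
            if ind is None:
                continue
            alerts.append({"time": ts, "client": client, "type": typ,
                           "indicator": value, "observed": observed,
                           "confidence": ind["confidence"], "source": ind["source"]})
    return alerts


def triage(alerts, min_confidence=70):
    """Analyst view: drop low-confidence hits, highest confidence first."""
    kept = [a for a in alerts if a["confidence"] >= min_confidence]
    return sorted(kept, key=lambda a: a["confidence"], reverse=True)


if __name__ == "__main__":
    hits = match_log(PROXY_LOG, load_indicators(INDICATOR_FEED))
    for alert in triage(hits):
        print(alert)
```

On the constructed data the expired 198.51.100.7 indicator never fires, the subdomain dl.updates.example-bad.test is caught by the parent-domain walk, and triage at confidence 70 leaves the hash hit (95) and the domain hit (80) while dropping the low-confidence IP hit (60). The confidence threshold and expiry handling are policy decisions the control leaves to the organization; the code only makes them explicit.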

Page 12

2 Information security for the use of cloud services

Control description

Strategy and processes for the acquisition, use, management and exit of cloud services should be established, considering the organization's information security requirements.

Benefits

• Maintaining protection of critical business information when using service providers

• Cloud services allow for organizational flexibility and acceleration

Challenges

• Verification of the effectiveness of service providers' security controls

• Defining the shared responsibilities for information security controls between the service provider and the service customer

Page 13

11 Configuration management

Control description

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented and monitored.

Benefits

• Security configurations are kept up to date

• Effective routines and processes for configuration management can reduce maintenance overhead costs

Challenges

• Resource allocation for maintaining the routines for managing configurations

• Businesses tend to lack the structured cyber security processes needed for configuration management
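The control description covers four steps: establish, document, implement and monitor. The monitoring step is the one most often skipped, and as an added example (not from the presentation) the Python below checks a host's effective sshd configuration against a documented baseline. The baseline values and the sample sshd_config are constructed and hypothetical, not a recommendation. It encodes two sshd_config facts that a grep-based check gets wrong: sshd uses the first occurrence of a keyword and ignores later ones, so a hardened value appended by a script changes nothing, and everything after a Match line is conditional and must not be read as a global setting.

```python
"""Checking a host's effective sshd configuration against a documented
baseline.  Added example, not from the presentation.  The baseline values and
the sample sshd_config are constructed for illustration; treat the baseline as
a hypothetical organization's documented standard, not a recommendation.
"""
import re

# Documented baseline (hypothetical): keyword -> required value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "clientaliveinterval": "300",
}

# Constructed sample of a host's /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 4
PasswordAuthentication=yes
PermitRootLogin no          # appended by a hardening script; sshd ignores it
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}.

    Two sshd_config rules matter for drift checks: for any keyword sshd uses
    the FIRST occurrence and ignores later ones, so a hardened value appended
    at the end changes nothing; and everything after a Match line applies only
    conditionally, so a check of global settings must stop there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)            # first occurrence wins
    return effective


def check_baseline(effective, baseline=BASELINE):
    """Compare effective settings with the baseline; return findings.

    Each finding is (keyword, expected, actual, status): 'drift' when the
    value differs, 'unset' when the host relies on sshd's compiled-in default
    instead of an explicit, documented value.
    """
    findings = []
    for key, expected in baseline.items():
        actual = effective.get(key)
        if actual is None:
            findings.append((key, expected, None, "unset"))
        elif actual.lower() != expected.lower():
            findings.append((key, expected, actual, "drift"))
    return findings


def audit(text, baseline=BASELINE):
    """Parse a config and return its findings; an empty list means compliant."""
    return check_baseline(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for key, expected, actual, status in audit(SAMPLE_SSHD_CONFIG):
        print(f"{status:5} {key}: expected {expected!r}, found {actual!r}")
```

Run against the constructed sample this reports PermitRootLogin and PasswordAuthentication as drifted (the trailing "PermitRootLogin no" and the Match-scoped "PasswordAuthentication no" do not count) and ClientAliveInterval as unset. The same parse-then-compare shape applies to any other configuration source; the part that needs care for each product is the parser's knowledge of how that product resolves duplicates and scopes.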

Page 14

10 Secure coding

Control description

Aims to ensure software is written securely, thereby reducing the number of potential information security vulnerabilities in the software.

Benefits

• Mitigating the risk of data breaches by addressing potential security flaws early in development

• Security is top of mind from the start of system development, rather than being addressed only right before deployment into production

Challenges

• Security knowledge and costs

• A large overhead on standard development practices

Page 15

04 BUSINESS IMPACTS & CONCLUSIONS

Page 16

04 BUSINESS IMPACTS & CONCLUSIONS

• Information security as part of corporate governance

• Flexibility to organize information security controls according to business responsibility

• Streamlining internal controls

Page 17

QUESTIONS?

Page 18

CONTACT US

Alex Fagerström, Cyber Security Consultant
[email protected]
+358 40 679 26 24

Pontus Lilliequist, Information Security Consultant
[email protected]
+47 41 33 66 56

Eli Sofie Finnøy Amdam, Team leader ITGS Norway
[email protected]
+46 72 181 93 11

CONTACT US