Taking ISO/IEC 27002 From The Past Into The Future
Transcript of the presentation · 2021. 3. 11.
• Please make sure your microphone and camera are turned off
• Please use the chat if you would like to ask questions
AGENDA
01 INTRODUCTION
02 STRUCTURAL CHANGES
03 NEW CONTROLS
04 BUSINESS IMPACTS & CONCLUSIONS
01 INTRODUCTION

Presenters: Alex Fagerström, Pontus Lilliequist, Eli Sofie Finnøy Amdam

Cyber Security Consultant
• ISMS implementation
• ISMS audits
• Information security certifications
• ISO 27001 Lead Auditor

Information Security Consultant
• Extensive knowledge within information security
• ISMS implementation
• President ISACA Norway Chapter
• ISO 27001 Lead Implementor

Team leader ITGS Norway
• ISMS implementation
• ISMS audits
• Internal control
• ISO 27001/2 security awareness and training
02 STRUCTURAL CHANGES
Previous structure (14 control domains):
• Information Security Policies
• Access Control
• Communications Security
• Information Security Aspects of BCM
• Organization of Information Security
• Cryptography
• Systems Acquisition, Development and Maintenance
• Compliance
• Human Resources Security
• Physical and Environmental Security
• Supplier Relationships
• Asset Management
• Operations Security
• Information Security Incident Management

New structure (4 themes):
• Organizational controls (37 controls)
• Physical controls (14 controls)
• People controls (8 controls)
• Technological controls (34 controls)
02 STRUCTURAL CHANGES – ATTRIBUTES

Control types
• #Preventive, #Detective, #Corrective

Information security properties
• #Confidentiality, #Integrity, #Availability

Cybersecurity concepts
• #Identify, #Protect, #Detect, #Respond, #Recover

Operational capabilities
• #Governance, #Asset_management, #Information_protection, #Human_resource_security, #Physical_security, #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management, #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance

Security domains
• #Governance_and_Ecosystem, #Protection, #Defence, #Resilience
03 NEW CONTROLS

1. Threat intelligence
2. Information security for the use of cloud services
3. ICT readiness for business continuity
4. Physical security monitoring
5. Information deletion
6. Data masking
7. Data leakage prevention
8. Monitoring activities
9. Web filtering
10. Secure coding
11. Configuration management
1. Threat Intelligence

Control description
Information relating to information security threats should be collected and analyzed to produce threat intelligence. Threat intelligence should be produced to provide information and awareness about past, present and potential future threats.

Benefits
• Organizational awareness of relevant information security threats and risks
• Increased resilience over time by learning from the past and the present and understanding the future

Challenges
• Involves both human and technological resources
• Tools for gathering information for analysis can be costly
2. Information security for the use of cloud services

Control description
Strategy and processes for the acquisition, use, management and exit of cloud services should be established, considering the organization's information security requirements.

Benefits
• Maintaining protection of critical business information using service providers
• Cloud services allow for organizational flexibility and acceleration

Challenges
• Verification of the security control effectiveness of service providers
• Defining the shared responsibilities for information security controls between the service provider and the service customer
11. Configuration management

Control description
Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented and monitored.

Benefits
• Staying up to date with security configurations
• Effective routines and processes for configuration management can reduce maintenance as an overhead cost

Challenges
• Resource allocation for maintaining the routines of managing configurations
• Businesses tend to lack the structured cyber security processes needed for configuration management
10. Secure coding

Control description
Aims to ensure software is written securely, thereby reducing the number of potential information security vulnerabilities in the software.

Benefits
• Mitigating the risk of data breaches by addressing potential security flaws early in development
• Security is top of mind from the start of system development, and not addressed only right before deployment into production

Challenges
• Security knowledge and costs
• A large overhead on standard development practices
04 BUSINESS IMPACTS & CONCLUSIONS

• Information security as part of corporate governance
• Flexibility of organizing information security controls according to the business responsibility
• Streamlining internal controls
QUESTIONS?

CONTACT US
Alex Fagerström, Pontus Lilliequist, Eli Sofie Finnøy Amdam
• Cyber Security Consultant: +35 840 679 26 24
• Information Security Consultant: +47 4 133 66 56
• Team leader ITGS Norway: +46 72 181 93 11