Nov 02 2023

Implementation Guide ISO/IEC 27001:2022

Category: ISO 27kdisc7 @ 9:00 am

Implementation Guide ISO/IEC 27001:2022 by ISACA Germany Chapter.

About This Guide
Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022

About ISO/IEC 27001:2022
ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.

ISACA Germany Chapter
Homepage can be found here https://lnkd.in/gRu8kT75

ISO 27001 Controls Handbook: Implementing and auditing 93 controls to reduce information security risks

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Implementation Guide ISO/IEC 27001:2022


Sep 10 2023

ISO 27k1/2 Transitioning to the 2022 standards

Category: ISO 27kdisc7 @ 8:08 am

Implementing and auditing an Information Security Management System in small and medium-sized businesses

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: ISO 27001 2022, ISO 27002 2022


Aug 05 2023

ISO 27001 Internal Audit Report Template

Category: ISO 27kdisc7 @ 11:45 am

ISO 27001 Internal Auditor Course

Internal Auditing in Plain English: A Simple Guide to Super Effective ISO Audits 

Transition plan from ISO 27001 2013 to ISO 27001 2022

Why the updated ISO 27001 standard matters to every business’ security

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read

ISO 27001 Internal Audit

Tool for defining the ISO 27001 ISMS scope

Risk Management document templates

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

How to Maintain ISO 27001 Certification: 7 Top Tips

Implementing an ISMS – The nine Steps approach

ISO 27001 CyberSecurity Toolkit

Top 3 ITG ISO 27001 books 

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: ISO 27001 Internal Audit, ISO 27001 Internal Auditor Course, ISO 270012022, ISO 270022022


Jul 15 2023

What is ISO 27701 and in What Situation this Cert will be appropriate?

Category: ISO 27kdisc7 @ 2:51 pm

ISO 27701 is an international standard that provides guidelines for implementing a privacy information management system (PIMS) based on the requirements of the General Data Protection Regulation (GDPR) and other relevant privacy regulations. It was published by the International Organization for Standardization (ISO) in August 2019.

ISO 27701 is an extension of ISO 27001, which is a widely recognized international standard for information security management. It introduces additional controls and requirements specific to the management of privacy information within an organization.

The standard outlines the framework for establishing, implementing, maintaining, and continually improving a privacy information management system. It helps organizations to identify and manage privacy risks, implement privacy controls, and demonstrate compliance with applicable privacy laws and regulations.

ISO 27701 focuses on protecting individuals’ privacy rights and ensuring responsible handling of personal information. It provides guidance on various aspects of privacy management, including privacy policy development, privacy risk assessment, privacy impact assessments, consent management, data subject rights, data breach management, and vendor management.

By implementing ISO 27701, organizations can enhance their privacy practices, build trust with customers and partners, and demonstrate their commitment to protecting personal information. It is especially relevant for organizations that process large amounts of personal data or handle sensitive information, as it helps them establish a systematic approach to privacy management.

It’s important to note that ISO 27701 is not a certification itself but an extension to ISO 27001. Organizations can seek certification against ISO 27001 and include ISO 27701 requirements as part of their certification process to demonstrate compliance with privacy regulations.

in what situation ISO 27701 certification may be appropriate?

ISO 27701 certification may be appropriate for organizations that handle personal data and are subject to privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union or other similar privacy laws worldwide. Here are some situations where ISO 27701 certification may be relevant:

  1. Data Controllers and Processors: Organizations that act as data controllers or processors and handle personal data on a significant scale can benefit from ISO 27701 certification. This includes organizations in sectors such as healthcare, finance, e-commerce, technology, and marketing that process large volumes of personal information.
  2. Legal and Regulatory Compliance: ISO 27701 certification helps organizations demonstrate compliance with privacy regulations. If an organization operates in jurisdictions with strict privacy laws or serves customers from regions with robust privacy requirements, certification can provide assurance to stakeholders that the organization has implemented appropriate privacy controls.
  3. Third-Party Assurance: Organizations that act as vendors or service providers for other companies may pursue ISO 27701 certification to demonstrate their commitment to privacy management. This can be particularly relevant for organizations providing cloud services, data processing, or other services involving personal data, as it helps build trust and confidence with customers.
  4. Competitive Advantage: ISO 27701 certification can serve as a competitive differentiator for organizations. It showcases their dedication to privacy protection and can attract customers who prioritize strong privacy practices and compliance when selecting vendors or partners.
  5. Data Breach Prevention and Response: ISO 27701 provides guidelines for managing data breaches and responding to privacy incidents effectively. Organizations that want to establish robust incident response procedures and enhance their ability to prevent and manage data breaches can benefit from implementing ISO 27701.
  6. Privacy-Driven Culture: ISO 27701 certification promotes a privacy-centric culture within an organization. It helps organizations establish clear policies, procedures, and training programs to educate employees about privacy responsibilities and foster a privacy-aware mindset throughout the organization.

Ultimately, the decision to pursue ISO 27701 certification depends on the specific needs, risk profile, and regulatory environment of the organization. Conducting a thorough assessment of privacy risks, legal requirements, and business objectives can help determine whether certification is appropriate and beneficial for the organization.

Achieve full compliance with ISO 27701:2019

The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).

It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.

ISO 27701 Gap Analysis Tool

This standard is ideal for organizations wishing to implement a PIMS that supports their ISMS objectives and helps meet their data privacy compliance requirements, such as those stipulated by the EU’s GDPR (General Data Protection Regulation) and the UK’s DPA (Data Protection Act) 2018.

ISO/IEC 27701 2019 Standard

An ideal guide for anyone wanting to implement a PIMS (personal information management system) and understand how it can benefit their organization

ISO/IEC 27701:2019: An introduction to privacy information management

More ISO 27701 related tools and training…

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: ISO 27701, ISO 27701 2019 Standard and Toolkit, ISO 27701 Gap Analysis Tool


Jul 12 2023

What is ISO 27001 and in What Situation this Cert will be appropriate?

Category: ISO 27kdisc7 @ 2:42 pm

ISO 27001 is an internationally recognized Information Security Standard that is widely acclaimed. It is published by the International Organization for Standardization (ISO) and provides a certifiable framework comprising security policies and procedures. The standard aims to assist organizations in safeguarding their data by implementing an Information Security Management System (ISMS).

To obtain ISO 27001 certification, organizations must fulfill the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) that aligns with their specific business needs. The ISO 27001 standard consists of two distinct parts: Clauses and Annex A. The Clauses outline the general requirements for an ISMS, while Annex A provides a set of controls and objectives that organizations can choose to implement based on their risk assessment and security requirements.

Clauses 4-10 in ISO 27001 consist of mandatory requirements that all organizations seeking certification must fulfill. Each clause includes several sub-requirements. Here is a brief overview of each clause:

  1. Clause 4: Context of the Organization – Organizations must determine the scope of their ISMS, identify internal and external issues relevant to information security, and define the interested parties.
  2. Clause 5: Leadership – Top management should demonstrate leadership and commitment to the ISMS by establishing policies, assigning responsibilities, and promoting awareness.
  3. Clause 6: Planning – This clause emphasizes the importance of risk assessment and treatment, setting objectives, and planning to achieve them.
  4. Clause 7: Support – Organizations must provide the necessary resources, competence, awareness, communication, and documented information to support the ISMS.
  5. Clause 8: Operation – This clause covers the implementation of risk treatment plans, management of changes, and effective operation of controls and processes.
  6. Clause 9: Performance Evaluation – Organizations need to monitor, measure, analyze, and evaluate the performance of the ISMS and conduct internal audits.
  7. Clause 10: Improvement – This clause focuses on nonconformities, corrective actions, continual improvement, and the management of incidents and improvements.

Meeting these mandatory requirements is crucial for organizations seeking ISO 27001 certification.

Annex A of ISO 27001 comprises a collection of security controls that are not obligatory but can be selectively implemented based on the specific needs of an organization. By conducting a risk assessment, organizations can identify the security controls that align with their security program and effectively address their risks and vulnerabilities. This approach allows organizations to tailor the implementation of controls to their unique requirements and enhance their overall information security posture.

After establishing the necessary policies, procedures, and documentation for ISO 27001 compliance and ISMS is operational, organizations can engage an accredited certification body to perform an audit. This audit assesses the implementation and effectiveness of the Information Security Management System (ISMS) against the ISO 27001 requirements. If the audit is successful and the organization meets all the necessary criteria, an ISO 27001 certificate will be issued, validating the organization’s adherence to the standard and their commitment to information security.

By adhering to ISO 27001 standards, organizations can establish robust policies, procedures, and technology measures that effectively safeguard their data, regardless of its location. This comprehensive approach significantly reduces the risk of cyber-attacks and fosters a culture of information security within the organization.

Obtaining ISO 27001 certification serves as a notable competitive advantage for businesses, irrespective of their industry or size. The certification acts as concrete evidence to customers that the organization is dedicated to protecting their data and fulfilling contractual security obligations. Moreover, ISO 27001 certification holds international recognition, making it instrumental in expanding global business opportunities and establishing trust with partners worldwide.

DISC LLC offers the expertise of a team comprised of former ISO auditors and experienced practitioners who can assist in preparing your organization for a successful ISO 27001 audit. Their services aim to guide you towards certification by identifying and addressing any gaps that may exist within your current security program. They provide support in implementing the required policies, procedures, and technologies to meet the ISO 27001 standards. With their knowledge and experience, DISC LLC can help your organization navigate the certification process and ensure a solid foundation for information security.

Following the attainment of ISO 27001 certification, we offer services to manage and maintain your Information Security Management System (ISMS). Our expert team will diligently oversee and guide your ISMS to ensure ongoing compliance with ISO 27001 requirements, thereby facilitating future certifications. By entrusting us with the management of your ISMS, you can focus on your core business activities while maintaining the necessary level of information security and sustaining your commitment to ISO 27001 standards.

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

Transition plan from ISO 27001 2013 to ISO 27001 2022

Why the updated ISO 27001 standard matters to every business’ security

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read

ISO 27001 Internal Audit

Tool for defining the ISO 27001 ISMS scope

Risk Management document templates

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

How to Maintain ISO 27001 Certification: 7 Top Tips

Implementing an ISMS – The nine Steps approach

ISO 27001 CyberSecurity Toolkit

Top 3 ITG ISO 27001 books 

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: ISO 27001 2022, iso 27001 certification, ISO 27002 2022


Jun 27 2023

How to transition to the 2022 version of ISO27001

Category: Information Security,ISO 27kdisc7 @ 7:54 am

By Chris Hall

This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.



This approach is tried and tested in that I have used it to successfully transition an organization to the new version. In the transition audit there were no nonconformities.

#iso27001 #iso27001transition

How to transition to the 2022 version of ISO27001

Tags: ISO 27001 2022, ISO 27002 2022


May 03 2023

What Is ISO 27001 And How To Go About It The Right Way

Category: ISO 27kDISC @ 11:10 pm

What is ISO 27001?

ISO 27001 is a globally recognized standard on information and cyber security. By being compliant with this standard, you are operating in accordance with globally identified best practices. By being ISO 27001 certified, you’re not only operating in accordance with it, but you will also receive a clear stamp as evidence to your customers and other stakeholders that you are working aligned with security best practices.

Common Trap When Pursuing ISO 27001

Often companies who want to pursue ISO 27001 will quickly drop the idea when they start looking into the standard – this is because, often companies fall into the trap of starting with the controls as specified in ISO 270002 . When you only focus on the controls and implementation guidance, it can feel overwhelming and be frustrating as you will notice a lot of the implementation guidance will not make sense to your company and you can be under the impression that you are required to follow all the implementation guidance in order to become compliant or go for the certification.

This is false!

Falling into this trap, you are missing out on the core purpose of the standard. It is not about implementing all the controls and all the guidance you get from the standard – it is about building a functional management system that is aligned with your company context – it is about understanding the issues and risks you as a company are facing, and taking the appropriate measures to protect your assets and information.

How To Go About It The Right Way!

You should always start by focusing on the standard clauses in ISO 27001 that provide clear guidance on how to build a functional management system, when this is done correctly the controls will fall into place in the correct order at the right time in accordance with your company context and the risks that you as a company need to manage.

When people say that small companies should not pursue iso because it is too complex and has too many requirements – the above is the reason why it does not have to be.

All companies should prioritize and have a functional management system on how they secure their own company and the company assets. Protecting your values is a crucial element to stay in business!

Make sure you understand your company, your needs, and please avoid looking at other companies and the measures they have taken to protect themself and think that you have to do the same. Make your management system your own, build it so that it isdesigned to protect your assets. This way, you will have greater success and security will not be something that is forced on your company, it will be a tool to help you work more efficiently and securely.

Summary

To sum it up, ISO 27001 is a great standard to pursue both for small and large organizations.

Make sure you understand the purpose of the standard, and as a result implement a management system that is a perfect fit for your organization for long term success. ISO 27001 done right will result in a more secure and effective company that will again support the main goal of business continuity.

ISO 27001 Risk Assessment and Gap Assessment

Cybersecurity Management Solution Pack:


What is BS ISO/IEC 27001:2022 – Expert Commentary about?
BS ISO/IEC 27001:2022 is the third edition of this standard. It technically revises, cancels, and replaces the Second Edition – ISO/IEC 27001:2013 (also published as BS EN ISO/IEC 27001:2017). BS ISO/IEC 27001:2022 presents the requirements for an information security management system (ISMS). An ISMS assists an organization to preserve the confidentiality, integrity, and availability of information, in the face of an ever-changing threat landscape, no matter the source of risk. Thus, it deals with threats that can be technological, human, physical and environmental in nature.

The standard requires an organization to adopt a risk management framework to determine the necessary information security controls best suited to their business needs and risk appetite. To help organizations ensure that they have not inadvertently omitted any necessary control, the framework uses a reference set of controls (BS ISO/IEC 27001, Annex A), which also facilitates reliable comparisons to be drawn between organizations. The level of change incorporated into the revised version of the standard is medium.

The main changes compared to the previous edition are:
a fully revised reference information security control set (Annex A), which now aligns with ISO/IEC 27002:2022 and
alignment with the revised harmonized structure (HS) for management system standards.

Download ISO27000 family of information security standards today!

InfoSec books | InfoSec tools | InfoSec services

Tags: ISO 27001:2022, ISO 27002 2022


Feb 28 2023

Transition plan from ISO 27001 2013 to ISO 27001 2022

Category: ISO 27kDISC @ 11:10 pm

How to create a transition plan from ISO 27001 2013 to ISO 27001 2022

Transitioning from ISO 27001:2013 to ISO 27001:2022 involves updating your Information Security Management System (ISMS) to meet the new requirements specified in the latest version. Here are some steps you can take to help ensure a smooth transition:

  1. Review the changes: The first step is to familiarize yourself with the changes made in the 2022 version. Some of the key changes include a more risk-based approach, more emphasis on leadership, and greater alignment with other ISO management system standards. You can find a detailed list of changes on the ISO website.
  2. Identify gaps: Once you have reviewed the changes, identify any gaps between your current ISMS and the new requirements. This may involve reviewing your policies, procedures, and controls to ensure they align with the new standard.
  3. Develop an action plan: Based on the gaps you identified, develop an action plan to address them. This may involve updating policies and procedures, implementing new controls, or conducting additional training.
  4. Train staff: It is important to ensure that all relevant staff members are trained on the new requirements and how they impact their roles and responsibilities.
  5. Conduct internal audits: Conduct internal audits to ensure that your updated ISMS is effectively implemented and meets the new requirements.
  6. Seek certification: Once you are confident that your updated ISMS meets the new requirements, seek certification from an accredited certification body.
  7. Monitor and continually improve: Finally, monitor your ISMS and continually improve it to ensure that it remains effective and aligned with the latest best practices.

Overall, transitioning to the new version of ISO 27001 requires careful planning and execution. By following these steps, you can help ensure a successful transition and maintain the security of your organization’s information assets.

ISO 27001 2022 strategy

ISO 27001 2022 Changes

Previous posts on ISO 27k

Certified ISO 27001:2022 ISMS Transition Self-Paced Online Training Course

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read | ISO 27001/2 Titles

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: ISO 27001 2013, ISO 27001 2022


Nov 29 2022

Why the updated ISO 27001 standard matters to every business’ security

Category: Information Security,ISO 27kDISC @ 10:13 am

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.

Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

  • Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
  • Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

ISO 27001 Risk Assessment and Gap Assessment

ISO 27001 Compliance and Certification

Tags: iso 27001, iso 27002


Nov 14 2022

ISO 27001:2022 Has Been Released – What Does It Mean for Your Organization?

Category: Information Security,ISO 27kDISC @ 12:39 am

A new version of ISO 27001 was published this week, introducing several significant changes in the way organisations are expected to manage information security.

The Standard was last revised almost a decade ago (although a new iteration of the supplementary standard ISO 27002 was published in February 2022), meaning that the release of ISO 27001:2022 has been much needed and highly anticipated.

What’s changing?

The good news for organisations is that ISO 27001:2022 doesn’t drastically overhaul their compliance requirements. There are new requirements on planned changes and how your organisation should deal with them, as well as a greater focus on how you must deal with the needs and expectations of interested parties.

Annex A of ISO 27001 now refers to the updated information security controls in ISO 27002:2022, and the Standard requires organisations to document and monitor objectives.

It also aligns its terminology with that used across other ISO management system standards.

Another notable aspect of its terminology is that ISO 27002:2022 no longer refers to itself as a “code of practice”. This better reflects its purpose as a reference set of information security controls.

However, the most significant changes with the 2022 version of ISO 27002 are in its structure. It is no longer divided into 14 control categories, and is instead split into four ‘themes’: organisational, people, physical and technological.

Meanwhile, although the 2022 version of ISO 27002 is significantly longer than its predecessor, the total number of controls has decreased from 114 to 93.

This is because many of its controls have been reordered and merged. Only 35 controls are unchanged, while 11 completely new requirements have been added. These are:

  • Threat intelligence
  • Information security for use of cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

The new and amended controls are also categorised according to five types of ‘attribute’: control type, operational capabilities, security domains, cybersecurity concepts and information security properties.

This change is intended to make it easier to highlight and view all controls of a certain type, such as all preventive controls, or all controls related to confidentiality.

How will this affect organisations implementing ISO 27001?

The introduction of ISO 27001:2022 won’t have an immediate effect on organisations that are currently certified to ISO 27001:2013 or are in the process of achieving certification.

For the time being, organisations should continue to follow the 2013 version of the Standard. This means, for example, that the SoA (Statement of Applicability) should refer to the controls listed in Annex A of ISO 27001:2013, while the 2022 version of the Standard should be used only as a reference.

Indeed, the reason that the updated version is being published now is to give organisations time to familiarise themselves with the new controls before embarking on an implementation project.

The controls listed in ISO 27002:2022 can be considered an alternative control set that you will have to compare with the existing Annex A – just as you would with any other alternative control set.

ISO 27002:2022 has an annex that compares its controls with the 2013 iteration of the Standard, so this should be relatively straightforward.

What next?

There is a three-year transition period for certified organisations to revise their management system to conform to a new version of a standard, so there will be plenty of time to make the necessary changes.

However, it’s never wise to put off the planning process until the last minute. Implementation will take several months, and it’s worth knowing what’s expected of you as soon as possible.

You can begin by reading the Standard for yourself. You can purchase a digital copy of ISO 27001:2022 from our website, and we recommend comparing the updated version to the 2013 edition and your current compliance practices to determine what adjustments you’ll have to make.

If you’re unsure how to proceed, our team of experts are here to help. Having led the world’s first ISO 27001 certification project, we understand what it takes to implement the Standard.

Speak to one of our experts for more information on how we can support you.

Tags: ISO 27001:2022


Oct 18 2022

Detailed explanation of 11 new security controls in ISO 27001:2022

Category: Information Security,ISO 27kDISC @ 9:00 am

If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.

In this article, I’ll focus on 11 new controls that are set to be introduced in ISO 27001. For general information about the changes, see this article: Most important facts about changes in ISO 27001/ISO 27002.

What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.

As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.

Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.

So, let’s review the 11 controls in more detail…

https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/?

Tags: ISO 270012022, ISO 27001:2022, ISO27k


Sep 30 2022

LIST OF Materials for ISO Internal Audit

Category: Information Security,ISO 27kDISC @ 2:55 pm

Tags: ISO internal audit


Sep 29 2022

6 Pocket eBooks every ISO professional should read

Category: ISO 27kDISC @ 1:15 pm

If you’re into ISO implementation or auditing, then you know that ISO books are a valuable resource. They can teach you new things, introduce you to new concepts around implementation, auditing and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 6 essential reference eBooks for ISO professional.

ISO INTERNAL AUDIT: A PLAIN ENGLISH GUIDE

THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE ON ISO INTERNAL AUDIT

Author, auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO internal audit.

This book, ISO Internal Audit: A Plain English Guide, is based on Advisera’s internal auditor online courses. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, OHSAS 18001, ISO 22000, ISO 20000, or internal audits against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO internal audit without struggle, stress, or headaches.

PREPARATIONS FOR THE ISO IMPLEMENTATION PROJECT:
A PLAIN ENGLISH GUIDE

Author and experienced ISO consultant Dejan Kosutic has created this shorter book as part of the ISO pocket book series, focused solely on preparation for the ISO implementation.

This book, Preparations for the ISO Implementation Project: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparation for the implementation of an ISO standard (e.g., ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, or IATF 16949), and who don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical advice you need to prepare for your ISO implementation without struggle, stress, or headaches.

MANAGING ISO DOCUMENTATION: A PLAIN ENGLISH GUIDE

Author and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on managing ISO documentation.

This book, Managing ISO Documentation: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing documentation for ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, and/or IATF 16949, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to manage your ISO documentation without struggle, stress, or headaches.

PREPARING FOR ISO CERTIFICATION AUDIT: A PLAIN ENGLISH GUIDE

Author, certification auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO 9001/ISO 14001/ISO 27001 certification audit.

This book, Preparing for ISO Certification Audit: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, or certification audit against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO certification audit process and pass the certification without struggle, stress, or headaches.

ISO 27001 ANNEX A CONTROLS IN PLAIN ENGLISH

Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on safeguards specified in ISO 27001:2013.

This book, ISO 27001 Annex A Controls in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on security controls, and don’t have the time (or need) to read a comprehensive book about ISO 27001. This series of handbooks has one aim in mind: To help you understand what these 114 controls are all about.
In the second book of this series, ISO 27001 Annex A Controls in Plain English.

ISO 27001 RISK MANAGEMENT IN PLAIN ENGLISH

THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE FOR THE RISK MANAGEMENT OF ISO 27001

Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on the issues of risk management according to ISO 27001.

This book, ISO 27001 Risk Management in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on risk management, and don’t have the time (or need) to read a comprehensive book about ISO 27001. It has one aim in mind: to give you the knowledge and practical step-by-step process you need to successfully implement ISO 27001 risk assessment and treatment – without struggle, stress, or headaches.

Tags: ISO Cert Audit, ISO controls, ISO documentation, ISO implementation, ISO internal audit


Sep 22 2022

Second Course Exam for Free – ISO 9001, ISO 14001, ISO 27001 & EU GDPR

Category: Information Security,ISO 27kDISC @ 8:30 am

I just wanted to inform you that, at the end of September, Advisera launched “Second Course Exam for Free” promotional campaign. The campaign will start on September 22, and end on September 29, 2022.

Take the ISO 9001 course exam and get the ISO 14001, ISO 13485, or 45001 course exam for free


In this promotion the second course exam is completely FREE OF CHARGE.

The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.

Take the ISO 27001 course exam and get the EU GDPR course exam for free

Foundations course exam bundles:

ISO 9001 Foundations exam + ISO 14001 Foundation exam

ISO 9001 Foundations exam + ISO 27001 Foundation exam

ISO 9001 Foundations exam + ISO 13485 Foundation exam

ISO 9001 Foundations exam + ISO 45001 Foundation exam

ISO 14001 Foundations exam + ISO 45001 Foundation exam

Internal Auditor course exam bundles:

ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam

ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam

Lead Auditor course exam bundles:

ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam

ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam

ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam

ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam

Lead Implementer course exam bundles:

ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam

ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam

ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam

ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam

2/ ISO 27001/EU GDPR-related bundles:

ISO 27001 Foundations exam + EU GDPR Foundations exam

ISO 27001 Foundations exam + ISO 9001 Foundation exam

ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam

ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam

ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam

ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam

Take the ISO 9001 course exam and get the ISO 14001, ISO 13485, or 45001 course exam for free

Take ISO 27001 course exam and get the EU GDPR course exam for Free

Take the ISO 27001 course exam and get the EU GDPR course exam for free

Tags: EU GDPR, ISO 13485, ISO 14001, iso 27001, ISO 45001, iso 9001


Sep 19 2022

ISO 27001 Internal Audit

Category: Information Security,ISO 27kDISC @ 12:40 pm

DISC LLC presents a phase approach to deliver ISO 27001 Internal Audit services to SaaS businesses. 

ISO27001 Internal Audit Service - iTGRC security and compliance advisory  group

The Engagement:

We understand that your core business is your SaaS application and you desire an audit.  The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify if the program is ready to pass the certification audit for ISO 27001:2013 certification, and provide strategic guidance for achieving the certification.  Our focus will be your application which is hosted at AWS/Azure and you have xxx employees who create, maintain, and manage the application.

The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews.  We will complete your standard audit process documentation according to the ISO 27001 standard. 

The Plan:

Below is our high-level audit plan for your ISO 27001internal audit.  We propose a staged and flexible approach so we may progressively tune our audit process to deliver maximum business value to you.

Phase 1: This phase starts within a week one of signing of an engagement contract.  First step is a kickoff meeting to discuss the overall audit engagement, to finalize the formal audit plan, and to establish access to documents to be reviewed. We will review the available documents based on the ISO27001 standard. At the end of this phase we will present our findings in a briefing session.

Phase2: Phase 2 kickoff will be based on the document review and coordinate scheduling interviews that focus on critical processes to establishing the degree that the various control procedures have been activated. This is a critical part of the audit process. We will measure the maturity of required controls that has been implemented and present the findings for review within another review session (schedule subject to availability for interviews). 

Phase 3: Recommendations will be the focus of this phase.  This will also start with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass (to-be state) the certification audit.  This final step can save you a lot of effort as we can help you navigate to the end goal of passing the audit and also create the precise measures that have maximum business value.  The closing meeting of this phase will present our collective recommendations.

All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add.  These audit records will likely be a primary target of the certification audit so they need to be well executed.  Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure.  We can help you do both.  Missing the secure part would be devastating to you and to all of your customers. This is our value-add. 

If you have a question about ISO 27001 internal audit:

LIST OF Materials for ISO Internal Audit

Checkout our latest articles on ISO 27001/2

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

email: Info@DeuraInfoSec.com

Tags: Internal audit, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27001 Internal Audit


Sep 18 2022

Tool for defining the ISO 27001 ISMS scope

Category: ISO 27k,Security ToolsDISC @ 8:42 am
No alternative text description for this image

Free tool | *Tool for defining the ISO 27001 ISMS scope*

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

What is ISO 27001 Information Classification?

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

The challenges of achieving ISO 27001

Risk Management document templates

Tags: ISO 27001 ISMS scope


Sep 14 2022

Risk Management document templates

Risk Assessment and Risk Treatment Methodology

The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately

Risk Assessment Table

The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Treatment Table

The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Risk Assessment and Treatment Report

The purpose of this document is to give a detailed overview of the process and documents used during risk assessment and treatment.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

This document is an appendix. The main document is not included in the price of this document and can be purchased separately

Statement of Applicability

The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Risk Treatment Plan

The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.

Toolkit below contains all the documents above

Tags: Risk Assessment, Security Risk Assessment


Sep 12 2022

The challenges of achieving ISO 27001

Category: ISO 27kDISC @ 8:31 am

ISO 27001 is a widely-known international standard on how to manage information security.

In this Help Net Security video, Nicky Whiting, Director of Consultancy, Defense.com, talks about the challenges of achieving ISO 27001, a widely-known international standard.

ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

ITG is offering bestselling implementation guides free with each toolkit purchase

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?

How to Maintain ISO 27001 Certification: 7 Top Tips

Enroll for free in ISO 27001 online courses

Tags: iso 27001, iso 27002, ISO/IEC 27001


Sep 07 2022

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

Category: ISO 27k,Security ToolsDISC @ 10:26 am

Implement ISO 27001 & ISO 27017 & ISO 27018 yourself, and do it easily and efficiently with our Documentation Toolkit.

a close up of text on a white background

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 47 document templates – unlimited access to all documents required for ISO 27001 & 27017 & ISO 27018 certification, plus commonly used non-mandatory documents 
  • Access to video tutorials 
  • Email support 
  • Expert review of a document 
  • One hour of live one-on-one online consultations
    with an ISO 27001 & ISO 27017 & ISO 27018 expert 
  • Upcoming: free toolkit update for the new ISO 27001 2022 revision 

Fully optimized for small and medium-sized companies

TOOLKIT DOCUMENTS

Look at EVERY template in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit – for free! – before making a purchase.

Tags: iso 27001, iso 27017, ISO 27018, toolkit


Sep 02 2022

What is ISO 27001 Information Classification?

Category: Information Classification,ISO 27kDISC @ 10:50 am

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.

Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.

However, they shouldn’t have access to other types of sensitive information, such as financial records.

In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.


Where does ISO 27001 fit in?

Organizations that are serious about data protection should follow ISO 27001.

The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.

Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.

Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.

There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if it’s confidentiality is compromised, but the organisation must make it widely available in order to function.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but it should be consistent and clear.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information asset based on its classification and format.

For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.

By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

Information classification table example

Use a table to simplify the data handling documentation process.

Source: What is ISO 27001 Information Classification

Introduction to Cataloging and Classification

Tags: classification, Introduction to Cataloging and Classification


Next Page »