Feb 28 2023

Transition plan from ISO 27001 2013 to ISO 27001 2022

Category: ISO 27kDISC @ 11:10 pm

How to create a transition plan from ISO 27001 2013 to ISO 27001 2022

Transitioning from ISO 27001:2013 to ISO 27001:2022 involves updating your Information Security Management System (ISMS) to meet the new requirements specified in the latest version. Here are some steps you can take to help ensure a smooth transition:

  1. Review the changes: The first step is to familiarize yourself with the changes made in the 2022 version. Some of the key changes include a more risk-based approach, more emphasis on leadership, and greater alignment with other ISO management system standards. You can find a detailed list of changes on the ISO website.
  2. Identify gaps: Once you have reviewed the changes, identify any gaps between your current ISMS and the new requirements. This may involve reviewing your policies, procedures, and controls to ensure they align with the new standard.
  3. Develop an action plan: Based on the gaps you identified, develop an action plan to address them. This may involve updating policies and procedures, implementing new controls, or conducting additional training.
  4. Train staff: It is important to ensure that all relevant staff members are trained on the new requirements and how they impact their roles and responsibilities.
  5. Conduct internal audits: Conduct internal audits to ensure that your updated ISMS is effectively implemented and meets the new requirements.
  6. Seek certification: Once you are confident that your updated ISMS meets the new requirements, seek certification from an accredited certification body.
  7. Monitor and continually improve: Finally, monitor your ISMS and continually improve it to ensure that it remains effective and aligned with the latest best practices.

Overall, transitioning to the new version of ISO 27001 requires careful planning and execution. By following these steps, you can help ensure a successful transition and maintain the security of your organization’s information assets.

ISO 27001 2022 strategy

ISO 27001 2022 Changes

Previous posts on ISO 27k

Certified ISO 27001:2022 ISMS Transition Self-Paced Online Training Course

Detailed explanation of 11 new security controls in ISO 27001:2022

6 Pocket eBooks every ISO professional should read | ISO 27001/2 Titles

We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.

Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: ISO 27001 2013, ISO 27001 2022

Nov 12 2021

Implementing and auditing an Information Security Management System in small and medium-sized businesses

Category: Information Security,ISO 27kDISC @ 11:02 pm

ISO 27001 Handbook

If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?

This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.

This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.

ISO 27001 Certification

ISO 27001 Gap Assessment

DISC InfoSec vCISO as a Service

Tags: iso 27001, ISO 27001 2013, ISO 27001 2013 Gap Assessment, iso 27001 certification

Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security,ISO 27kDISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27001:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;.
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001

Jul 11 2020

Ten Steps to Reduce Your Cyber Risk

Category: Information Security,ISO 27kDISC @ 4:19 pm

[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2020/07/Ten-Steps-to-Reduce-Your-Cyber-Risk.pdf” title=”Ten Steps to Reduce Your Cyber Risk”]



Reduce your cyber risk with ISO 27001

Contact DISC InfoSec if you have a question regarding ISO 27001 implementation.





Explore the subject of Cyber Attack

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment

Sep 16 2018

Download ISO27k standards

Category: ISO 27kDISC @ 7:23 pm

 

 

Download ISO27000 family of information security standards today!

‱ ISO27001 2013 ISMS Requirement (Download now)

‱ ISO27002 2013 Code of Practice for ISM (Download now)

ISO 27001 Do It Yourself Package (Download)

 

ISO 27001 Training Courses –  Browse the ISO 27001 training courses

ISO 27001 Training Courses

 

 ISO 27001 Risk Assessment and Gap Assessment





Tags: ISO 27001 2013, ISO 27001 2013 Toolkit

Feb 11 2018

Pinpoint your current cyber security gaps

Category: ISO 27kDISC @ 9:07 pm

A comprehensive information security management system (as defined by the requirements contained in ISO 27001) details the steps required for the effective management of information security (and cyber security) risks.

An ISO 27001 gap analysis is a sensible starting point for assessing the gaps in your information security regime.

Even if you aren’t considering certification to ISO 27001, an in-person gap analysis against the requirements of a leading information security standard offers the following benefits:

 

  • A high-level review of the efficacy of your policies, procedures, processes and controls
  • Interviews with key managers
  • Assistance defining the scope of a proposed information security management system (ISMS)
  • A detailed compliance status report against the clauses and controls described in ISO 27001

 

Description

Our ISO27001 Gap Analysis will provide you with an informed assessment of:

  • Your compliance gaps against ISO 27001
  • The proposed scope of your information security management system (ISMS)
  • Your internal resource requirements; and
  • The potential timeline to achieve certification readiness.

 

What to expect:

An ISO 27001 specialist will interview key managers and perform an analysis of your existing information security arrangements and documentation.

Following this, you will receive a gap analysis report collating the findings of these investigations. The report will detail areas of compliance and areas requiring improvement, and provide further recommendations for the proposed ISO 27001 compliance project.

 

The report includes:

  • The overall state and maturity of your information security arrangements
  • The specific gaps between these arrangements and the requirements of ISO 27001
  • Options for the scope of an ISMS, and how they help to meet your business and strategic objectives
  • An outline action plan and indications of the level of internal management effort required to implement an ISO 27001 ISMS; and
  • A compliance status report (red/amber/green) against the management system clauses (clause-by-clause), as well as the information security controls (control-by-control) described in ISO 27001:2013.

 

Please contact us for further information or to speak to an infosec expert.





Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment

Jan 06 2014

IT Governance Top 5 Bestsellers of 2013

Category: Information Security,ISO 27kDISC @ 11:24 am

With 2013 coming to a close, ITG is reflecting on what a year it’s been for the IT governance, risk management and compliance (IT-GRC) industry. In 2013  we’ve seen the highly-awaited release of ISO 27001:2013, the requirements for PCI DSS v3.0 and the Adobe breach which affected at least 38 million users.
Throughout it all, IT Governance has been there to serve IT professionals in America and assist them in implementing management systems, protecting their organizations and making their IT departments run more efficiently by implementing IT-GRC frameworks.
Below we have listed the top 5 IT Governance USA bestsellers from 2013:

ISO IEC 27001 2013 and ISO IEC 27002 2013
ISO 27001

Cyber Risks for Business Professionals: A Management Guide
CyberRisks

No 3 Comprehensive ISO27001 2005 ISMS Toolkit

ISMS toolkit

The True Cost of Information Security Breaches and Cyber Crime

Security Breaches

ITIL Foundation Handbook (Little ITIL) – 2011 Edition

ITIL

 

 

 

 

Related articles




Tags: Corporate governance of information technology, Information Security Management System, Information Technology Infrastructure Library, ISO 27001 2013

Dec 04 2013

ISO27001 2013 high level review for making the transition

Category: ISO 27kDISC @ 3:06 pm

ISO 27001 2013

ISO 27001 2013 high level review for making the transition from ISO 27001 2005

The Case for ISO 27001 (2013) Second Edition (Download the latest book in Adobe)

It’s been several months now that highly anticipated release of the latest information security standard ISO 27001 2013 for the organization who have vested interest due to previous compliance or certification in ISO 27001 2005. ISO 27001 2013 has 114 controls defined within 14 security control clauses (domains) collectively containing a total of 35 main security categories and introductory clauses including introduction, scope, normative references.

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The new standard no longer require organizations to adopt the Plan-Do-Check-Act (P-D-C-A) model to develop and introduce the ISMS, but leave it to each organization to determine and adopt a continual improvement model (corrective action) that works for them.

The scope in new standard requires every organization to make sure the external and internal issues, (vendor assessment) and information security requirements of these parties are addressed in the contract. This clause will ensure that an ISMS is relevant to the organization’s activity which include external partners and provides an assurance that appropriate controls are in place for external parties as well. In risk assessment area, risks are treated and residual risk accepted by risk owners rather than asset owners, which may require organizations to build a risk register, which will ultimately become an auditable document.

There is another important requirements relating to the setting of information security objectives (strategy), which include the evaluation of the information security performance and measuring the effectiveness of the ISMS.

Annex A has also been restructured into fewer controls (114) and three new domains
A.5. Information security policies
A.6. Organisation of information security
A.7. Human resources security
A.8. Asset management
A.9. Access control
A.10. Cryptography – new
A.11. Physical and environmental security
A.12. Operations security – new
A.13. Communications security
A.14. System acquisition, development and maintenance
A.15. Supplier relationships – new
A.16. Information security incident management
A.17. Information security aspects of business continuity management

The Standard now covers what was previously referred to as ‘control of documents’ and ‘control of records’ under the description of ‘documented information’.

There is no longer a summary of the mandated documents required by the Standard in this section, relying on the organization to identify the requirements for what is now referred to as ‘documented information’ for itself. They are listed below

The scope (4.3)
The information security policy (5.2 e)
The information security risk assessment process (6.1.2)
The information security risk treatment process (6.1.3)
Statement of Applicability (6.1.3 d)
The information security objectives (6.2)
Evidence of competence (7.2)
That documentation ‘determined by the organisation as being necessary for the effectiveness of the information security management system’ (7.5.1 b)
The documentation necessary to have confidence that the processes required for operational planning and control have been carried out as planned (8.1)
The results of information security risk assessments (8.2)
The results of information security risk treatment (8.3)
Evidence of the information security performance monitoring and measurement results (9.1)
Internal audit programme(s) and the audit results (9.2 g)
Evidence of the results of management reviews (9.3)
Evidence of the nature of the non-conformities and any subsequent actions taken, and the results of any corrective actions (10.1)

Summary of new controls in ISO 27001 2013 Annex A

A.6.1.5 – Information security in project management
All projects will address information security, regardless of the nature of the project. This ensures that information security is dealt with from the bottom up.
A.14.2.1 – Secure development policy
Rules for development of software and systems are established and applied to developments. This acts as a sort of precursor control to 14.1.1 and 14.1.3, which relate to controlling the data and applications developed under this control.
14.2.6 – Secure development environment
The organisation ensures an appropriately secure development environment for system development and integration, across the whole development lifecycle. This is deliberately broad to allow input from the earliest stages of the ISMS (identifying the nature of the organisation), rather than restrictively demanding measures that may not be relevant.
14.2.8 – System security testing
The organisation establishes acceptance testing programs and related criteria for new information systems, upgrades and new versions.
15.1.3 – Information and communication technology supply chain
This control requires agreements with suppliers to address information security risks associated with information and communications technology services and products supply chain.
16.1.4 – Assessment of and decision on information security events
Information security events are examined and assessed to determine whether they qualify as information security incidents. This control applies an additional step in the incident management process.

Contact DISC for a Free Gap Assessment for any domain of your choice based on location

Start your ISMS project with ISO27001 2013 Documentation Toolkit

Mapping of ISO/IEC 27001:2013 to ISO/IEC 27001:2005 for $6.99  

  

 Download ISO27000 family of information security standards!
‱ ISO 27001 2013 ISMS Requirement (Download now)
‱ ISO 27002 2013 Code of Practice for ISM (Download now)

 

Related articles




Tags: Information Security Management System, isms, ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, iso 27001 certification, ISO 27001 Lead Implementer

Dec 01 2013

ISO27001 2013 ISMS Standalone Documentation Toolkit

Category: ISO 27kDISC @ 9:53 pm

ISO27001 2013

Start your ISMS project with ISO27001: 2013

With the publication of the new version of the ISO27001 standard, there has never been a better time to start an ISMS implementation project to look after your information security.

 

ITGP toolkits – ISO27001: 2013 ISMS Documentation Toolkit

This new Toolkit provides you with a comprehensive set of pre-written ISMS documents compliant with the newly released ISO27001: 2013 Standard, built from the necessary policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed, including:

* Information Security Manual

* Visio Documentation Map and Structure

* Information Security Policy

* vsRisk risk assessment tool Integration Templates (not vsRisk itself)

* Business Continuity Management for information security

* Gap analysis ISO27001: 2013 and ISO27002: 2013 Audit tool

* Asset Management documentation templates such as, Asset Inventory, Information Hardware Assets, Software log, etc.

* Supplier Relationships documentation templates such as, External Parties Information Security Procedure and Third Party Service Contracts

* Operations and Communications Security document templates dealing with, Anti-Virus Software, Vulnerability Management, Systems Auditing, System Planning & Acceptance, etc.

 

Benefits of the ISO27001: 2013 ISMS Documentation Toolkit:

  • Fully customisable and editable templates inclusive of:
    7 Policies, 55 Procedures, 23 Work Instructions, 25 Records, guidance documents as well as Blank Templates that will enable you to bring in your exisitng documentation in-line with a consistent management system
  • Pre-written to be compliant with the standard
  • Saves you time on research
  • Saves you time on writing
  • Provides document guidance as you go
  • Cheaper than one day of consultancy
  • After sales support service
  • 12 months of automatic updates

 

Related articles




Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit