How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Transcript of How Does the New ISO 27001 Impact Your IT Risk Management Processes?
Page 1
How Does the new ISO 27001 Impact Your IT Risk Management Processes?
Presented by Lars Neupart, Founder and CEO of Neupart – The ERP of Security. [email protected], Twitter @neupart
Page 2
The ISO 2700x standards
• ISO 27000: Overview and vocabulary
• ISO 27001: Information Security Management Systems – Requirements
• ISO 27002: Code of practice for information security management
• ISO 27003: ISMS Implementation Guidelines
• ISO 27004: Information Security Management – Measurement
• ISO 27005: Information Security Risk Management
• ISO 27006: Requirements for bodies providing audit and certification
• and further standards in the series
Page 3
New drafts available (the slide repeats the ISO 2700x list from page 2)
Page 4
Information Security Management Systems – Requirements: ISO 27001, the 2013 edition
At the time of this webinar the text is ISO/IEC DIS 27001, a Draft International Standard, so changes are still likely before publication.
The aim of today's webinar is to give you a head start on preparing for the new standard, so you can have a smoother transition.
Page 5
What's new?
• A lot! New content, new requirements, new numbering
• Still short: 9 pages of requirements for an ISMS
• Controls are still listed in Annex A, referring to the new ISO 27002
• A fair portion of backwards compatibility is maintained
Page 6
Poll: How do you use ISO 27001 today?
• We are certified
• We plan to certify
• We plan to comply; no certification
• Best practice inspiration
• Don't know
Page 7
Still risk oriented: the first requirement in the new ISO 27001 refers to an enterprise risk management standard, ISO 31000.
Page 8
ISO 31000 Enterprise Risk Management, drawn on the slide as a Plan - Do - Check - Act cycle.
Page 9
The three levels shown on the slide:
• Enterprise Risk Management (ISO 31000)
• Information Security Risk Management (ISO 27005)
• ISMS Requirements (ISO 27001)
Page 10
ISO 27005 recap
Page 11
IT Risk Management - Explained
The model on the slide derives Risk from two factors, each of which is in turn determined by a property of the threat and a class of controls:
• Risk: Incident Likelihood and Incident Consequence
• Incident Likelihood: Threat Frequency, reduced by Preventive Measures
• Incident Consequence: Threat Effect, reduced by Corrective Measures
• Threats drive both Threat Frequency and Threat Effect
Page 12
Reduce Likelihood: Proactive Security
IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus
Reduce Consequence: Reactive Security
IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
IT Risk Management - Explained: the model from page 11 is repeated with Prioritization as the output of Risk (Risk from Incident Likelihood and Incident Consequence; Incident Likelihood from Threat Frequency and Preventive Measures; Incident Consequence from Threat Effect and Corrective Measures; Threats feeding both).
Page 13
Vulnerability & control environment assessment
The slide arranges example controls in a grid of Administrative Measures vs. Physical / Technical Measures against Preventive Measures vs. Corrective Measures (the cell each example sits in is not preserved in this transcript):
Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring
Assessments are based on the Capability Maturity Model.
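The following Python puts numbers to the model of pages 11 to 13. It is an added example, not code from the presentation or from Neupart's product: preventive controls reduce incident likelihood, corrective controls reduce incident consequence, and the control environment is rated with a Capability Maturity Model level. The rating scales, the rule that each maturity level removes one sixth of the exposure, and the threats, controls and numbers are all assumptions made for the example.

```python
from dataclasses import dataclass
from fractions import Fraction

# Assumed rating scales (the slides show the model, not the numbers):
# threat frequency and threat effect are rated 1 (very low) .. 5 (very high),
# control maturity is a Capability Maturity Model level 0 (non-existent) .. 5 (optimised).
SCALE_MAX = 5
CMM_MAX = 5


@dataclass(frozen=True)
class Control:
    name: str
    kind: str       # "preventive" reduces likelihood, "corrective" reduces consequence
    maturity: int   # CMM level 0..5

    def __post_init__(self):
        if self.kind not in ("preventive", "corrective"):
            raise ValueError(f"{self.name}: unknown control kind {self.kind!r}")
        if not 0 <= self.maturity <= CMM_MAX:
            raise ValueError(f"{self.name}: maturity {self.maturity} outside 0..{CMM_MAX}")


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int          # threat frequency, 1..5
    effect: int             # threat effect if nothing stops it, 1..5
    controls: tuple = ()    # Control objects that apply to this threat

    def __post_init__(self):
        for value in (self.frequency, self.effect):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {value} outside 1..{SCALE_MAX}")


def vulnerability(controls, kind):
    """Residual exposure after the controls of one kind, as a fraction in (0, 1].

    Assumption: each CMM level removes 1/(CMM_MAX + 1) of the exposure, so even a
    level-5 control leaves 1/6 of it (no control is treated as perfect).  With no
    control of that kind the exposure stays at 1.
    """
    relevant = [c for c in controls if c.kind == kind]
    if not relevant:
        return Fraction(1)
    average_maturity = Fraction(sum(c.maturity for c in relevant), len(relevant))
    return 1 - average_maturity / (CMM_MAX + 1)


def assess(threat):
    """Incident likelihood, incident consequence and risk for one threat."""
    likelihood = threat.frequency * vulnerability(threat.controls, "preventive")
    consequence = threat.effect * vulnerability(threat.controls, "corrective")
    return {
        "threat": threat.name,
        "likelihood": likelihood,
        "consequence": consequence,
        "risk": likelihood * consequence,
    }


def prioritise(threats):
    """Risk prioritisation: highest risk first."""
    return sorted((assess(t) for t in threats), key=lambda r: r["risk"], reverse=True)


def treat(threat, control):
    """Treatment option 'reduce': re-assess the threat with one more control in place."""
    return assess(Threat(threat.name, threat.frequency, threat.effect, threat.controls + (control,)))


# Constructed sample for a finance database; names and ratings are made up.
ANTIVIRUS = Control("Antivirus", "preventive", 3)
AWARENESS = Control("Awareness", "preventive", 2)
ACCESS_CONTROL = Control("Access control system", "preventive", 4)
SECURITY_POLICY = Control("Security policy", "preventive", 3)
MONITORING = Control("Monitoring", "preventive", 3)
BACKUP = Control("Backup", "corrective", 4)
SERVER_CLUSTER = Control("Server cluster", "corrective", 4)

SAMPLE_THREATS = (
    Threat("Ransomware on file server", 4, 5, (ANTIVIRUS, AWARENESS, BACKUP)),
    Threat("Hardware failure of SAN", 2, 5, (MONITORING, SERVER_CLUSTER, BACKUP)),
    Threat("Unauthorised access to finance data", 3, 4, (ACCESS_CONTROL, SECURITY_POLICY)),
)

if __name__ == "__main__":
    for row in prioritise(SAMPLE_THREATS):
        print(f"{row['threat']:<38} likelihood={float(row['likelihood']):.2f} "
              f"consequence={float(row['consequence']):.2f} risk={float(row['risk']):.2f}")
    # The top risk has no corrective control at all; adding one halves its consequence.
    top = max(SAMPLE_THREATS, key=lambda t: assess(t)["risk"])
    after = treat(top, Control("Incident response procedure", "corrective", 3))
    print(f"after treatment: {after['threat']} risk={float(after['risk']):.2f}")
```

The unauthorised-access threat ranks first even though its frequency and effect are both lower than the ransomware case, because it has no corrective control: the model multiplies the full threat effect into the consequence. Exact fractions are used so that repeated assessments give identical, comparable results, which is what the revised clause 6.1 asks of a risk assessment process.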
Page 14
Assets: Dependency Hierarchy
• Business impact values are inherited downwards
• Vulnerability values are inherited upwards
Example hierarchy on the slide (asset: type): Finance: Business Process; ERP: IT Service; Dynamics AOS: Business system; Finance DB: Database; Server 01 and Server 02: Virtual Server; two HP DL380 units: Hardware unit; SAN 01: Data Storage; Data Center Oslo: Datacenter
Page 15
Comparing ISO 27005 and NIST SP 800-30. Each column lists the steps in that document's own order (the NIST step names are those of the original 2002 edition of SP 800-30):

| ISO 27005 | NIST SP 800-30 |
|---|---|
| Context establishment | |
| Identification of assets | System Characterization |
| Identification of threats | Threat Identification |
| Identification of existing controls | Vulnerability Identification |
| Identification of vulnerabilities | Control Analysis |
| Identification of consequences | |
| Assessment of consequences | Likelihood Determination |
| Assessment of incident likelihood | Impact Analysis |
| Risk estimation | Risk Determination |
| Risk evaluation | |
| Risk treatment | Control Recommendations |
| Risk acceptance | |
| Risk communication | Results Documentation |
Page 16
Examples of how the 27001 update will impact your risk management processes
Page 17
27001: Not only downside risks
• 6.1 Actions to address risks and opportunities
• Quote from ISO 31000: "Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is 'risk'."
Page 18
Risk Owner
• The Risk Owner approves the risk treatment plan and accepts residual risks
• Note: asset ownership is formally no longer an ISO 27001 requirement, but it is still in the Annex A control list. In practice it is the same requirement, as you cannot expect to leave it out of your Statement of Applicability.
Page 19
Increased flexibility in your choice of risk method
"The organization shall define an information security risk assessment process that:
1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
2. determines the criteria for performing information security risk assessments; and
3. ensures that repeated information security risk assessments produce consistent, valid and comparable results."
(section 6.1)
Page 20
Time to vote
What IT risk assessment method or framework do you use today?
• ISO 27005
• NIST SP 800 series
• IRAM
• OCTAVE
• Some other threat based approach
• Some other control based approach
• Don't know
Page 21
"The organization shall apply an information security risk treatment process"
Page 22
Treating Risks: Accept, Reduce, Share, Avoid
These are the treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to keep using them.
Page 23
SoA linked even closer to Risk Treatment (SoA = Statement of Applicability)
Risk treatment:
• Select treatment options
• Determine controls
• Check controls against Annex A; verify no necessary controls are omitted
• Make the SoA and justify exclusions AND inclusions (new)
• Clearly worded that you must determine all necessary controls
Page 24
Review of Neupart's well-known 4 responsible short-cuts: do they still apply?
1: Not all assets. Assess your most important assets first (you can add more later).
2: Not all threats. Do not use the complete threat catalogue on each of your assets (the relevant threats depend on the asset type).
3: Inheritance. Business impact values inherit downwards; vulnerability scores inherit upwards; asset dependencies / hierarchy.
4: Fewer assessments. Make an overall assessment first and refine later. Example: assess threats combined first, individually later.
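The inheritance rule from page 14 and short-cuts 1 and 3 above, as an added Python example that is not code from the presentation or from Neupart's product. It builds the asset hierarchy shown on page 14, rates business impact only on the Finance business process and vulnerability only on the technical layer (short-cut 1), and lets the two values propagate in opposite directions (short-cut 3). The dependency edges, the ratings, the "#1" and "#2" suffixes that tell the two HP DL380 units apart, and the impact × vulnerability risk figure are assumptions.

```python
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    impact: int = 0         # business impact rated directly here, assumed scale 1..5 (0 = not rated)
    vulnerability: int = 0  # vulnerability rated directly here, assumed scale 1..5 (0 = not rated)
    depends_on: tuple = ()  # names of the assets this one needs in order to work


class Hierarchy:
    """Asset dependency hierarchy: impact flows down to what an asset depends on,
    vulnerability flows up to whatever depends on it."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.dependents = {name: [] for name in self.assets}   # reverse edges
        for asset in assets:
            for dep in asset.depends_on:
                if dep not in self.assets:
                    raise KeyError(f"{asset.name} depends on unknown asset {dep!r}")
                self.dependents[dep].append(asset.name)
        self._reject_cycles()

    def _reject_cycles(self):
        """A dependency loop would make inheritance recurse forever, so fail early."""
        state = {}

        def visit(name):
            if state.get(name) == "active":
                raise ValueError(f"dependency cycle through {name!r}")
            if name not in state:
                state[name] = "active"
                for dep in self.assets[name].depends_on:
                    visit(dep)
                state[name] = "done"

        for name in self.assets:
            visit(name)

    @lru_cache(maxsize=None)
    def impact(self, name):
        """Business impact inherited downwards: an asset is as critical as the most
        critical asset that depends on it."""
        own = self.assets[name].impact
        return max([own] + [self.impact(d) for d in self.dependents[name]])

    @lru_cache(maxsize=None)
    def vulnerability(self, name):
        """Vulnerability inherited upwards: an asset is as exposed as the most
        exposed asset it depends on."""
        own = self.assets[name].vulnerability
        return max([own] + [self.vulnerability(d) for d in self.assets[name].depends_on])

    def risk_table(self):
        """(name, kind, impact, vulnerability, impact * vulnerability), highest risk first."""
        rows = [(n, a.kind, self.impact(n), self.vulnerability(n), self.impact(n) * self.vulnerability(n))
                for n, a in self.assets.items()]
        return sorted(rows, key=lambda r: r[4], reverse=True)

    def unrated(self):
        """Assets that got neither a direct nor an inherited value; these need an assessment."""
        return [n for n in self.assets if self.impact(n) == 0 or self.vulnerability(n) == 0]


# Constructed sample following the assets on page 14; edges and ratings are assumptions.
SAMPLE = Hierarchy([
    Asset("Finance", "Business Process", impact=5, depends_on=("ERP",)),
    Asset("ERP", "IT Service", depends_on=("Dynamics AOS",)),
    Asset("Dynamics AOS", "Business system", depends_on=("Finance DB", "Server 01")),
    Asset("Finance DB", "Database", impact=3, vulnerability=2, depends_on=("Server 02",)),
    Asset("Server 01", "Virtual Server", vulnerability=4, depends_on=("HP DL380 #1", "SAN 01")),
    Asset("Server 02", "Virtual Server", vulnerability=2, depends_on=("HP DL380 #2", "SAN 01")),
    Asset("HP DL380 #1", "Hardware unit", vulnerability=2, depends_on=("Data Center Oslo",)),
    Asset("HP DL380 #2", "Hardware unit", vulnerability=2, depends_on=("Data Center Oslo",)),
    Asset("SAN 01", "Data Storage", vulnerability=3, depends_on=("Data Center Oslo",)),
    Asset("Data Center Oslo", "Datacenter", vulnerability=1),
])

if __name__ == "__main__":
    for name, kind, imp, vul, risk in SAMPLE.risk_table():
        print(f"{name:<18} {kind:<17} impact={imp} vulnerability={vul} risk={risk}")
    print("unrated:", SAMPLE.unrated())
```

With only one impact rating at the top and a handful of vulnerability ratings at the bottom, every asset still ends up with both values: the data centre inherits the business impact of Finance, and Finance inherits the vulnerability of Server 01. The Finance DB's own impact rating of 3 is overridden by the inherited 5, which is the point of the rule: a supporting asset cannot be less critical than what runs on it. The cycle check matters because a dependency loop in the asset register would otherwise make the recursive inheritance run forever.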
Page 25
Oh, what happened to PDCA? Plan - Do - Check - Act is still there, now called continual improvement.
Page 26
Risk Management
• Risk Owner
• (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)
Page 27
Time to vote
Will the new ISO improve your risk management processes?
• Yes: the update is easy to understand and makes sense
• Not much: nothing really new here
• I'm concerned about the introduced flexibility
• Don't know
Page 28
About Neupart
• ISO 27001 certified company
• Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management (IT GRC = IT Governance, Risk & Compliance Management)
• "The ERP of Security"
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies
Page 29
SecureAware Risk TNG Benefits
• Less specialist knowledge needed to conduct professional risk management
• Know your IT related business risks
• Fast results
• Saves time for you and your organization
• ISO 27005 based methodology, fully compatible with NIST SP 800-30
• Cloud or on-premise software
Page 30
Try an ISO 27001 compliant IT GRC solution at www.neupart.com