Introduction to ISO 27001:2013 to 2022 Transition
Wil serves as CEO of Securadin. His technology, security and compliance expertise spans over 15 years of leveraging technology and leadership best practices in the design and operation of secure enterprise IT initiatives. Wil is described by his peers as an insightful technical authority, critical thinker, and problem solver who identifies technical infrastructure and organizational opportunities to improve the availability, security, and efficiency of systems.
As CEO he manages a team and multiple client ISMS Managers, and has led the organization to profitability and a flawless record of ISO/IEC 27001 certification. These initiatives provided the overall strategic development and execution of compliant Information Security Management Systems (ISMS), with a specific focus on enhancing technology, security, and governance operations across multiple industry verticals.
Some of Wil’s major accomplishments include: a 100% success rate for implementing compliant Information / Privacy Management Systems (ISMS, PIMS) against the ISO/IEC 27001, 22301, and 27701 Standards up to and including certification (well over 100 individual engagements).
Oversight, integration, and dissemination of cultural cybersecurity changes that provide a significant return on investment. These efforts extended to both sides of the materials and acquisition lifecycle.
Strategically defined, developed and executed comprehensive strategic and technical solutions to support continual improvement, risk management and, most importantly, growth of technology, security, compliance and organizational capabilities. These efforts streamlined the daily operations of multiple organizations and improved the confidentiality, integrity and availability of organizational assets.
Wil’s combined enterprise technology, security, and compliance experience has made him an invaluable resource to the organizations that Securadin serves. ~Wil Seiler Wil@securadin.com https://www.linkedin.com/in/wil-seiler/
Bio: Wil Seiler
Introduction and ISO 27001 Refresher
Introductions (Adam)
The internationally recognized, certifiable standard for information security management. Certification shows stakeholders (customers, regulators, partners) that your organization has risk-based security best practices in place and that an accredited third party has verified them.
Transition ROI
Why are we here?
1.) Discuss the Information Security Program and document Organizational Risk Stakeholders, Objectives, and Key Results relevant to the outcome of the ISMS
2.) What is an ISMS? (Information Security Management System)
3.) Why is ISO 27001 Important? ROI?
4.) Review Visual Examples of an effective information security management system.
Guiding Principles
• The way you secure your organization and assets should be based on your risks, not fear, hype, hysteria or tradition
• Cybersecurity risks are continuous, so the solutions should be too
• Security is about defense in depth across people, processes and technology
• Today most organizations operate in a state of continuous compromise
(Diagram: People, Process and Product overlapping, with Risk at the intersection)
Example Process for Risk Management (diagram labels): Risk Management, Risk Assessment, Awareness, Vulnerability Assessment, Penetration Testing, vCISO, Incident Response
Example ISMS
People
Governance (Leadership)
Risk Owners
Controls/Asset Managers
Compliance
Repeatable “Proven Process”
Cybersecurity as a Differentiator (CaaD)
Objectives: What do we want? What must we do? How will we do it? Who will be responsible?
ISMS
Policies
Leadership Direction
Consistency in Taxonomy
Effective Documentation
Workflows
Consistency in Execution
Functional Role Specific
Processes
An Information Security Management System (ISMS) is a risk-based, business-friendly framework that manages the people, policies and processes that interact to meet the objectives of confidentiality, integrity and availability of information assets.
ISO 27001 Audit Cycle
Year One: Internal Audit; Certification Audit (Certification Body) Stage 1 / Stage 2
Year Two: Internal Audit; Surveillance Audit (Certification Body)
Year Three: Internal Audit; Surveillance Audit (Certification Body)
Year Four: Internal Audit; Re-certification Audit (Certification Body) Stage 1 / Stage 2
Similarities
Mandatory Clauses 4-10
3-year Certification Cycle
Same Relationship as other ISO Standards (that are certifiable)
Differences
Mandatory Clauses
Clause 4 Context of the Organization: Interested Parties (4.2) and ISMS processes (4.4); climate change added as a context consideration by Amendment 1:2024
Clause 6 Planning: Risk Assessment and Treatment (6.1), Objectives (6.2), Planning of Changes (6.3, new)
Clause 7 Support: Documented Information (Consolidated)
Clause 8 Operation: Operational Planning and Control (8.1), Risk Assessment and Treatment (8.2, 8.3)
Clause 9 Performance Evaluation (Consolidated)
Annex A Controls
From 14 Domains to 4 Themes
11 New Controls (93 controls in total, down from 114)
Transition Plan
1.) Purchase the ISO 27001:2022 and 27002:2022 Standards
2.) Transitional Audit/Gap assessment – Certified organizations must complete the transition to ISO/IEC 27001:2022 by 31 October 2025, when certificates against the 2013 edition expire. Perform an internal transitional audit/gap assessment against all of the controls of ISO/IEC 27001:2022 well ahead of that date, leaving time to remediate before the certification body's transition audit.
3.) Discuss and Document Transition Plan to Internal and (applicable) External Interested Parties
4.) Perform Risk Assessment to reflect applicable Annex A Controls
5.) Include Threat Intelligence in Risk Assessment, Business Continuity, and Disaster Recovery planning/exercises.
6.) Retire your old Statement of Applicability. Do not edit it into the new one: the 2022 control set is structured differently, and carry-over leaves stale control identifiers and justifications behind. Keep the 2013 SoA as a record of the previous certification cycle.
7.) Build a new Statement of Applicability from the transitional and risk assessments, covering all 93 Annex A controls with a justification for each inclusion and exclusion and the implementation status of each included control (Clause 6.1.3 d).
Significant Mandatory Changes
• Clause 4.2 Understanding the Needs and Expectations of Interested Parties: A new subclause was added requiring an analysis of which of the interested party requirements are going to be addressed through the ISMS.
• Clause 4.4 Information Security Management System: New language was added, which requires organizations to identify necessary processes and their interactions within the ISMS. Essentially the ISMS must include the processes underpinning the ISMS, not just the ones specifically called out in the Standard.
• Clause 6.2 Information Security Objectives and Planning to Achieve Them: Now spells out further requirements for the information security objectives: they must be monitored, communicated, updated as appropriate, and available as documented information.
• Clause 6.3 Planning of Changes: This clause was added to set a standard around planning for changes. It states that if changes are needed to the ISMS, they shall be adequately planned for.
• Clause 8.1 Operational Planning and Control: Additional guidance was added for operational planning and control. The ISMS now needs to establish criteria for actions identified in Clause 6 and control those actions in accordance with the criteria.
Examples of Interested Parties “as determined by the ISMS”: External Awareness (Strategic External Interested Parties)
External Interested Parties: Customers, Regulatory Bodies, Suppliers/Vendors, Audit Target Group
Needs & Expectations
Customers: Ensuring confidentiality, integrity and availability of information entrusted to your organization.
Regulatory Bodies: Ensuring compliance with specified regulatory requirements or standards.
Suppliers/Vendors: Clarity around their responsibilities as they pertain to confidentiality, integrity and availability of information entrusted to them. Signed off via Service Level Agreement or Memoranda of Understanding.
Audit Target Group: Clarity around how their information is protected.
Examples of Interested Parties “as determined by the ISMS”: Internal Awareness (Strategic Internal Interested Parties)
Strategic Internal Interested Parties (Governance): CEO, CFO, CCO, CTO, CIO, COO, CHRO, CRO, General Counsel
Needs & Expectations
Trust in your organizational brand remains strong.
Ensure the security program vision aligns to the business vision.
Ensure the confidentiality, integrity and availability of information assets.
Ensure legal, regulatory and contractual requirements are met.
Ensure employees and contractors understand their responsibilities as they pertain to information security.
Ensure we can make informed decisions for effective investment into the security program.
Example Risk Owners: Internal Awareness (Tactical)
ISMS Management Committee (Risk): Information Security delegate(s), I.T. delegate(s), HR delegate, Facilities/Physical Security, Vendor/Supplier Management, Internal Audit, Data Privacy, Business Continuity
Note on Risk Owners: Risk Owners often have authority over the individuals responsible for implementing and operationalizing a control (Control Owners). Where the Risk Owner would most likely be the accountable party, the Control Owner would be the responsible party. Control Owners often report into Risk Owners.
Needs & Expectations
Clarity around the risks identified through the risk management process so they can make an informed decision based on the risk acceptance criteria.
Accountable for identified risks and for ensuring control owners are held responsible for the implementation and operationalization of controls.
Share the vision for information security so the culture begins to shift (i.e. soften governance and move toward a shared vision instead), thereby creating an aware culture.
Significant Annex Changes
Changes to the Annex A control “structure”
Control groups were re-organized and the overall number of controls decreased from 114 to 93. At a high level:
• 11 new controls were introduced
• 57 controls were merged
• 23 controls were renamed
• 3 controls were removed
In ISO 27001:2013, Annex A controls were organized into 14 domains (A.5 to A.18). In the 2022 edition they are organized into the following four themes instead:
• People controls (8 controls)
• Organizational controls (37 controls)
• Technological controls (34 controls)
• Physical controls (14 controls)
This restructuring makes it clearer how Annex A controls help secure information, and it makes scheduling your people’s time during an audit easier, since each theme lines up with a distinct group of control owners.
Additional Annex A Controls
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
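The transition plan above (gap assessment, risk assessment, a rebuilt Statement of Applicability) and the new Annex A structure lend themselves to a simple consistency check before the certification body arrives. The following Python script is an added example written for this page, not code from the presentation or from Securadin. It encodes the 2022 Annex A theme ranges (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34) and the 11 new controls listed above, and runs coverage checks over a constructed sample SoA. The SoAEntry row layout, the function names and the sample rows are assumptions for illustration; adapt the row layout to your own SoA spreadsheet.

```python
"""Coverage checks for an ISO/IEC 27001:2022 Statement of Applicability (SoA).

Added example for this page (not Securadin's tooling). Annex A (2022) has 93
controls in four themes; the transition rebuilds the SoA against that list.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Annex A of ISO/IEC 27001:2022: clause prefix -> (theme, number of controls).
# 37 + 8 + 14 + 34 = 93.
THEMES = {
    5: ("Organizational", 37),
    6: ("People", 8),
    7: ("Physical", 14),
    8: ("Technological", 34),
}

# The 11 controls introduced in the 2022 edition (as listed on this page).
NEW_IN_2022 = {"5.7", "5.23", "5.30", "7.4", "8.9", "8.10", "8.11",
               "8.12", "8.16", "8.23", "8.28"}


def annex_a_controls() -> list:
    """All 93 Annex A control identifiers, '5.1' .. '8.34', in Annex order."""
    return [f"{clause}.{n}"
            for clause, (_theme, count) in THEMES.items()
            for n in range(1, count + 1)]


def theme_of(control_id: str) -> Optional[str]:
    """Theme of a 2022 control id, or None for anything that is not an Annex A
    id (for example a 2013-style 'A.12.6.1' carried over by mistake)."""
    parts = control_id.split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    clause, num = int(parts[0]), int(parts[1])
    if clause not in THEMES or not 1 <= num <= THEMES[clause][1]:
        return None
    return THEMES[clause][0]


@dataclass(frozen=True)
class SoAEntry:           # assumed row layout; adapt to your SoA spreadsheet
    control_id: str
    applicable: bool
    justification: str    # Clause 6.1.3 d) wants one for inclusion and exclusion
    implemented: bool = False


def _numeric(control_id: str) -> tuple:
    return tuple(int(p) for p in control_id.split("."))


def check_soa(entries: list) -> dict:
    """Transition findings keyed by finding type; an empty list means clean."""
    valid = set(annex_a_controls())
    counts = Counter(e.control_id for e in entries)
    listed = set(counts)
    by_id: dict = {}
    for e in entries:
        by_id.setdefault(e.control_id, []).append(e)

    def applicable(cid: str) -> bool:
        return any(e.applicable for e in by_id[cid])

    return {
        # Every one of the 93 controls must appear, applicable or not.
        "missing": sorted(valid - listed, key=_numeric),
        # Identifiers that are not 2022 Annex A controls (usually 2013 leftovers).
        "unknown": sorted(listed - valid),
        "duplicate": sorted(c for c, n in counts.items() if n > 1),
        "unjustified": sorted({e.control_id for e in entries
                               if not e.justification.strip()}),
        # New 2022 controls marked not applicable deserve a second look: they are
        # what the transition audit concentrates on.
        "new_excluded": sorted((c for c in NEW_IN_2022 & listed
                                if not applicable(c)), key=_numeric),
        "applicable_not_implemented": sorted(
            (c for c in listed & valid
             if any(e.applicable and not e.implemented for e in by_id[c])),
            key=_numeric),
    }


def coverage_by_theme(entries: list) -> dict:
    """(controls listed, controls in theme) per theme, ignoring unknown ids."""
    listed = {e.control_id for e in entries}
    return {theme: (sum(1 for cid in listed if theme_of(cid) == theme), count)
            for _clause, (theme, count) in THEMES.items()}


# Constructed sample: a partially migrated SoA with typical transition defects.
SAMPLE_SOA = [
    SoAEntry("5.7", True, ""),                                     # no justification
    SoAEntry("5.23", True, "Production runs in a public cloud", True),
    SoAEntry("8.28", False, "No in-house software development"),   # new control excluded
    SoAEntry("8.9", True, "Baselines maintained per platform", True),
    SoAEntry("8.9", True, "Duplicate row left by a merge", True),  # duplicate
    SoAEntry("A.12.6.1", True, "Copied from the 2013 SoA", True),  # stale 2013 id
]

if __name__ == "__main__":
    for kind, ids in check_soa(SAMPLE_SOA).items():
        print(f"{kind:27s} {len(ids):3d}  {ids[:5]}")
    print(coverage_by_theme(SAMPLE_SOA))
```

Run it against an export of your draft 2022 SoA: an empty finding list in every category means every Annex A control is listed exactly once with a justification, no 2013 identifiers survived the migration, and every exclusion of a new 2022 control was a deliberate, justified decision rather than a row that was never written.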
Questions? Concerns? Issues?