
Presentation ISMS ISO IEC 27001 2022


ISO/IEC 27001:2022

Information security
management system

Course structure

Introductory part

Requirements of ISO/IEC 27001:2022 (ISMS requirements)
Information security controls
(Organizational controls, People controls,
Physical controls, Technological controls)
Certification to ISO/IEC 27001
INFORMATION SECURITY

Confidentiality
Integrity
Availability

Information security management


Coordinated activities to achieve, maintain
and improve information security, by
identifying security risks and applying suitable
controls to address them.
INFORMATION SECURITY
MANAGEMENT SYSTEM

An ISMS consists of policies, procedures, guidelines, resources and activities that are managed by an organization with the aim of protecting its information assets.
PRINCIPLES FOR THE SUCCESSFUL
IMPLEMENTATION OF AN ISMS

Awareness of the need for information security.
Assignment of responsibility for information security.
Incorporating management commitment and the interests of stakeholders.
Enhancing societal values.
Risk assessments and determining appropriate controls.
Security incorporated as an essential element of information networks and systems.
Active prevention and detection of security incidents.
Comprehensive approach to information security management.
Continual reassessment of information security and making modifications, as appropriate.
ISO/IEC 27000 SERIES OF STANDARDS

ISO/IEC 27000 – Overview of the ISMS, plus terms and definitions.
ISO/IEC 27001 – Requirements for an ISMS.
ISO/IEC 27002 – Information security controls and implementation guidance.
ISO/IEC 27003 – Explanation and guidance on the requirements in ISO/IEC 27001.
ISO/IEC 27005 – Guidance on information security risk management.

Sector-specific standards: ISO/IEC 27011; ISO/IEC 27019; ISO/IEC 27701 …
ABOUT ISO/IEC 27001

International standard.

First edition published in 2005.

Defines the requirements for an ISMS.

Can be used by any organization.

Suitable for certification.


STRUCTURE OF ISO/IEC 27001:2022
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
(4.1 Understanding the organization and its context. 4.2 Understanding the needs and expectations of
interested parties. 4.3 Determining the scope of the ISMS. 4.4 Information security management system.)
5 Leadership
(5.1 Leadership and commitment. 5.2 Policy. 5.3 Organizational roles, responsibilities and authorities)
6 Planning
(6.1 Actions to address risks and opportunities. 6.2 Information security objectives and planning to
achieve them. 6.3 Planning of changes)
7 Support
(7.1 Resources. 7.2 Competence. 7.3 Awareness. 7.4 Communication. 7.5 Documented information)
8 Operation
(8.1 Operational planning and control. 8.2 Information security risk assessment. 8.3 Information security
risk treatment)
9 Performance evaluation
(9.1 Monitoring, measurement, analysis and evaluation. 9.2 Internal audit. 9.3 Management review)
10 Improvement
(10.1 Continual improvement. 10.2 Nonconformity and corrective action)
Annex A – Information security controls reference
UNDERSTANDING THE
ORGANIZATION AND ITS CONTEXT

Determine the external and internal issues that are relevant to the purpose of the organization and that affect its ability to achieve the intended outcome(s) of the ISMS.
EXTERNAL AND INTERNAL ISSUES

External issues – outside the organization’s control (e.g., political, legal, technological, social, cultural, competitive or natural factors, etc.).

Internal issues – under the control of the organization (e.g., resources, knowledge, contractual relationships, objectives, etc.).
NEEDS AND EXPECTATIONS OF
INTERESTED PARTIES
- Determine the interested parties relevant for the
ISMS.
- Determine the requirements of interested parties.
- Determine which requirements will be addressed
through the ISMS.
SCOPE OF THE ISMS

Determine the boundaries and applicability of the ISMS to establish its scope (what is covered by the ISMS).

The scope shall be documented.
INFORMATION SECURITY MANAGEMENT SYSTEMS

Establish, implement, maintain and continually improve an ISMS in accordance with the requirements of ISO/IEC 27001.
Integrate the ISMS into the processes and the business activities of the organization.
Don’t forget about the continual improvement of the ISMS.
LEADERSHIP AND COMMITMENT

Ensure that an information security policy and information security objectives are established.
Ensure the ISMS is integrated into the processes of the organization.
Ensure the necessary resources for the ISMS.
Communicate about the need for information security.
Ensure that the ISMS achieves its intended outcomes.
Promote continual improvement.
Direct and support persons to contribute to the ISMS.
Support managers to demonstrate their leadership.
INFORMATION SECURITY
POLICY

Top management shall establish an information security policy.
INFORMATION SECURITY
POLICY
Appropriate to the purpose of the organization.
Includes the information security objectives, or provides a framework for setting those objectives.
Includes commitments to satisfy applicable requirements and for continual improvement.
Communicated inside the organization.
Available to interested parties, as appropriate.
Documented.
ROLES, RESPONSIBILITIES, AUTHORITIES
Top management shall ensure that responsibilities and authorities for roles relevant to information security are assigned and communicated, in particular for:
- ensuring that the ISMS conforms to the requirements of ISO/IEC 27001;
- reporting on the performance of the ISMS to top management.
ACTIONS TO ADDRESS RISKS
AND OPPORTUNITIES

Determine risks and opportunities and plan actions to address them.
INFORMATION SECURITY
RISK ASSESSMENT

Risk – the effect of uncertainty on objectives.

Information security risks – associated with the potential that threats will exploit the vulnerabilities of an information asset and cause harm to an organization.
INFORMATION SECURITY RISK
ASSESSMENT

Define and apply a process for the information security risk assessment.

RISK = Consequences x Likelihood

Criteria for risk acceptance and for performing risk assessments.


CONSEQUENCES AND LIKELIHOOD

Consequences:
Catastrophic – Disastrous consequences that threaten the existence of the organization, or impair its activities for a significant period, or put at risk the life and safety of people, or bring about major environmental degradation.
Critical – Incapacity of the organization to continue all or part of its activities, possibly with significant consequences for persons and property. Full recovery is possible but not likely.
Serious – Substantial consequences involving high degradation of activities, significant losses, or breaches of legal, regulatory or contractual requirements. The organization will overcome the situation but with serious difficulties.
Significant – Significant but limited consequences, with a degradation in performance, losses, breaches of requirements, or damage to reputation or public trust. The organization will overcome the situation despite some difficulties.
Minor – Negligible consequences. The organization will overcome the situation without much difficulty.

Likelihood:
Almost certain – The risk source will almost certainly reach its objective by using one of the considered methods of attack. The likelihood of this risk scenario is very high.
Very likely – The risk source will probably reach its objective by using one of the considered methods of attack. The likelihood of this risk scenario is high.
Likely – The risk source is able to reach its objective by using one of the considered methods of attack. The likelihood of this risk scenario is significant.
Rather unlikely – The risk source has relatively little chance of reaching its objective by using one of the considered methods of attack. The likelihood of this risk scenario is low.
Unlikely – The risk source has very little chance of reaching its objective by using one of the considered methods of attack. The likelihood of this risk scenario is very low.
INFORMATION SECURITY RISK ASSESSMENT

Level of risk by likelihood (rows) and consequences (columns):

Likelihood      | Catastrophic | Critical  | Serious | Significant | Minor
Almost certain  | Very high    | Very high | High    | High        | Medium
Very likely     | Very high    | High      | High    | Medium      | Medium
Likely          | High         | High      | Medium  | Medium      | Medium
Rather unlikely | Medium       | Medium    | Medium  | Medium      | Low
Unlikely        | Medium       | Medium    | Medium  | Low         | Low
INFORMATION SECURITY
RISK ASSESSMENT
Repeated information security risk assessments
should produce consistent, valid and comparable
results.
Risk identification approaches: event-based and
asset-based.
THREATS AND VULNERABILITIES

Threats, by category:
Physical threats – Fire; Water; Pollution, harmful radiation.
Natural threats – Climatic phenomenon; Seismic phenomenon; Volcanic phenomenon.
Infrastructure failures – Failure of a supply system; Failure of cooling or ventilation system; Loss of power supply.
Technical failures – Failure of device or system; Saturation of the information system; Violation of information system maintainability.
Human actions – Terror attack, sabotage; Social engineering; Interception of radiation of a device; Remote spying; Eavesdropping; Theft of media or documents.
Compromise of functions or services – Error in use; Abuse of rights or permissions; Forging of rights or permissions; Denial of actions.
Organizational threats – Lack of staff; Lack of resources; Failure of service providers; Violation of laws or regulations.

Vulnerabilities, by category:
Hardware – Insufficient maintenance/faulty installation of storage media; Insufficient periodic replacement schemes for equipment; Susceptibility to humidity, dust, soiling.
Software – No or insufficient software testing; Well-known flaws in the software; No “logout” when leaving the workstation; Disposal or reuse of storage media without proper erasure.
Network – Insufficient mechanisms for the proof of sending or receiving a message; Unprotected communication lines; Unprotected sensitive traffic.
Personnel – Absence of personnel; Inadequate recruitment procedures; Insufficient security training; Inadequate or careless use of physical access control to buildings and rooms.
Site – Location in an area susceptible to flood; Unstable power grid; Insufficient physical protection of the building, doors and windows.
Organization – Formal procedure for user registration and de-registration not developed, or its implementation ineffective; Formal process for access rights review not developed, or its implementation ineffective; Insufficient security provisions in contracts with customers and third parties.

Source: ISO/IEC 27005:2022


RISK OWNERS

Identify risk owners (persons or entities with the accountability and authority to manage risks).
RISK ANALYSIS AND EVALUATION

Risk analysis – assess the possible consequences and the realistic likelihood of the risks identified, to determine the level of risk.
Risk evaluation – compare the results of the risk analysis with the acceptance criteria.

Retain documented information on the information security risk assessment.
INFORMATION SECURITY
RISK TREATMENT

Risk treatment process:
- select appropriate treatment options;
- determine the appropriate controls;
- formulate a risk treatment plan;
- obtain the approval of risk owners for the plan, and acceptance for residual risks.

Risk treatment options:
Avoidance
Modification
Sharing
Retention
INFORMATION
SECURITY
CONTROLS

Preventive

Detective

Corrective
STATEMENT OF APPLICABILITY (SoA)

The statement of applicability contains:
- the necessary controls (including the justification for inclusion and the implementation status);
- the justification for the controls excluded.

Example entries (control | included or not | justification for inclusion | implementation status | justification for exclusion):
5.1 Policies for information security | Included | The control is needed to treat the information security risks identified | Implemented | //
5.2 Information security roles, responsibilities and authorities | Included | The control is needed to treat the information security risks identified | Implemented | //
5.3 Segregation of duties | Included | The control is needed to treat the information security risks identified | Partially implemented | //
8.30 Outsourced development | Not included | // | // | All development is done in house. No outsourcing of system development.
RISK TREATMENT
PLAN
For each information security risk:
- treatment option(s);
- actions to treat the risk;
- status of implementation;
- responsibilities, resources, timeframes.
INFORMATION SECURITY
RISK TREATMENT

Residual risk – the risk that remains after treatment (accepted by the risk owner).

Retain documented information about the risk treatment process.
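The risk assessment, evaluation and treatment steps above, carried through in code. This is an added example and not part of the original slides: it encodes the consequences/likelihood matrix exactly as printed on the risk assessment slide, then runs a constructed risk register through risk analysis (level of risk), risk evaluation (comparison with an acceptance criterion) and risk modification, reporting the residual level the risk owner has to accept. The acceptance criterion (Low and Medium may be retained), the sample register, the risk owners and the assumed effect of the chosen control are all assumptions made for this example; ratings outside the two defined scales are rejected so that repeated assessments stay consistent and comparable.

```python
"""Risk analysis, evaluation and treatment with the 5x5 matrix from the slides.

Added example, not from the original presentation. The acceptance criterion,
the sample register, the risk owners and the effect of the chosen control are
assumptions made for this example.
"""
from dataclasses import dataclass, replace

CONSEQUENCES = ["Catastrophic", "Critical", "Serious", "Significant", "Minor"]
LIKELIHOODS = ["Almost certain", "Very likely", "Likely", "Rather unlikely", "Unlikely"]

# Rows: likelihood. Columns: consequences, in the order of CONSEQUENCES.
# Cell values are those of the matrix on the slide.
MATRIX = {
    "Almost certain":  ["Very high", "Very high", "High",   "High",   "Medium"],
    "Very likely":     ["Very high", "High",      "High",   "Medium", "Medium"],
    "Likely":          ["High",      "High",      "Medium", "Medium", "Medium"],
    "Rather unlikely": ["Medium",    "Medium",    "Medium", "Medium", "Low"],
    "Unlikely":        ["Medium",    "Medium",    "Medium", "Low",    "Low"],
}

# Assumed risk acceptance criterion: Low and Medium may be retained as they are;
# High and Very high must be treated.
ACCEPTABLE = {"Low", "Medium"}


def risk_level(consequence: str, likelihood: str) -> str:
    """Risk analysis: level of risk for a (consequence, likelihood) pair.
    Ratings outside the defined scales are rejected rather than guessed."""
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence rating: {consequence!r}")
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    return MATRIX[likelihood][CONSEQUENCES.index(consequence)]


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str            # ISO/IEC 27005 threat vocabulary
    vulnerability: str     # ISO/IEC 27005 vulnerability vocabulary
    owner: str             # risk owner: accountable for accepting residual risk
    consequence: str
    likelihood: str

    @property
    def level(self) -> str:
        return risk_level(self.consequence, self.likelihood)


def evaluate(risks):
    """Risk evaluation: split the register into risks needing treatment and
    risks that meet the acceptance criterion and may be retained."""
    needs_treatment, may_retain = [], []
    for r in risks:
        (may_retain if r.level in ACCEPTABLE else needs_treatment).append(r)
    return needs_treatment, may_retain


def modify(risk: Risk, *, likelihood=None, consequence=None) -> Risk:
    """Risk modification: a control lowers likelihood and/or consequence.
    The returned Risk is the residual risk, still to be accepted by the owner."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   consequence=consequence or risk.consequence)


# Constructed sample register (not real data).
REGISTER = [
    Risk("Customer database", "Abuse of rights or permissions",
         "Formal process for access rights review not developed",
         "Head of IT", "Serious", "Very likely"),
    Risk("Office file server", "Loss of power supply", "Unstable power grid",
         "Facilities manager", "Significant", "Rather unlikely"),
    Risk("Laptops", "Theft of media or documents",
         'No "logout" when leaving the workstation',
         "Head of IT", "Critical", "Very likely"),
]


def treatment_plan(register=REGISTER, steps_down=2):
    """Draft a treatment plan: one entry per risk above the acceptance criterion.
    The chosen control is assumed to lower the likelihood by `steps_down` steps
    on the scale; the residual level is recomputed from the matrix."""
    needs_treatment, may_retain = evaluate(register)
    plan = []
    for r in needs_treatment:
        idx = min(LIKELIHOODS.index(r.likelihood) + steps_down, len(LIKELIHOODS) - 1)
        residual = modify(r, likelihood=LIKELIHOODS[idx])
        plan.append({
            "asset": r.asset,
            "risk_owner": r.owner,
            "option": "Modification",
            "level_before": r.level,
            "residual_level": residual.level,
            # Still above the criterion after treatment: needs further treatment
            # or an explicit, documented acceptance by the risk owner.
            "still_above_criterion": residual.level not in ACCEPTABLE,
        })
    return plan, [r.asset for r in may_retain]
```

Calling `treatment_plan()` on the constructed register puts the customer database and the laptops (both High) into the plan with a residual level of Medium, and lists the file server (Medium) as retainable. Keeping the matrix and the acceptance criterion as data rather than as ad hoc judgement is what makes repeated assessments produce comparable results.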
INFORMATION SECURITY OBJECTIVES
Establish information security objectives at relevant functions and levels. The objectives shall:
- be consistent with the policy;
- be measurable (if practicable);
- take into consideration applicable requirements;
- be monitored, communicated and updated (as appropriate).
INFORMATION SECURITY OBJECTIVES
Plan for the achievement of information security objectives:
- What will be done?
- What resources are necessary?
- Who will be responsible?
- When will each objective be completed?
- How will the results be evaluated?

Retain documented information on the information security objectives.
PLANNING OF
CHANGES

Changes to the ISMS shall be carried out in a planned manner, to avoid unwanted consequences.
RESOURCES

Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.
COMPETENCE

Define requirements.
Ensure competency (education, training, experience).
Act to improve or maintain competence.
Evaluate the effectiveness of actions.

Retain documented information (evidence of competence).
AWARENESS

Personnel shall be aware of:
- the information security policy;
- their contribution to the ISMS and the benefits of improved security performance;
- the implications of not conforming to requirements.
COMMUNICATION

Determine the need for internal and external communications relevant for the ISMS:
On what?
When?
With whom?
How?
DOCUMENTED INFORMATION

The ISMS documentation includes:
- documents required by ISO/IEC 27001;
- documents not required by the standard but necessary for the ISMS.
CREATING AND UPDATING ISMS
DOCUMENTS

Identification and description
Format
Review and approval
CONTROL OF DOCUMENTED
INFORMATION

Documents shall be controlled to protect them from improper use and from loss of confidentiality or integrity, and to ensure that they are available and suitable for use where and when needed.
CONTROLS FOR DOCUMENTED INFORMATION

Distribution
Access
Retrieval
Use
Storage and preservation
Version control
Retention
Secure disposition
OPERATIONAL
PLANNING AND
CONTROL
The organization shall plan, implement
and control the processes needed to
meet requirements.
Control changes.
Control externally provided processes,
products or services.
INFORMATION SECURITY
RISK ASSESSMENT AND TREATMENT
Conduct information security risk assessments at planned intervals (e.g., once per year) and when significant changes occur.

Implement the information security risk treatment plan.


MONITORING, MEASUREMENT,
ANALYSIS AND EVALUATION
Determine:
- what needs to be monitored and measured;
- the methods;
- when to monitor and measure;
- who is responsible;
- when the results are analyzed and evaluated.

ISO/IEC 27004 – Monitoring, measurement, analysis and evaluation.

Retain documented information as evidence of the results.
INTERNAL AUDIT

Conduct internal audits of the ISMS at planned intervals.
AUDIT PROGRAMME

Plan, establish, implement and maintain an internal audit programme.

Consider the importance of processes and the results of previous audits.
THE INTERNAL AUDIT OF THE ISMS

Select objective auditors.
Elaborate an audit plan for each audit.
Report the results to the relevant management.

ISO 19011 – Guidelines for auditing management systems.

Retain documented information as evidence of internal audits.
MANAGEMENT REVIEW

Conduct management reviews at planned intervals, to ensure that the ISMS continues to be suitable, adequate and effective.
INPUTS AND RESULTS

INPUTS:
- Status of actions from previous reviews.
- Changes to the context of the organization.
- Feedback on the information security performance.
- Feedback from interested parties.
- Results of the risk assessment and the status of the risk treatment plan.
- Opportunities for improvement.

RESULTS:
- Decisions related to continual improvement.
- Changes to the ISMS.

Retain documented information on the results of management reviews.
CONTINUAL IMPROVEMENT

Continually improve the suitability, adequacy and effectiveness of the ISMS.
NONCONFORMITY
AND CORRECTIVE
ACTION

Nonconformity – non-fulfilment
of a requirement.
MANAGING NONCONFORMITIES

React – correct and control the situation, deal with the consequences.
Investigate – evaluate the need for corrective action(s).
Identify the cause – propose corrective action(s).
Evaluate – evaluate the effectiveness of the corrective action(s).

Retain documented information on nonconformities and corrective actions.
INFORMATION SECURITY CONTROLS

Annex A of ISO/IEC 27001:2022

93 information security controls in 4 themes (or categories):
Organizational controls
People controls
Physical controls
Technological controls
POLICIES FOR INFORMATION SECURITY

Organizational control 5.1 Policies for information security
Define an information security policy and topic-specific policies, have them approved by management, publish them, communicate them to relevant personnel and interested parties, and have them acknowledged. Review the policies at planned intervals and when significant changes occur.

A high-level information security policy supported by topic-specific policies on different subjects (e.g., incident management, access control, backup, asset management, etc.).
INFORMATION SECURITY ROLES AND RESPONSIBILITIES

Organizational control 5.2 Information security roles and responsibilities
Define and allocate roles and responsibilities for information security, according to the needs of the organization.

Communicate roles and responsibilities for information security and ensure they are understood.
SEGREGATION OF DUTIES

Organizational control 5.3 Segregation of duties
Segregate conflicting duties and areas of responsibility.

Avoid the situation where a single person has full control.
Consider key transactions, relationships or activities.
MANAGEMENT RESPONSIBILITIES

Organizational control 5.4 Management responsibilities
Management shall require all personnel to apply information security according to the policies and procedures of the organization.

Top management plays a key role for information security.

CONTACT WITH AUTHORITIES

Organizational control 5.5 Contact with authorities
Establish and maintain contact with relevant authorities.

To prepare for upcoming legal changes, to improve legal and regulatory compliance and to be of use in case of security incidents.
CONTACT WITH SPECIAL INTEREST GROUPS

Organizational control 5.6 Contact with special interest groups
Establish and maintain contacts with special interest groups, security forums or professional associations.

To stay informed about threats or security best practices and to get support when dealing with a security incident.
THREAT INTELLIGENCE

Organizational control 5.7 Threat intelligence
Collect and analyze information relating to information security threats to produce threat intelligence.

Produce threat intelligence or rely on external parties (consultants, governmental agencies, etc.). Share threat intelligence with others.
INFORMATION SECURITY IN PROJECT MANAGEMENT

Organizational control 5.8 Information security in project management
Integrate information security into project management.

Treat information security as an integral part of any kind of project undertaken by the organization.
INVENTORY OF INFORMATION
AND OTHER ASSOCIATED ASSETS

Organizational control 5.9 Inventory of information and other associated assets
Develop and maintain an inventory of information and other associated assets, including owners.

Assets shall be included in one or several inventories and shall have an owner.

ACCEPTABLE USE OF INFORMATION
AND OTHER ASSOCIATED ASSETS

Organizational control 5.10 Acceptable use of information and other associated assets
Identify, document and implement rules for the acceptable use and procedures for handling information and other associated assets.

Consider a topic-specific policy on the acceptable use of information and other associated assets.
RETURN OF ASSETS

Organizational control 5.11 Return of assets
Ensure personnel and other interested parties return the assets in their possession and belonging to the organization, when their employment, contract or agreement is terminated or changed.

Prevent confidential information being left on devices and restrict access to data for those ending or changing their relationship with the organization.
CLASSIFICATION OF INFORMATION

Organizational control 5.12 Classification of information
Classify information in accordance with the information security needs of the organization, based on confidentiality, integrity, availability and the relevant requirements of interested parties.

Consider a topic-specific policy on information classification.
Adopt a classification scheme (e.g., Confidential, Restricted, Internal use, Public).
LABELLING OF INFORMATION

Organizational control 5.13 Labelling of information
Develop and implement an appropriate set of procedures for information labelling, in accordance with the classification scheme adopted.

Labelling ensures that persons in the organization are aware of the classification of the information they use.
Labelling applies to information on any medium.
INFORMATION TRANSFER
Organizational control 5.14 Information transfer
Ensure that rules, procedures or agreements are in place for the transfer of information within the organization and between the organization and other parties, for all types of transfer facilities.

Apply controls in line with the classification of the information transferred.
Consider the transfer of information on electronic and paper media, as well as the verbal transfer of information.
ACCESS CONTROL
Organizational control 5.15 Access control
Rules to control the physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Consider a topic-specific policy on access control to define principles, generic provisions, rules or responsibilities.

Access control models: MAC – Mandatory Access Control; DAC – Discretionary Access Control; RBAC – Role-Based Access Control; ABAC – Attribute-Based Access Control.
IDENTITY MANAGEMENT

Organizational control 5.16 Identity management
The full life cycle of identities shall be managed.

Identity management should allow for the unique identification of persons and systems accessing information assets, and it should enable the appropriate assignment of access rights.
AUTHENTICATION INFORMATION

Organizational control 5.17 Authentication information
Control the allocation and management of authentication information with a management process, including advising personnel on the appropriate handling of authentication information.

Consider the allocation of authentication information, the responsibilities of users and a password management system.
ACCESS RIGHTS
Organizational control 5.18 Access rights
Provide, review, modify and remove access rights to information and other associated
assets in accordance with the topic-specific policy and rules on access control.

Ensure that only authorized users have access to information and associated assets.
Separate the approval of access rights from their implementation.
Review access rights periodically and make the necessary adjustments.
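A periodic access rights review of the kind the control asks for, written as an added example (not part of the original slides). It compares the rights a system actually holds with the rights the access rights process approved, and flags the four discrepancies a reviewer looks for: access with no approval on record, access still held by a leaver (also the point of controls 5.11 and 6.5), approvals where the approver is the beneficiary or the person who implemented the grant (the separation of approval from implementation stated above), and approvals that were never provisioned. The record layout, the sample users, approvals and grants, and the self-approval rule are assumptions for this example; in practice the grants come from an export of the target system and the approvals from the access-request workflow.

```python
"""Periodic access rights review (Annex A control 5.18).

Added example, not from the original presentation. The record layout, the
sample data and the rule that an approver may be neither the beneficiary nor
the implementer of a grant are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:          # what the access rights process authorised
    user: str
    resource: str
    right: str
    approved_by: str


@dataclass(frozen=True)
class Grant:             # what the target system actually holds
    user: str
    resource: str
    right: str
    implemented_by: str


# Constructed sample data (not real accounts or systems).
USERS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}

APPROVALS = [
    Approval("alice", "crm-db", "read", approved_by="mgr1"),
    Approval("bob", "crm-db", "admin", approved_by="bob"),      # self-approved
    Approval("carol", "crm-db", "read", approved_by="mgr1"),
    Approval("dave", "hr-share", "write", approved_by="mgr2"),  # never provisioned
]

GRANTS = [
    Grant("alice", "crm-db", "read", implemented_by="itops1"),
    Grant("alice", "crm-db", "admin", implemented_by="itops1"),  # no approval on record
    Grant("bob", "crm-db", "admin", implemented_by="bob"),       # approved and implemented by bob
    Grant("carol", "crm-db", "read", implemented_by="itops1"),   # leaver still has access
]


def review_access(users, approvals, grants):
    """Compare granted rights with approved rights; return findings per rule.
    Keys are (user, resource, right) triples."""
    approved = {(a.user, a.resource, a.right): a for a in approvals}
    granted = {(g.user, g.resource, g.right): g for g in grants}
    findings = {"unapproved": [], "leaver": [], "no_separation": [], "not_provisioned": []}
    for key, g in granted.items():
        a = approved.get(key)
        if a is None:
            findings["unapproved"].append(key)       # access without an approval record
        elif a.approved_by in (g.implemented_by, g.user):
            findings["no_separation"].append(key)    # approver implemented it or benefits from it
        if users.get(g.user) != "active":
            findings["leaver"].append(key)           # rights not removed on termination
    for key in approved:
        if key not in granted:
            findings["not_provisioned"].append(key)  # approved but never implemented
    return findings


def adjustments(findings):
    """Turn the findings into the adjustments the review has to trigger."""
    actions = []
    # dict.fromkeys de-duplicates a grant that is both unapproved and held by a leaver
    for key in dict.fromkeys(findings["unapproved"] + findings["leaver"]):
        actions.append(("revoke", key))
    for key in findings["no_separation"]:
        actions.append(("re-approve by an independent approver", key))
    for key in findings["not_provisioned"]:
        actions.append(("confirm still needed, then provision or withdraw approval", key))
    return actions
```

On the sample data the review revokes alice's unapproved admin right and carol's leftover read access, sends bob's self-approved admin right back for independent approval, and queries dave's unprovisioned approval; the approval record, not the system export, is the reference the review measures against.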
INFORMATION SECURITY IN
SUPPLIER RELATIONSHIPS
Organizational control 5.19 Information security in supplier relationships
Define and implement processes and procedures to manage the information security risks that are associated with the use of products and services obtained from suppliers.

Consider a topic-specific policy to describe principles, requirements and basic security controls that suppliers are expected to apply.
INFORMATION SECURITY WITHIN
SUPPLIER AGREEMENTS
Organizational control 5.20 Addressing information security within supplier agreements
Establish and agree with each supplier relevant information security requirements based on the type of supplier relationship.

Include information security requirements in the contracts or agreements.
INFORMATION SECURITY IN
THE ICT SUPPLY CHAIN

Organizational control 5.21 Managing information security in the information and communication technology (ICT) supply chain
Define and implement processes and procedures to manage the information security risks associated with the ICT products and services supply chain.

Require suppliers to propagate appropriate security practices throughout the supply chain.
Work with suppliers to solve issues and share information about products and services.
MONITORING, REVIEW AND CHANGE
MANAGEMENT OF SUPPLIER SERVICES

Organizational control 5.22 Monitoring, review and change management of supplier services
Regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Ensure that services maintain an agreed level and that changes to services do not have a negative impact on information security.
INFORMATION SECURITY FOR USE OF
CLOUD SERVICES
Organizational control 5.23 Information security for use of cloud services
Establish processes for the acquisition, use, management and exit from cloud services in accordance with the information security requirements of the organization.

Consider a topic-specific policy for principles and generic requirements on the use of cloud services.
As necessary, do a risk assessment and implement controls to address the security risks in relation to the use of cloud services.
INCIDENT MANAGEMENT
PLANNING AND PREPARATION
Organizational control 5.24 Information security incident management
planning and preparation
Plan and prepare for managing information security incidents by defining, establishing and
communicating information security incident management processes, roles and responsibilities.

Event ≠ Incident
Method for reporting information security events.
Process for managing information security incidents.
ASSESSMENT AND DECISION

Organizational control 5.25 Assessment and decision on information security events
Assess information security events and decide if they will be categorized as incidents.

Triage of events to determine which events represent information security incidents.
RESPONSE TO INCIDENTS

Organizational control 5.26 Response to information security incidents
Respond to information security incidents in accordance with documented procedures.

Limit the impact.
Coordinate with other parties.
Escalate, if necessary.
Collect evidence.
Document the incident.
Identify weaknesses and vulnerabilities.

ISO/IEC 27035 – Information security incident management.
LEARNING FROM SECURITY INCIDENTS
Organizational control 5.27 Learning from information security incidents
Use the knowledge gained from information security incidents to strengthen and
improve the information security controls.

The lessons learned while dealing with security incidents can prove
useful for preventing future incidents and for improving the response of
the organization.
COLLECTION OF EVIDENCE

Organizational control 5.28 Collection of evidence
Establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Collected evidence may help the organization in case of a contractual dispute or investigation.
Consider the competence of those involved in the collection and protection of evidence.

ISO/IEC 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence.
INFORMATION SECURITY DURING DISRUPTION

Organizational control 5.29 Information security during disruption
Plan how to maintain information security at an appropriate level during disruption.

Prepare to maintain an adequate level of information security in case of a major incident.
ICT READINESS FOR BUSINESS CONTINUITY

Organizational control 5.30 ICT readiness for business continuity
Plan, implement, maintain and test ICT readiness based on the business continuity objectives and ICT continuity requirements.

Key activities rely on ICT (Information and Communication Technology).
Understand ICT readiness requirements and address the risks of prioritized activities being disrupted.
LEGAL, STATUTORY, REGULATORY AND
CONTRACTUAL REQUIREMENTS

Organizational control 5.31 Legal, statutory, regulatory and contractual requirements
Identify, document and keep up to date the legal, statutory, regulatory and contractual requirements relevant for information security, along with the organization’s approach to meet them.

Assign responsibilities for identifying and keeping up to date the legal, statutory, regulatory and contractual requirements that refer to information security.
INTELLECTUAL PROPERTY RIGHTS
Organizational control 5.32 Intellectual property rights
Implement appropriate procedures to protect intellectual property rights.

Consider a topic-specific policy to outline the commitment for the protection of intellectual property rights.
PROTECTION OF RECORDS

Organizational control 5.33 Protection of records
Protect records from loss, destruction, falsification, unauthorized access and unauthorized release.

Establish a retention schedule for the records generated.
Implement rules for the storage, handling or disposal of records.
PRIVACY AND PROTECTION OF PII

Organizational control 5.34 Privacy and protection of personally identifiable information (PII)
Identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws, regulations and contractual requirements.

Identify the applicable legislation, regulations and contractual requirements and ensure compliance.
INDEPENDENT REVIEW OF INFORMATION SECURITY

Organizational control 5.35 Independent review of information security
Review independently, at planned intervals and whenever significant changes occur, the approach to managing information security and its implementation, including people, processes and technology.

The reviews should be conducted by competent persons who are independent from the activities reviewed.
COMPLIANCE WITH POLICIES,
RULES AND STANDARDS

Organizational control 5.36 Compliance with policies, rules and standards for information security
Regularly review compliance with the organization’s information security policy, topic-specific policies, rules and standards.

The reviews should be conducted by managers, product, service or information owners. Consider inspections, observation or the use of automated tools.
DOCUMENTED OPERATING PROCEDURES

Organizational control 5.37 Documented operating procedures
Document operating procedures for information processing facilities and make them available to the personnel who need them.

Consider documenting procedures for activities to be performed by many employees in the same way, for activities performed rarely, when activities are transferred to new personnel, or for new activities.
SCREENING

People control 6.1 Screening
Carry out background checks on all candidates to become personnel before joining the
organization and on an ongoing basis, considering the applicable laws, regulations and
ethics. The checks must be proportional to the business requirements, the perceived risks and
the classification of information to be accessed.

To prevent hiring the wrong person and to ensure personnel remain suitable for the job.
The screening applies to all who work for the company (employees, consultants,
freelancers, temporary staff, etc.).
TERMS AND CONDITIONS FOR EMPLOYMENT

People control 6.2 Terms and conditions of employment
Include in the employment contractual agreements the personnel’s and the
organization’s responsibilities for information security.

Consider for inclusion in contracts the rules for access control, return of assets,
protection of information in accordance with its classification level, the transfer
of information, the relationship with suppliers, non-disclosure requirements or a
mention of the disciplinary process.
AWARENESS, TRAINING AND EDUCATION
People control 6.3 Information security awareness, training and education
Ensure that personnel and relevant interested parties receive appropriate information security
awareness, education and training, and regular updates of the organization’s information
security policy, topic-specific policies and procedures, as relevant for their job functions.

Awareness refers to all who work for the organization, and it should focus also
on “why” and not only on “what”.
The education and training refer mainly to the technical personnel who need
specific knowledge and skills.
DISCIPLINARY PROCESS

People control 6.4 Disciplinary process
Establish and communicate a disciplinary process to take actions against personnel and other
interested parties who have committed an information security policy violation.

Everyone in the organization should be aware of the disciplinary process.
It may also include rewards for those who demonstrate excellent
information security behavior.
TERMINATION OR CHANGE OF EMPLOYMENT

People control 6.5 Responsibilities after termination or change of employment
Define, enforce and communicate to relevant personnel and interested parties the information
security responsibilities and duties that remain valid after termination or change of
employment.

Determine if there are confidentiality requirements that extend beyond
the period of employment.
Apply a similar process for the change of employment.
CONFIDENTIALITY OR NON-DISCLOSURE AGREEMENTS

People control 6.6 Confidentiality or non-disclosure agreements
Personnel and other interested parties shall sign confidentiality or non-disclosure
agreements that reflect the organization’s needs for protecting information.

Consider that there may be different confidentiality requirements for the
different positions in the organization.
REMOTE WORKING

People control 6.7 Remote working
Implement security measures when personnel are working remotely to protect the
information accessed, processed or stored outside the organization’s premises.

Consider a topic-specific policy for remote working, supported by
procedure(s) to detail how the security risks associated with working
remotely are to be managed.
EVENT REPORTING

People control 6.8 Information security event reporting
Provide a mechanism for personnel to report observed or suspected information
security events in a timely manner, through appropriate channels.

Establish an accessible and easy to understand system for
personnel to report information security events.
PHYSICAL SECURITY PERIMETERS

Physical control 7.1 Physical security perimeters
Define and use security perimeters to protect areas that contain
information and other associated assets.

Not all areas of the organization have the same importance in terms
of information security.
PHYSICAL ENTRY

Physical control 7.2 Physical entry
Protect secure areas by appropriate entry controls and access points.

Control physical access to the organization’s premises.
SECURING OFFICES, ROOMS AND FACILITIES

Physical control 7.3 Securing offices, rooms and facilities
Design and implement physical security for offices, rooms and facilities.

The controls intended to protect information and
associated assets from unauthorized access should be
appropriate to the specifics of the organization.
PHYSICAL SECURITY MONITORING

Physical control 7.4 Physical security monitoring
Monitor premises continuously for unauthorized physical access.

Choose the appropriate monitoring solutions (e.g., guards,
intruder alarms, video monitoring, etc.).
PHYSICAL AND ENVIRONMENTAL THREATS

Physical control 7.5 Protecting against physical and environmental threats
Design and implement protection against physical and environmental threats like natural
disasters and other intentional or unintentional physical threats to infrastructure.

Consider a risk assessment focused on physical and environmental threats before
starting critical operations in a new location.
WORK IN SECURE AREAS

Physical control 7.6 Working in secure areas
Design and implement security measures for working in secure areas.

Secure areas require special protection measures because of the
sensitive, critical or confidential activities undertaken there.
CLEAR DESK AND CLEAR SCREEN

Physical control 7.7 Clear desk and clear screen
Define and enforce clear desk rules for papers and removable storage
media, and clear screen rules for information processing facilities.

Consider a topic-specific policy for clear desk and clear screen.
EQUIPMENT SITING AND PROTECTION

Physical control 7.8 Equipment siting and protection
Equipment must be sited securely and protected.

Protect equipment from unauthorized access and from
physical and environmental threats.
SECURITY OF ASSETS OFF-PREMISES

Physical control 7.9 Security of assets off-premises
Protect assets off-site.

Apply protection measures for equipment that is intended to work
outside (e.g., antennas, ATMs, etc.).
Implement rules for taking assets outside the organization.
STORAGE MEDIA

Physical control 7.10 Storage media
Manage storage media through their life cycle of acquisition, use, transportation and disposal in
accordance with the organization’s classification scheme and handling requirements.

Consider a topic-specific policy on the use and handling of removable media.
Address the risks associated with the use of removable storage media (theft, loss,
damage, confidential information being disclosed, malware infection, etc.).
SUPPORTING UTILITIES

Physical control 7.11 Supporting utilities
Protect information processing facilities from power failures and other
disruptions caused by failures in supporting utilities.

Configure and maintain utility systems in
accordance with the legislation and regulations.
Inspect utility systems periodically.
Implement redundancy, whenever possible.
CABLING SECURITY

Physical control 7.12 Cabling security
Protect cables carrying power, data or supporting information services from
interception, interference or damage.

Prevent interruptions to operations and the theft or loss
of important information by protecting cables.
EQUIPMENT MAINTENANCE

Physical control 7.13 Equipment maintenance
Maintain equipment correctly to ensure the availability, integrity and
confidentiality of information.

Equipment maintenance should be done at specified intervals, in
accordance with specifications, by authorized personnel.
SECURE DISPOSAL OR RE-USE OF EQUIPMENT

Physical control 7.14 Secure disposal or re-use of equipment
Verify items of equipment containing storage media to ensure that any sensitive
data and licensed software has been removed or securely overwritten prior to
disposal or re-use.

Physically destroy storage media, or encrypt or wipe any information so
that it cannot be retrieved.
USER END POINT DEVICES

Technological control 8.1 User end point devices
Protect the information that is stored on, processed by or accessible via
user end point devices.

Consider a topic-specific policy on the use of end point devices.
Raise user awareness of the security aspects of using end point devices.
Establish BYOD (Bring Your Own Device) rules and requirements.
PRIVILEGED ACCESS RIGHTS

Technological control 8.2 Privileged access rights
Restrict and manage the allocation and use of privileged access rights.

The uncontrolled allocation of access privileges may lead to security
breaches.
Periodically (and in case of significant changes) review privileged
access rights.
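A periodic review of privileged access rights, as an added example that is not part of the original presentation: it walks a constructed access register and flags rights held by leavers, rights whose re-approval is overdue and privileges nobody has used. The register, the 90-day review interval and the 60-day dormancy threshold are assumptions; the standard leaves these values to the organization.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed review cadence and dormancy threshold; the standard leaves the
# values to the organization's access control policy.
REVIEW_INTERVAL = timedelta(days=90)
DORMANT_AFTER = timedelta(days=60)
REVIEW_DATE = date(2024, 6, 1)   # the day this review run is executed


@dataclass
class PrivilegedRight:
    account: str
    system: str
    right: str
    granted: date
    last_reviewed: Optional[date]   # None: never re-approved since granting
    last_used: Optional[date]       # None: never exercised since granting
    holder_active: bool             # False once HR records a leaver or role change


# Constructed sample register (hypothetical accounts and systems).
SAMPLE_REGISTER = [
    PrivilegedRight("alice", "erp-prod", "db_admin",
                    date(2024, 1, 15), date(2024, 4, 20), date(2024, 5, 30), True),
    PrivilegedRight("bob", "erp-prod", "db_admin",
                    date(2023, 11, 1), None, date(2024, 5, 28), True),
    PrivilegedRight("carol", "hr-db", "sysadmin",
                    date(2024, 3, 1), date(2024, 3, 1), date(2024, 3, 5), True),
    PrivilegedRight("dave", "fw-01", "enable",
                    date(2023, 9, 10), date(2024, 5, 15), date(2024, 5, 31), False),
]

Finding = Tuple[str, str, str, str]   # account, system, right, action


def review_privileged_rights(register: List[PrivilegedRight],
                             today: date) -> List[Finding]:
    """Return the privileged rights that need an owner's decision.

    Three conditions are checked, in order of urgency: the holder is no
    longer active (revoke now), the periodic re-approval is overdue, and
    the right has not been exercised for a long time (least privilege:
    a privilege nobody uses should not stay allocated).
    """
    findings: List[Finding] = []
    for r in register:
        if not r.holder_active:
            findings.append((r.account, r.system, r.right,
                             "holder left or changed role: revoke"))
            continue
        last_review = r.last_reviewed or r.granted
        if today - last_review > REVIEW_INTERVAL:
            findings.append((r.account, r.system, r.right,
                             "review overdue: re-approve or revoke"))
        last_use = r.last_used or r.granted
        if today - last_use > DORMANT_AFTER:
            findings.append((r.account, r.system, r.right,
                             "dormant privilege: consider removal"))
    return findings


if __name__ == "__main__":
    for f in review_privileged_rights(SAMPLE_REGISTER, REVIEW_DATE):
        print("%-6s %-9s %-9s %s" % f)
```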
INFORMATION ACCESS RESTRICTION

Technological control 8.3 Information access restriction
Restrict access to information and other associated assets in accordance
with the topic-specific policy on access control.

Allow only authorized access to information and prevent unauthorized
access.
Consider dynamic access management techniques and processes.
ACCESS TO SOURCE CODE

Technological control 8.4 Access to source code
Manage appropriately the read and write access to source code,
development tools and software libraries.

Establish rules for managing access to program source code.
SECURE AUTHENTICATION

Technological control 8.5 Secure authentication
Implement secure authentication technologies and procedures based on the
information access restrictions and the topic-specific policy on access control.

Authenticate users who request access to information and correlate the strength
of authentication with the classification of the information to be accessed.
CAPACITY MANAGEMENT

Technological control 8.6 Capacity management
Monitor and adjust the use of resources in line with current and expected
capacity requirements.

Maintain availability, avoid bottlenecks and support growth.
Test systems and services to confirm there is sufficient capacity for peak periods.
Document a capacity plan for critical systems.
PROTECTION AGAINST MALWARE

Technological control 8.7 Protection against malware
Protection against malware must be implemented and supported by
appropriate user awareness.

Prevention and detection software + user awareness +
system access rules + change management controls.
MANAGEMENT OF TECHNICAL VULNERABILITIES

Technological control 8.8 Management of technical vulnerabilities
Obtain information about technical vulnerabilities of information systems in
use, evaluate exposure to such vulnerabilities and take appropriate measures.

Obtain information from reliable sources about technical
vulnerabilities and address them, as appropriate.
CONFIGURATION MANAGEMENT

Technological control 8.9 Configuration management
Establish, document, implement, monitor and review configurations (including
security configurations) of hardware, software, services and networks.

Maintain assets in a desired, consistent state, working as
intended with the appropriate security settings and features.
Define standard templates for security configurations
of hardware, software, networks or services.
INFORMATION DELETION

Technological control 8.10 Information deletion
Ensure that information stored on information systems, devices and in
any other storage media is deleted when no longer required.

Consider a topic-specific policy on data retention.
Select an appropriate deletion method.
Pass the information deletion requirements to subcontractors and
other third parties, as appropriate.
DATA MASKING

Technological control 8.11 Data masking
Use data masking in accordance with the topic-specific policy on access control
and other related topic-specific policies and business requirements, considering the
applicable legislation.

Consider pseudonymization, anonymization and other data
masking techniques, depending on the requirements applicable.
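Pseudonymization beside anonymization, as an added example not taken from the presentation: the keyed-hash pseudonym keeps one person's records linkable but can be tied back to the person only by whoever holds the key, while the generalized record has no identifier left to reverse at all. The customer records and the key are constructed values.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed sample records (hypothetical customers, example.com addresses).
SAMPLE_RECORDS = [
    {"name": "Ana Ionescu", "email": "Ana.Ionescu@example.com",
     "birth_year": 1987, "postcode": "010011", "purchase_total": 1240.50},
    {"name": "Mihai Pop", "email": "mihai.pop@example.com",
     "birth_year": 1992, "postcode": "400001", "purchase_total": 310.00},
]
DIRECT_IDENTIFIERS = ("name", "email")

# Assumed: the pseudonymization key is held by the data controller only and
# stored apart from the masked data set; it is what makes re-identification possible.
DEMO_KEY = b"constructed-demo-key-replace-via-key-management"


def pseudonymize(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Replace direct identifiers with a keyed token.

    HMAC rather than a plain hash: without the key nobody can rebuild the
    token from a guessed e-mail address. The token is stable per person,
    so records of one person stay linkable for analytics or test data.
    """
    subject = record["email"].strip().lower().encode()
    token = hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


def anonymize(record: Dict[str, Any], current_year: int = 2024) -> Dict[str, Any]:
    """Drop direct identifiers and generalize quasi-identifiers.

    No key and no lookup table exist, so the result is not meant to be
    reversible: birth year becomes a ten-year age band and the postcode
    keeps only its area prefix.
    """
    age = current_year - record["birth_year"]
    band_start = age // 10 * 10
    return {
        "age_band": f"{band_start}-{band_start + 9}",
        "postcode_area": record["postcode"][:2],
        "purchase_total": record["purchase_total"],
    }


def contains_direct_identifier(record: Dict[str, Any]) -> bool:
    """Release check: a masked record must carry none of the direct identifiers."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(pseudonymize(r, DEMO_KEY))
        print(anonymize(r))
```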
DATA LEAKAGE PREVENTION

Technological control 8.12 Data leakage prevention
Apply data leakage prevention measures to systems, networks and any
devices that process, store or transmit sensitive information.

Identify sensitive information that can be subject to leakage,
monitor potential data leakage channels, and apply tools to
detect and prevent data leakage.
INFORMATION BACKUP

Technological control 8.13 Information backup
Maintain and regularly test backup copies of information, software and
systems, in accordance with the topic-specific policy on backup.

Establish a topic-specific policy on information backup.
Define requirements for types of backups, frequency or backup storage location(s).
REDUNDANCY OF INFORMATION PROCESSING FACILITIES

Technological control 8.14 Redundancy of information processing facilities
Implement sufficient redundancy for information processing facilities to meet
availability requirements.

Ensure a similar level of protection for redundant components.
Test periodically the functioning of redundant components.
LOGGING

Technological control 8.15 Logging
Produce, store, protect and analyze logs that record activities, exceptions,
faults and other relevant events.

Consider a topic-specific policy on logging.
Ensure sufficient storage space and protection measures for logs.
Analyze logs for indications of compromised security.
MONITORING ACTIVITIES

Technological control 8.16 Monitoring activities
Monitor networks, systems and applications for anomalous behavior and act, as
appropriate, to evaluate potential information security incidents.

Establish a baseline to determine anomalous behavior.
Decide what to monitor and how.
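The baseline and log-analysis steps named under 8.15 and 8.16, as an added example that is not the presentation's own material: it learns each user's usual source addresses and logon hours from a constructed batch of authentication log lines, then flags new sources, off-hours logons, failed-logon bursts and users with no baseline. The log format, hosts and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (hypothetical VPN gateway, RFC 5737 test addresses).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$")
BASELINE_LOG = [  # learning window: activity already known to be legitimate
    "2024-05-06T08:02:11Z host=vpn1 user=alice src=203.0.113.7 result=ok",
    "2024-05-08T17:48:03Z host=vpn1 user=alice src=203.0.113.7 result=ok",
    "2024-05-06T09:30:00Z host=vpn1 user=bob src=198.51.100.22 result=ok",
    "2024-05-07T10:05:19Z host=vpn1 user=bob src=198.51.100.22 result=ok",
]
NEW_LOG = [  # the batch to analyze against the baseline
    "2024-06-03T08:12:04Z host=vpn1 user=alice src=203.0.113.7 result=ok",
    "2024-06-03T08:40:51Z host=vpn1 user=alice src=192.0.2.99 result=ok",
    "2024-06-03T02:10:00Z host=vpn1 user=bob src=198.51.100.22 result=ok",
    "2024-06-03T11:00:01Z host=vpn1 user=bob src=198.51.100.22 result=fail",
    "2024-06-03T11:00:09Z host=vpn1 user=bob src=198.51.100.22 result=fail",
    "2024-06-03T11:00:20Z host=vpn1 user=bob src=198.51.100.22 result=fail",
    "2024-06-03T12:00:00Z host=vpn1 user=svc_backup src=203.0.113.50 result=ok",
]

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e

def build_baseline(lines):
    """Per user: source addresses and hours of day seen in successful logons."""
    base = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in map(parse, lines):
        if e["result"] == "ok":   # failures never teach the baseline
            base[e["user"]]["sources"].add(e["src"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return dict(base)

def analyze(lines, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (user, reason, timestamp) alerts for deviations from the baseline."""
    alerts = []
    fails = defaultdict(list)   # recent failure times per user (sliding window)
    for e in map(parse, lines):
        user, ts = e["user"], e["ts"]
        if e["result"] == "fail":
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) == fail_threshold:   # alert once, on the Nth failure
                alerts.append((user, "failed-logon burst", ts.isoformat()))
            continue
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "no baseline for user", ts.isoformat()))
        elif e["src"] not in profile["sources"]:
            alerts.append((user, f"new source {e['src']}", ts.isoformat()))
        elif ts.hour not in profile["hours"]:   # real baselines use hour ranges
            alerts.append((user, f"logon at unusual hour {ts.hour:02d}", ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for a in analyze(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(*a)
```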
CLOCK SYNCHRONIZATION

Technological control 8.17 Clock synchronization
Ensure that the clocks of information processing systems used are
synchronized to approved time sources.

Establish a standard reference time.
PRIVILEGED UTILITY PROGRAMS

Technological control 8.18 Use of privileged utility programs
Restrict and tightly control the use of utility programs that are
capable of overriding system and application controls.

Control the use of file managers, system diagnostic tools, disk
checkers and cleaners, patching tools, etc.
INSTALLATION OF SOFTWARE ON OPERATIONAL SYSTEMS

Technological control 8.19 Installation of software on operational systems
Implement procedures and measures to securely manage software
installation on operational systems.

Protect operational systems from the negative consequences that may be
associated with the uncontrolled installation of software.
NETWORKS SECURITY

Technological control 8.20 Networks security
Secure, manage and control networks and network devices to protect information
in systems and applications.

Assign responsibilities for networks security. Maintain up-to-date
documentation on networks configuration. Protect data
passing through public, wireless and third-party networks.

ISO/IEC 27033 – Network security
SECURITY OF NETWORK SERVICES

Technological control 8.21 Security of network services
Identify, implement and maintain security mechanisms, service levels and
service requirements of network services.

Ensure that network services providers manage agreed
services in a secure way.
SEGREGATION OF NETWORKS

Technological control 8.22 Segregation of networks


Segregate groups of information services, users and information systems,
in the organization’s networks.

Split large networks into separate domains and control the traffic
between the domains.
Wireless networks require special attention.
WEB FILTERING

Technological control 8.23 Web filtering
Access to external websites shall be managed to reduce exposure to
malicious content.

User awareness and technical controls.
Establish rules for the safe and appropriate use of online resources.
USE OF CRYPTOGRAPHY

Technological control 8.24 Use of cryptography
Define and implement rules for the effective use of cryptography, including
cryptographic key management.

Consider a topic-specific policy on the use of cryptography to
define principles and requirements for using encryption to
protect information.
Establish procedures and methods for the management of
cryptographic keys.
SECURE DEVELOPMENT LIFE CYCLE

Technological control 8.25 Secure development life cycle
Establish and apply rules for the secure development of software and
systems.

Information security should be an integral part of the
development of software and systems.
APPLICATION SECURITY REQUIREMENTS

Technological control 8.26 Application security requirements
Identify, specify and approve information security requirements when
developing or acquiring applications.

Consider a risk assessment focused on the security of applications in use
(developed in-house or acquired) and establish appropriate controls.
SECURE SYSTEM ARCHITECTURE AND
ENGINEERING PRINCIPLES
Technological control 8.27 Secure system architecture and engineering principles
Establish, document, maintain and apply principles for engineering secure systems to any
information system development activities.

Treat information security as an integral part of every system architecture layer.


Develop and apply principles for secure system engineering.
Consider “zero trust” principles.
SECURE CODING

Technological control 8.28 Secure coding
Apply secure coding principles to software development.

Ensure that code is written securely, so that the number of potential
security vulnerabilities is reduced.
Establish controls for planning and before coding, during coding and
after the code has been made operational.
SECURITY TESTING IN DEVELOPMENT AND ACCEPTANCE

Technological control 8.29 Security testing in development and acceptance
Define and implement security testing processes in the development life cycle.

Validate through testing that information
security requirements have been met.
OUTSOURCED DEVELOPMENT

Technological control 8.30 Outsourced development


Direct, monitor and review the activities related to outsourced system
development.

Consider and address the risks related to the product (obtained from
outsourced development arrangements) as well as the risks in
relation to the provider of outsourced development.
SEPARATION OF ENVIRONMENTS

Technological control 8.31 Separation of development, test and production environments
Separate and secure the development, testing and production environments.

The main objective is to protect the production environment.
Consider the physical or virtual separation of environments.
CHANGE MANAGEMENT

Technological control 8.32 Change management
Changes to information processing facilities and information systems shall be
subject to change management procedures.

Procedures to control changes should be documented and applied.
The procedures should cover aspects like the planning of changes,
authorization, communication, testing, implementation, fall-back
arrangements or records to be kept.
TEST INFORMATION
Technological control 8.33 Test information
Select, protect and manage appropriately test information.

Operational information used for testing should remain confidential.


Sensitive data should not be copied to development or testing
environments.
PROTECTION OF INFORMATION SYSTEMS DURING AUDIT TESTING

Technological control 8.34 Protection of information systems during audit testing
Plan and agree audit tests and other assurance activities that involve the
assessment of operational systems between the tester and appropriate
management.

Reduce the impact that audits and other assurance activities may
have on operational systems and business processes.
ISO/IEC 27001 CERTIFICATION FOR ORGANIZATIONS

Obtained after passing an audit.
Valid for 3 years with annual surveillance audits.
Can be suspended or withdrawn.
CERTIFICATION FOR PERSONS

Involves an examination.
Usually different levels – practitioner,
implementer, auditor, etc.
THANK YOU!
