Slide 1: How Does the new ISO 27001 Impact Your IT Risk Management Processes?

Presented by Lars Neupart
Founder, CEO of Neupart – The ERP of Security
LN@neupart.com
twitter @neupart
Slide 2: The ISO 2700x standards

ISO 27000
• Overview and vocabulary
ISO 27001
• Information Security Management Systems – Requirements
ISO 27002
• Code of practice for information security management
ISO 27003
• ISMS Implementation Guidelines
ISO 27004
• Information Security Management - Measurement
ISO 27005
• Information Security Risk Management
ISO 27006
• Requirements for bodies providing audit and certification
+ + + +
Slide 3: New drafts available

ISO 27000
• Overview and vocabulary
ISO 27001
• Information Security Management Systems – Requirements
ISO 27002
• Code of practice for information security management
ISO 27003
• ISMS Implementation Guidelines
ISO 27004
• Information Security Management - Measurement
ISO 27005
• Information Security Risk Management
ISO 27006
• Requirements for bodies providing audit and certification
+ + + +
Slide 4: Information Security Management Systems – Requirements

ISO 27001 – the 2013 edition. ISO/IEC DIS 27001 = draft, i.e. changes are likely to happen.

The aim of today's webinar is to give you a head start preparing for the new standard so you can have a smoother transition.
Slide 5: What's new?

• A lot!
• New content
• New requirements numbering
• Still short: 9 pages of requirements to an ISMS
• Controls are still listed in Annex A, and refer to ISO 27002 (the new edition)
• Maintaining a fair portion of backwards compatibility
Slide 6: Poll: How do you use ISO 27001 today?

• We are certified
• We plan to certify
• We plan to comply; no certification
• Best practice inspiration
• Don't know
Slide 7: Still risk oriented

• The first requirement in the new ISO 27001 refers to an Enterprise Risk Management Standard: ISO 31000
Slide 8: ISO 31000 Enterprise Risk Management

(diagram) Plan / Do / Check / Act cycle
Slide 9: (diagram of three nested layers, outermost first)

• Enterprise Risk Management (ISO 31000)
• Information Security Risk Management (ISO 27005)
• ISMS Requirements (ISO 27001)
Slide 10: ISO 27005 recap
Slide 11: IT Risk Management - Explained

(risk model diagram, labels read as two branches starting from the identified Threats) Risk is the combination of Incident Likelihood, driven by Threat Frequency and reduced by Preventive Measures, and Incident Consequence, driven by Threat Effect and reduced by Corrective Measures.

Slide 12: IT Risk Management - Explained

(the same diagram, with Risk Prioritization added and the measures grouped)
• Reduce Likelihood (Proactive Security): IT Security Policy, Compliance & Awareness, Change Management, Operating Procedures, Access Control, Monitoring, System Redundancy, Firewall, Antivirus
• Reduce Consequence (Reactive Security): IT Service Continuity Teams, IT Service Continuity Strategy, IT Service Continuity Plans, Disaster Recovery Procedures, Emergency Operations, Flexibility, Standby Equipment, Virtualization, Backup
Slide 13: Vulnerability & control environment assessment

(diagram: measures placed on a 2x2 grid of Administrative Measures vs Physical / Technical Measures and Preventive Measures vs Corrective Measures) Labels on the grid: Firewall, Antivirus, Server Cluster, RAID, Backup, Standby Equipment, Virtualization, Security Policy, System Documentation, Awareness, Compliance Checks, Alarm System, Fire Suppression, Logging, Change Management, IT Service Continuity Plan, Disaster Recovery Procedures, Business Continuity Strategy, Redundancy, Access Control System, Standby Site, Server snapshots, Monitoring

Assessments based on Capability Maturity Model
Slide 14: Assets: Dependency Hierarchy

• Business Impact values are inherited downwards
• Vulnerability values are inherited upwards

(example hierarchy diagram; asset name followed by asset type, listed from the business process down to the data center)
Finance (Business Process); ERP (IT Service); Dynamics AOS (Business system); Finance DB (Database); Server 01 (Virtual Server); Server 02 (Virtual Server); HP DL380 (Hardware unit), two units; SAN 01 (Data Storage); Data Center Oslo (Datacenter)
Slide 15: Comparing ISO 27005, NIST SP800-30

ISO 27005                             NIST SP800-30
Context establishment
Identification of assets              System Characterization
Identification of threats             Threat Identification
Identification of existing controls   Vulnerability Identification
Identification of vulnerabilities     Control Analysis
Identification of consequences
Assessment of consequences            Likelihood Determination
Assessment of incident likelihood     Impact Analysis
Risk estimation                       Risk Determination
Risk evaluation
Risk treatment                        Control Recommendations
Risk acceptance
Risk communication                    Results Documentation
Slide 16: Examples of how the 27001 update will impact your risk management processes
Slide 17: 27001: Not only downside risks

• 6.1 Actions to address risks and opportunities
• Quote ISO 31000: “Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is ‘risk’.”
Slide 18: Risk Owner

• The Risk Owner approves the risk treatment plan and accepts residual risks
• Note: Asset ownership is formally no longer an ISO 27001 requirement, but it's still in the Annex A control list. Practically the same requirement, as you can't expect it not to be in your Statement of Applicability
Slide 19: Increased flexibility in your choice of risk method

The organization shall define an information security risk assessment process that:
1. establishes and maintains information security risk criteria, including the risk acceptance criteria;
2. determines the criteria for performing information security risk assessments; and
3. ensures that repeated information security risk assessments produce consistent, valid and comparable results.
(section 6.1)
Slide 20: Time to vote

• What IT risk assessment method or framework do you use today?
  – ISO 27005
  – NIST SP 800 series
  – IRAM
  – OCTAVE
  – Some other threat based approach
  – Some other control based approach
  – Don't know
Slide 21: The organization shall apply an information security risk treatment process
Slide 22: Treating Risks

(diagram) Accept / Reduce / Share / Avoid

Treatment options according to ISO 27001:2005 and ISO 27005. ISO 27001:2013 does not require these specific treatment options, but you are free to choose them.
Slide 23: SoA linked even closer to Risk Treatment

Risk treatment (SoA = Statement of Applicability)
• Select treatment options
• Determine controls
• Check controls with Annex A, verify no necessary controls are omitted
• Make SoA and justify exclusions AND inclusions (new)
• Clearly worded that you must determine all necessary controls
Slide 24: Review of Neupart's well known 4 responsible short-cuts – do they still apply?

1: Not all assets
• Assess your most important assets first (you can add more later)
2: Not all threats
• Do not use the complete threat catalogue on each of your assets (relevant threats depend on asset type)
3: Inheritance
• Business impact values inherit downwards
• Vulnerability scores inherit upwards
• Asset dependencies / Hierarchy
4: Fewer assessments
• Make overall assessment first – refine later
• Example: Assess threats combined first – individually later
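The inheritance rule on the dependency hierarchy slide and in short-cut 3 above, as an added, constructed Python example (not Neupart's or SecureAware's code): business impact is assessed only on the top business process and flows down to everything it depends on, vulnerability is assessed only on a few low-level assets and flows up, and every asset in between still gets a risk score and a place in the prioritization. The edges between the slide's assets, the 1..5 scales, the use of max for inheritance and the impact x vulnerability score are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One node in the dependency hierarchy (name and type as on the slide)."""
    name: str
    kind: str
    depends_on: List[str] = field(default_factory=list)  # assets this one needs
    impact: Optional[int] = None         # business impact assessed here, 1..5 (assumed scale)
    vulnerability: Optional[int] = None  # vulnerability assessed here, 1..5 (assumed scale)


class Hierarchy:
    """Propagates values along dependency edges and scores risk per asset."""

    def __init__(self, assets: List[Asset]) -> None:
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        # Reverse edges: which assets depend on a given asset (its "parents").
        self.parents: Dict[str, List[str]] = {n: [] for n in self.assets}
        for a in assets:
            for dep in a.depends_on:
                if dep not in self.assets:
                    raise ValueError(f"{a.name} depends on unknown asset {dep}")
                self.parents[dep].append(a.name)

    def effective_impact(self, name: str) -> int:
        """Business impact is inherited downwards: an asset is at least as
        important as the most important asset that depends on it."""
        own = self.assets[name].impact or 0
        return max([own] + [self.effective_impact(p) for p in self.parents[name]])

    def effective_vulnerability(self, name: str) -> int:
        """Vulnerability is inherited upwards: an asset is at least as exposed
        as the most exposed asset it depends on."""
        own = self.assets[name].vulnerability or 0
        deps = self.assets[name].depends_on
        return max([own] + [self.effective_vulnerability(d) for d in deps])

    def risk(self, name: str) -> int:
        # Assumed scoring: impact x vulnerability (the deck states no formula).
        return self.effective_impact(name) * self.effective_vulnerability(name)

    def prioritized(self) -> List[str]:
        """Asset names ordered by risk, highest first (ties broken by name)."""
        return sorted(self.assets, key=lambda n: (-self.risk(n), n))


def build_example() -> Hierarchy:
    """The assets named on the slide; the edges and scores are constructed here.
    Only the business process carries an impact value and only the hardware,
    storage and one virtual server carry vulnerability values."""
    return Hierarchy([
        Asset("Finance", "Business Process", ["ERP"], impact=5),
        Asset("ERP", "IT Service", ["Dynamics AOS", "Finance DB"]),
        Asset("Dynamics AOS", "Business system", ["Server 01"]),
        Asset("Finance DB", "Database", ["Server 02", "SAN 01"]),
        Asset("Server 01", "Virtual Server", ["HP DL380 #1"], vulnerability=2),
        Asset("Server 02", "Virtual Server", ["HP DL380 #2"]),
        Asset("HP DL380 #1", "Hardware unit", ["Data Center Oslo"], vulnerability=2),
        Asset("HP DL380 #2", "Hardware unit", ["Data Center Oslo"], vulnerability=3),
        Asset("SAN 01", "Data Storage", ["Data Center Oslo"], vulnerability=4),
        Asset("Data Center Oslo", "Datacenter", vulnerability=1),
    ])


if __name__ == "__main__":
    h = build_example()
    for name in h.prioritized():
        a = h.assets[name]
        print(f"{name:18} {a.kind:17} impact={h.effective_impact(name)} "
              f"vuln={h.effective_vulnerability(name)} risk={h.risk(name)}")
```

Running it shows the Finance DB branch (through SAN 01) as the highest-risk path even though neither Finance DB nor ERP was assessed directly, which is the point of the short-cut.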
  
Slide 25: Oh, what happened to PDCA?

Plan - Do - Check - Act is still there, now called continual improvement
Slide 26: Risk Management

• Risk Owner
• (Assets)
• Threats
• Business Impact Assessment
• Vulnerability Assessment
• Reporting & evaluating
• Treating (Accept, Reduce, Share, Avoid)
Slide 27: Time to vote

• Will the new ISO improve your risk management processes?
  – Yes – the update is easy to understand and makes sense
  – Not much – nothing really new here
  – I'm concerned about the introduced flexibility
  – Don't know
Slide 28: About Neupart

• ISO 27001 certified company
• Provides SecureAware®, an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management
• “The ERP of Security”
• HQ in Denmark, subsidiary in Germany and a 200+ customer portfolio covering a wide range of private enterprises and governmental agencies

IT GRC = IT Governance, Risk & Compliance Management
Slide 29: SecureAware Risk TNG Benefits

• Less specialist knowledge needed to conduct professional risk management
• Know your IT related business risks
• Fast results
• Saves time for you and your organization
• ISO 27005 based methodology – and fully compatible with NIST SP800-30
• Cloud or on-premise software
Slide 30: Try ISO 27001 compliant IT GRC solution at www.neupart.com

Presented by Lars Neupart
Founder, CEO of Neupart – The ERP of Security
LN@neupart.com
twitter @neupart
