Isms - Iso 27001-2022

IS, Cybersecurity & Privacy
Protection - ISMS According to ISO

27001-2022 Requirements
PDF created with pdfFactory Pro trial version www.pdffactory.com

Course Objectives
At the end of this course you will understand
• The meaning of ISMS
• The requirements of ISO 27001/2022
• The ISMS documents

Introduction
§ Quality dimensions ( Product / Service – Organization – Business )
§ Processes / Management System
§ Flow of information / material
Suppliers Organization Customers
Upstream Downstream
Other Interested Parties

Organizations of all types and sizes:
§ Collect, process, store, and transmit information.
§ Information can be in many forms and may be transmitted / processed by
different means
§ Organizations recognize that information, and related equipment, systems,
networks and people are important assets.
§ Assets face a range of Threats.

§ The term information security is generally based on information being
considered as an asset which has a value requiring appropriate protection by
implementing information security controls 4

Information Security !!!!!!
§ Information Security is the preservation of (CIA)
Confidentiality of information
Property that information is not made available or disclosed to unauthorized
individuals, entities, or process
Integrity of information
Property of accuracy and completeness
Availability of information
Property of being accessible and usable upon demand by an authorized entity
5

§ Information security is achieved through the implementation of an applicable set of
controls including:
1. Policies
2. Processes
3. Procedures
4. Organizational structures
5. Software and Hardware
§ These controls need to be specified, implemented, monitored, reviewed and
improved

Common Practice For IS Controls
• Information security policy document
• Allocation of information security responsibilities
• Information security awareness, education, and training
• Correct processing in applications
• Technical vulnerability management
• Business continuity management
• Management of information security incidents and improvements

How to Identify the Security Requirements?
1) The risk assessment results - (RMP)
2) The legal and contractual requirements
3) The objectives and business requirements for information processing that an
organization has developed to support its operations.

What is an ISMS?
An Information Security Management System (ISMS) consists of the policies,
procedures, guidelines , resources , organizational structures, software
,hardware and activities, collectively managed by an organization, in the pursuit of
protecting its information assets.

IT Assets
§ Asset is anything that has value to the organization

§ The Information system related assets to be protected are :
1. Data & information
2. Software application
3. Hardware (equipment – cable- etc.)
4. Services (internet – power-maintenance- etc.)
5. HR
6. Physical location (building – site –etc.)
10

Examples of Typical Threats
§ Threats may be D (Deliberate), A (Accidental), E (Environmental- Natural)
Threats Origin
Fire A, D, E
Flood E
Failure of air-conditioning or water supply system A,D
Loss of power supply A, D, E
Theft of media or documents D
Theft of equipment D
Equipment failure A
Unauthorized use of Equipment D

Examples of Vulnerabilities
Type Examples of Vulnerabilities Examples of Threats
Hardware Lack of efficient configuration change control Error in use
Lack of care at disposal Theft of media or document
Uncontrolled copying Theft of media or document
Software Poor password management Forging of rights
Lack of effective change control Software malfunction
Network Poor joint cabling Failure of telecommunication
equipment
Personnel Lack of security training / awareness Error in use
Organization Lack of physical protection Theft of equipment

Management
Is a set of activities including planning, organizing, steering, and controlling an
organization’s resources with the aim of achieving organizational goals in an
efficient and effective manner.
13

System
1) Structure
2) Procedures/ Processes
3) Resources
Resources
Structure
Procedures/Processes
14

1-Structure
Organization
Chart
Structure
Job
Description
15

1-1 Organization Chart
Chairman
Assistant
Sector Head Sector Head Sector Head
16

1-2 Job Description
• Privilege to do certain job
Authority
Responsibility
• Responsibility about
certain job or process
17

2- Procedures / Processes
Procedure:
Set of activities connected together to describe the interaction between a set of
processes.
Process:
Detailed steps that describe the method of doing a certain task to convert a certain
I/Ps to a certain O/Ps
18

Value added Value added
I/Ps
Process Process
Internal Customer
Feed Back
19

3- Resources
Financial Physical
Human Information
Resources
20

Definition of Standards
Standards are documented agreements contains:
• Technical Specifications
• Management System Requirements
• Guidelines
• Definitions
• Others
21

International Organization for Standardization
(ISO)
§ "ISO", derived from the Greek ISOS, meaning "EQUAL".
§ Is the world's largest developer and publisher of International Standards.
§ It is a non-governmental organization.
§ Officially began operations on 23 February 1947 by 25 countries.
§ It is a network of the national standards institutes of 167 countries, one member per
country.
22

Managerial Standards
• ISO 9001/2015 Quality management system requirements
• ISO 14001/2015 Environmental management system requirements
• ISO 27001/2022 ISMS requirements
23

Evolution of ISO 27001:2022 Standard
§ It outlines an auditable framework for a robust Information Security Management
System (ISMS)

ISMS Family of Standards
§ The ISMS family of standards is intended to assist organizations of all types
and sizes to implement and operate an ISMS
§ The general title “Information technology — Security techniques” indicates that
these standards were prepared by Joint Technical Committee ISO / JTC 1,
Information technology, Subcommittee SC 27, IS Cybersecurity& Privacy
Protection.
25

Reasons for Implementing ISMS
• Agree with the relevant requirements of a contract
• Consistence with the client demand
• Image improvement
• Business problem prevention
• Protect information assets and give confidence to interested parties

Roadmap Towards ISO 27001 Implementation
Understanding the Identify
Create the Gap Information
Context & Define the
Security Team Assessment Assets
Scope
Risk Treatment: Risk

• Identify & Selection of Security Controls
Assets
• Apply Security Controls
Assessment Evaluation
Creation of Policies, Monitor,

Procedures and Implementation
Check and Improve
Standards

IS, Cybersecurity & Privacy Protection - ISMS
According to ISO 27001-2022 Requirements

ISO ???? Clauses
1) Scope
2) Normative reference
3) Terms & definitions
4) Context of the organization (Plan)
5) Leadership (Plan)
6) Planning (Plan)
7) Support (Plan)
8) Operation (Do)
9) Performance evaluation (Check)
10) Improvement (Act)
30

The Structure of ISO 27001:2022
9 Performance
4 Context of organization 5 Leadership 6 Planning 7 Support 8 Operation 10 Improvement
Evaluation
4.1 Understanding 7.1 8.1 Operational 10.1 Continual

5.1 Leadership and 6.1 Actions to 9.1 Monitoring,
context commitment address Risks and Resources planning and measurement, analysis improvement
control and evaluation
opportunities
4.2 Interested parties 6.2 IS Objectives 7.2 8.2 IS risk 9.2 Internal 10.2 Nonconformity and
Competence corrective action
5.2 Policy and Planning to assessment audit
achieve them
4.3 Scope 9.3 Management

8.3 IS risk
6.3 Planning of 7.3 review
5.3 Organizational treatment
roles, responsibilities change Awareness
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
31

(Annex A)
Information Security Controls Reference
§ The information security controls listed in Table A.1 are directly derived from and
aligned with those listed in ISO/IEC 27002:2022 - Clauses 5 to 8 and are to be
used in context with Clause 6.1.3.
§ Section 5 – includes 37 (Organizational Controls)
§ Section 6 – includes 8 (People Controls)

ISO/TC 176/SC 2/ N1267
§ Section 7 – includes 14 (Physical Controls)
§ Section 8 – includes 34 (Technological Controls)
32

ISO 27001:2022 Requirements

1- Scope
§ This International Standard specifies requirements for ISMS
§ All the requirements of this International Standard are generic and are intended to
be applicable to any organization, regardless of its type or size, or the products and
services it provides.
§ The exclusion of the requirement is not acceptable
34

2 - Normative references
§ For dated references, only the edition cited applies.
§ For undated references, the latest edition of the referenced document (including any
amendments) applies.
§ ISO/IEC 27000, Information Technology — Security Techniques — Information
Security Management Systems — Overview and Vocabulary
35

3. Terms and Definitions
For the purposes of this document, the terms and definitions given in ISO 27000
apply
36

Risk
Effect of uncertainty on objectives
Threat
Potential cause of an unwanted incident, which may result in harm to a system or
organization
Risk assessment
Overall process of risk identification risk analysis and risk evaluation
Risk acceptance
Informed decision to take a particular risk
Risk criteria
Terms of reference against which the significance of risk is evaluated

Risk treatment
Process to modify risk
Risk treatment can involve:

• Avoiding the risk by deciding not to start or continue with the activity that gives
rise to the risk;
• Taking or increasing risk in order to pursue an opportunity;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequences;
• Sharing the risk with another party E.g. Insurers, suppliers.
Risk owner
Person or entity with the accountability and authority to manage a risk

Vulnerability
Weakness of an asset or control that can be exploited by one or more threats
Residual risk
Risk remaining after risk treatment
Control
Measure that is modifying risk
Controls may include any process, policy, device, practice, or other actions
which modify / maintain the risk.
Control objective
Statement describing what is to be achieved as a result of implementing controls

Information Security Incident
a single or a series of unwanted or unexpected information security events that have a
significant probability of compromising business operations and threatening information
security.
Risk Management
Coordinated activities to direct and control an organization with regard to risk.

Confidentiality
Property that information is not made available or disclosed to unauthorized individuals,

entities, or process
Availability
Property of being accessible and usable upon demand by an authorized entity
Integrity
Property of accuracy and completeness

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
42

Clause 4 Context of the organization
4 Clause 4.1 Understanding the organization and its context
Context of organization
4.1
The organization shall determine external and internal issues
Understanding context
4.2 that are relevant to its purpose and its strategic direction and
Interested parties
4.3
Scope that affect its ability to achieve the intended result(s) of its
4.4
ISMS
ISMS
ISO/TC 176/SC 2/ N1267
43

Clause 4.2 Understanding the needs and expectations of
4
interested parties
4.1
Understanding context the organization shall determine:
4.2 a) the interested parties that are relevant to the ISMS
Interested parties
4.3 b) the requirements of these interested parties that are

Scope
4.4
ISMS
relevant to the ISMS
The organization shall monitor and review information about these interested parties
ISO/TC 176/SC 2/ N1267
and their relevant requirements that may include legal & other requirements /
contractual obligations
44

4
Clause 4.3 Determining the scope of the ISMS
The organization shall determine the boundaries and applicability of
4.1
the ISMS to establish its scope.
4.2
Interested parties When determining this scope, the organization shall consider:
4.3
Scope a) the external and internal issues referred to in 4.1;
4.4
ISMS b) the requirements of relevant interested parties referred to in 4.2;
c) The outsourced activities
ISO/TC 176/SC 2/ N1267
The scope of the organization’s ISMS shall be available and be

maintained as documented information.
45

4 Clause 4.4 ISMS
4.1 The organization shall establish, implement, maintain and

4.2
Interested parties
continually improve an ISMS including the processes
4.3
Scope needed and their interactions, in accordance with the
4.4
ISMS
requirements of this International Standard.
ISO/TC 176/SC 2/ N1267
46

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
47

5 Clause 5 Leadership
Leadership
5.1
5.1 Leadership and commitment
Leadership and commitment
5.2 Top management shall demonstrate leadership and commitment

Policy
5.3 with respect to the ISMS

Organizational roles,
responsibilities and authorities
ISO/TC 176/SC 2/ N1267
48

5
Clause 5.2 Policy
Leadership
The IS Policy shall
5.1
• Be maintained as documented information;
5.2
Policy
5.3
• Be communicated, understood and applied within the
Organizational roles,
organization;
• Be available to relevant interested parties, as appropriate.

ISO/TC 176/SC 2/ N1267
49

Clause 5.3 Organizational roles, responsibilities &
5
Leadership authorities
5.1
Top management shall ensure that the responsibilities and
5.2
Policy
authorities for relevant roles are assigned, communicated and
5.3
Organizational roles, understood within the organization.
Top management shall assign the responsibility and authority for:
• Ensuring that the ISMS conforms to the requirements of this

International Standard;
ISO/TC 176/SC 2/ N1267
• Reporting on the performance of the ISMS and on

opportunities for improvement
50

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
51

Clause 6 Planning
6
Planning
6.1 Actions to Address Risks and Opportunities
6.1
6.1.1 General
Actions to address risks and
opportunities When planning for the ISMS, the organization shall consider the
6.2
Objectives and planning issues referred to in 4.1 and the requirements referred to in 4.2
and determine the risks and opportunities that need to be
6.3 Planning of change
addressed
The organization shall plan:

ISO/TC 176/SC 2/ N1267
a) ACTIONS to address these RISKS and OPPORTUNITIES;
b) How to INTEGRATE and IMPLEMENT the actions into its

ISMS , EVALUATE the EFFECTIVENESS of these actions.
52

6
Planning 6.1.2 Information Security Risk Assessment
6.1
opportunities The organization shall define and apply an information security risk
6.2
Objectives and planning
assessment process including :

• Risk acceptance criteria
• Identify risks for CIA

ISO/TC 176/SC 2/ N1267
• Identify risk owner
See ISO 31000

53

6
Planning 6.1.3 Information Security Risk Treatment
6.1
opportunities • The organization shall define and apply an information security
6.2
risk treatment process

• Annex A and more can be included
• Produce Statement of applicability

ISO/TC 176/SC 2/ N1267
• Produce Risk treatment plan
See ISO 31000

54

6
Planning
Clause 6.2 IS objectives and planning to achieve
them
6.1
opportunities The organization shall establish IS objectives at relevant functions,
6.2 levels and processes needed for the ISMS
When planning how to achieve its IS objectives, the organization

shall determine:
a) WHAT will be done;
b) WHAT resources will be required;
ISO/TC 176/SC 2/ N1267
c) WHO will be responsible;

d) WHEN it will be completed;
e) HOW the results will be evaluated.
55

6
Planning
Clause 6.3 Planning of Change
6.1 The organization shall plan the changed to the IS MS
opportunities
6.2

ISO/TC 176/SC 2/ N1267
56

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
57

Clause 7 Support
7
Support
7.1
7.1 Resources
Resources
7.2 The organization shall DETERMINE and PROVIDE the

Competence
7.3
RESOURCES needed for the ISMS.
Awareness
7.4
Communication
7.5
Documented information
ISO/TC 176/SC 2/ N1267
58

7 7.2 Competence
Support
7.1 The organization shall:

Resources
7.2 a) determine the necessary competence of person(s) doing

Competence
work under its control that affects the performance and
7.3
Awareness effectiveness of the ISMS
7.4
Communication b) ensure that these persons are competent on the basis of
7.5 appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary
competence, and evaluate the effectiveness of the actions
taken;
d) retain appropriate documented information as evidence of
ISO/TC 176/SC 2/ N1267
competence
59

7 7.3 Awareness
Support The organization shall ensure that persons doing work under the
7.1 organization’s control are aware of:
Resources
a) the IS policy;
7.2 b) relevant IS objectives;
Competence
7.3
c) their contribution to the effectiveness of the ISMS
Awareness d) the implications of not conforming with the ISMS requirements.
7.4
Communication 7.4 Communication
7.5 The organization shall determine the internal and external communications
relevant to the ISMS including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
ISO/TC 176/SC 2/ N1267
d) how to communicate;
60

7
Support
7.5 Documented information
7.1
Resources
7.5.1 General
7.2
Competence
7.3
The organization’s ISMS shall include:
Awareness
7.4 a) documented information required by this International

Communication
7.5
Standard;
b) documented information determined by the organization
as being necessary for the effectiveness of ISMS
ISO/TC 176/SC 2/ N1267
The extent of documented information for a ISMS can differ

from one organization to another
61

7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure
appropriate
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper,
electronic);
c) review and approval for suitability and adequacy.
ISO/TC 176/SC 2/ N1267
62

7.5.3 Control of documented information
Documented information shall be controlled to ensure:

A) it is available and suitable for use
B) it is adequately protected
C) distribution, access, retrieval and use;
D) storage and preservation, including preservation of legibility;
E) control of changes (e.g. version control);
F) retention and disposition
• Documented information of external origin

ISO/TC 176/SC 2/ N1267
• Documented information retained as evidence of conformity shall be protected

from unintended alterations.
63

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
64

Clause 8 Operation
8.1 Operational planning and control
• The organization shall plan, implement and control the processes needed to meet
information security requirements, and to implement the actions determined in 6.1.
• The organization shall also implement plans to achieve information security
objectives determined in 6.2.
• The organization shall keep documented information to the extent necessary to have
confidence that the processes have been carried out as planned.
• The organization shall control planned changes and review the consequences of
ISO/TC 176/SC 2/ N1267
unintended changes, taking action to mitigate any adverse effects, as necessary.

• The organization shall ensure that outsourced processes are determined and
controlled.
65

8.2 Information Security Risk Assessment
• The organization shall perform information security risk assessments at planned
intervals or when significant changes are proposed or occur, taking account of the
criteria established in 6.1.2
• Retain documented information
8.3 Information Security Risk Treatment

• The organization shall implement information security risk treatment plan
ISO/TC 176/SC 2/ N1267
• Retain documented information
66

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
67

Clause 9 Performance evaluation
9
Performance evaluation 9.1 Monitoring, measurement, analysis and
9.1
Monitoring, measurement,
analysis and evaluation
evaluation
9.2 § The organization shall determine:
Internal audit
a) what needs to be monitored and measured;
9.3
Management review b) the methods for monitoring, measurement, analysis and
evaluation needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall
be analyzed and evaluated.
ISO/TC 176/SC 2/ N1267
§ The organization shall evaluate the performance

§ Retain appropriate documented information as evidence of the
results.
68

9 9.2 Internal audit
Performance Evaluation
9.1
The organization shall conduct internal audits at planned intervals
to provide information on whether the ISMS conforms to:
9.2
Internal audit
1) the organization’s own requirements for its ISMS
9.3
2) the requirements of this International Standard;
Management review
3) is effectively implemented and maintained.
ISO/TC 176/SC 2/ N1267
69

9
The organization shall:
Performance Evaluation a) plan, establish, implement and maintain an audit
9.1 program(s) including the frequency, methods,
analysis and evaluation responsibilities, planning requirements and reporting, which
shall take into consideration the importance of the
9.2
Internal audit processes concerned, changes affecting the organization,
and the results of previous audits;
9.3
Management review b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity
and the impartiality of the audit process;
d) ensure that the results of the audits are reported to
ISO/TC 176/SC 2/ N1267
relevant management;
e) take appropriate correction and corrective actions without
undue delay;
f) retain documented information as evidence of the
implementation of the audit program and the audit results.
70

9 9.3 Management review
Performance Evaluation
9.1
Top management shall review the organization’s ISMS at planned
intervals, to ensure its continuing suitability, adequacy,
9.2
Internal audit effectiveness and alignment with the strategic direction of the
9.3
Management review organization.
ISO/TC 176/SC 2/ N1267
71

Management review inputs
The management review shall be planned and carried out taking into consideration:
§ The status of actions from previous management reviews;
§ Changes in external and internal issues that are relevant to the ISMS
§ Feedback from relevant interested parties;
§ The extent to which IS objectives have been met;
§ Nonconformities and corrective actions;
§ Monitoring and measurement results;
§ Audit results;
§ The adequacy of resources;
§ The effectiveness of actions taken to address risks and opportunities
§ Opportunities for improvement.
ISO/TC 176/SC 2/ N1267
72

Management review outputs
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the ISMS;
c) resource needs.
ISO/TC 176/SC 2/ N1267
The organization shall retain documented information as evidence of the results of
management reviews.
73

ISO 27001:2022
9 Performance
Evaluation

opportunities
achieve them

8.3 IS risk
and authorities
4.4 IS MS
ISO/TC 176/SC 2/ N1267
7.4
Communication
7.5
Documented
information
74

10
Improvement 10.1 Continual improvement
10.1 Continual
improvement The organization shall continually improve the suitability, adequacy
10.2 Nonconformity and

and effectiveness of the ISMS.
corrective action
The organization shall consider the results of analysis and
evaluation, and the outputs from management review, to
determine if there are needs or opportunities that shall be
addressed as part of continual improvement.
ISO/TC 176/SC 2/ N1267
75

Clause 10 Improvement
10
10.2 Nonconformity and corrective action
Improvement When a nonconformity occurs, the organization shall:
a) react to the nonconformity and, as applicable:
10.1 Continual
improvement 1) take action to control and correct it;
2) deal with the consequences
10.2 Nonconformity and
corrective action
b) evaluate the need for action to eliminate the cause(s) of the
nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing and analyzing the nonconformity;
2) determining the causes of the nonconformity; determining if similar
nonconformities exist, or could potentially occur
c) implement any action needed;

ISO/TC 176/SC 2/ N1267
d) review the effectiveness of any corrective action taken;

e) update risks and opportunities determined during planning, if necessary;
f) make changes to the ISMS , if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities

encountered. 76

Management System Documentation
IS Policy Statement /IS Objectives Statement
Manual
Management
Procedures/plans
Work Instruction
Forms / Records

Statement of Applicability
A Statement of Applicability shall be prepared that includes the following:
1) The control objectives and controls selected and the reasons for their selection;
2) The control objectives and controls currently implemented and
3) The exclusion of any control objectives and controls in Annex A and the justification for
their exclusion.
NOTES:
• The Statement of Applicability provides a summary of decisions concerning risk treatment.
• Justifying exclusions provides a cross-check that no controls have been inadvertently
omitted.

Risk Treatment Plan
The organization shall do the following:
a) Formulate a risk treatment plan that identifies the appropriate management action,
resources, responsibilities and priorities for managing information security risks.
b) Implement the risk treatment plan in order to achieve the identified control objectives,
which includes consideration of funding and allocation of roles and responsibilities.

Annex A
Information Security Controls Reference

1) Information Security Policy
Objective:
To provide management direction and support for information security in accordance with business
requirements and relevant laws and regulations.
2) Internal and External Organization of Information Security Within the Organization
Objectives :
1. To manage information security activities within the organization.
2. To maintain the security of the organization’s information and information processing facilities that are
accessed, processed, communicated to, or managed by external parties.
3) Assets Management
Objective:
To achieve and maintain appropriate protection of organizational assets

4) Information Classification
Objective:
To ensure that information receives an appropriate level of protection.
5) Human Resources Security (Prior to Employment)

Objective:
To ensure that employees, contractors and third party users understand their responsibilities to
reduce the risk.
6) Human Resources Security (During Employment)

Objective:
To ensure that all employees, contractors and third party users are aware of information security
threats and their responsibilities.

7) Human Resources Security (Termination or Change of Employment)
Objective:
To ensure that employees, contractors and third party users exit an organization or change
employment in an orderly manner.
8) Physical and Environmental Security (Secure Areas)

Objective:
To prevent unauthorized physical access, damage and interference to the organization’s

premises and information.
9) Physical and Environmental Security (Equipment Security)

Objective:
To prevent loss, damage, or theft of assets and interruption to the organization’s activities.

10) Third Party Service Delivery Management
Objective:
To implement and maintain the appropriate level of information security and service delivery in
line with third party service delivery agreements.
11) System Planning and Acceptance

Objective:
To minimize the risk of system failures.
12) Back-up
Objective:
To maintain the integrity and availability of information and information processing facilities.

13) Network Security Management
Objective:
To ensure the protection of information in networks and the protection of the supporting
infrastructure.
14) Media Handling

Objective:
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption

to business activities.
15) Exchange of Information

Objective:
To maintain the security of information and software exchanged within an organization and with any
external entity.

16) Electronic Commerce Services
Objective:
To ensure the security of electronic commerce services, and their secure use.
17) User Access Management

Objective:
To ensure authorized user access and to prevent unauthorized access to information.
18) Management of Information Security Incidents and Improvements

Objective:
To ensure a consistent and effective approach is applied to the management of information security
incidents

19) Compliance With Legal Requirements
Objective:
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security
requirements.
20) Compliance with Security Policies and Standards, and Technical Compliance
Objective:
To ensure compliance of systems with organizational security policies and standards.
21) Information Systems Audit Considerations
Objective:
To maximize the effectiveness of the information systems audit process

88

Isms - Iso 27001-2022

Uploaded by

Copyright:

Available Formats

Isms - Iso 27001-2022

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Isms - Iso 27001-2022

Uploaded by

Copyright:

Available Formats

IS, Cybersecurity & Privacy

Protection - ISMS According to ISO

PDF created with pdfFactory Pro trial version www.pdffactory.com

• The meaning of ISMS

• The requirements of ISO 27001/2022

• The ISMS documents

PDF created with pdfFactory Pro trial version www.pdffactory.com

§ Quality dimensions ( Product / Service – Organization – Business )

§ Processes / Management System

§ Flow of information / material

Suppliers Organization Customers

Other Interested Parties

PDF created with pdfFactory Pro trial version www.pdffactory.com

§ Assets face a range of Threats.

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

• Information security policy document

• Allocation of information security responsibilities

• Information security awareness, education, and training

• Correct processing in applications

• Technical vulnerability management

• Business continuity management

• Management of information security incidents and improvements

PDF created with pdfFactory Pro trial version www.pdffactory.com

1) The risk assessment results - (RMP)

2) The legal and contractual requirements

3) The objectives and business requirements for information processing that an

organization has developed to support its operations.

PDF created with pdfFactory Pro trial version www.pdffactory.com

procedures, guidelines , resources , organizational structures, software

,hardware and activities, collectively managed by an organization, in the pursuit of

protecting its information assets.

PDF created with pdfFactory Pro trial version www.pdffactory.com

§ Asset is anything that has value to the organization

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

Organization Lack of physical protection Theft of equipment

PDF created with pdfFactory Pro trial version www.pdffactory.com

Is a set of activities including planning, organizing, steering, and controlling an

organization’s resources with the aim of achieving organizational goals in an

efficient and effective manner.

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

Sector Head Sector Head Sector Head

PDF created with pdfFactory Pro trial version www.pdffactory.com

• Privilege to do certain job

PDF created with pdfFactory Pro trial version www.pdffactory.com

Set of activities connected together to describe the interaction between a set of

I/Ps to a certain O/Ps

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

PDF created with pdfFactory Pro trial version www.pdffactory.com

• Management System Requirements

PDF created with pdfFactory Pro trial version www.pdffactory.com

§ Is the world's largest developer and publisher of International Standards.

§ Officially began operations on 23 February 1947 by 25 countries.