Mohamed Gohar
Instructor-Consultant
Mr. Mohamed Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA Review Manual, 26th edition (2016), and ISM Senior Trainer/Consultant at EGYBYTE.
+2 01061281600
mohamed.gohar@egybyte.net | www.egybyte.net
eg.linkedin.com/in/mohamed-gohar-89253840
Information Security between Best Practices and ISO Standards
Presented by: Mohamed Gohar
- 10 years of experience in ISM/ITSM training and consultation
- One of the expert reviewers of the CISA Review Manual, 26th edition (2016)
- Certified in ISO 27001, ISO 27034, ISO 38500, ISO 24762, RESILIA, CISA, CISM, TOGAF, COBIT, ITIL and PMP
- ISM Senior Trainer/Consultant at EGYBYTE
Agenda
The webinar will cover the following areas:
• Information security best practices (ESA, COBIT, ITIL, RESILIA)
  • Information security governance frameworks
  • COBIT 5 for Information Security
  • Enterprise Security Architecture (ESA) frameworks (O-ESA and SABSA)
  • Information security in the ITIL 2011 framework
  • RESILIA cyber resilience framework
• NIST security publications
  • NIST SP 800-100
  • Framework for Improving Critical Infrastructure Cybersecurity
  • NIST SP 800-53
• ISO standards for information security (ISO 38500, ISO 20000 and the ISO 27000 series)
  • ISO 38500
  • Information security management in ISO 20000
  • ISO 27001, ISO 27002, ISO 27005 and ISO 27034
• What is best for me: information security best practices or ISO standards?
Information Security Governance Frameworks
• Information security governance is a subset of corporate governance (enterprise risk management and internal controls) and sits alongside, or within, the governance of enterprise IT (strategic management, benefits realization, risk optimization and resource optimization).
• Information security governance is the system by which an organization directs and controls information security.
• Information security governance should not be confused with information security management. The two differ as follows:

Information Security Governance     | Information Security Management
• Accountability                    | • Responsibility
• Authorizes decision rights        | • Authorized to make decisions
• Enacts policy                     | • Enforces policy
• Oversight                         | • Implementation
• Resource allocation               | • Resource utilization
• Strategic planning                | • Project planning
• Doing the right thing             | • Doing things right
• NIST (SP 800-100) describes information security governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
• Enterprise security governance results from the duty of care that leadership owes under its fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:
  • Govern the operations of the organization and protect its critical assets
  • Protect the organization's market share and stock price (perhaps not applicable to educational institutions)
  • Govern the conduct of employees (an acceptable use policy and any other policies that apply to the use of technology resources, data handling, etc.)
  • Protect the reputation of the organization
  • Ensure compliance requirements are met
"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business."
Cobit 5 for Information Security
Publications for Information Security Governance Frameworks
• IT Governance Institute (ITGI) publications:
  • Information Security Governance: Guidance for Boards of Directors and Executive Management
  • Information Security Governance: Guidance for Information Security Managers
• COBIT 5 for Information Security
Enterprise Security Architecture Frameworks
• The Open Group, O-ESA
  • The Corporate Governance Task Force report states: "The road to information security goes through corporate governance."
  • To simplify security management there must be a direct linkage between governance and the security architecture itself.
  • O-ESA is a policy-driven security architecture: policy is the link between governance and the security architecture.
  • The O-ESA components and processes are:
    • Governance (principles, policies, standards/guidelines/procedures, audit, enforcement)
    • Technology architecture (conceptual framework, conceptual architecture, logical architecture, physical architecture, design/development)
    • Security operations (deployment, services, devices and applications, administration, event management, incident management, vulnerability management, compliance)
  • Objectives of O-ESA
    • Preserving the confidentiality, integrity and availability (CIA) of an organization's information
    • Effective information security management through accountability and assurance
    • Satisfying the security demands placed on the IT service organization by its customers
• Sherwood Applied Business Security Architecture (SABSA)
  • SABSA is a proven framework and methodology for enterprise security architecture and service management.
  • It is used successfully around the globe to meet a wide variety of enterprise needs, including risk management, information assurance, governance and continuity management.
  • SABSA key benefit: it ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.
  • Although copyright protected, SABSA is an open-use methodology, not a commercial product.
• ESA, or EISA (enterprise information security architecture), can be a powerful development, implementation and integration tool for carrying out a strategy.
• ESA/EISA should be an integral part of enterprise architecture (EA) to be effective: integrating EISA with EA helps to ensure that proper controls are implemented and integrated throughout the organization's infrastructure, processes and technologies.
Information Security in ITIL 2011
• ITIL is a best-practice framework for IT service management (ITSM).
• ITIL 2011 consists of 26 processes and 4 functions.
• Information Security Management is the ITIL process that resides in the Service Design stage of the ITIL service lifecycle.
• Information Security Management process
  • Information security is a management process within the corporate governance framework; it provides the strategic direction for security activities and ensures that objectives are achieved.
  • It further ensures that information security risks are appropriately managed and that enterprise information resources are used responsibly.
  • Purpose and objectives: to align IT security with business security and ensure that the confidentiality, integrity and availability of the organization's assets, information, data and IT services always match the agreed needs of the business.
  • Scope: the information security management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.
RESILIA Cyber Resilience Framework
• RESILIA™ is a best-practice framework developed by AXELOS.
• Based on the RESILIA Cyber Resilience Best Practices guide, it offers practical knowledge to enhance existing management strategies and helps align cyber resilience with IT operations, security and incident management.
• Using the ITIL service lifecycle, it develops the skills and insight needed to detect, respond to and recover from cyber-attacks.
NIST Security Publications
• NIST publications are written for US federal agencies and government organizations, but can be used by non-governmental organizations too.
• NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets.
• NIST SP 800-100 (Information Security Handbook: A Guide for Managers)
  • Covers topics such as information security governance, performance measures, security planning, IT contingency planning, risk management, incident response and configuration management.
• Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework)
  • The Framework focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's risk management processes.
  • The Framework consists of three parts: the Framework Core, the Framework Profile and the Framework Implementation Tiers.
  • The Framework Core is a set of cybersecurity activities, outcomes and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
  • Through the use of Profiles, the Framework helps the organization align its cybersecurity activities with its business requirements, risk tolerances and resources.
  • The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
• NIST SP 800-53 Revision 4
  • Security and Privacy Controls for Federal Information Systems and Organizations.
  • This publication provides a catalog of security and privacy controls for federal information systems and organizations, and a process for selecting controls to protect organizational operations (including mission, functions, image and reputation), organizational assets, individuals and other organizations from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures and human errors.
  • 285 controls, organized into 18 security control families plus a separate privacy control appendix (Appendix J).
  • The controls are customizable and are implemented as part of an organization-wide process that manages information security and privacy risk.
ISO Standards for Information Security
• ISO 38500
  • ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers or similar) on the effective, efficient and acceptable use of information technology (IT) within their organizations.
  • It also provides guidance to those advising, informing or assisting governing bodies, including:
    — executive managers;
    — members of groups monitoring the resources within the organization;
    — external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
    — internal and external service providers (including consultants);
    — auditors.
  • The purpose of the standard is to promote the effective, efficient and acceptable use of IT in all organizations by
    — assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT,
    — informing and guiding governing bodies in governing the use of IT in their organization, and
    — establishing a vocabulary for the governance of IT.
• ISO 20000
  • ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
  • ISO/IEC 20000-1:2011 can be used by:
    • an organization seeking services from service providers and requiring assurance that its service requirements will be fulfilled;
    • an organization that requires a consistent approach by all its service providers, including those in a supply chain;
    • a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;
    • a service provider to monitor, measure and review its service management processes and services;
    • a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
    • an assessor or auditor, as the criteria for a conformity assessment of a service provider's SMS against the requirements in ISO/IEC 20000-1:2011.
  • Information security management process in ISO 20000
    • The information security management (ISM) process should ensure that security controls are in place to protect information assets and that information security requirements are incorporated into the design and transition of new or changed services.
    • It deals with information security policy, information security controls, risk assessment, managing information security risks, information security changes and incidents, documentation, and authorities and responsibilities.
ISO Standards for Information Security: the ISO 27000 series
• ISO 27001 Information Security Management Systems
  • The ISO 27000 family of standards helps organizations keep information assets secure.
  • Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
  • ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
  • The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  • Its Annex A lists 114 controls in 14 control groups with 35 control objectives.
• ISO 27002:2013 Code of practice for information security controls
  • This standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
  • It is designed to be used by organizations that intend to:
    • select controls within the process of implementing an ISMS based on ISO/IEC 27001;
    • implement commonly accepted information security controls;
    • develop their own information security management guidelines.
• ISO 27005:2011 Information Security Risk Management
  • It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • Knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
  • ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) that intend to manage risks that could compromise the organization's information security.
• ISO 27034-1:2011 Application Security: Overview and Concepts
  • ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications.
  • ISO/IEC 27034-1:2011 presents an overview of application security. It introduces the definitions, concepts, principles and processes involved in application security.
  • ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and cases where the development or operation of the application is outsourced.
• ISO 27034-2:2015 Application Security: Organization Normative Framework
  • ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.
What is best for me: Information Security Best Practices or ISO Standards?
• Conclusion
  • Whenever it is applicable, start with the governance of enterprise IT (GEIT).
  • GEIT is a subset of corporate governance.
  • Policy is the linkage between governance and EISA.
  • EISA is an integral part of EA.
  • The main objective of EA is to strategically align the business objectives with the enterprise IT objectives and to respond effectively and efficiently to the changing needs of the business.
  • Policies define the necessary standards to implement and comply with.
  • ISM/ITSM best-practice frameworks are important steps on the way to successfully implementing ISO standards. Generally, ISO management system standards such as ISO/IEC 27001 and ISO/IEC 20000-1 are auditable (an organization can be certified against them), while best-practice frameworks are guidance and are not certifiable in themselves.
  • A solid business case should be developed before adopting any best-practice framework and/or standard.
  • Cybersecurity is more than just protecting information assets: it is about preventing, detecting and correcting the adverse impact of incidents on the information assets required to do business.
  • Auditing is governance's most powerful tool for enforcing compliance with policies and standards.
About EGYBYTE
• ISM/ITSM and project management training
  • ITIL 2011, PRINCE2, AgilePM, COBIT 5, SDI, Business Analysis, ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 38500, ISO 22301, ISO 21500, CPDE and CloudSchool
• ISM/ITSM consultation
  • ISM/ITSM projects, assessment and development
• Company website: www.egybyte.net
• For inquiries contact: info@egybyte.net
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
PECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
PECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
PECB
 

Mais de PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Último

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 

Último (20)

Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 

Information Security between Best Practices and ISO Standards

• 5. Information Security Governance Frameworks
- Information Security Governance is a subset of corporate governance (Enterprise Risk Management and Internal Controls) and runs in parallel with, or is a subset of, the governance of enterprise IT (Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization).
- Information security governance is the system by which an organization directs and controls information security.
- Information security governance should not be confused with information security management:

  Information Security Governance | Information Security Management
  Accountability                  | Responsibility
  Authorizes decision rights      | Authorized to make decisions
  Enact policy                    | Enforce policy
  Oversight                       | Implementation
  Resource allocation             | Resource utilization
  Strategic planning              | Project planning
  Doing the right thing           | Doing things right

• 6. Information Security Governance Frameworks
- NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
- Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:
  - Govern the operations of the organization and protect its critical assets
  - Protect the organization's market share and stock price (perhaps not appropriate for education)
  - Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
  - Protect the reputation of the organization
  - Ensure compliance requirements are met
- "Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business."

• 7. / 8. / 9. Cobit 5 for Information Security

• 10. Publications for Information Security Governance Frameworks
- IT Governance Institute (ITGI) publications:
  - Information Security Governance: Guidance for Board of Directors and Executive Management
  - Information Security Governance: Guidance for Information Security Managers
  - Cobit 5 for Information Security

• 11. Enterprise Security Architecture Frameworks
- The Open Group, O-ESA
  - The Corporate Governance Task Force report states: "The road to information security goes through corporate governance."
  - To simplify security management, there must be a direct linkage between governance and the security architecture itself.
  - O-ESA is a policy-driven security architecture, where the policy is the link between governance and security architecture.
- The functions of the O-ESA components and processes:
  - Governance (Principles, Policies, Standards/Guidelines/Procedures, Audit, Enforcement)
  - Technology Architecture (Conceptual framework, Conceptual architecture, Logical architecture, Physical architecture, Design/Development)
  - Security Operations (Deployment, Services, Devices and applications, Administration, Event management, Incident management, Vulnerability management, Compliance)

• 12. Enterprise Security Architecture Frameworks
- Objectives of O-ESA:
  - Preserving Confidentiality, Integrity and Availability (CIA) of an organization's information
  - Effective information security management through accountability and assurance
  - Satisfying the security demands placed on the IT service organization by its customers

• 13. Enterprise Security Architecture Frameworks
- Sherwood Applied Business Security Architecture (SABSA)
  - SABSA is a proven framework and methodology for enterprise security architecture and service management.
  - It is used successfully around the globe to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management.
- SABSA key benefits: it ensures that the needs of your Enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.
- Although copyright protected, SABSA is an open-use methodology, not a commercial product.
- ESA or EISA can be a powerful development, implementation and integration tool for the development and implementation of a strategy.
- ESA or EISA should be an integral part of EA to be effective, as the integration of EISA and EA helps to ensure that proper controls are implemented and integrated throughout the organization's infrastructure, processes and technologies.

• 15. Information Security in ITIL 2011
- ITIL is a best practice framework in ITSM.
- ITIL consists of 26 processes and 4 functions.
- Information Security Management is one of the ITIL processes; it resides in the Design stage of the ITIL lifecycle.
- Information Security Management process
  - Information security is a management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.
  - It further ensures that the information security risks are appropriately managed and that enterprise information resources are used responsibly.
  - The purpose and objectives of the information security management process are to align IT security with business security and ensure that the confidentiality, integrity and availability of the organization's assets, information, data and IT services always match the agreed needs of the business.
  - Scope: the information security management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.

• 17. Resilia Cybersecurity Framework
- RESILIA™ is a framework of best practice, developed by AXELOS.
- Based on the Cyber Resilience Best Practices guide, it offers practical knowledge to enhance existing management strategies and help align cyber resilience with IT operations, security and incident management.
- Using the ITIL lifecycle, it develops the skills and insight needed to detect, respond to and recover from cyber-attacks.

• 19. NIST Security Publications
- NIST Publications are usually used by Federal Agencies or Governmental Organizations and can be used by non-governmental organizations too.
- NIST is responsible for developing standards and guidelines, including minimum requirements, and for providing adequate information security for all agency operations and assets.
- NIST 800-100 (Information Security Handbook: A Guide for Managers)
  - Covers topics such as: Information Security Governance, Performance Measures, Security Planning, IT Contingency Planning, Risk Management, Incident Response and Configuration Management
- Framework for Improving Critical Infrastructure Cybersecurity
  - The Framework focuses on using business drivers to guide Cybersecurity activities and considering Cybersecurity risks as part of the organization's risk management processes.
  - The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
  - The Framework Core is a set of Cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.

• 20. NIST Security Publications
- Through use of the Profiles, the Framework will help the organization align its Cybersecurity activities with its business requirements, risk tolerances, and resources.
- The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing Cybersecurity risk.
- NIST 800-53 r4
  - Security and Privacy Controls for Federal Information Systems and Organizations.
  - This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals and other organizations from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
  - 285 controls and 19 control families.
  - The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk.

• 21. ISO Standards for Information Security
- ISO 38500
  - ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.
  - It also provides guidance to those advising, informing, or assisting governing bodies. They include the following:
    - executive managers;
    - members of groups monitoring the resources within the organization;
    - external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
    - internal and external service providers (including consultants);
    - auditors.

• 22. ISO Standards for Information Security
- ISO 38500
  - The purpose of this International Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:
    - assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT;
    - informing and guiding governing bodies in governing the use of IT in their organization; and
    - establishing a vocabulary for the governance of IT.
- ISO 20000
  - ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.

• 23. ISO Standards for Information Security
- ISO 20000
  - ISO/IEC 20000-1:2011 can be used by:
    - an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
    - an organization that requires a consistent approach by all its service providers, including those in a supply chain;
    - a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;
    - a service provider to monitor, measure and review its service management processes and services;
    - a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
    - an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.

• 24. ISO Standards for Information Security
- ISO 20000
  - Information Security Management Process
    - The information security management (ISM) process should ensure that security controls are in place to protect information assets and that information security requirements are incorporated into the design and transition of new or changed services.
    - Deals with issues such as: Information Security Policy, Information Security Controls, Risk Assessment, Managing Information Security Risks, Information Security Changes and Incidents, Documentation, and Authorities and Responsibilities.

• 25. ISO Standards for Information Security

• 26. ISO 27000 series
- ISO 27001 Information Security Management Systems
  - The ISO 27000 family of standards helps organizations keep information assets secure.
  - Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
  - ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
  - This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  - 114 controls, 14 groups of controls and 35 control objectives.

• 27. ISO 27000 series
- ISO 27002:2013 Code of practice for information security controls
  - This International Standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
  - It is designed to be used by organizations that intend to:
    - select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
    - implement commonly accepted information security controls;
    - develop their own information security management guidelines.

• 28. ISO 27000 series
- ISO 27005:2011 Information Security Risk Management
  - It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  - Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
  - ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.

• 29. ISO 27000 series
- ISO 27034-1:2011 Application Security: Overview and Concepts
  - ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications.
  - ISO/IEC 27034-1:2011 presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security.
  - ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and cases where the development or the operation of the application is outsourced.
- ISO 27034-2:2015 Application Security: Organization Normative Framework
  - ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.

• 30. What is best for me: Information Security Best Practices or ISO standards?
- Conclusion
  - Whenever it is applicable, start with GEIT.
  - GEIT is a subset of Corporate Governance.
  - Policy is the linkage between Governance and EISA.
  - EISA is an integral part of EA.
  - The main objective of EA is to strategically align the business objectives with the enterprise IT objectives and to effectively and efficiently respond to the changing needs of the business.
  - Policies define the necessary standards to implement and comply with.
  - ISM/ITSM best practices frameworks are important steps on the way to successfully implementing ISO standards. Generally, ISO standards are auditable while best practices frameworks are not.
  - A solid business case should be developed to adopt any best practices framework and/or standard.
  - Cybersecurity is more than just protecting information assets; it is about preventing, detecting and correcting the adverse impact of incidents on the information assets required to do business.
  - Auditing is the powerful governance tool to enforce compliance with policies and standards.

• 31. About EGYBYTE
- ISM/ITSM and Project Management Training
  - ITIL 2011, PRINCE2, AgilePM, COBIT 5, SDI, Business Analysis, ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 38500, ISO 22301, ISO 21500, CPDE and CloudSchool
- ISM/ITSM Consultation
  - ISM/ITSM projects, assessment and development
- Company Website: www.egybyte.net
- For inquiries contact us: INFO@EGYBYTE.NET

• 32. Questions? Thank you.
+2 01061281600
mohamed.gohar@egybyte.net
www.egybyte.net
eg.linkedin.com/in/mohamed-gohar-89253840