ISO 27001 and 27002

ISO 27001 & 27002 Notes

DISCLAIMER:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

REFERENCES:

  • ISO/IEC 27001: 2013 & 27002: 2013
  • ISO/IEC 27001: 2022 & 27002: 2022
  • Lead implementer Professional ISO /IEC 27001:2013
******************************************************************************************

What key insights can be gained from learning about ISO 27001:

  • How to create and implement the Information System Management within the organization.
  • Discuss on the Framework based on the ISO 27001
  • Three pillars: Confidentiality, Integrity and Availability

Two words on Knowledge and Skill. 

Learning Objectives 

Knowledge
  • ISM
  • Benefits of ISM
  • Requirements of 27001

Skill
  • Conduct baseline review: we will get the skills to conduct GAP analysis
  • Will have Implementation skills
  • Explain the concepts of Project management

Information Security management 


What is Information Security management?

Three pillars: [CIA]
  • Confidentiality, 
  • Integrity and 
  • Availability 

Non- Repudiation: 
  • Means cannot be challenged by anybody.
Integrity: of information: 
  • Means unaltered information. Information cannot be changed in-between end to end.
Information processing facility: 
  • Also need to secure the in-between facility which is processing the information. 
Business Continuity:
  • Business Continuity to some extent will be part of the Information Security Management system. And there will be separate Business continuity and Disaster management.
Life cycle of information:
  • How the information should be discarded. 
Other Benefits Information Security Management [ISM] 
  • Reduce Security incidents, increase staff retention, Protection of brand and reputation, reduce costs of correction, customer retention, etc
Background of ISO 27001 / ISO 27002
  • Framework: Sets of Principle, policy’s, rules, guidelines make a whole framework.
Background of ISO 27001 / ISO 27002
  • Framework: Sets of Principle, policy’s, rules, guidelines make a whole framework.
History of ISO 27001 and ISO 27002

  • BSI started in 1901, wanted to start Tube railways and floated in tender. The big problem was getting 5 different plans which had different dimensions. This created the problem that they are not compatible within each other. 
  • BS7799 :1995: - British standards published in 1995 
  • 2005: ISO re- nomenclature and published the 27001 by getting from BS.

Difference b/w to 27001 and 27002:
  • 27001: What has to be done.
  • 27002: How it has to be done: - Implementation guideline:

ISO 27001

Clause 4: Context of the organization

  • What are: - Internal Issue, External issue and Interested parties?
  • Interested parties: Promoters or Shareholders, Employees, Government, neighbours, customers, vendors, etc.
  • Internal issue: When there are internal strikes. 
  • External issue: Government regulatory compliance
  • Here boundaries are set for the rules and boundaries. 
  • e.g.: in Some countries security guards will be present to collect the ID proof and registry entry is made. The same company operating in JAPAN has no security guard. Since there is no practice of security guards in JAPAN. 

PDCA and ISMS:

  • Plan : requirements: - Clause 4 Context of the org. / 5 leadership / 6 Planning / 7 Support
  • DO : implement: - Clause 8 Operation
  • Check : Audits/ gaps/ managements review: - Clause 9 Performance evaluation
  • Act : Results/ improvement: - Clause 10 Improvement

Legal, regulatory and contractual:

  • Regulatory Body: - RBI is the regulatory Body, SEBI regulatory for Stock exchanges
  • Legal: Requirements from the government
  • Contract: requirements which are passed on by working with clients which are laid upon by the regulatory body. 
  • Statutory and regulatory requirements: As an ISMS manager: just telling them to follow. Do not be a SME in Statutory field to implement ISMS. Show what are the list of Statutory and regulatory requirements you are adhered to. 

Captive environment: 

working under other organization: - Policies, regulation, contractual terms will be passed on to the vendor organization also. 

Shall means mandatory
May means optional

Clause 4 Context of the organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system

Clause 5 Leadership

5.1 Leadership and commitment 
5.2 Policy
5.3 Organizational roles, responsibilities and authorities

Top management should create and provide resources,
Create security Policy, security objectives 

Clause 6 Planning

6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Information security risk assessment

6.1.3 Information security risk treatment
  • NOTE 1 Organizations can design controls as required, or identify them from any source.
  • NOTE 2 Annex A contains a list of possible information security controls. Users of this document are
  • directed to Annex A to ensure that no necessary information security controls are overlooked.
  • NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information
  • security controls can be included if needed.

6.2 Information security objectives and planning to achieve them

Objective should be Measurable or quantitative and Monitored year on year basis 
E.g., Objective 
  • Zero security data breach
  • 100 % compliance to infosec audit
  • As per policy all the employees will change the password every 90 days
  • 100% of pen-testing to happen for all the projects in every quarter.
  • 98% of awareness of Infosec training has to be completed by the vendors

6.3 Planning of changes

Clause 7 Support

7.1 Resources
7.2 Competence
  • By three ways: Education arranging training and Experience
7.3 Awareness
  • Senior management has to create awareness about Information security among the employees. 
7.4 Communication
7.5 Documented information

Clause 8 Operation 

Clause 8 is also the DO part from PDCA
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment

Clause 9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

  • Here Monitoring and measurement is done. 
  • The Objectives which are identified earlier will be monitored and measured.
  • These audits internal and external are conducted
  •  Documentation must be maintained
Internal Audit
  • Conformance and non – conformance 
  • As an external auditor will look into the internal NC’s are reported and closed. 

Clause 10 Improvement 

10.1 Nonconformity and corrective action
10.2 Continual improvement

PDCA: Matrix

PLAN:
4 Context of the organization
  • Understanding of context.
  • Expectations of interested parties.
  • Scope and ISMS.
5 Leadership
  • Management commitment.
  • IS policy.
  • Roles, responsibilities and authorities.
6 Planning
  • Actions to address risk and opportunity.
  • Infosec objectives.
7 Support
  • Resources.
  • Competence.
  • Awareness.
  • Communication.
  • Documented Information.

DO:
8 Operation
  • Operational planning and control.
  • Risk assessment.
  • Risk treatment.
CHECK:
9 Performance and Evaluation
  • Monitoring, measurement, analysis and evaluation.
  • Internal audit.
  • Management review.

ACT:
10 Improvement
  • Nonconformity and corrective action.
  • Continual improvement.

ISO 27002 2022


Controls are Grouped Under:
  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls


5. Organizational controls 
5.1. Policies for information security
5.2. Information security roles and responsibilities
5.3. Segregation of duties
5.4. Management responsibilities
5.5. Contact with authorities
5.6. Contact with special interest groups
5.7. Threat intelligence
5.8. Information security in project management
5.9. Inventory of information and other associated assets
5.10. Acceptable use of information and other associated assets
5.11. Return of assets
5.12. Classification of information
5.13. Labelling of information
5.14. Information transfer
5.15. Access control
5.16. Identity management
5.17. Authentication information
5.18. Access rights
5.19. Information security in supplier relationships
5.20. Addressing information security within supplier agreements
5.21. Managing information security in the ICT supply chain
5.22. Monitoring, review and change management of supplier services 
5.23. Information security for use of cloud services
5.24. Information security incident management planning and preparation
5.25. Assessment and decision on information security events
5.26. Response to information security incidents
5.27. Learning from information security incidents
5.28. Collection of evidence
5.29. Information security during disruption
5.30.  Information and communication technology (ICT) readiness for business continuity
5.31. Legal, statutory, regulatory and contractual requirements
5.32. Intellectual property rights
5.33. Protection of records
5.34. Privacy and protection of personally identifiable information (PII)
5.35. Independent review of information security
5.36. Compliance with policies, rules and standards for information security
5.37. Documented operating procedures

6. People controls 

6.1. Screening
6.2. Terms and conditions of employment
6.3. Information security awareness, education and
training
6.4. Disciplinary process
6.5. Responsibilities after termination or change of
employment
6.6. Confidentiality or non-disclosure agreements
6.7. Remote working
6.8. Information security event reporting

7. Physical controls 

7.1. Physical security perimeter
7.2. Physical entry
7.3. Securing offices, rooms and facilities
7.4. Physical security monitoring
7.5. Protecting against physical and environmental
threats
7.6. Working in secure areas
7.7. Clear desk and clear screen
7.8. Equipment siting and protection
7.9. Security of assets off-premises 
7.10. Storage media
7.11. Supporting utilities
7.12. Cabling security
7.13. Equipment maintenance
7.14. Secure disposal or re-use of equipment 

8. Technological controls 

8.1. User endpoint devices
8.2. Privileged access rights
8.3. Information access restriction
8.4. Access to source code
8.5. Secure authentication
8.6. Capacity management
8.7. Protection against malware
8.8. Management of technical vulnerabilities
8.9. Configuration management
8.10. Information deletion
8.11. Data masking
8.12. Data leakage prevention
8.13. Information backup
8.14. Redundancy of information processing facilities
8.15. Logging
8.16. Monitoring activities
8.17. Clock synchronization
8.18. Use of privileged utility programs
8.19. Installation of software on operational systems
8.20. Network security
8.21. Security of network services
8.22. Segregation of networks 
8.23. Web filtering
8.24. Use of cryptography
8.25. Secure development life cycle
8.26. Application security requirements
8.27. Secure system architecture and engineering
principles
8.28. Secure coding
8.29. Security testing in development and acceptance
8.30. Outsourced development
8.31. Separation of development, test and production
environments
8.32. Change management
8.33. Test information
8.34. Protection of information systems during audit
testing 

Annexes Contains as below:


  • The matrix control of attributes is available in Annex Table "A.1", which can be filtered based on specific requirements. For instance, Table A.2 demonstrates an example of creating a view by filtering with a particular attribute value, such as #Corrective.
    • Control types (#Preventive, #Detective, #Corrective)
    • Information security properties (#Confidentiality, #Integrity, #Availability)
    • Cybersecurity concepts (#Identify, #Protect, #Detect, #Respond, #Recover)
    • Operational capabilities (#Governance, #Asset_management, #Information_protection, #Human_resource_security,   #Physical_security,   #System_and_network_security, #Application_security, #Secure_configuration, #Identity_and_access_management,           #Threat_and_vulnerability_management, #Continuity, #Supplier_relationships_security, #Legal_and_compliance, #Information_security_event_management, #Information_security_assurance)
    • Security domains (#Governance_and_Ecosystem, #Protection, #Defence, #Resilience)

  • Mapping of 2022 controls are mapped with 2013 under Annex B of the document Table B.1.
  • mapping of 2013 controls are mapped with 2022 under Annex B of the document Table B.2


Comments

Post a Comment

Popular Posts

Chennai :MTC complaint cell 044-23455858, 9445030516 and 9383337639

MTC  website :  https://mtcbus.tn.gov.in/ Phone : +91 9445030516 / 044 23455888 Route Information : https://mtcbus.tn.gov.in//Home/routewiseinfo Bus timing search : https://mtcbus.tn.gov.in/Home/bustimingsearch Route wise info :https://mtcbus.tn.gov.in/Home/routewiseinfo The Metropolitan Transport Corporation’s (MTC) complaint cell has received over 100 complaints ever since it was upgraded from a 12-hour facility to a 24-hour service.   The numbers — 044-23455858, 9445030516 and 9383337639 — have been functioning as MTC’s helpline for the past couple of years.
Read more

Marriage Registration Online steps [Tamil Nadu]

Marriage Registration Online 1. Hindu Marriage Act 2. TamilNadu Marriage Act Steps To follow 1. Log into :-> https://tnreginet.gov.in/portal/  2. Click on "User Registration"   under " LOGIN " section 3. Now Login with UserID & Password  Hindu Marriage Registration 4. After Log in then select  Home > Marriage Registration > Hindu Marriage Registration 5. Fill in the details     1. Husband details           A.  Details Must be know - District, Taluk, Village and then f rom Drop down select the " street name "         B . if any of the parent is not alive mark the same and produce the death certificate while submitting the application in-person.      2. Wife Details          A. same as above, have all the information to fill in details  3. Witness Options     A. 3 Witness are required as mandate.     B. Select from the Drop down Witness Option s 4. Other Details     A.  Details of person who solemnized - the Priest name           or Any other
Read more

Fraud Practice by JBL India Harman India

Image
 #BoycottJBLSoundIn  #HarmanIndia products for selling poor quality and refusing to service products. Harman India JBL  #RightToRepair Grievance Details : Respected Sir Madam The Product JBL quantum 300 was purchased from Amazon India on 6 Aug 2020 for a price off 4999 rupees and has one year warranty. The Issue with the product, the mike function stopped working from 7 July 2021. The same was issue was raised with JBL customer care india_escalations@harman.com, on 7/10/2021 10:27 AM They have refused to do after sales repair services or replace the product, citing volume button is broken which is present at the side of the headphone. The customer care team has responded with refusal of product replacement and repair. They have provided with 10% discount coupon on purchase of their new product, as a resolution. I'm attaching the invoice, customer care refusal email and JBL headphone photo as references Reference number from customer care Harman International Case 08388082 Respons
Read more

Enable additional Security layer for Logging into: Google, Facebook and Twitter

Image
How to keep your  Accounts safe From online frauds/ hacks.  The most important part is to secure your Login password . There is an additional security step to certify your login. Known as “2-Step Authentication”. Let us go through the steps how enable them, before that you have to download two apps as mentioned below. Download -> “Authenticator” app from Google Play Store. -> “Barcode Scanner” app from Google Play store. Google: Login into account: -> Select “ MY Account ” -> Under “ Sign-in & Security ” -> Under “Signing in to Google” -> Under “ Password & sign-in method ” -> Select “2-Step Verification” -> Click to enable them and flow through the steps provided. -> Open “Authenticator” app, Scan the code and complete the workflow. Twitter: Login into Account -> Select “ Settings and Privacy ” -> Under Security -> “ Select a code generator app ”, follow the steps as followed. -> Open “Authe
Read more

How to get Canadian PR

# Alert : Dont get fooled but consulting agents/ agency. All the forms and paper work has to be done by self and there is no agent is allowed to create Express entry account from Canadian government website. # How to get Canadian PR: ****************** General Info:-  "For PR : only way in is express entry" 1. Express entry profile:  It Has a score called CRS  Calculate your score roughly and if it crosses 450 ( now late 2020 it should be 460-470) then there is a good chance of getting a PR if not to be plain there might be chances but difficult.  2. For express entry profile:  Profile cost is free online gov profile  Eligibility to have a profile;:  IELTS score card (13500₹)  WES : world education system  education credentials to be accredited (15000₹) 3. Website  https://www.cic.gc.ca/english/immigrate/skilled/crs-tool.asp 4. Calculate your score through the above tool link:- Under question 5 give your test results recent within 2 years a yes  Test as IELTS  Score as follow
Read more

Whatsapp privacy check-up May 2023

Image
Whatsapp update May 2023 Whatsapp's privacy check-up features provide users with the ability to review and customize various aspects of their privacy settings. Choose who can contact you Control your personal info Add more privacy to your chats Add more protection to your account Privacy-checkup Choose who can contact you Control your personal info Add more privacy to your chats Add more protection to your account
Read more