New data protection regulations have significantly impacted the way that businesses collect, store, and handle clients’ personal information.
Considering the continuously increasing importance of data protection and privacy in today’s world, businesses should be up to speed with their data privacy policies and procedures.
The webinar covers:
1. ISO/IEC 27001 – Information Security Framework Key requirements under CCPA, CPRA, GDPR
• ISO/IEC 27005 – Information Security Risk Management
• ISO/IEC 27035 – Information Security Incident Management
• ISO/IEC 22301 & 27031 - Business Continuity Management (BCM)
2. Alternative Frameworks
• CMMC - Cybersecurity Maturity Model Certification
• NIST CSF Cybersecurity Framework
• ISO/IEC 27032 – Guidelines for Cybersecurity
3. Supplier Management
Date: April 21, 2021
Recorded Webinar: https://youtu.be/bi3tvvhGV1s
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
1.
2. 1. ISO/IEC 27001 – Information Security Framework
• ISO/IEC 27005 – Information Security Risk Management
• ISO/IEC 27035 – Information Security Incident Management
• ISO/IEC 22301 & 27031 - Business Continuity Management (BCM)
2. Alternative Frameworks
• NIST CSF Cybersecurity Framework
• CMMC - Cybersecurity Maturity Model Certification
• ISO/IEC 27032 – Guidelines for Cybersecurity
3. Supplier Management
4. Conclusion
5. Questions
Agenda
3. Links to other standards
1. ISO/IEC 27001
Business Continuity &
Disaster Recovery
ISO/IEC 27031
ISO/IEC 22301
Security Incident
Management
Information Security
Risk Management
ISO/IEC 27005
Cyberspace / Ecosystem
ISO/IEC 27032
Cybersecurity
framework (CSF)
CMMC
ISO/IEC 27035
4. ISO/IEC 27001 Security framework
1. Define and establish
1.1 Context
establishment
1.2 Leadership and roles
1.4 Security
Requirements
1.3 Risk Management
1.5 Organization
1.6 Statement of
applicability
2. Deploy and operate
2.1 Treatment plan
definition
2.2 Controls deployment
2.3 Documentation
management
2.4 Communication
2.5 Awareness and
training
2.6 Operations
management
2.7 Security incident
management
3. Monitor and review
3.1 Monitoring, analysis
and assessment
3.2 Internal audit
3.3 Accreditation
4. Maintain and improve
4.1 Non-conformity
management
4.2 Continuous
improvement
5. Information Security Risk Management
• Version:
• Current: 2018 (small update of 2011)
• Revision ongoing (12/2022)
• Context establishment
• Scope, stakeholders, criteria
• Risk assessment
• Define what to protect (Primary/supporting assets)
• Against what (threats, vulnerabilities, current controls)
• Risk Treatment
• Risk retention, avoidance, modification, sharing
• Risk Acceptance
• Acceptable residual risk level
• Maturity: Risk-based decisions allow to provide justifications to
other cyber activities (audit, pentest, incident, requirements, etc.)
ISO/IEC 27005
6. Information Security Incident Management
• Security Event vs Security Incident
• Event:
Occurrence indicating a possible breach of information security or failure of controls
• Incident:
One or multiple related and identified information security events meeting established
criteria and can harm organization’s assets or compromise its operations
ISO/IEC 27035
• Versions:
• Part 1: Principles of incident management
Current: 2016 Revision ongoing (06/2023)
• Part 2: Guidelines to plan and prepare for incident management
Current: 2016 Revision ongoing (06/2023)
• Part 3: Guidelines for ICT incident response operations (Technical)
Current: 2020
• Part 4: Coordination (ongoing – based on a Chinese CERT initiative)
Planned: 05/2024
• Designed to fulfil ISO/IEC 27001 Annex A, control 16 (IS Incident Management)
7. Business Continuity Management (BCM) & ITC Service Continuity (ITSCM)
• Version:
• ISO/IEC 22301 – Current: 2019 (minor update of 2012)
• ISO/IEC 27031 – Current: 2011 (new version under development)
• Context establishment
• Scope, stakeholders, criteria
• Business Impact Analyses (BIAs)
• Based on IS Risk Assessments (ISO/IEC 27005)
• Priorities, objectives
• Key for a well working BCMS
• Business Continuity Strategies & Solutions
• Priorities, resources, mitigation
• Training & awareness plans, preparation plans
• Disaster Recovery Plans (DRP) ISO/IEC 27031 for ITC
• Business Continuity Procedures
• Business Continuity Plans (BCP), Incident Response Plans (IRP), Recovery Plans (RP), Transportation Plans,
Communication Procedures etc.
ISO/IEC 22301 and 27031
8. • NIST CSF – Cybersecurity Framework
• CMMC – Cybersecurity Maturity Model Certification
• ISO/IEC 27032 – Guidelines for Cybersecurity
2. Alternative Frameworks
9. NIST Cybersecurity Framework
• Tier Degree of rigor
• 1 (Partial) to 4 (Adaptative)
• Cybersecurity based risk decisions
• Stakeholders Cybersecurity integration
• Core (link to COBIT, NIST, ISO etc.)
• 5 Functions : Identify/Protect/Detect/Respond/Recover
• 23 Categories: Risk assessment, Security Monitoring, etc.
• 108 Subcategories: Requirement detail
• Profile
• Current status
• Target profile
• More information: https://www.nist.gov/cyberframework/online-learning
NIST CSF
10. Cybersecurity Maturity Model Certification
• Release: Version 1.0 - 31/01/2020
• US Department of Defense (DoD) contractors: DoD's response to significant compromises of
sensitive defense information located on contractors' information systems.
• CMMC levels:
• Level 1: 17 Controls
• Level 2: 72 Controls (includes Level 1 controls)
• Level 3: 130 Controls (includes Level 2 controls)
• Level 4: 156 Controls (includes Level 3 controls)
• Level 5: 171 Controls (includes Level 4 controls)
• Link to security controls from NIST SP 800-171, NIST SP 800-53, ISO/IEC 27001 and
ISO/IEC 27032, among others.
• Difference to ISO/IEC 27001: ISMS perimeter vs whole organization
• Difference to NIST CSF:
• Same objective: protect CUI (Controlled Unclassified Information)
• NFO (Non-Federal Organization) are out of scope (not for the US DoD)
CMMC
11. Guidelines for Cybersecurity
• Version:
• Current: 2012
• Revision ongoing (10/2022)
• Change of perimeter: Cybersecurity – Guidelines for Internet security
• Cyberspace: space resulting from the emergence of the Internet, plus the people, organizations,
and activities on all sort of technology devices and networks that are connected to it
It can be seen as the assets (primary/supporting + stakeholders/ecosystem)
• Supplier Management
• Education, Awareness & Training
• Malware Protection
• Change Management
• Cryptography
• Asset Management
• Cybersecurity Incident Management
• Vulnerability Management
• Business Continuity
ISO/IEC 27032
12. Secure Ecosystem
3. Supplier Management
Examples:
• SolarWinds
• Stuxnet
How to reduce stakeholders’ threat?
• Increase the cybersecurity
maturity level
• Decrease the exposition
13. There are Different Information & Cyber Security Approaches
• Choose the framework corresponding to your business needs
• Customer requirements
• Regulation requirements (Finance, Energies, Telecom, NIS, SOX etc.)
• Legal requirements (EU, US, etc.)
• Remain in one framework
• Mixing frameworks will result mainly in an uncontrollable nightmare
• You can include some parts of other frameworks as “best practices”
• Assessing maturity level or benchmarks are easier within one framework
• Secure your whole perimeter
• Define the scope properly and completely
• Include all your stakeholders
• Limit not only to your organization
4. Conclusion