Mohamed Gohar
Instructor-Consultant
Mr. Mohamed Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016) and ISM Senior Trainer/Consultant at EGYBYTE.
+2 01061281600
mohamed.gohar@egybyte.net www.egybyte.net
eg.linkedin.com/in/mohamed-gohar-89253840
Information Security between Best Practices and ISO Standards
Presented by: Mohamed Gohar
- 10 years of experience in ISM/ITSM Training and Consultation
- Gohar is one of the expert reviewers of CISA RM 26th edition (2016)
- Certified in/as ISO 27001, ISO 27034, ISO 38500, ISO 24762, Resilia, CISA, CISM, TOGAF, COBIT, ITIL and PMP
- ISM Senior Trainer/Consultant at EGYBYTE
Agenda
The webinar will cover the following areas:
- Information Security best practices (ESA, COBIT, ITIL, Resilia)
  - Information Security Governance frameworks
  - Cobit 5 for information security
  - Enterprise Security Architecture (ESA) frameworks (O-ESA and SABSA)
  - Information Security in ITIL 2011 framework
  - Resilia Cyber Security framework
- NIST security publications
  - NIST 800-100
  - Framework for Improving Critical Infrastructure Cybersecurity
  - NIST 800-53
- ISO standards for information security (ISO 38500, ISO 20000 and ISO 27000 series)
  - ISO 38500
  - Information Security Management in ISO 20000
  - ISO 27001, ISO 27002, ISO 27005 and ISO 27034
- What is best for me: Information Security Best Practices or ISO standards?
Information Security Governance Frameworks
- Information Security Governance is a subset of corporate governance (Enterprise Risk Management and Internal Controls) and runs in parallel with, or is a subset of, the governance of enterprise IT (Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization).
- Information security governance is the system by which an organization directs and controls information security.
- Information security governance should not be confused with information security management:

Information Security Governance:
• Accountability
• Authorizes decision rights
• Enacts policy
• Oversight
• Resource allocation
• Strategic planning
• Doing the right thing

Information Security Management:
• Responsibility
• Authorized to make decisions
• Enforces policy
• Implementation
• Resource utilization
• Project planning
• Doing things right
- NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
- Enterprise security governance results from the duty of care that leadership owes towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:
  - Govern the operations of the organization and protect its critical assets
  - Protect the organization's market share and stock price (perhaps not appropriate for education)
  - Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
  - Protect the reputation of the organization
  - Ensure compliance requirements are met
"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business."
Cobit 5 for Information Security
Publications for Information Security Governance Frameworks
- IT Governance Institute (ITGI) publications:
  - Information Security Governance: Guidance for Board of Directors and Executive Management
  - Information Security Governance: Guidance for Information Security Managers
  - Cobit 5 for Information Security
Enterprise Security Architecture Frameworks
- The Open Group, O-ESA
  - The Corporate Governance Task Force report states: “The road to information security goes through corporate governance”
  - To simplify security management, there must be a direct linkage between governance and the security architecture itself.
  - O-ESA is a policy-driven security architecture in which policy is the link between governance and security architecture.
  - The functions of the O-ESA components and processes:
    - Governance (Principles, Policies, Standards/Guidelines/Procedures, Audit, Enforcement)
    - Technology Architecture (Conceptual framework, Conceptual architecture, Logical architecture, Physical architecture, Design/Development)
    - Security Operations (Deployment, Services, Devices and applications, Administration, Event management, Incident management, Vulnerability management, Compliance)
  - Objectives of O-ESA
    - Preserving the Confidentiality, Integrity and Availability (CIA) of an organization’s information
    - Effective information security management through accountability and assurance
    - Satisfying the security demands placed on the IT service organization by its customers
- Sherwood Applied Business Security Architecture (SABSA)
  - SABSA is a proven framework and methodology for enterprise security architecture and service management.
  - It is used successfully around the globe to meet a wide variety of enterprise needs, including Risk Management, Information Assurance, Governance, and Continuity Management.
  - SABSA key benefit: it ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.
  - Although copyright protected, SABSA is an open-use methodology, not a commercial product.
- ESA or EISA can be a powerful development, implementation and integration tool for the development and implementation of a strategy.
- ESA or EISA should be an integral part of EA (Enterprise Architecture) to be effective, as the integration of EISA and EA helps to ensure that proper controls are implemented and integrated throughout the organization's infrastructure, processes and technologies.
Information Security in ITIL 2011
- ITIL is a best practice framework in ITSM
- ITIL consists of 26 processes and 4 functions
- Information Security Management is one of the ITIL processes and resides in the Design stage of the ITIL lifecycle
- Information Security Management process
  - Information security is a management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.
  - It further ensures that information security risks are appropriately managed and that enterprise information resources are used responsibly.
  - Purpose and objectives: the information security management process aligns IT security with business security and ensures that the confidentiality, integrity and availability of the organization’s assets, information, data and IT services always match the agreed needs of the business.
  - Scope: the information security management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.
Resilia Cybersecurity Framework
- RESILIA™ is a framework of best practice developed by AXELOS
- Based on the Cyber Resilience Best Practices guide, it offers practical knowledge to enhance existing management strategies and helps align cyber resilience with IT operations, security and incident management.
- Using the ITIL lifecycle, it develops the skills and insight needed to detect, respond to and recover from cyber-attacks.
NIST Security Publications
- NIST publications are usually used by Federal Agencies or governmental organizations, and can be used by non-governmental organizations too
- NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets
- NIST 800-100 (Information Security Handbook: A Guide for Managers)
  - Covers topics such as Information Security Governance, Performance Measures, Security Planning, IT Contingency Planning, Risk Management, Incident Response and Configuration Management
- Framework for Improving Critical Infrastructure Cybersecurity
  - The Framework focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization’s risk management processes
  - The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
  - The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
  - Through use of the Profiles, the Framework helps the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources.
  - The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.
- NIST 800-53 r4
  - Security and Privacy Controls for Federal Information Systems and Organizations.
  - This publication provides a catalog of security and privacy controls for federal information systems and organizations, and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals and other organizations from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures, and human errors.
  - 285 controls in 19 families of controls.
  - The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk.
ISO Standards for Information Security
- ISO 38500
  - ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.
  - It also provides guidance to those advising, informing, or assisting governing bodies. They include the following:
    — executive managers;
    — members of groups monitoring the resources within the organization;
    — external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
    — internal and external service providers (including consultants);
    — auditors.
  - The purpose of this International Standard is to promote effective, efficient, and acceptable use of IT in all organizations by
    — assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT,
    — informing and guiding governing bodies in governing the use of IT in their organization, and
    — establishing a vocabulary for the governance of IT.
- ISO 20000
  - ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
  - ISO/IEC 20000-1:2011 can be used by:
    - an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
    - an organization that requires a consistent approach by all its service providers, including those in a supply chain;
    - a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;
    - a service provider to monitor, measure and review its service management processes and services;
    - a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
    - an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.
  - Information Security Management Process
    - The information security management (ISM) process should ensure that security controls are in place to protect information assets and that information security requirements are incorporated into the design and transition of new or changed services.
    - Deals with issues such as Information Security Policy, Information Security Controls, Risk Assessment, Managing Information Security Risks, Information Security Changes and Incidents, Documentation, and Authorities and Responsibilities.
- ISO 27000 series
  - ISO 27001 Information Security Management Systems
    - The ISO 27000 family of standards helps organizations keep information assets secure.
    - Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
    - ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
    - This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
    - 114 controls, 14 groups of controls and 35 control objectives
  - ISO 27002:2013 Code of practice for information security controls
    - This International Standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization’s information security risk environment(s).
    - It is designed to be used by organizations that intend to:
      - select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
      - implement commonly accepted information security controls;
      - develop their own information security management guidelines.
  - ISO 27005:2011 Information Security Risk Management
    - It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
    - Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
    - ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
  - ISO 27034-1:2011 Application Security – Overview and Concepts
    - ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications.
    - ISO/IEC 27034-1:2011 presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security.
    - ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and where the development or the operation of the application is outsourced.
  - ISO 27034-2:2015 Application Security – Organization Normative Framework
    - ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.
What is best for me: Information Security Best Practices or ISO standards?
- Conclusion
  - Whenever applicable, start with GEIT (Governance of Enterprise IT)
  - GEIT is a subset of Corporate Governance
  - Policy is the linkage between Governance and EISA
  - EISA is an integral part of EA
  - The main objective of EA is to strategically align the business objectives with the enterprise IT objectives and to respond effectively and efficiently to the changing needs of the business
  - Policies define the necessary standards to implement and comply with
  - ISM/ITSM best practices frameworks are important steps on the way to successfully implementing ISO standards. Generally, ISO standards are auditable while best practices frameworks are not.
  - A solid business case should be developed before adopting any best practices framework and/or standard
  - Cybersecurity is more than just protecting information assets; it is about preventing, detecting and correcting the adverse impact of incidents on the information assets required to do business
  - Auditing is governance's powerful tool for enforcing compliance with policies and standards
About EGYBYTE
- ISM/ITSM and Project Management Training
  - ITIL 2011, PRINCE2, AgilePM, COBIT 5, SDI, Business Analysis, ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 38500, ISO 22301, ISO 21500, CPDE and CloudSchool
- ISM/ITSM Consultation
  - ISM/ITSM projects, assessment and development
- Company Website
  - www.egybyte.net
- For inquiries contact us:
  - INFO@EGYBYTE.NET
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE360 BSI
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Tammy Clark
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketingNavneet Singh
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxjojo82637
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management   it-tool...Protecting business interests with policies for it asset management   it-tool...
Protecting business interests with policies for it asset management it-tool...IT-Toolkits.org
 

Similaire à Information Security between Best Practices and ISO Standards (20)

Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
Cisa 2013 ch2
Cisa 2013 ch2Cisa 2013 ch2
Cisa 2013 ch2
 
Pindad iso27000 2016 smki
Pindad   iso27000 2016 smkiPindad   iso27000 2016 smki
Pindad iso27000 2016 smki
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docxRunning Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketing
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
Bim tek 15 juni 2017 konsep iso27000-2016 smki
Bim tek 15 juni 2017   konsep iso27000-2016 smkiBim tek 15 juni 2017   konsep iso27000-2016 smki
Bim tek 15 juni 2017 konsep iso27000-2016 smki
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Protecting business interests with policies for it asset management it-tool...
Protecting business interests with policies for it asset management   it-tool...Protecting business interests with policies for it asset management   it-tool...
Protecting business interests with policies for it asset management it-tool...
 

Plus de PECB

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 

Plus de PECB (20)

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Dernier

Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleCeline George
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsPooky Knightsmith
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 

Dernier (20)

Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 

Information Security between Best Practices and ISO Standards

• 5. Information Security Governance Frameworks
 Information Security Governance is a subset of corporate governance (Enterprise Risk Management and Internal Controls) and runs in parallel with, or is a subset of, the governance of enterprise IT (Strategic Management, Benefits Realization, Risk Optimization and Resource Optimization).
 Information security governance is the system by which an organization directs and controls information security.
 Information security governance should not be confused with information security management:

Information Security Governance | Information Security Management
• Accountability                | • Responsibility
• Authorizes decision rights    | • Authorized to make decisions
• Enact policy                  | • Enforce policy
• Oversight                     | • Implementation
• Resource allocation           | • Resource utilization
• Strategic planning            | • Project planning
• Doing the right thing         | • Doing the things right
• 6. Information Security Governance Frameworks
 NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
 Enterprise security governance results from the duty of care owed by leadership towards fiduciary requirements. This position is based on judicial rationale and reasonable standards of care. The five general governance areas are:
   Govern the operations of the organization and protect its critical assets
   Protect the organization's market share and stock price (perhaps not appropriate for education)
   Govern the conduct of employees (educational AUP and other policies that may apply to use of technology resources, data handling, etc.)
   Protect the reputation of the organization
   Ensure compliance requirements are met
"Governing for enterprise security means viewing adequate security as a non-negotiable requirement of being in business."
  • 7. Cobit 5 for Information Security
  • 8. Cobit 5 for Information Security
  • 9. Cobit 5 for Information Security
• 10. Publications for Information Security Governance Frameworks
 IT Governance Institute (ITGI) publications:
   Information Security Governance: Guidance for Board of Directors and Executive Management
   Information Security Governance: Guidance for Information Security Managers
 Cobit 5 for Information Security
• 11. Enterprise Security Architecture Frameworks
 The Open Group, O-ESA
 The Corporate Governance Task Force report states: “The road to information security goes through corporate governance”
 To simplify security management, there must be a direct linkage between governance and the security architecture itself.
 O-ESA is a policy-driven security architecture, where policy is the link between governance and the security architecture.
 The functions of the O-ESA components and processes:
   Governance (Principles, Policies, Standards/Guidelines/Procedures, Audit, Enforcement)
   Technology Architecture (Conceptual framework, Conceptual architecture, Logical architecture, Physical architecture, Design/Development)
   Security Operations (Deployment, Services, Devices and applications, Administration, Event management, Incident management, Vulnerability management, Compliance)
• 12. Enterprise Security Architecture Frameworks
 Objectives of O-ESA
   Preserving Confidentiality, Integrity and Availability (CIA) of an organization’s information
   Effective information security management through accountability and assurance
   Satisfying the security demands placed on the IT service organization by its customers
• 13. Enterprise Security Architecture Frameworks
 Sherwood Applied Business Security Architecture (SABSA)
 SABSA is a proven framework and methodology for enterprise security architecture and service management.
 It is used successfully around the globe to meet a wide variety of enterprise needs, including Risk Management, Information Assurance, Governance and Continuity Management.
 SABSA key benefits
   SABSA ensures that the needs of your enterprise are met completely and that security services are designed, delivered and supported as an integral part of your business and IT management infrastructure.
   Although copyright protected, SABSA is an open-use methodology, not a commercial product.
 ESA or EISA can be a powerful development, implementation and integration tool for the development and implementation of a strategy.
 ESA or EISA should be an integral part of EA to be effective, as the integration of EISA and EA helps to ensure that proper controls are implemented and integrated throughout the organization's infrastructure, processes and technologies.
• 15. Information Security in ITIL 2011
  - ITIL is a best practice framework in ITSM.
  - ITIL consists of 26 processes and 4 functions.
  - Information Security Management is one of the ITIL processes; it resides in the Design stage of the ITIL lifecycle.
  - Information Security Management process:
    - Information security is a management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.
    - It further ensures that information security risks are appropriately managed and that enterprise information resources are used responsibly.
    - The purpose and objectives of the information security management process are to align IT security with business security and to ensure that the confidentiality, integrity and availability of the organization's assets, information, data and IT services always match the agreed needs of the business.
    - Scope: the information security management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.
• 17. Resilia Cybersecurity Framework
  - RESILIA™ is a framework of best practice, developed by AXELOS.
  - Based on the Cyber Resilience Best Practices guide, it offers practical knowledge to enhance existing management strategies and help align cyber resilience with IT operations, security and incident management.
  - Using the ITIL lifecycle, it develops the skills and insight needed to detect, respond to and recover from cyber-attacks.
• 19. NIST Security Publications
  - NIST publications are usually used by Federal Agencies or Governmental Organizations, and can be used by non-governmental organizations too.
  - NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets.
  - NIST 800-100 (Information Security Handbook: A Guide for Managers)
    - Covers topics such as Information Security Governance, Performance Measures, Security Planning, IT Contingency Planning, Risk Management, Incident Response and Configuration Management.
  - Framework for Improving Critical Infrastructure Cybersecurity
    - The Framework focuses on using business drivers to guide Cybersecurity activities and on considering Cybersecurity risks as part of the organization's risk management processes.
    - The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
    - The Framework Core is a set of Cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles.
• 20. NIST Security Publications
  - Through use of the Profiles, the Framework will help the organization align its Cybersecurity activities with its business requirements, risk tolerances, and resources.
  - The Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing Cybersecurity risk.
  - NIST 800-53 r4: Security and Privacy Controls for Federal Information Systems and Organizations
    - This publication provides a catalog of security and privacy controls for federal information systems and organizations, and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals and other organizations from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures, and human errors.
    - 285 controls in 19 families of controls.
    - The controls are customizable and are implemented as part of an organization-wide process that manages information security and privacy risk.
• 21. ISO Standards for Information Security: ISO 38500
  - ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.
  - It also provides guidance to those advising, informing, or assisting governing bodies. They include the following:
    - executive managers;
    - members of groups monitoring the resources within the organization;
    - external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;
    - internal and external service providers (including consultants);
    - auditors.
• 22. ISO Standards for Information Security: ISO 38500 and ISO 20000
  - ISO 38500: The purpose of this International Standard is to promote effective, efficient, and acceptable use of IT in all organizations by:
    - assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT;
    - informing and guiding governing bodies in governing the use of IT in their organization; and
    - establishing a vocabulary for the governance of IT.
  - ISO 20000: ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
• 23. ISO Standards for Information Security: ISO 20000
  - ISO/IEC 20000-1:2011 can be used by:
    - an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
    - an organization that requires a consistent approach by all its service providers, including those in a supply chain;
    - a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;
    - a service provider to monitor, measure and review its service management processes and services;
    - a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
    - an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS against the requirements in ISO/IEC 20000-1:2011.
• 24. ISO Standards for Information Security: ISO 20000 Information Security Management Process
  - The information security management (ISM) process should ensure that security controls are in place to protect information assets and that information security requirements are incorporated into the design and transition of new or changed services.
  - It deals with issues such as the Information Security Policy, Information Security Controls, Risk Assessment, Managing Information Security Risks, Information Security Changes and Incidents, Documentation, and Authorities and Responsibilities.
  • 25. ISO Standards for Information Security
• 26. ISO 27000 series: ISO 27001 Information Security Management Systems
  - The ISO 27000 family of standards helps organizations keep information assets secure.
  - Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
  - ISO/IEC 27001:2013 is the best-known standard in the family, providing requirements for an information security management system (ISMS).
  - This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
  - 114 controls, 14 groups of controls and 35 control objectives.
• 27. ISO 27000 series: ISO 27002:2013 Code of practice for information security controls
  - This International Standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
  - It is designed to be used by organizations that intend to:
    - select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
    - implement commonly accepted information security controls;
    - develop their own information security management guidelines.
• 28. ISO 27000 series: ISO 27005:2011 Information Security Risk Management
  - It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
  - Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
  - ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
• 29. ISO 27000 series: ISO 27034 Application Security
  - ISO 27034-1:2011 Application Security – Overview and Concepts
    - ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications.
    - ISO/IEC 27034-1:2011 presents an overview of application security. It introduces the definitions, concepts, principles and processes involved in application security.
    - ISO/IEC 27034 is applicable to in-house developed applications, applications acquired from third parties, and cases where the development or the operation of the application is outsourced.
  - ISO 27034-2:2015 Application Security – Organization Normative Framework
    - ISO/IEC 27034-2:2015 provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.
• 30. What is best for me: Information Security Best Practices or ISO standards? Conclusion
  - Whenever it is applicable, start with GEIT.
  - GEIT is a subset of Corporate Governance.
  - Policy is the linkage between Governance and EISA.
  - EISA is an integral part of EA.
  - The main objective of EA is to strategically align the business objectives with the enterprise IT objectives and to respond effectively and efficiently to the changing needs of the business.
  - Policies define the necessary standards to implement and comply with.
  - ISM/ITSM best practice frameworks are important steps on the way to successfully implementing ISO standards. Generally, ISO standards are auditable while best practice frameworks are not.
  - A solid business case should be developed before adopting any best practice framework and/or standard.
  - Cybersecurity is more than just protecting information assets; it is about preventing, detecting and correcting the adverse impact of incidents on the information assets required to do business.
  - Auditing is the powerful governance tool for enforcing compliance with policies and standards.
• 31. About EGYBYTE
  - ISM/ITSM and Project Management Training: ITIL 2011, PRINCE2, AgilePM, COBIT 5, SDI, Business Analysis, ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 38500, ISO 22301, ISO 21500, CPDE and CloudSchool
  - ISM/ITSM Consultation: ISM/ITSM projects, assessment and development
  - Company Website: www.egybyte.net
  - For inquiries contact us: INFO@EGYBYTE.NET
• 32. Questions? Thank you.