Just a few days ago NIST published a complete refresh of SP800-53, which provides a catalog of security measures to protect an organization against a variety of risks and threats.
How might NIST guidance fit in an information security management system like ISO/IEC 27001 and its privacy extension ISO/IEC 27701?
In this session, we will take a quick walk through the standards and best practices, compare them, and find out how they map to and differ from one another.
The webinar will cover:
• A quick recap of the topics covered in ISO27001/ISO27701
• Discovering the NIST guidelines for Information & cyber Security (SP800-SP1800)
• Main differences and mappings between NIST guidance and ISO27001
• About the latest publication (sep/2020) on NIST SP800-53 (Security and Privacy Controls for Information Systems and Organizations)
• Implementing information & cyber-security best practices
Date: October 14, 2020
YouTube presentation: https://youtu.be/zfsxSaaErqg
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
5. Previous sessions
1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24)
• Check the past webinars on the PECB website at https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (shortcut to LinkedIn page)
6. Quick Recap
• Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
8. What this session is not about
ISO or NIST deep dive
• Course material reference, see later
• NIST document reference, see later
The nuts and bolts of ISMS
Just know that it has
• 10 chapters, 7 clauses (Clause 4..10, built on PDCA)
• Annex with
  • 14 main categories (A5..A18)
  • 35 subcategories
  • 114 controls / measures
• Course material reference, see later
9. And also
ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Codes of practice
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain, Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
10. What this session is not about
The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is a Privacy & GDPR add-on to ISMS
  • Adds specifications to the interpretation of information security
  • Now including PII/personal data
  • Extra requirements from GDPR & other legislation
• Interesting annex
  • GDPR mapping
  • ISO29100 (Privacy) mapping
12. NIST
Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
About
• Founded in 1901
• Now part of US Department of Commerce
Mission
“To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
Core competencies
• Measurement science
• Rigorous traceability
• Development and use of standards
14. NIST – Privacy, Cyber & Information security
This session focus
• NIST Special Publications (SP): https://csrc.nist.gov/publications/sp
• Computer security (SP800): https://csrc.nist.gov/publications/sp800
  • 188 docs
Also check (not covered today)
• SP1800 (Cybersecurity practice guides): https://csrc.nist.gov/publications/sp1800
  • Not covered in detail today
  • 25 documents
15. NIST – SP800 level of detail
                      ISO27001                NIST SP800-53
Management Clauses    7                       Incl.
Control Categories    15                      20
Subcategories         35                      321
Total Controls        114                     1189
Pages                 23+80                   464
Additional            ISO27x standards: 59    NIST SP800 series: 188
                                              NIST SP1800 (Cyber): 25
16. NIST – SP800
SP800 Series
• 800-53 rev 5 (dd 2020-09-23, fresh!)
  • Security and Privacy Controls for Information Systems and Organizations
  • (FYI, 464 pages)
But also
• 800-12: Intro to Information Security
• 800-39: Information Security Risk
• 800-55: Performance management
And
• Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, …
19. NIST SP800-53 rev.5
Abstract
• Catalog of security and privacy controls
• For information systems and organizations
• To protect organizational operations and assets, individuals, other organizations
• Against a diverse set of threats and risks,
  • including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
• Controls are flexible and customizable
• Implemented as part of an organization-wide process to manage risk
• Derived from mission and business needs, regulations, legal requirements …
• Functionality (effectiveness) and assurance perspective (trust)
20. NIST SP800-53 rev.5
Add-ons
• [SP 800-30] provides guidance on the risk assessment process.
• [IR 8062] introduces privacy risk concepts.
• [SP 800-39] provides guidance on risk management processes and strategies.
• [SP 800-37] provides a comprehensive risk management process.
• [SP 800-53A] provides guidance on assessing the effectiveness of controls.
• [SP 800-53B] provides guidance for tailoring security and privacy control baselines and for developing overlays to support the specific protection needs and requirements of stakeholders and their organizations.
22. NIST SP800-53 rev.5
Chapter 1 (quick check)
• The need to protect information, systems, organization & individuals
• Purpose & applicability
• Audience
• Organization responsibilities
• Relation to other publications
• Revision & extensions
  • Rev 5 (2020) vs Rev 4 (2016)
23. NIST SP800-53 rev.5
Chapter 2
• Fundamental concepts
  • Associated with security and privacy
  • Controls, including
    • The structure of the controls,
    • How the controls are organized in the consolidated catalog,
    • Control implementation approaches,
    • The relationship between security and privacy controls, and
    • Trustworthiness and assurance
24. NIST SP800-53 rev.5
Chapter 3 (full catalog)
• Consolidated catalog of security and privacy controls
  • Incl. discussion section to explain the purpose of each control and provide useful information regarding control implementation and assessment,
  • A list of related controls to show the relationships and dependencies among controls, and
  • A list of references to supporting publications that may be helpful to organizations
26. NIST SP800-53 rev.5
Detail provided on every security control/measure
• Control identifier
• Control name
• Base control
• Security measure definition
• Organization tasks (org defined parameter)
• Control enhancement
• Additional sources
• Links to other controls
28. NIST SP800-53 rev.5
Control implementation & classification
• Implementation approaches
  • Common implementation (applies to multiple systems)
  • System specific
  • Hybrid (mix of both)
• Security vs Privacy
• Trustworthiness
  • Important part of risk management strategy
  • Impact on trustworthiness
    • Functionality (effectiveness of security)
    • Assurance (measure of confidence)
31. ISMS, PIMS & NIST
The essentials
• ISMS
  • High-level approach
  • Part 1 = clauses (Management responsibilities)
  • Part 2 = operational security measures (ref ISO27002)
• ISO27002
  • Advisory & suggestions on ISMS (& PIMS)
• PIMS
  • Turns “information security” into “information security & data protection (PII)”
  • Add-on to ISO27001, ISO27002 & ISO29100
• NIST
  • Highly detailed on all categories
32. ISMS, PIMS & NIST
Attention points
• ISMS
  • No practical advice or implementation guidance
  • Lots of freedom & choice
  • 114 control points / measures
  • You can plug in any technical / implementation framework to achieve ISO27001
  • International level
• NIST
  • US level
  • Extremely detailed, very extended
  • Well organized, super practical guidance & reference
33. ISMS, PIMS & NIST
And also
• ISO
  • Limited set of publicly available standards: http://ffwd2.me/FreeISO
  • Subscription/license model
• NIST
  • Free
37. Certification
NIST
• NIST does not offer certification and accreditation methods to certify information security management systems
• No equivalent process to ISO
38. Certification
NIST Alternatives
• Assessment and authorization (A&A) process that is part of the NIST Risk Management Framework (RMF)
  • As part of control assessment, the organization selects the appropriate assessor or assessment team
  • Fully described in NIST SP800-37, Rev.2 [https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final].
• Guidance for assessing
  • Controls: NIST SP 800-53A
  • Risk: NIST SP 800-30
  • Infosec continuous monitoring: NIST SP 800-137A
40. Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
43. Training Agenda
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are registered to PECB
46. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
47. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
48. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
51. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
52. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
53. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation: 2 Day Course
• ISO/IEC 27701 Lead Implementer: 5 Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events