Just a few days ago NIST published a complete refresh of the SP800-53, which provides a catalog of security measure to protect an organization against a variety of risks and threats. How might NIST guidance fit in an information security management system like ISO/IEC 27001 and its privacy extension ISO/IEC 27701? In this session, we will make a quick walk-through the standards and best practices, compare them, and find out how they map and differ from one another. The webinar will cover: • A quick recap of the topics covered in ISO27001/ISO27701 • Discovering the NIST guidelines for Information & cyber Security (SP800-SP1800) • Main differences and mappings between NIST guidance and ISO27001 • About the latest publication (sep/2020) on NIST SP800-53 (Security and Privacy Controls for Information Systems and Organizations) • Implementing information & cyber-security best practices Date: October 14, 2020 YouTube presentation: https://youtu.be/zfsxSaaErqg ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701 Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION

2. • Introduction
• ISO/IEC 27001 & 27701- quick recap (prev. sessions)
• Introduction to NIST
• NIST SP800-53 Walk-through
• Comparing ISMS, PIMS & NIST
• What about certification?
• Q & A
Agenda

3. Introduction

4. Before we start…
Previous session recap

5. 1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard -
(2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
(2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information
Security Manager, and Information Security Auditor (2020-06-24)
• Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (short cut to LinkedIN page)
Previous sessions

6. • Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
Quick Recap

7. • ISO27001 = ISMS
• ISO27701 = PIMS
Quick Recap

8. ISO or NIST deep dive
• Course material reference see later
• NIST document reference see later
The nuts and bolts of ISMS
Just know that it has
• 10 chapters, 7 clauses (Clause 4..10, built on PDCA)
• Annex with
• 14 main categories (A5..A18)
• 35 subcategories
• 114 controls / measures
• Course material reference, see later
What this session is not about

9. ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Code of practices
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain,
Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
And also

10. The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is Privacy & GDPR add-on to ISMS
• Add specifications to interpretation of information security
• Now including PII/personal data
• Extra requirements from GDPR & other legislation
• Interesting annex
• GDPR mapping
• ISO29100 (Privacy) mapping
What this session is not about

11. Introduction to NIST
National Institute of Standards and Technology
(US Dept of Commerce)

12. Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
About
• Founded in 1901
• Now part of US Department of Commerce
Mission
“To promote U.S. innovation and industrial competitiveness by advancing measurement science,
standards, and technology in ways that enhance economic security and improve our quality of life.”
Core competencies
• Measurement science
• Rigorous traceability
• Development and use of standards
NIST

13. Publications (dd 2020-10-13)
Source: https://www.nist.gov/publications
NIST

14. This session focus
• NIST Special publications (SP)
• https://csrc.nist.gov/publications/sp
• Computer security (SP800)
• https://csrc.nist.gov/publications/sp800
• 188 docs
Also check (not covered today)
• SP1800 (Cybersecurity practice guides)
• https://csrc.nist.gov/publications/sp1800
• Not covered in detail today
• 25 documents
NIST – Privacy, Cyber & Information security

15. ISO27001 NIST SP800-53
Management Clauses 7 Incl.
Control Categories 15 20
Subcategories 35 321
Total Controls 114 1189
Pages 23+80 464
Additional ISO27x standards NIST SP800 series
59 188
NIST SP1800 (Cyber)
25
NIST – SP800 level of detail

16. SP800 Series
• 800-53 rev 5 (dd 2020-09-23, fresh !)
• Security and Privacy Controls for Information Systems and Organizations
• (FYI, 464 pag.)
But also
• 800-12: Intro to Information Security
• 800-39: Information Security Risk
• 800-55: Performance management,
And
• Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, …
NIST – SP800

17. NIST SP800-53 Walk-through
Security and Privacy Controls for
Information Systems and Organizations

18. Info
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Downloads
• SP 800-53 Rev. 5 (DOI)
• Local Download
Supplements
• Spreadsheet of 800-53 Rev. 5 Controls (xls)
• SP 800-53 Collaboration Index Template (xls)
• SP 800-53 Collaboration Index Template (word)
NIST SP800-53 rev.5

19. Abstract
• Catalog of security and privacy control
• For information systems and organizations
• To protect organizational operations and assets, individuals, other
organizations
• Against from a diverse set of threats and risks,
• including hostile attacks, human errors, natural disasters, structural failures,
foreign intelligence entities, and privacy risks.
• Controls are flexible and customizable
• Implemented as part of an organization-wide process to manage risk
• Derived from mission and business needs, regulations, legal requirement …
• Functionality (effectiveness) and assurance perspective (trust)
NIST SP800-53 rev.5

20. Add-ons
• [SP 800-30] provides guidance on the risk assessment process.
• [IR 8062] introduces privacy risk concepts.
• [SP 800-39] provides guidance on risk management processes and strategies.
• [SP 800-37] provides a comprehensive risk management process.
• [SP 800-53A] provides guidance on assessing the effectiveness of controls.
• [SP 800-53B] provides guidance for tailoring security and privacy control
baselines and for developing overlays to support the specific protection needs
and requirements of stakeholders and their organizations.
NIST SP800-53 rev.5

21. Setup
• Chapter 1: Introduction (p1..6)
• Chapter 2: the fundamentals (p7..14)
• Chapter 3: The controls (p16..363)
• Reference
• Appendixes
• Glossary
• Acronyms
• Control summaries (p.427..464) (!)
NIST SP800-53 rev.5

22. Chapter 1 (quick check)
• The need to protect information, systems, organization & individuals
• Purpose & applicability
• Audience
• Organization responsibilities
• Relation to other publications
• Revision & extensions
• Rev 5 (2020) vs Rev 4 (2016)
NIST SP800-53 rev.5

23. Chapter 2
• Fundamental concepts
• Associated with security and privacy
• Controls, including
• The structure of the controls,
• How the controls are organized in the consolidated catalog,
• Control implementation approaches,
• The relationship between
• Security and privacy controls, and
• Trustworthiness and assurance
NIST SP800-53 rev.5

24. Chapter 3 (full catalog)
• Consolidated catalog of security and privacy controls
• Incl. discussion section to explain the purpose of each control and
• Provide useful information regarding
• control implementation and
• assessment,
• A list of related controls to show
• The relationships and dependencies among controls, and
• A list of references to supporting
• Publications that may be helpful to organizations
NIST SP800-53 rev.5

25. Control Structure
NIST SP800-53 rev.5

26. Detail provided on every security control/measure
• Control identifier
• Control name
• Base control
• Security measure definition
• Organization tasks (org defined parameter)
• Control enhancement
• Additional sources
• Links to other controls
NIST SP800-53 rev.5

27. Detail provided on every security control/measure
NIST SP800-53 rev.5

28. Control implementation & classification
• Implementation approaches
• Common implementation (applies to multiple system)
• System Specific
• Hybrid (mix of both)
• Security vs Privacy
• Trustworthiness
• Important part of risk management strategy
• Impact on trustworthiness
• Functionality (effectiveness of security)
• Assurance (measure of confidence)
NIST SP800-53 rev.5

29. Control Structure - Focus
NIST SP800-53 rev.5

30. Comparing ISMS, PIMS & NIST
How do they map (or not)?

31. The essentials
• ISMS
• high level approach
• Part 1 = clauses (Management responsibilities)
• Part 2 = operational security measures (ref ISO27002)
• ISO27002
• Advisory & suggestions on ISMS (& PIMS)
• PIMS
• Turns “information security”
• Into “information security & data protection (PII)”
• Add-on to ISO27001, ISO27002 & ISO29100
• NIST
• Highly detailed on all categories
ISMS, PIMS & NIST

32. Attention points
• ISMS
• No practical advise, or implementation guidance
• Lots of freedom & choice
• 114 control points / measures
• You can plug in any technical / implementation framework to achieve
ISO27001
• International level
• NIST
• US level
• Extremely detailed, very extended
• Well organized, super practical guidance & reference
ISMS, PIMS & NIST

33. And also
• ISO
• Limited set publicly Available Standards: http://ffwd2.me/FreeISO
• Subscription/License model
• NIST
• Free
ISMS, PIMS & NIST

34. What about certification?
ISO vs NIST

35. Context
Certification
Certification ISO international
ISO27001, ISO27701 (and also ISO9001, …)
GDPR, NIS, Cyber Act & requirements by other
international legislation or sectors

36. ISO27001
• International,
• Standardized
• Mutual recognition
• Linked to other standards & process references (like ISO9001)
• PDCA cycle
Why is this important?

37. NIST
• NIST does not offer certification and accreditation methods to
certify information security management systems
• No equivalent process to ISO
Certification

38. NIST Alternatives
• assessment and authorization (A&A) process that is part of the NIST
Risk Management Framework (RMF)
• As part of control assessment, the organization selects the appropriate
assessor or assessment team
• Fully described in NIST SP800-37, Rev.2
[https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final].
• Guidance for assessing
• Controls: NIST SP 800-53A,
• Risk: NIST SP 800-30
• Infosec Continuous monitoring: NIST SP 800-137A
Certification

39. Ramping up…
Relevant PECB Training courses

40. Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM

41. Relevant Training
Data protection
• PECB Certified Data protection Officer (GDPR)
Privacy
• PECB ISO29100 LI

42. Other Relevant Training
Incident Management
• PECB ISO 27035 LI
Risk Management
• PECB ISO 27005 LI

43. Check the PECB agenda, select the ISO/IEC 27701 Lead
Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand
side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are
registered to PECB
Training Agenda

44. Q&A

45. Appendix

46. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-auditor

47. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-auditor

48. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27002/iso-iec-27002-lead-manager

49. Relevant Training
PECB GDPR
https://pecb.com/en/education-and-certification-for-individuals/gdpr
CDPO
https://pecb.com/en/education-and-certification-for-individuals/gdpr/certified-
data-protection-officer

50. Relevant Training
PECB ISO29100
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-29100-
privacy-implementer/iso-29100-lead-privacy-implementer

51. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
/iso-iec-27035-lead-incident-manager

52. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
/iso-27005-lead-risk-manager

53. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2 Day Course
• ISO/IEC 27701 Lead Implementer
5Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-
27701
www.pecb.com/events

54. THANK YOU
?
info@cyberminute.com CyberMinute
hello@shiftleftsecurity.eu Shift Left Security