The new version of the ISO/IEC27001:2022 standard was published in October 2022.
Services that HQC Company provides to customers:
- ISO/IEC27001:2022 implementation consulting
- ISO/IEC27001:2022 version transition consulting
- ISO/IEC27001:2022 awareness training
- ISO/IEC27001:2022 internal auditor training
- ISO/IEC27001:2022 trial audit (pre-audit)
Contact us and leave your details to receive the most suitable quotation.
Visit: https://hqc-company.com/bao-gia-dich-vu-hqc-company/
Hotline: 0777.174.471
Consulting and training on the new ISO 27001:2022 version by HQC Consulting
1. 3/10/2023
1
Transition To ISO27001:2022
Tien Duong
(Principal consultant)
HCM, 10.03.2023
Welcome and introduction
2
Duong Dung Tien
(B.S, PMP ®, Scrum Master, ISO27001:2013 Lead Auditor, ISO9001:2015
Lead Auditor, ITIL4 Managing Professional)
• 27+ years working for ICT firms in Vietnam
• Outsourcing, product, service operations in software industries
• Developer, Tester, Architect, Technical Director, Project
Manager, Program/Senior Manager, Quality Director, PMO
• University lecturer (freelance), trainer and consultant in
Software Engineering, PMBOK, ISO9001:2015, ISO27001:2013,
ISO22301:2019, CMMI, Scrum/Agile, ITIL4
HQC CO. Ltd
Welcome and introduction
Mr. Nguyen Dang Quang
(ISO/IEC27001:2022 Lead Auditor by NQA Global)
• 15+ years for ISMS Consultant (VNA, VCN, P&Q, AMSs, ….)
• 10+ years for ISMS Lead Auditor (NQA, ….)
• 20+ IT Manager for 5S Office - Business Center
• Lead Auditor ISO9001-14001-45001-50001, ISO22301-27001, …
FIELDS OF ACTIVITY
• Training and assessment
• Consulting and coaching
• Research & sharing
TRAINING AREAS
• Leadership
• Management
• Production management
• Productivity
• Quality
• Information security
• Soft skills
• Corporate culture
• Service management
Goals of 2022 Update
• Higher effectiveness
• Embracing latest context
• Aligned to technology
ISO commitment to continuous improvement: ISO/IEC 27001:2005 → ISO/IEC 27001:2013 → ISO/IEC 27001:2022
• Over 25% of the workforce worked remotely during 2021, & may still work remotely in 2025
• Majority of enterprises rely on cloud services
• Using mobile devices at work
• Higher support for business needs
Transition Timeline
July 2025 is the deadline for the upgrade audit
Source: ISO 27001 Information Security | US | TÜV Rheinland (tuv.com)
New/ First-time Certification
May begin during 2nd half of 2023
After Oct 2023, no new certification against the 2013 version is issued!
ISO 27001:2022 vs ISO 27002:2022
ISO 27001 and ISO 27002 are seen as a “consistent” pair
ISO 27001:
• Requirements for establishing, operating, monitoring, reviewing and improving the ISMS
• Requirements for implementing security controls (ISO27002)
• Strictly used for certification!
ISO 27002:
• Code of practice for information security controls
• Guidance for best practices
• Not used for certification
What is the relationship between ISO 27001 & ISO 27002?
ISO 27001: Information Security Management System (ISMS). It is fundamentally about information security risk management:
- Identify
- Assess
- Treat
Identify information-related risks to determine which ISO 27002 controls are needed.
ISO 27002: the controls through which the impact of risks is mitigated.
Changes In 27001:2022
Changes In 27002:2022
ISO 27002:2022
• ISO 27002 specifies control techniques that are intended to address specific issues discovered during the risk assessment process.
• It also serves as a roadmap for creating and implementing effective information security/ cyber security/ privacy protection management procedures.
ISO 27002:2022 Structure – 93 controls
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this standard
5. Organizational controls – 37 controls
6. People controls – 8 controls
7. Physical controls – 14 controls
8. Technological controls – 34 controls
ISO27001:2013 Structure
Ref | Domain | Sub-domains | Controls
5 | Information security policies | 1 | 2
6 | Organization of information security | 2 | 6
7 | Human resource security | 3 | 6
8 | Asset management | 3 | 10
9 | Access control | 4 | 14
10 | Cryptography | 1 | 2
11 | Physical and environmental security | 2 | 15
12 | Operations security | 7 | 14
13 | Communications security | 2 | 7
14 | System acquisition, development and maintenance | 3 | 13
15 | Supplier relationships | 2 | 5
16 | Information security incident management | 1 | 7
17 | Information security aspects of business continuity management | 2 | 4
18 | Compliance | 2 | 8
Total | 14 domains | 35 | 114
Going from 114 to 93 (1/4)
27001:2013 controls -> 27001:2022 control
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
  -> 5.1 Policies for information security
6.2.1 Mobile device policy
11.2.8 Unattended user equipment
  -> 8.1 User end point devices
8.1.1 Inventory of assets
8.1.2 Ownership of assets
  -> 5.9 Inventory of information and other associated assets
8.1.3 Acceptable use of assets
8.2.3 Handling of assets
  -> 5.10 Acceptable use of information and other associated assets
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical media transfer
  -> 7.10 Storage media
9.1.1 Access control policy
9.1.2 Access to networks and network services
  -> 5.15 Access control
Going from 114 to 93 (2/4)
27001:2013 controls -> 27001:2022 control
9.2.4 Management of secret authentication information of users
9.3.1 Use of secret authentication information
9.4.3 Password management system
  -> 5.17 Authentication information
9.2.5 Review of user access rights
9.2.6 Removal or adjustment of access rights
  -> 5.18 Access rights
10.1.1 Policy on the use of cryptographic controls
10.1.2 Key management
  -> 8.24 Use of cryptography
12.4.1 Event logging
12.4.2 Protection of log information
12.4.3 Administrator and operator logs
  -> 8.15 Logging
13.2.1 Information transfer policies and procedures
13.2.2 Agreements on information transfer
13.2.3 Electronic messaging
  -> 5.14 Information transfer
Going from 114 to 93 (3/4)
27001:2013 controls -> 27001:2022 control
12.1.2 Change management
14.2.2 System change control procedures
14.2.3 Technical review of applications after operating platform changes
14.2.4 Restrictions on changes to software packages
  -> 8.32 Change management
14.2.8 System security testing
14.2.9 System acceptance testing
  -> 8.29 Security testing in development and acceptance
15.2.1 Monitoring and review of supplier services
15.2.2 Managing changes to supplier services
  -> 5.22 Monitoring, review and change management of supplier services
16.1.2 Reporting information security events
16.1.3 Reporting information security weaknesses
  -> 6.8 Information security event reporting
17.1.1 Planning information security continuity
17.1.2 Implementing information security continuity
17.1.3 Verify, review and evaluate information security continuity
  -> 5.29 Information security during disruption
Going from 114 to 93 (4/4)
27001:2013 controls -> 27001:2022 control
18.1.1 Identification of applicable legislation and contractual requirements
18.1.5 Regulation of cryptographic controls
  -> 5.31 Legal, statutory, regulatory and contractual requirements
18.2.2 Compliance with security policies and standards
18.2.3 Technical compliance review
  -> 5.36 Compliance with policies, rules and standards for information security
12.5.1 Installation of software on operational systems
12.6.2 Restrictions on software installation
  -> 8.19 Installation of software on operational systems
14.1.2 Securing application services on public networks
14.1.3 Protecting application services transactions
  -> 8.26 Application security requirements
12.1.4 Separation of development, testing and operational environments
14.2.6 Secure development environment
  -> 8.31 Separation of development, test and production environments
The New 11 Controls
• To keep the ISMS synergized with other cybersecurity best practices and standards: Cloud Security, Business Continuity Management (BCM), Data Leakage Prevention (DLP), PII Protection
Control ID | Control Name
5.7 | Threat intelligence
5.23 | Information security for use of cloud services
5.30 | ICT readiness for business continuity
7.4 | Physical security monitoring
8.9 | Configuration management
8.10 | Information deletion
8.11 | Data masking
8.12 | Data leakage prevention
8.16 | Monitoring activities
8.23 | Web filtering
8.28 | Secure coding
Control Measures Structure
• Addition of selectable and searchable attributes
  o Attributes are optional
  o An organization can create its own attributes to meet its needs
• "Purpose" is used instead of the control "Objective"
5. Organizational controls – 5.23
Processes with Cloud Services
• Acquisition: procurement selection criteria; associated risks of acquisition
• Usage: acceptable use (per user class, per application, …)
• Management: permission control; data control
• Backup & Recovery: control of backup performed by the cloud service; recovery test
• Exit: data export; data deletion
5. Organizational controls – 5.30
Relationship with BIA
Business Impact Analysis (BIA):
• Categories & criteria of continuity impact
• Prioritized activities
• Minimum business scale for recovery
• RTOs, RPOs
• Constraints to 3rd parties & vendors
ICT DRP:
• Prioritized and critical resources
• Redundant resources
• Recovery procedures
• Tests and exercises criteria
7. Physical controls - 7.4
Physical Access Control
Priorities of physical controls depend on business operations.
The functionality of physical controls should be appropriate to the risk level at the security perimeter where they are implemented.
8. Technological controls – 8.9
CMDB
• A Configuration Management Database (CMDB) offers centralized management of configuration data across all operational components whose functionality depends on one another.
Configuration Management Sample
Configuration management is crucial in change management:
• Determine how the impact of a change spreads across system components
• Ensure successful fallback of impacted system components when a change fails
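The two change-management uses of a CMDB above (impact spreading and fallback), as an added Python example that is not part of the slides. The CMDB, component names and version numbers are constructed for the example; a real CMDB is populated from the organisation's own inventory tooling. The dependency map is inverted into a dependents index, the transitive set of impacted configuration items is computed breadth-first, and the baseline of every item in scope is recorded in the change record so that a failed change can be rolled back to a known state.

```python
from collections import deque

# Constructed sample CMDB: each configuration item (CI) -> the CIs it depends on.
# Component names are hypothetical.
CMDB = {
    "payroll-web": ["payroll-api"],
    "payroll-api": ["hr-db", "auth-service"],
    "reporting": ["hr-db"],
    "auth-service": ["ldap"],
    "hr-db": ["storage-san"],
    "ldap": [],
    "storage-san": [],
}

# Current baseline version of every CI (also constructed).
BASELINE_VERSIONS = {
    "payroll-web": "2.3.1",
    "payroll-api": "2.3.0",
    "reporting": "1.8.4",
    "auth-service": "5.0.2",
    "hr-db": "14.2",
    "ldap": "2.6.4",
    "storage-san": "fw-7.1",
}


def dependents_index(cmdb: dict) -> dict:
    """Invert the dependency map: CI -> CIs that depend on it."""
    index = {ci: [] for ci in cmdb}
    for ci, deps in cmdb.items():
        for dep in deps:
            index.setdefault(dep, []).append(ci)
    return index


def change_impact(cmdb: dict, changed_ci: str) -> list:
    """Every CI transitively affected by a change to changed_ci, in breadth-first
    order (closest consumers first). The changed CI itself is not included."""
    index = dependents_index(cmdb)
    if changed_ci not in index:
        raise KeyError(f"{changed_ci!r} is not a known configuration item")
    seen = {changed_ci}
    order = []
    queue = deque([changed_ci])
    while queue:
        current = queue.popleft()
        for consumer in index.get(current, []):
            if consumer not in seen:
                seen.add(consumer)
                order.append(consumer)
                queue.append(consumer)
    return order


def plan_change(cmdb: dict, versions: dict, changed_ci: str, new_version: str) -> dict:
    """Change record: the target, its impact set, and the recorded baseline of every
    CI in scope, so a failed change has a known state to fall back to."""
    impacted = change_impact(cmdb, changed_ci)
    in_scope = [changed_ci] + impacted
    return {
        "target": changed_ci,
        "new_version": new_version,
        "impacted": impacted,
        "baseline": {ci: versions[ci] for ci in in_scope},
    }


def apply_change(versions: dict, plan: dict, succeeded: bool) -> tuple:
    """Apply the change to a copy of the version map. If post-change verification
    fails, restore every in-scope CI to its recorded baseline (the fallback)."""
    live = dict(versions)
    live[plan["target"]] = plan["new_version"]
    if succeeded:
        return live, "applied"
    live.update(plan["baseline"])
    return live, "rolled_back"


if __name__ == "__main__":
    plan = plan_change(CMDB, BASELINE_VERSIONS, "hr-db", "15.1")
    print("impacted by hr-db change:", plan["impacted"])
    state, outcome = apply_change(BASELINE_VERSIONS, plan, succeeded=False)
    print(outcome, "baseline restored:", state == BASELINE_VERSIONS)
```

The impact list is what goes into the change request's scope and test plan; the recorded baseline is what a rollback step reads, so a change is never approved without both being known in advance.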
Data Governance Model
Data owner concerns:
• Operational data
• Quality of data
• Unused data remains uncontrolled
• Disposing of sensitive information
• Inaccessible when needed
• Recovery after disastrous events
Data Management Plan (Sample)
Data | Created in function | Endpoints | Data owner | Permitted authors | Retention policy | Masking requirement
Employee social insurance | Employment management | Social insurance bookkeeper; external contacts of tax; labor committees | HR | HR CnB Executive | 10 years after employment ends | Social Insurance No.; past companies & salaries
8. Technological controls – 8.10
Situations for information deletion
• Offboarding
• Work reallocation
• User deregistration
• Equipment reuse / discarding
• Disposal of records
• Constraints from contracts, regulation, laws, …
• Etc.
Challenges in deleting information controlled by external parties (e.g., cloud, 3rd party vendors, etc.)
8. Technological controls – 8.11
Data Encryption vs Data Masking
Data encryption
❑ Always unreadable
❑ Reversible
❑ Performance impact
❑ Topic independent
❑ High cost
❑ Heavy key management
Data masking
❑ Readable
❑ Irreversible
❑ No performance impact
❑ Topic dependent
❑ Medium or low cost
❑ Light key management
Data subject to masking: PII, PHI, Payment Card Information (PCI DSS), IP
Masking types: static data masking, dynamic data masking, on-the-fly data masking
Example of Auto-Data Masking
Ref: https://docs.cossacklabs.com/acra/
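An added Python example, not from the slides and not Acra's code, that ties the Data Management Plan sample to the masking types above. The employee records, role names, field names and the HMAC secret are constructed for the example; the plan names HR as data owner and the HR CnB Executive as permitted author, so those are the assumed roles that see cleartext. Static masking writes an irreversible masked copy of the whole dataset (for a test environment, say); dynamic masking leaves the stored record intact and masks per request according to the requester's role. Both keep the values readable and format-shaped, which is the property the slide contrasts with encryption.

```python
import hashlib
import hmac

# Constructed sample dataset modelled on the "Employee social insurance" row of the
# Data Management Plan sample. Names, numbers and salaries are made up.
EMPLOYEE_RECORDS = [
    {
        "employee": "Nguyen Van A",
        "social_insurance_no": "0123456789",
        "past_companies": ["Acme JSC", "Beta Ltd"],
        "past_salaries": [18_000_000, 25_000_000],
    },
    {
        "employee": "Tran Thi B",
        "social_insurance_no": "9876543210",
        "past_companies": ["Beta Ltd"],
        "past_salaries": [31_500_000],
    },
]

# Assumed role names: only the data owner (HR) and the permitted author
# (HR CnB Executive) get the unmasked view.
UNMASKED_ROLES = {"hr", "hr_cnb_executive"}


def mask_id(value: str, keep_last: int = 4) -> str:
    """Partial mask: same length and shape as the original, last digits visible."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def salary_band(amount: int, step: int = 10_000_000) -> str:
    """Generalise an exact salary to a band; the exact figure cannot be recovered."""
    low = (amount // step) * step
    return f"{low:,}-{low + step - 1:,}"


def pseudonym(value: str, secret: bytes) -> str:
    """Keyed one-way token: the same company name always maps to the same token
    (so joins still work), but the name cannot be derived from the token."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ORG-" + digest[:8]


def mask_record(record: dict, secret: bytes) -> dict:
    """Apply the plan's masking requirements to one record; the original is untouched."""
    masked = dict(record)
    masked["social_insurance_no"] = mask_id(record["social_insurance_no"])
    masked["past_companies"] = [pseudonym(c, secret) for c in record["past_companies"]]
    masked["past_salaries"] = [salary_band(s) for s in record["past_salaries"]]
    return masked


def static_mask_dataset(records: list, secret: bytes) -> list:
    """Static masking: produce a masked copy of the whole dataset (e.g. for a
    test environment). Only the masked copy is handed out."""
    return [mask_record(r, secret) for r in records]


def dynamic_view(record: dict, role: str, secret: bytes) -> dict:
    """Dynamic masking: the stored record stays intact; masking is decided per
    request from the requester's role."""
    if role.lower() in UNMASKED_ROLES:
        return dict(record)
    return mask_record(record, secret)


if __name__ == "__main__":
    key = b"example-masking-secret"  # constructed; keep a real one in a key store
    for rec in static_mask_dataset(EMPLOYEE_RECORDS, key):
        print(rec)
    print(dynamic_view(EMPLOYEE_RECORDS[0], "auditor", key))
```

The only key involved is the HMAC secret for the pseudonyms, which is the "light key management" the slide refers to: losing it breaks consistency of tokens across future masking runs but never exposes the original names, because no function here can invert a token.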
8. Technological controls – 8.12
Concerns for DLP
• Prioritized data and information
• Costs of data leakage
• DLP threats at users’ endpoint devices
• DLP threats from external endpoints
• DLP threats from internal operations
Dimensions: needs, cost, effort, system, internal, external
8. Technological controls – 8.16
8.16 is for monitoring of ICT assets
7.4 is for monitoring of physical assets
Purposes of Monitoring
• Availability: detect symptoms of potential interruption
• Performance: evaluate performance vs load
• Breaching: detect/ prevent initial breaching/ attacking actions
Monitoring cycle: Discover, Respond, Detect, Prevent
The Three Pillars of Secure Coding
• People: fostering a security culture enables designing secure software from the ground up, and threat modelling to sustain it
• Process: a Secure Software Development Life Cycle (SSDLC) implements measures throughout all stages of software development
• Tools: tools ensure adoption and improve developers’ productivity
Secure Coding in all Stages of Software Lifecycle
Planning and analysis → Design → Implementation → Testing & Deployment → Maintenance