Gen AI in Business - Global Trends Report 2024.pdf
All you wanted to know about iso 27000
1. ALL YOU WANTED TO KNOW
ABOUT ISO 27000 SERIES
Ramana Krothapalli
2. TOGETHER WE WILL LEARN..
• What is ISO?
• History of ISO 27001
• ISO 27001 family of standards
• Overview of ISO 27001
3. WHAT IS ISO?
• International Organization for Standardization
• World’s largest developer of voluntary International Standards
• Founded in 1947
• In 1951, the first ISO standard (called Recommendations at this
time), ISO/R 1:1951Standard reference temperature for industrial
length measurements, is published
• Published more than 21000 International Standards covering
almost all aspects of technology and business
• Head Quartered in Geneva
• Membership – 163 countries
4. HISTORY OF ISO 27000
• The first seeds – UK Govt’s DTI initiatives
• To create security evaluation criteria (ITSEC) - 1990
• Creation of good security practice for information security (PD 0003 – Organized into 10 sections) -1989
• BS7799:1995 - A code of practice for information security management
• BS7799-2:1998 – A specification of an Information Security Management System
• BS7799:1999 – The first revision of the standard
• ISO/IEC 17799:2000 – Part – 1 was proposed as an ISO Standard
• BS 7799-2:2002 – Launched in Sep 2002
• BS 7799 Part 3 – Published in 2005 covering risk analysis and management
• ISO 27001: 2005 – BS 7799-2:2002 became 27001 in 2005
• ISO 27002: 2005 – ISO 17799 numbered as ISO 27002
• ISO 27001: 2013 - The first revision of ISO 27001: 2005
5. ISO 27000 FAMILY
Standard Standard description
ISO 27000: 2016 Information technology -- Security techniques -- Information security management
systems -- Overview and vocabulary
ISO 27001: 2013 Information technology -- Security techniques -- Information security management
systems -- Requirements
ISO 27002: 2013 Information technology -- Security techniques -- Code of practice for information
security controls
ISO 27003: 2010 Information technology -- Security techniques -- Information security management
system implementation guidance
ISO 27004: 2009 Information technology -- Security techniques -- Information security management --
Measurement
ISO 27005: 2011 Information technology -- Security techniques -- Information security risk
management
6. ISO 27000 FAMILY
Standard Standard Description
ISO 27006: 2015 Information technology -- Security techniques -- Requirements for bodies providing
audit and certification of information security management systems
ISO 27007: 2011 Information technology -- Security techniques -- Guidelines for information security
management systems auditing
ISO 27008: 2011 Information technology -- Security techniques -- Guidelines for auditors on
information security controls
ISO 27009: 2016 Information technology -- Security techniques -- Sector-specific application of ISO/IEC
27001 -- Requirements
ISO 27010: 2015 Information technology -- Security techniques -- Information security management for
inter-sector and inter-organizational communications
7. ISO 27000 FAMILY
Standard Standard Description
ISO 27011: 2008 Information technology -- Security techniques -- Information security management
guidelines for telecommunications organizations based on ISO/IEC 27002
ISO 27013: 2015 Information technology -- Security techniques -- Guidance on the integrated
implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO 27014: 2013 Information technology -- Security techniques -- Governance of information security
ISO 27015: 2012 Information technology -- Security techniques -- Information security management
guidelines for financial services
ISO 27016: 2014 Information technology -- Security techniques -- Information security management --
Organizational economics
8. ISO 27000 FAMILY
Standard Standard Description
ISO 27017: 2015 Information technology -- Security techniques -- Code of practice for information
security controls based on ISO/IEC 27002 for cloud services
ISO 27018: 2014 Information technology -- Security techniques -- Code of practice for protection of
personally identifiable information (PII) in public clouds acting as PII processors
ISO 27019: 2013 Information technology -- Security techniques -- Information security management
guidelines based on ISO/IEC 27002 for process control systems specific to the energy
utility industry
ISO 27021: Under development - Information technology -- Security techniques -- Competence
requirements for information security management systems professionals
ISO 27023: 2015 Information technology -- Security techniques -- Mapping the revised editions of
ISO/IEC 27001 and ISO/IEC 27002
9. ISO 27000 FAMILY
Standard Standard Description
ISO 27031: 2011 Information technology -- Security techniques -- Guidelines for information and
communication technology readiness for business continuity
ISO 27032: 2012 Information technology -- Security techniques -- Guidelines for cybersecurity
ISO 27033: 2010 Information technology -- Security techniques -- Network security -- Part 3: Reference
networking scenarios -- Threats, design techniques and control issues
ISO/IEC 27033-
1:2015
Information technology -- Security techniques -- Network security -- Part 1: Overview
and concepts
ISO/IEC 27033-
2:2012
Information technology -- Security techniques -- Network security -- Part 2: Guidelines
for the design and implementation of network security
10. ISO 27000 FAMILY
Standard Standard Description
ISO/IEC 27033-
3:2010
Information technology -- Security techniques -- Network security -- Part 3: Reference
networking scenarios -- Threats, design techniques and control issues
ISO/IEC 27033-
4:2014
Information technology -- Security techniques -- Network security -- Part 4: Securing
communications between networks using security gateways
ISO/IEC 27033-
5:2013
Information technology -- Security techniques -- Network security -- Part 5: Securing
communications across networks using Virtual Private Networks (VPNs)
ISO/IEC 27033-
6:2016
Information technology -- Security techniques -- Network security -- Part 6: Securing
wireless IP network access
11. ISO 27000 FAMILY
Standard Standard Description
ISO 27034-1:
2011
Information technology -- Security techniques -- Application security -- Part 1:
Overview and concepts
ISO 27034-2:
2015
Information technology -- Security techniques -- Application security -- Part 2:
Organization normative framework
ISO 27035: 2011 Information technology -- Security techniques -- Information security incident
management
ISO 27036-1:
2014
Information technology -- Security techniques -- Information security for supplier
relationships -- Part 1: Overview and concepts
ISO/IEC 27036-
2:2014
Information technology -- Security techniques -- Information security for supplier
relationships -- Part 2: Requirements
ISO/IEC 27036-
3:2013
Information technology -- Security techniques -- Information security for supplier
relationships -- Part 3: Guidelines for information and communication technology
supply chain security
12. ISO 27000 FAMILY
Standard Standard Description
ISO 27037: 2012 Information technology -- Security techniques -- Guidelines for identification,
collection, acquisition and preservation of digital evidence
ISO 27038: 2014 Information technology -- Security techniques -- Specification for digital redaction
ISO 27039: 2015 Information technology -- Security techniques -- Selection, deployment and
operations of intrusion detection and prevention systems (IDPS)
ISO 27040: 2015 Information technology -- Security techniques -- Storage security
ISO 27041: 2015 Information technology -- Security techniques -- Guidance on assuring suitability and
adequacy of incident investigative method
13. ISO 27000 FAMILY
Standard Standard Description
ISO 27042: 2015 Information technology -- Security techniques -- Guidelines for the analysis and
interpretation of digital evidence
ISO 27043:2015 Information technology -- Security techniques -- Incident investigation principles and
processes
ISO 27789:2013 Health informatics -- Audit trails for electronic health records
ISO 27790:2009 Health informatics -- Document registry framework
ISO 27799:2016 Health informatics -- Information security management in health using ISO/IEC 27002
14.
15. ISO 27001: 2013 INTRODUCTION
• The official complete name of this standard is ISO/IEC
27001:2013 Information technology - Security techniques -
Information security management systems – Requirements
• Certification is given for ISO 27001 Only
• Requirements are found in sections:
4. Context
5. Leadership
6. Planning
7. Support
8. Operation
9. Evaluation
10. Improvement
• Every requirement is mandatory
• The standard is generic
16. ANNEX A AND ISO IEC 27002 2013
• The standard includes a section called Annex A
• This Annex lists information security control objectives and information
security controls and is taken directly from ISO IEC 27002 2013 sections 5 to 18
• The controls are grouped under control objectives, which in turn are grouped under
Domains
• There are14 Domains, 35 control objectives and 114 controls
• Selection and control implementation depends on the risk assessment
20. Learn from yesterday, live for
today, hope for tomorrow. The
important thing is not to stop
questioning. Albert Einstein
http://www.brainyquote.com/quotes/keywords/questi
oning.html
Ramana Krothapalli
kvramana.hyd@gmail.com