Week-11: ISO

Week-11: ISO/IEC 27000 Framework (CSF)

Ali Jaddoa,

Ali.Jaddoa@roehampton.ac.uk

Date: 11/12/2025


25/26

RECAP: Last Week - NIST



What is ISO?

  • ISO = International Organization for Standardization
  • Independent, non-governmental body
  • Develops international standards across industries
  • Aim: ensure quality, safety, efficiency, and interoperability worldwide


What is IEC?

  • IEC = International Electrotechnical Commission
  • Specialises in electrical, electronic, and IT standards
  • Works closely with ISO on global standards
  • Together: cover technology + management systems


Why ISO/IEC?

  • Provides a common framework for managing information security.
  • Aligns security with business governance.
  • Widely adopted by organisations for certification and assurance.
  • Basis for audit, compliance, and continual improvement.


Examples of ISO Standards

  • ISO 9001 - Quality Management
  • ISO 14001 - Environmental Management
  • ISO 22000 - Food Safety Management
  • ISO 31000 - Risk Management
  • ISO/IEC 27000: best practice for information security management (TODAY)


ISO/IEC 27000 Series

A family of standards that define how organisations manage and protect information through an ISMS.

| Standard | Purpose | Key Points | Certifiable? |
|---|---|---|---|
| 27001 | ISMS requirements | Mandatory requirements (Clauses 4-10) plus the Annex A control list | ✔ |
| 27002 | Security controls | Implementation guidance for the 93 controls | ✖ |
| 27005 | Risk management | Methods for identifying, analysing and treating risk | ✖ |

In short:

  • 27001 = what (Today)
  • 27002 = how (Today)
  • 27005 = risk basis


In a nutshell

  • ISO 27001 = what you must do to build an ISMS

    • (clauses + Annex A control list)
  • ISO 27002 = how to do it

    • (detailed guidance for each control)


ISO and the PDCA Cycle

  • Most ISO standards follow the Plan-Do-Check-Act approach:
    • Plan → define activities as required
    • Do → carry out the activities
    • Check → measure effectiveness
    • Act → fix inefficiencies and improve
  • Seen across many industries
  • Ensures ongoing improvement rather than one-time compliance
Plan-Do-Check-Act Cycle


ISO/IEC 27001 - What is it?

  • Core standard in the ISO/IEC 27000 family
  • Defines the requirements for an Information Security Management System (ISMS)
  • An ISMS is a managed framework of:
    • Policies, procedures, resources, activities
  • Purpose: protect information assets and support business objectives
  • Forms the basis for certification


ISO/IEC 27001 - ISMS Approach

  • Uses a systematic, risk-driven method:
    • Establish → Implement → Operate
    • Monitor → Review → Maintain → Improve
  • Ensures risks are identified, assessed and treated in a way that fits the organisation, rather than by applying a fixed checklist


ISO/IEC 27001 ISMS - Requirements

  • Specifies requirements for:
    • Establishing, implementing, maintaining, and improving an ISMS
  • Introductory clauses:
    • (1) Scope
    • (2) Normative references
    • (3) Terms and definitions
  • Actual ISMS requirements = Clauses 4-10:
    • Context; Leadership; Planning; Support; Operation; Evaluation; Improvement
  • Organisations can be certified by showing they meet all requirements


ISO/IEC 27001 Clauses

Clauses 1-3 (Scope, Normative References, Terms) are introductory.

| Clause | Title | Key Points (Shortened) |
|---|---|---|
| 4 | Context of the organisation | Organisation and its context; interested parties; ISMS scope; the ISMS itself |
| 5 | Leadership | Leadership commitment; policy; roles and responsibilities |
| 6 | Planning | Risks and opportunities; security objectives |
| 7 | Support | Resources; competence; awareness; communication; documentation |
| 8 | Operation | Operational control; risk assessment; risk treatment |
| 9 | Performance evaluation | Monitoring; internal audit; management review |
| 10 | Improvement | Continual improvement; nonconformity and corrective action |


Clause 4 - Context of the Organisation

  • Identify internal and external factors that affect information security
  • Understand stakeholder needs and expectations
  • Define the scope of the ISMS (what is included and why)
  • Provides the foundation for establishing and improving the ISMS


Quick activity (3 minutes)

Scenario:
A small private clinic stores patient records in a cloud system and has 20 staff.

Task:
List one internal factor and one external factor that would influence the ISMS for this clinic



Clause 5 - Leadership

  • Senior management must:

    • Show leadership and commitment
    • Define an information security policy
    • Ensure resources are available
    • Assign and communicate roles & responsibilities
    • Monitor ISMS results




Example

The clinic is starting its ISMS project and needs visible support from senior management to ensure staff take the process seriously.

Example actions:

  • Senior management approves the new security policy.
  • They appoint an ISMS lead to coordinate the work.
  • They provide a small training budget so staff can meet basic security requirements.

These actions show real leadership commitment, which is essential for the ISMS to be accepted and followed across the organisation.



Clause 6 - Planning

  • Plan how risks will be managed:
    • Choose a risk assessment method
    • Set risk acceptance criteria
    • Define how risks will be treated
  • Produce the Statement of Applicability (SoA):
    • List the Annex A controls
    • Justify what is included or excluded
    • Record implementation status
  • Set clear and measurable information security objectives, and plan how to achieve them


Example

The clinic needs to plan how it will manage risks within its new ISMS.

Example actions:

  • It selects a simple risk assessment method based on likelihood and impact.
  • It sets risk acceptance criteria so staff know which risks require action.
  • In the SoA, the clinic includes controls such as access control and logging, and explains why others are not relevant.
  • It sets a measurable objective: reduce access control incidents by 20 percent in the next year.

These steps ensure the organisation has a clear and structured plan for treating risks and choosing appropriate controls.



Clause 7 - Support

  • Provide adequate resources for ISMS
  • Ensure competence of staff
  • Promote awareness of policies & consequences
  • Maintain communication plan (internal & external)
  • Keep required documentation for effectiveness


Clause 8 - Operation

  • Plan, implement, and manage security controls
  • Conduct risk assessments:
    • Identify assets, threats, vulnerabilities
    • Estimate likelihood and impact
    • Calculate risk levels
  • Apply risk treatment:
    • Reduce, transfer, accept, or avoid risks
  • Keep documented evidence of risk treatment
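The assessment-and-treatment loop described under Clauses 6 and 8, carried through in Python as an added example (this is not code from the slides). It assumes the clinic's chosen method from the Clause 6 example: a 5x5 likelihood x impact scale, an acceptance criterion of "level 6 or below needs no further action", and the four treatment options listed above. The risks, scores and residual estimates are constructed for the clinic scenario; A.8.13 is the control named on the slides, and the other Annex A references (A.5.15, A.5.20, A.8.24) are taken from ISO/IEC 27001:2022.

```python
"""Risk assessment and treatment register (ISO/IEC 27001 Clauses 6 and 8).

Added example, not code from the slides. Assumptions: a 5x5 likelihood x impact
method, the acceptance criterion "level <= 6 needs no further action", and a
constructed set of risks for the small-clinic scenario.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)          # 1 = very low .. 5 = very high (assumed method)
ACCEPT_AT_OR_BELOW = 6       # assumed acceptance criterion set under Clause 6
TREATMENTS = {"reduce", "transfer", "avoid", "accept"}


def band(level: int) -> str:
    """Qualitative band for a likelihood x impact product in 1..25."""
    if level <= ACCEPT_AT_OR_BELOW:
        return "low"
    return "medium" if level <= 12 else "high"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "accept"
    control: str = ""                          # Annex A reference for reduce/transfer
    residual_likelihood: Optional[int] = None  # estimate after the control is applied
    residual_impact: Optional[int] = None
    accepted_by: str = ""                      # management sign-off when accepting above criteria

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.asset}: unknown treatment {self.treatment!r}")

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_level(self) -> int:
        if self.treatment == "avoid":
            return 0                           # the risky activity is stopped
        if self.treatment == "accept":
            return self.level                  # nothing changes the inherent risk
        if self.residual_likelihood is None or self.residual_impact is None:
            raise ValueError(f"{self.asset}: {self.treatment!r} needs a residual estimate")
        return self.residual_likelihood * self.residual_impact


def evaluate(risk: Risk) -> dict:
    """One register row: inherent level, residual level after treatment, and status."""
    residual = risk.residual_level
    if residual <= ACCEPT_AT_OR_BELOW:
        status = "closed"                      # meets the acceptance criterion
    elif risk.treatment == "accept" and risk.accepted_by:
        status = "accepted-by-management"      # documented exception (Clause 8.3 evidence)
    elif risk.treatment == "accept":
        status = "nonconformity"               # above criteria with no sign-off (Clause 10)
    else:
        status = "open"                        # treated, but residual still above criteria
    return {"asset": risk.asset, "threat": risk.threat, "inherent": risk.level,
            "band": band(risk.level), "treatment": risk.treatment, "control": risk.control,
            "residual": residual, "status": status}


def register(risks: list[Risk]) -> list[dict]:
    """Register rows ordered highest inherent risk first (Clause 8.2 output)."""
    return sorted((evaluate(r) for r in risks), key=lambda row: -row["inherent"])


def needs_action(rows: list[dict]) -> list[str]:
    """Items the management review (Clause 9.3) should see as still outstanding."""
    return [f"{row['asset']}: {row['threat']}" for row in rows
            if row["status"] in ("open", "nonconformity")]


# Constructed sample for the clinic scenario; scores are illustrative, not measured.
CLINIC_RISKS = [
    Risk("patient records (cloud)", "ransomware", "backups never restore-tested", 3, 5,
         treatment="reduce", control="A.8.13 Information backup",
         residual_likelihood=3, residual_impact=2),                       # 15 -> 6, closed
    Risk("patient records (cloud)", "unauthorised access", "shared reception login", 4, 5,
         treatment="reduce", control="A.5.15 Access control",
         residual_likelihood=2, residual_impact=5),                       # 20 -> 10, still open
    Risk("clinician laptop", "theft", "disk not encrypted", 2, 4,
         treatment="reduce", control="A.8.24 Use of cryptography",
         residual_likelihood=2, residual_impact=1),                       # 8 -> 2, closed
    Risk("cloud hosting", "provider outage", "single provider, no SLA", 2, 4,
         treatment="transfer", control="A.5.20 Supplier agreements",
         residual_likelihood=2, residual_impact=2),                       # 8 -> 4, closed
    Risk("waiting-room screen", "shoulder surfing", "appointment list visible", 2, 2),  # 4, accept
    Risk("staff phones", "data leakage", "records emailed to personal accounts", 3, 4),  # 12 accepted, no sign-off
]

if __name__ == "__main__":
    rows = register(CLINIC_RISKS)
    for row in rows:
        print(f"{row['inherent']:>2} {row['band']:<6} -> {row['residual']:>2} "
              f"{row['status']:<22} {row['asset']}: {row['threat']}")
    print("outstanding:", needs_action(rows))
```

Two rows are the ones an auditor would ask about: the shared login is treated but its residual (10) is still above the criterion, so it stays open, and the 12-level data-leakage risk is "accepted" with no management sign-off, which is a nonconformity rather than a decision. Changing the criterion or the scale is a Clause 6 decision and should be versioned with the register.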


Clause 9 - Performance Evaluation

  • Monitor, measure, analyse, and evaluate the ISMS
  • Use valid and reproducible methods
  • Conduct internal audits at intervals
  • Senior management must:
    • Review ISMS periodically
    • Assess status of previous actions, risks, and treatments
    • Identify improvement opportunities
  • Document management reviews


Clause 10 - Improvement

  • Ensure continual improvement of the ISMS
  • Identify and correct nonconformities
  • Address consequences of weaknesses
  • Take action to prevent recurrence of issues
  • Enhance ISMS effectiveness over time


ISMS Process Cycle

  • ISO/IEC 27001 Clauses 4-10 are not written as a logical flow
  • They are a complete set of requirements, but not a sequence to be followed in order
  • To aid understanding, they are often arranged in a process cycle
  • In practice the activities in the cycle run in parallel, not one after another


ISMS Process Cycle - NIST integration

(diagram omitted: the ISMS process cycle mapped onto the NIST functions)



ISO/IEC 27002 - Information Security Controls

  • Companion to ISO/IEC 27001
  • Describes a set of security controls for reducing risks
  • Explains:
    • How each control works
    • Its purpose
    • How it can be implemented
  • Not all controls are relevant → organisations select based on risk and context


ISO/IEC 27002: Information Security Controls

  • Defines 93 security controls
  • Organised into four domains:
    • Organisational - 37 controls
    • People - 8 controls
    • Physical - 14 controls
    • Technological - 34 controls

The same 93 controls are listed as Annex A of ISO/IEC 27001:2022; ISO/IEC 27002 supplies the implementation guidance for each of them.



Attributes in ISO/IEC 27002:2022

  • All controls are described in a uniform way for easy use
  • Each control includes attributes (#tags) to support categorisation
  • Purpose: make it easier to select controls based on specific needs
  • Attributes can be used to map to frameworks like:
    • NIST CSF (Identify, Protect, Detect, Respond, Recover)


Attribute Categories in ISO/IEC 27002:2022

Attributes help organisations categorise controls and map them to frameworks (e.g. NIST CSF, CIS Controls).

| Category | Example Attributes |
|---|---|
| Control type | #Preventive, #Detective, #Corrective |
| Information security properties | #Confidentiality, #Integrity, #Availability |
| Cybersecurity concepts | #Identify, #Protect, #Detect, #Respond, #Recover |
| Operational capabilities | 15 values (e.g. #Continuity, #Identity_and_access_management), which can be aligned with CIS Controls and NIST SP 800-53 Rev. 5 (2020) |
| Security domains | #Governance_and_Ecosystem, #Protection, #Defence, #Resilience |

Each control in ISO/IEC 27002:2022 is described using one or more values from every category.



Example: Control 8.13 - Information Backup

  • Backup copies of information, software, and systems should be maintained and regularly tested.
  • Enables recovery from loss of data or systems.

| Category | Values |
|---|---|
| Control type | #Corrective |
| Information security properties | #Integrity, #Availability |
| Cybersecurity concepts | #Recover |
| Operational capabilities | #Continuity |
| Security domains | #Protection |

Note that "Technological" is the theme (clause 8 of the standard) the control sits under, not a security-domain value; the security-domain attribute only takes the four values listed above.


Another Example: an access control

  • Access to information and systems should be granted only on the basis of business need and authorised approval.
  • Ensures that only appropriate users can access sensitive information.

| Category | Values |
|---|---|
| Control type | #Preventive |
| Information security properties | #Confidentiality |
| Cybersecurity concepts | #Protect |
| Operational capabilities | #Identity_and_access_management |
| Security domains | #Protection |
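The attribute tagging shown in the two examples is what makes control selection mechanical: filter the catalogue by attribute values, map the result onto the NIST CSF functions, and check the Statement of Applicability from Clause 6 for exclusions with no justification. The Python below is an added example, not text from the standard or the slides. Its catalogue is a constructed excerpt: 8.13 carries the attributes shown on the slide, while the attribute values for 5.9, 5.15, 7.2, 8.15, 8.16 and 8.24 are transcribed from ISO/IEC 27002:2022 as I read it and should be verified against a licensed copy before use. The clinic's SoA decisions are invented for the example.

```python
"""Selecting ISO/IEC 27002:2022 controls by attribute and checking a Statement of Applicability.

Added example, not text from the standard or the slides. CATALOGUE is a
constructed excerpt: 8.13 as on the slide, the rest transcribed from
ISO/IEC 27002:2022 as I read it; verify against the standard before relying on it.
"""
from __future__ import annotations

from dataclasses import dataclass

CSF_FUNCTIONS = ("#Identify", "#Protect", "#Detect", "#Respond", "#Recover")
CIA = frozenset({"#Confidentiality", "#Integrity", "#Availability"})


@dataclass(frozen=True)
class Control:
    ref: str
    title: str
    control_type: frozenset   # #Preventive / #Detective / #Corrective
    properties: frozenset     # #Confidentiality / #Integrity / #Availability
    concepts: frozenset       # NIST CSF functions
    capabilities: frozenset   # operational capabilities
    domains: frozenset        # security domains


def _c(ref, title, ctype, props, concepts, caps, domains) -> Control:
    return Control(ref, title, frozenset(ctype), frozenset(props),
                   frozenset(concepts), frozenset(caps), frozenset(domains))


CATALOGUE = [
    _c("5.9", "Inventory of information and other associated assets", {"#Preventive"}, CIA,
       {"#Identify"}, {"#Asset_management"}, {"#Governance_and_Ecosystem", "#Protection"}),
    _c("5.15", "Access control", {"#Preventive"}, CIA, {"#Protect"},
       {"#Identity_and_access_management"}, {"#Protection"}),
    _c("7.2", "Physical entry", {"#Preventive"}, CIA, {"#Protect"},
       {"#Physical_security"}, {"#Protection"}),
    _c("8.13", "Information backup", {"#Corrective"}, {"#Integrity", "#Availability"},
       {"#Recover"}, {"#Continuity"}, {"#Protection"}),
    _c("8.15", "Logging", {"#Detective"}, CIA, {"#Detect"},
       {"#Information_security_event_management"}, {"#Protection", "#Defence"}),
    _c("8.16", "Monitoring activities", {"#Detective", "#Corrective"}, CIA,
       {"#Detect", "#Respond"}, {"#Information_security_event_management"}, {"#Defence"}),
    _c("8.24", "Use of cryptography", {"#Preventive"}, CIA, {"#Protect"},
       {"#Secure_configuration"}, {"#Protection"}),
]


def _ref_key(ref: str) -> tuple:
    return tuple(int(part) for part in ref.split("."))   # "5.9" sorts before "5.15"


def select(catalogue: list[Control], **required: set[str]) -> list[Control]:
    """Controls carrying every requested value, e.g. select(c, concepts={"#Recover"}).
    Keyword names are Control field names; several keywords are AND-ed together."""
    return [control for control in catalogue
            if all(set(values) <= getattr(control, field) for field, values in required.items())]


def csf_map(catalogue: list[Control]) -> dict[str, list[str]]:
    """Which catalogue controls support each NIST CSF function (the cybersecurity-concept attribute)."""
    return {fn: sorted((c.ref for c in catalogue if fn in c.concepts), key=_ref_key)
            for fn in CSF_FUNCTIONS}


def coverage_gaps(catalogue: list[Control], selected: list[str]) -> list[str]:
    """CSF functions that none of the selected controls address."""
    covered = set().union(*(c.concepts for c in catalogue if c.ref in selected))
    return [fn for fn in CSF_FUNCTIONS if fn not in covered]


def statement_of_applicability(catalogue: list[Control], decisions: dict) -> tuple[list[dict], list[str]]:
    """Build SoA rows from {ref: (applicable, justification, status)} and flag what Clause 6
    will not tolerate: a control not addressed at all, or a decision with no justification."""
    rows, problems = [], []
    for c in catalogue:
        if c.ref not in decisions:
            problems.append(f"{c.ref}: not addressed in SoA")
            continue
        applicable, justification, status = decisions[c.ref]
        if not justification.strip():
            problems.append(f"{c.ref}: {'inclusion' if applicable else 'exclusion'} lacks justification")
        rows.append({"ref": c.ref, "title": c.title, "applicable": applicable,
                     "justification": justification,
                     "status": status if applicable else "not applicable"})
    return rows, problems


# Constructed SoA decisions for the clinic: 8.16 excluded without a reason, 8.24 forgotten.
CLINIC_DECISIONS = {
    "5.9": (True, "need to know where patient data lives", "implemented"),
    "5.15": (True, "patient records are confidential", "implemented"),
    "7.2": (True, "records room and server cupboard", "planned"),
    "8.13": (True, "recovery from cloud loss or ransomware", "implemented"),
    "8.15": (True, "evidence of who accessed which record", "planned"),
    "8.16": (False, "", "n/a"),
}

if __name__ == "__main__":
    print("recover controls:", [c.ref for c in select(CATALOGUE, concepts={"#Recover"})])
    print("CSF map:", csf_map(CATALOGUE))
    print("gaps if only 5.15 and 8.24 are chosen:", coverage_gaps(CATALOGUE, ["5.15", "8.24"]))
    _, problems = statement_of_applicability(CATALOGUE, CLINIC_DECISIONS)
    print("SoA problems:", problems)
```

The coverage check is the practical payoff of the attributes: an SoA built only from #Preventive controls leaves the Detect, Respond and Recover functions empty, which is exactly the kind of gap the mapping to NIST CSF is meant to expose before an auditor does.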


Data States and Security Controls

Information exists in different states → each requires specific security controls

| State | Where the information is | Typical controls |
|---|---|---|
| 1. Storage (at rest) | Disks, memory, paper, human memory | Access control, encryption, physical shielding |
| 2. Transit | Cables (fibre, copper), radio waves, sound | Encryption, shielding, secure protocols |
| 3. Processing (in use) | Operating systems and applications on processors | OS security, trusted computing, hardware protection |

Data/information must be protected in all states



27000 Family of Standards (selection)

(diagram omitted: overview of selected standards in the 27000 family)



Lab


