ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know
- 2. • Introduction
• ISO/IEC 27001 & 27701- quick recap (prev. sessions)
• Introduction to NIST
• NIST SP800-53 Walk-through
• Comparing ISMS, PIMS & NIST
• What about certification?
• Q & A
Agenda
- 5. 1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard -
(2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation
(2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information
Security Manager, and Information Security Auditor (2020-06-24)
• Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (short cut to LinkedIN page)
Previous sessions
- 6. • Best practices ≠ regulations
• ISO Requirements (ref. audit) vs guidelines
• Privacy ≠ Data Protection
• Data protection ≠ Information Security
• PII vs Personal Data
• International vs. Regional
Quick Recap
- 8. ISO or NIST deep dive
• Course material reference see later
• NIST document reference see later
The nuts and bolts of ISMS
Just know that it has
• 10 chapters, 7 clauses (Clause 4..10, built on PDCA)
• Annex with
• 14 main categories (A5..A18)
• 35 subcategories
• 114 controls / measures
• Course material reference, see later
What this session is not about
- 9. ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Code of practices
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain,
Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
And also
- 10. The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is Privacy & GDPR add-on to ISMS
• Add specifications to interpretation of information security
• Now including PII/personal data
• Extra requirements from GDPR & other legislation
• Interesting annex
• GDPR mapping
• ISO29100 (Privacy) mapping
What this session is not about
- 14. This session focus
• NIST Special publications (SP)
• https://csrc.nist.gov/publications/sp
• Computer security (SP800)
• https://csrc.nist.gov/publications/sp800
• 188 docs
Also check (not covered today)
• SP1800 (Cybersecurity practice guides)
• https://csrc.nist.gov/publications/sp1800
• Not covered in detail today
• 25 documents
NIST – Privacy, Cyber & Information security
- 15. ISO27001 NIST SP800-53
Management Clauses 7 Incl.
Control Categories 15 20
Subcategories 35 321
Total Controls 114 1189
Pages 23+80 464
Additional ISO27x standards NIST SP800 series
59 188
NIST SP1800 (Cyber)
25
NIST – SP800 level of detail
- 16. SP800 Series
• 800-53 rev 5 (dd 2020-09-23, fresh !)
• Security and Privacy Controls for Information Systems and Organizations
• (FYI, 464 pag.)
But also
• 800-12: Intro to Information Security
• 800-39: Information Security Risk
• 800-55: Performance management,
And
• Patch management, Firewalls, electronic mail, TLS, PKI, Bluetooth, …
NIST – SP800
- 19. Abstract
• Catalog of security and privacy control
• For information systems and organizations
• To protect organizational operations and assets, individuals, other
organizations
• Against from a diverse set of threats and risks,
• including hostile attacks, human errors, natural disasters, structural failures,
foreign intelligence entities, and privacy risks.
• Controls are flexible and customizable
• Implemented as part of an organization-wide process to manage risk
• Derived from mission and business needs, regulations, legal requirement …
• Functionality (effectiveness) and assurance perspective (trust)
NIST SP800-53 rev.5
- 20. Add-ons
• [SP 800-30] provides guidance on the risk assessment process.
• [IR 8062] introduces privacy risk concepts.
• [SP 800-39] provides guidance on risk management processes and strategies.
• [SP 800-37] provides a comprehensive risk management process.
• [SP 800-53A] provides guidance on assessing the effectiveness of controls.
• [SP 800-53B] provides guidance for tailoring security and privacy control
baselines and for developing overlays to support the specific protection needs
and requirements of stakeholders and their organizations.
NIST SP800-53 rev.5
- 21. Setup
• Chapter 1: Introduction (p1..6)
• Chapter 2: the fundamentals (p7..14)
• Chapter 3: The controls (p16..363)
• Reference
• Appendixes
• Glossary
• Acronyms
• Control summaries (p.427..464) (!)
NIST SP800-53 rev.5
- 22. Chapter 1 (quick check)
• The need to protect information, systems, organization & individuals
• Purpose & applicability
• Audience
• Organization responsibilities
• Relation to other publications
• Revision & extensions
• Rev 5 (2020) vs Rev 4 (2016)
NIST SP800-53 rev.5
- 23. Chapter 2
• Fundamental concepts
• Associated with security and privacy
• Controls, including
• The structure of the controls,
• How the controls are organized in the consolidated catalog,
• Control implementation approaches,
• The relationship between
• Security and privacy controls, and
• Trustworthiness and assurance
NIST SP800-53 rev.5
- 24. Chapter 3 (full catalog)
• Consolidated catalog of security and privacy controls
• Incl. discussion section to explain the purpose of each control and
• Provide useful information regarding
• control implementation and
• assessment,
• A list of related controls to show
• The relationships and dependencies among controls, and
• A list of references to supporting
• Publications that may be helpful to organizations
NIST SP800-53 rev.5
- 26. Detail provided on every security control/measure
• Control identifier
• Control name
• Base control
• Security measure definition
• Organization tasks (org defined parameter)
• Control enhancement
• Additional sources
• Links to other controls
NIST SP800-53 rev.5
- 28. Control implementation & classification
• Implementation approaches
• Common implementation (applies to multiple system)
• System Specific
• Hybrid (mix of both)
• Security vs Privacy
• Trustworthiness
• Important part of risk management strategy
• Impact on trustworthiness
• Functionality (effectiveness of security)
• Assurance (measure of confidence)
NIST SP800-53 rev.5
- 31. The essentials
• ISMS
• high level approach
• Part 1 = clauses (Management responsibilities)
• Part 2 = operational security measures (ref ISO27002)
• ISO27002
• Advisory & suggestions on ISMS (& PIMS)
• PIMS
• Turns “information security”
• Into “information security & data protection (PII)”
• Add-on to ISO27001, ISO27002 & ISO29100
• NIST
• Highly detailed on all categories
ISMS, PIMS & NIST
- 32. Attention points
• ISMS
• No practical advise, or implementation guidance
• Lots of freedom & choice
• 114 control points / measures
• You can plug in any technical / implementation framework to achieve
ISO27001
• International level
• NIST
• US level
• Extremely detailed, very extended
• Well organized, super practical guidance & reference
ISMS, PIMS & NIST
- 33. And also
• ISO
• Limited set publicly Available Standards: http://ffwd2.me/FreeISO
• Subscription/License model
• NIST
• Free
ISMS, PIMS & NIST
- 37. NIST
• NIST does not offer certification and accreditation methods to
certify information security management systems
• No equivalent process to ISO
Certification
- 38. NIST Alternatives
• assessment and authorization (A&A) process that is part of the NIST
Risk Management Framework (RMF)
• As part of control assessment, the organization selects the appropriate
assessor or assessment team
• Fully described in NIST SP800-37, Rev.2
[https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final].
• Guidance for assessing
• Controls: NIST SP 800-53A,
• Risk: NIST SP 800-30
• Infosec Continuous monitoring: NIST SP 800-137A
Certification
- 40. Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
- 43. Check the PECB agenda, select the ISO/IEC 27701 Lead
Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand
side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are
registered to PECB
Training Agenda
- 46. Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27701/iso-iec-27701-lead-auditor
- 47. Relevant Training
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27001/iso-iec-27001-lead-auditor
- 48. Relevant Training
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-
27002/iso-iec-27002-lead-manager
- 51. Relevant Training
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
/iso-iec-27035-lead-incident-manager
- 52. Relevant Training
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
/iso-27005-lead-risk-manager
- 53. ISO/IEC 27701
Training Courses
• ISO/IEC 27701 Foundation
2 Day Course
• ISO/IEC 27701 Lead Implementer
5Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-
27701
www.pecb.com/events
Editor's Notes
- Peter
- Peter
- Peter
- Peter
- Peter
https://www.linkedin.com/pulse/pecb-webinar-collaterals-iso27001iso27701-series-peter-geelen-/
- Peter
- Peter
- Peter
- Peter
- Peter
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Erwin
- Peter
- peter
- peter
- Peter
- Peter
- peter
- peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- Peter
- peter
- Peter
- Peter
- Peter
- Lead Auditor for
ISO27001
ISO27701 (to be launched)