2. Agenda
ISO 27002 & ISO 27032
Information Security vs Cyber
ISO vs NIST (and other)
Cybersecurity Maturity Model Certification (CMMC)
Evolution of CMMC
Proposed Rule
Certification Levels
Applicable NIST Cybersecurity Standards
Documentation
Assessment & Certification
Risk Assessment and Selection of Framework
Executive Sponsorship/Support
Program and Framework Automation
GRC Sample
Summary of Actions
4. The essentials
• ISO 27001
  ISMS
  Clauses & Annex
  Certification
• ISO 27002
  2013 vs 2022
• ISO 27032
  Information security
  Cybersecurity
[Figure: ISO27001 (Clauses, Annex), ISO27002, Cyber]
5. The essentials
• ISO 27001
  ISMS
  Clauses & Annex
  Certification
• ISO 27002
  2013 vs 2022
• ISO 27032
  Information security
  Cybersecurity
• Other frameworks
  NIST
  NIST CSF
6. ISO27001
[Figure: map of the ISO 27001:2022 ISMS and the standards around it. Centre: ISO27001 with ISO27701 (PIMS) alongside; management-system clauses 4. Context, 5. Leadership, 6. Planning, 7. Support, 8. Operation, 9. Performance, 10. Improvement; related management-system standards ISO 9001 (Quality) and ISO 31000 (Risk).]
ISO 27002 (ISO 27001 Annex) control domains, shown as ISO 27002 attribute hashtags: #Legal_and_compliance; #Governance; #Human_resource_security; #Asset_management; #Identity_and_access_management; #Secure_configuration; #Physical_security; #Threat_and_vulnerability_management; #Application_security; #Supplier_relationships_security; #Information_security_event_management; #Continuity; #Information_protection; #System_and_network_security; #Information_security_assurance
Standards mapped to those domains: ISO 27034 (Application Security); ISO 27035 (Incident Mgmt); ISO 27014 (IS Governance); ISO 22301 (BCM); ISO 55001 (Asset Mgmt); ISO 27032 (Cyber); ISO 27099 (PKI); ISO 21502 (Project Mgmt); ISO 38500 (IT Gov); ISO 37301 (Compliance Mgmt); ISO/IEC 29146 (Access mgt); ISO 22361 (Crisis Mgmt); ISO 22316 (Resilience); ISO 27031; ISO 27033 (Network); ISO 27017 (Cloud); ISO 27018 (PII in Cloud); ISO 27021 (Competence); ISO 20000 (IT operations); ISO 22317 (BIA); ISO 27103 (ISMS Cyber); ISO 27110 (Cyber Framework); ISO 29100 (Privacy Framework); ISO 275xx (Privacy operations); ISO 291xx (Privacy guidelines); ISO 28000 (Supply Chain Security); ISO 27036 (ICT supply chain & cloud); ISO 27016 (IS Governance); ISO 27022 (ISMS Processes)
Standards supporting the ISMS clauses and audit: ISO 27005 (Risk Mgmt); ISO 27006 (ISMS Audit Reqs); ISO 17021-1 (MS Audit); ISO 19011 (Audit Guidance); ISO 27007 (ISMS Audit guidelines); ISO 26000 (Social Resp.)
7. ISO27002
[Figure: the same map, now centred on ISO 27002:2022 (the ISO 27001 Annex) with ISO27001 and ISO 31000 (Risk) alongside.]
ISO 27002 control domains (attribute hashtags): #Legal_and_compliance; #Governance; #Human_resource_security; #Asset_management; #Identity_and_access_management; #Secure_configuration; #Physical_security; #Threat_and_vulnerability_management; #Application_security; #Supplier_relationships_security; #Information_security_event_management; #Continuity; #Information_protection; #System_and_network_security; #Information_security_assurance
Standards mapped to those domains: ISO 27034 (Application Security); ISO 27035 (Incident Mgmt); ISO 27014 (IS Governance); ISO 22301 (BCM); ISO 55001 (Asset Mgmt); ISO 27032 (Cyber); ISO 27099 (PKI); ISO 21502 (Project Mgmt); ISO 38500 (IT Gov); ISO 37301 (Compliance Mgmt); ISO/IEC 29146 (Access mgt); ISO 22361 (Crisis Mgmt); ISO 22316 (Resilience); ISO 27031; ISO 27033 (Network); ISO 27017 (Cloud); ISO 27018 (PII in Cloud); ISO 27021 (Competence); ISO 20000 (IT operations); ISO 22317 (BIA); ISO 27103 (ISMS Cyber); ISO 27110 (Cyber Framework); ISO 29100 (Privacy Framework); ISO 275xx (Privacy operations); ISO 291xx (Privacy guidelines); ISO 28000 (Supply Chain Security); ISO 27036 (ICT supply chain & cloud); ISO 27022 (ISMS Processes)
8. ISO27032 - Cybersecurity
The focus today
[Figure: the ISO 27002 (ISO 27001 Annex) map with ISO27001 and ISO27701 (PIMS), highlighting the cybersecurity-related standards.]
ISO 27002 control domains (attribute hashtags): #Legal_and_compliance; #Governance; #Human_resource_security; #Asset_management; #Identity_and_access_management; #Secure_configuration; #Physical_security; #Threat_and_vulnerability_management; #Application_security; #Supplier_relationships_security; #Information_security_event_management; #Continuity; #Information_protection; #System_and_network_security; #Information_security_assurance
Cybersecurity standards highlighted: ISO 27034 (Application Security); ISO 27035 (Incident Mgmt); ISO 27032 (Cyber); ISO 27031; ISO 27033 (Network); ISO 27017 (Cloud); ISO 27018 (PII in Cloud); ISO 31000 (Risk); ISO 27005 (Risk Mgmt); ISO 27103 (ISMS Cyber); ISO 27110 (Cyber Framework); ISO 27036 (ICT supply chain & cloud)
9. New framework emerging
• ISO27100 series
ISO standards and cybersecurity
[Figure: ISO 27002 (ISO 27001 Annex) map reduced to the cybersecurity domains #Threat_and_vulnerability_management, #System_and_network_security and #Information_security_assurance, with ISO 27032 (Cyber), ISO 27033 (Network), ISO 27017 (Cloud), ISO 27103 (ISMS Cyber) and ISO 27110 (Cyber Framework).]
10. Secure Controls framework
• CSF
https://securecontrolsframework.com/
https://securecontrolsframework.com/scf-download/
More info
11. Maturity
• ISO 27001
  ISMS
  Clauses & Annex
  Certification
• ISO 27002
  2013 vs 2022
• ISO 27032
  Information security
  Cybersecurity
• Other frameworks
  NIST
  NIST CSF
12. ISO, NIST & EU cyber programs
• ISO
  Global best practices & standards
• NIST
  US standards
  CMMC (DOD)
• EU
  NIS 2
  Emerging frameworks
  (BE) CCB Cyberfundamentals
• More info:
  PECB Lead Cybersecurity Manager
  PECB NIS 2 Lead Implementer
Before we dive into CMMC
13. ISO & NIST CSF
[Figure: repeated Plan-Do-Check-Act cycles; security improvement on the vertical axis, time on the horizontal axis]
14. Applicable NIST Cybersecurity Standards
• NIST SP 800-53 Rev. 5
  Security and privacy standard for U.S. federal information systems, except for those related to national security
  Used for the FedRAMP Moderate baseline (Federal Risk and Authorization Management Program)
• NIST SP 800-171 Rev. 2, and 800-171A
  Security standard for non-federal (contractor) systems handling CUI
  14 security families; 110 controls
  800-171A: Assessment guide for 800-171
• NIST SP 800-172, and 800-172A
  Security standard for non-federal (contractor) systems handling high-value CUI in critical programs
  14 security families; NIST SP 800-171 + 35 enhanced controls
  800-172A: Assessment guide for 800-172
15. Evolution of CMMC
DFARS 252.204-7012
• Controlled Technical Information (CTI)
• Covered Defense Information (CDI)
• DoD contractor to comply with NIST SP 800-171 or FedRAMP moderate
• Cyber Incident Reporting
• Flow-down
CMMC v1.0
• Certification required before contract
• 3rd party certification
• Level 1 - Level 5
DFARS 252.204-7019-7020
• Basic assessment score to report on SPRS
• System Security Plan (SSP)
• Score to be current during the contract
• DoD assessment requirement for Medium and High assessments
• Flow-down
DFARS 252.204-7021
• CMMC v2.0 is active (proposed rule) in 2024
• Level 1 - Level 3
16. CMMC 2.0 Proposed Rule
• DoD cybersecurity assessment model, which will be mandatory in most contracts by 1H 2025
• Published in Dec 2023. Updates Title 32 CFR by adding the Cybersecurity Maturity Model Certification (CMMC) Program
• Replaces the prior practice of “self-assessment” with third-party assessment and government assessment for most contracts
• Introduces 3 certification levels
• Includes guidance on: the CMMC Ecosystem (i.e., PMO, DCMA DIBCAC, Cyber AB, CAICO, C3PAO, CCP, CCA, LTP, LPP, etc.), Scoping, Assessment, Hashing
17. CMMC 2.0 Certification Levels
Level 1
To receive, store, handle, and generate Federal Contract Information (FCI)
Self-assessment
Contractors and subcontractors to implement all applicable requirements in FAR clause 52.204–21 (17 practices)
Level 2
To receive, store, handle, and generate Controlled Unclassified Information (CUI)
Self-certification in some cases, C3PAO certification in all other cases (triennial)
All applicable requirements of NIST SP 800–171 Rev 2 (110 practices) and DFARS clause 252.204–7012
Level 3
To receive, store, handle, and generate sensitive (high-value) Controlled Unclassified Information (CUI)
DoD certification (triennial)
24 selected security requirements of NIST SP 800–172 in addition to the Level 2 requirements
Senior officials of the prime contractor and all subcontractors are required to affirm continuing compliance, initially and annually, on SPRS
18. CMMC Documentation
• System Security Plan (SSP)
  Describes the security controls in alignment with the NIST SP 800-171/172 standard, including scope, system environment, boundaries, and the CUI asset inventory
  No SSP for Level 1
  Use NIST 800-171A objectives for Level 2
  Use NIST 800-172A objectives for Level 3
• Plan of Actions & Milestones (POA&M)
  Describes the plan for closing the gaps
  No POA&M for Level 1
  Only allowed if the minimum score is 0.8/1 (or 88/110)
  Not allowed for controls that have weight > 1 or are listed as ineligible
  Must be closed out within 180 days of the initial assessment
• Senior leadership approval on documents
• Separate procedures supporting the SSP are OK and encouraged
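The POA&M rules on this slide (minimum score 88/110, no POA&M for a requirement with weight > 1 or one listed as ineligible, close-out within 180 days) can be turned into a pre-assessment check. The code below is an added example, not from the slides nor from Omnistruct, PECB or DoD material. Beyond what the slide states, it assumes the DoD NIST SP 800-171 Assessment Methodology scoring (start at 110 and subtract the weight, 1, 3 or 5, of every unimplemented requirement); the requirement identifiers `REQ-001..REQ-110`, their weights and the "listed as ineligible" entry are constructed placeholders, not the real 800-171 table.

```python
# Added example: POA&M eligibility check for a CMMC Level 2 self-assessment
# against NIST SP 800-171. Not from the slides or from Omnistruct/PECB/DoD.
# Assumption: scoring follows the DoD NIST SP 800-171 Assessment Methodology
# (110 minus the weight, 1/3/5, of each open requirement). Ids, weights and
# the ineligible entry below are constructed placeholders.
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # 110 practices (slides 14 and 17)
POAM_MIN_SCORE = 88        # 0.8 of 110 (slide 18)
POAM_CLOSEOUT_DAYS = 180   # close-out window after the initial assessment (slide 18)


@dataclass(frozen=True)
class Requirement:
    ident: str
    weight: int                     # 1, 3 or 5 under the DoD methodology (assumption)
    implemented: bool
    poam_ineligible: bool = False   # "listed as ineligible" regardless of weight


def sprs_score(reqs):
    """Score as reported to SPRS: 110 minus the weight of every open requirement."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.implemented)


def poam_assessment(reqs, assessment_date_iso):
    """Decide whether the open requirements may be carried on a POA&M.

    Returns the score, the open requirement ids, the ids that block a POA&M
    (weight > 1 or listed as ineligible), the verdict and, if eligible, the
    ISO date by which the POA&M must be closed out.
    """
    score = sprs_score(reqs)
    open_ids = [r.ident for r in reqs if not r.implemented]
    blocking = [r.ident for r in reqs
                if not r.implemented and (r.weight > 1 or r.poam_ineligible)]
    eligible = score >= POAM_MIN_SCORE and not blocking
    deadline = None
    if eligible:
        start = date.fromisoformat(assessment_date_iso)
        deadline = (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()
    return {"score": score, "open": open_ids, "blocking": blocking,
            "eligible": eligible, "closeout_deadline": deadline}


def build_sample(open_ids):
    """Constructed sample of 110 requirements (REQ-001..REQ-110).

    REQ-001..003 carry weight 5, REQ-004..005 weight 3, the rest weight 1;
    REQ-006 is marked as listed-ineligible. Every id in open_ids is left
    unimplemented. Illustrative only, not the real 800-171 table.
    """
    reqs = []
    for n in range(1, MAX_SCORE + 1):
        ident = f"REQ-{n:03d}"
        weight = 5 if n <= 3 else 3 if n <= 5 else 1
        reqs.append(Requirement(ident, weight, ident not in open_ids,
                                poam_ineligible=(n == 6)))
    return reqs


if __name__ == "__main__":
    scenarios = [
        ("two weight-1 gaps", {"REQ-010", "REQ-020"}),          # eligible, score 108
        ("one weight-5 gap", {"REQ-001"}),                        # blocked by weight
        ("23 weight-1 gaps", {f"REQ-{i:03d}" for i in range(10, 33)}),  # score 87 < 88
    ]
    for name, open_ids in scenarios:
        print(name, poam_assessment(build_sample(open_ids), "2024-01-01"))
```

The three scenarios in the `__main__` block show the two distinct ways a POA&M is refused: a single high-weight gap blocks it even at a high score, while many low-weight gaps pass the per-control test but push the score under 88.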
19. Assessment & Certification
• Define Boundary and Scope
  What is in-scope & out-of-scope?
  CUI flow
  System environment
• Identify Assets
  FCI & CUI assets
  Security protection assets
  Contractor risk managed assets
  Specialized assets
  Out-of-scope assets
• Certification by C3PAO / DoD
• POA&M (if needed)
• Submit score to SPRS & Affirmation
20. Risk Assessment and Selection of Framework
CMMC, ISO, and other
Get Executive Support – Top Down
Risk Assessment
Explaining Functional GRC
Summary of Actions
21. NOTICE: All slides are for COPYRIGHT Omnistruct Inc, 2023 and may not be used without permission.
The Three-Slide Executive “Why” x2
◼ Cyber Laws
◼ Getting Hacked
◼ Executive Accountability
22. CYBER LAWS ARE “Looming”
[Figure: CYBERSECURITY vs CYBER LAWS]
23. GETTING HACKED IS A MATTER OF “When”
24. ALL EXECUTIVES “Accountable”
25. GROWING US DATA PRIVACY LAWS BY STATE
In 2023, there were 7 new state privacy laws introduced; now there are eleven signed with enforcement dates looming.
Source IAPP: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
26. INTERNATIONAL DATA PRIVACY LAWS
Key Countries to Note:
European Union - GDPR
UK (Brexit Note) - DPA
Australia – APP/PA
Brazil - LGPD
Canada - PIPEDA
China - PIPL
Hong Kong – PDPO S1
Singapore - PDPA
South Korea - PIPA
Turkey - PDPL
Source DLA Piper: https://www.dlapiperdataprotection.com/
27. CYBERSECURITY GROUND WAR vs CYBER RISK AIR WAR
The Tech: the cybersecurity “ground war” that patrols and stops hackers from crashing into your business.
The Business: the “air war” you must prove you are prepared for when customers, regulators, and lawmakers pursue you for cyber regulatory violations.
28. EXPLAINING THE DIFFERENCE & SOLUTION
Cybersecurity
◼ Technical Protection From Hackers (Applying Framework Controls)
◼ “The Cybersecurity Compliance of Tech”
Data Privacy Laws, Risk, & Regulations
◼ Privacy Rights of Individuals & Confidentiality of Contracts and Secrets of Businesses (Framework[s] Governance)
◼ “The Governance & Risk of Business"
[Figure: GRC (Governance, Risk, Compliance) diagram]
Compliance Program Deployment, Automation, & Upkeep
29. Get CISO Certification Training
Slide from the new PECB Certified CISO course launched October 2023
30. Get Cybersecurity Certification Training
Slide from the new PECB Cybersecurity Lead Manager course (ISO27032:2023)
31. Use a Compliance Automation Tool With Cross-Mapping Sample
Framework Implementation, Risk Register, Audits, Basic Third Party Management with team/executive reports
32. SUMMARY OF ACTIONS
1. Risk Assessment & Treatment
2. Onboard Framework(s)
3. Address Ground War: CONTROLS
4. Address Air War: GOVERNANCE
5. ✔ GRC to keep Fresh