ISO 27001:2022.
What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
for ISACA Bangalore Chapter
2.0, 12.11.2022
Andrey Prozorov
CISM, CIPP/E, CDPSE, LA 27001
Technical Compliance Manager at Finnplay
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
Agenda

About ISO 27001
1. ISO 27002/27001 History
2. The ISMS family of standards
3. ISO Survey 2021

Changes in the new revision
4. General information (purchasing, new name, abstract, content, terminology databases)
5. Changes in the main body (4-10)
6. NEW Annex A. IS Controls
7. Recommendations for migration to the new revision
8. Transition period

If we have time…
9. ISMS Implementation steps
10. New revision of ISO 27005:2022

I will answer questions and comments after each part.
My comments :)))
ISO 27002/27001 History
advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002
The ISMS family of standards

The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish, implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
70+ standards - www.patreon.com/posts/65866414
Why is ISO 27001 so popular?
1. It is simple (ISMS + IS controls)
2. It is aligned with other management systems (e.g., QMS, PIMS, SMS, BCMS)
3. It is time-tested
4. It contains simple but valuable principles (e.g., continual improvement, process-based approach, risk-based approach)
5. Many recommendations, guidelines (including the ISMS family) and courses are available
6. You can certify your ISMS (for some countries/industries this is a mandatory requirement)
7. Many other IS standards and frameworks are inspired by ISO 27001

ISO 27001 is the Coach
ISO Survey 2021

The latest results of the Survey show an estimate of the number of valid certificates as of 31 December 2021.
Global 2020: 44486 (+32%) / 84166
Finland 2020: 102 (+76%) / 185
www.iso.org/the-iso-survey.html
Standard                 Total valid certificates   Total number of sites
ISO 9001:2015                         1,077,884               1,447,080
ISO 14001:2015                          420,433                 610,924
ISO 45001:2018                          294,420                 369,897
ISO/IEC 27001:2013                       58,687                  99,755
ISO 22000:2005&2018                      36,124                  42,937
ISO 13485:2016                           27,229                  38,503
ISO 50001:2011&2018                      21,907                  54,778
ISO 20000-1:2011&2018                    11,769                  13,998
ISO 37001:2016                            2,896                   7,982
ISO 22301:2012&2019                       2,559                   5,969
ISO 39001:2012                            1,285                   2,357
ISO 28000:2007                              584                   1,106
ISO 55001:2014                              488                   1,993
ISO 20121:2012                              253                     712
ISO 29001:2020                              157                     795
ISO 44001:2017                              136                     186
TOP 15 countries
Country                                               Certificates   Sites
China                                                        18446   18569
Japan                                                         6587   17784
United Kingdom of Great Britain and Northern Ireland          5256    8647
India                                                         2775    6024
Italy                                                         1924    3474
United States of America                                      1742    4504
Germany                                                       1673    3486
Netherlands                                                   1508    2421
Taiwan, Province of China                                     1129    3147
Israel                                                        1056    1083
Romania                                                        951    1211
Spain                                                          949    1444
Poland                                                         876    2210
Australia                                                      775    2311
Turkey                                                         706    1169
TOP 15 sectors
Sector                                                                                            Certificates
Unknown                                                                                                  38009
Information technology                                                                                   10644
Transport, storage and communication                                                                      6909
Other services                                                                                            1693
Financial intermediation, real estate, renting                                                             645
Engineering services                                                                                       630
Wholesale & retail trade, repairs of motor vehicles, motorcycles & personal & household goods              562
Construction                                                                                               527
Electrical and optical equipment                                                                           477
Health and social work                                                                                     393
Public administration                                                                                      338
Education                                                                                                  262
Other social services                                                                                      219
Printing companies                                                                                         172
Electricity supply                                                                                         120
Machinery and equipment                                                                                    113
Life cycle

Purchasing: www.iso.org/standard/82875.html (≈119 Euro)
New Name

ISO/IEC 27001:2013: Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2022: Information security, cybersecurity and privacy protection — Information security management systems — Requirements
Abstract (www.iso.org)

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document. [New 2022]
ISO 27000:2018. What is an ISMS?

An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives.
It is based on a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks.
…
https://standards.iso.org/ittf/PubliclyAvailableStandards
Number of pages

ISO/IEC 27001:2013: 23
ISO/IEC 27001:2022: 19
Content

• New 6.3 Planning of changes (missing from the table of contents :))
• 10.1 and 10.2 have been swapped
New terminology databases

ISO/IEC 27001:2013
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

ISO/IEC 27001:2022
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org
New relevant requirements, 4.2

ISO/IEC 27001:2013
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

ISO/IEC 27001:2022
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system;
b) the relevant requirements of these interested parties;
c) which of these requirements will be addressed through the information security management system.
More focus on processes, 4.4 ISMS

ISO/IEC 27001:2013
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

ISO/IEC 27001:2022
4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.
New requirements for 6.2 IS objectives

ISO/IEC 27001:2013
6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.

ISO/IEC 27001:2022
6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.
Requirements for documented information

Requirement                                                                                ISO 27001   ISO 27701
1. Scope of the ISMS / PIMS                                                                4.3         5.2.3
2. Information security policy (ISMS Policy) / PIMS policy                                 5.2         5.3.2
3. Information security risk assessment process                                            6.1.2       5.4.1.2
4. Information security risk treatment process                                             6.1.3       5.4.1.3
5. Statement of Applicability (SoA)                                                        6.1.3 d)    5.4.1.3
6. Information security objectives / Privacy objectives                                    6.2         5.4.2
7. Evidence of competence                                                                  7.2 d)      5.5.2
8. Documented information determined by the organization as being necessary
   for the effectiveness of the ISMS / PIMS                                                7.5.1 b)    5.5.5.1
9. Operational planning and control                                                        8.1         5.6.1
10. Results of the information security risk assessments                                   8.2         5.6.2
11. Results of the information security risk treatment                                     8.3         5.6.3
12. Evidence of the monitoring and measurement results                                     9.1         5.7.1
13. Evidence of the audit programme(s) and the audit results                               9.2 g)      5.7.2
14. Evidence of the results of management reviews                                          9.3         5.7.3
15. Evidence of the nature of the nonconformities and any subsequent actions taken         10.1 f)     5.8.1
16. Evidence of the results of any corrective action                                       10.1 g)     5.8.2

ISO 27007:2020
www.patreon.com/posts/53206865
Planning for changes (NEW)

ISO/IEC 27001:2013
-

ISO/IEC 27001:2022
6.3 Planning of changes
When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
New requirements for 7.4 Communication

ISO/IEC 27001:2013
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

ISO/IEC 27001:2022
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate.
New requirements for 8.1 Planning

ISO/IEC 27001:2013
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.

ISO/IEC 27001:2022
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria.
Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
New requirements for 9.1 Monitoring

ISO/IEC 27001:2013
9.1 Monitoring, measurement, analysis and evaluation
…
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

ISO/IEC 27001:2022
9.1 Monitoring, measurement, analysis and evaluation
…
Documented information shall be available as evidence of the results.
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
New structure of 9.2 and 9.3

ISO/IEC 27001:2013
9.2 Internal audit
9.3 Management review

ISO/IEC 27001:2022
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results

+ new input for Management review:
c) changes in needs and expectations of interested parties that are relevant to the information security management system
New structure of 10 Improvement

ISO/IEC 27001:2013
10.1 Nonconformity and corrective action
10.2 Continual improvement

ISO/IEC 27001:2022
10.1 Continual improvement
10.2 Nonconformity and corrective action
NEW Annex A. IS Controls

Information security controls reference (Annex A)

ISO/IEC 27001:2013
Total number of controls – 114
Domains:
A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development, and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

ISO/IEC 27001:2022
Total number of controls – 93, 11 new
Controls are categorized as:
a) People, if they concern individual people
b) Physical, if they concern physical objects
c) Technological, if they concern technology
d) otherwise they are categorized as Organizational
Five attributes only in ISO 27002:2022 (#):
1. Control type (Preventive, Detective, Corrective)
2. Information security properties (CIA)
3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover)
4. Operational capabilities
5. Security domains
NEW 2022:
A.5.7 Threat intelligence
A.5.23 Information security for use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.8.16 Monitoring activities
A.8.23 Web filtering
A.8.28 Secure coding
patreon.com/posts/iso-27001-2013-73584456
ISO 27002:2022. Example of Attributes

You can create mapping tables with other standards
Let's sum up the main changes
• The main part of ISO 27001 (the body, clauses 4 to 10) has changed slightly. No new requirements, just minor clarifications.
• The changes in Annex A (information security controls) are moderate. All past controls remain in place but are regrouped, some were merged, and 11 new controls were added.
• 5 control attributes (#) were added in ISO 27002:2022.
If you already have an ISMS, you will need to:
1. Review the Risk Treatment Plan (RTP) and align it with the new structure and numbering of controls.
2. Review and update the Statement of Applicability (SoA). I recommend using 2 spreadsheets (2013 and 2022) in the next 1-2 years.
3. Review and update the ISMS Management review procedure (inputs).
4. Review and update IS objectives and the Monitoring, measurement, analysis and evaluation procedure.
5. Review and update the ISMS Communication Plan.
6. Review and update other policies, standards and procedures (if necessary).
7. Review and update checklists and questionnaires used for audits (internal and external).
8. Evaluate and possibly adapt third-party security tools (e.g., GRC, SIEM, VM) to ensure the records you are using to demonstrate compliance support the new requirements.
New SoA (template): www.patreon.com/posts/62806755
New ISMS Management Review Report: www.patreon.com/posts/44877830
Communication plan (example): www.patreon.com/posts/62937551
Transition period
advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002

My ISMS Implementation Plan

New revision of ISO 27005:2022
www.patreon.com/posts/iso-27005-2022-73952552
Purchasing: www.iso.org/standard/80585.html (≈180 Euro)

New Name
ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management
ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection — Guidance on managing information security risks
Introduction

This document provides guidance on:
• implementation of the information security risk requirements specified in ISO/IEC 27001;
• essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
• actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
• implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
This document is intended to be used by:
• organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
• persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
• organizations that intend to improve their information security risk management process.
Main changes
1. All guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018
2. The terminology has been aligned with the terminology in ISO 31000:2018
3. The structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022
4. Risk scenario concepts have been introduced
5. The event-based approach is contrasted with the asset-based approach to risk identification
6. The content of the annexes has been revised and restructured into a single annex, with more examples and models
Contents

ISO/IEC 27005:2018
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Background
6. Overview of the information security risk management process
7. Context establishment
8. Information security risk assessment
9. Information security risk treatment
10. Information security risk acceptance
11. Information security risk communication and consultation
12. Information security risk monitoring and review
Annex A. Defining the scope and boundaries of the information security risk management process
Annex B. Identification and valuation of assets and impact assessment
Annex C. Examples of typical threats
Annex D. Vulnerabilities and methods for vulnerability assessment
Annex E. Information security risk assessment approaches
Annex F. Constraints for risk modification
Bibliography

ISO/IEC 27005:2022
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Information security risk management
6. Context establishment
7. Information security risk assessment process
8. Information security risk treatment process
9. Operation
10. Leveraging related ISMS processes
Annex A. (informative) Examples of techniques in support of the risk assessment process
Bibliography
5. IS risk management

Risk management process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
• Classic scheme (2018) + Documented Information (2022)
• Many changes in the activity descriptions, additional recommendations.
Approaches to perform risk identification

Event-based (scenarios)
• Identify strategic scenarios through a consideration of risk sources, and how they use or impact interested parties to reach those risk's desired objective.
• The underlying concept is that risks can be identified and assessed through an evaluation of events and consequences.
• An event-based approach can establish high level or strategic scenarios without spending a considerable amount of time in identification of assets on a detailed level.
• This allows the organization to focus its risk treatment efforts on the critical risks.
• Interviews with top management
• Top-down

Asset-based
• Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities.
• The underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities.
• An asset is anything that has value to the organization and therefore requires protection.
• If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified.
• The asset-based approach can identify asset-specific threats and vulnerabilities and allows the organization to determine specific risk treatment on a detailed level.
• Bottom-up
Annexes

ISO/IEC 27005:2018, pages 24-52
Annex A. Defining the scope and boundaries of the information security risk management process
• A.1 Study of the organization
• A.2 List of the constraints affecting the organization
• A.3 List of the constraints affecting the scope
Annex B. Identification and valuation of assets and impact assessment
• B.1 Examples of asset identification (primary and supporting)
• B.2 Asset valuation
• B.3 Impact assessment
Annex C. Examples of typical threats (+ Origin of threat)
Annex D. Vulnerabilities and methods for vulnerability assessment
• D.1 Examples of vulnerabilities
• D.2 Methods for assessment of technical vulnerabilities
Annex E. Information security risk assessment approaches
• E.1 High-level information security risk assessment
• E.2 Detailed information security risk assessment
Annex F. Constraints for risk modification

ISO/IEC 27005:2022, pages 41-61
Annex A. (informative) Examples of techniques in support of the risk assessment process
A.1 Information security risk criteria
• A.1.1 Criteria related to risk assessment
• A.1.2 Risk acceptance criteria
A.2 Practical techniques
• A.2.1 Information security risk components
• A.2.2 Assets
• A.2.3 Risk sources and desired end state
• A.2.4 Event-based approach
• A.2.5 Asset-based approach
• A.2.6 Examples of scenarios applicable in both approaches
• A.2.7 Monitoring risk-related events
Annexes. Tables

ISO/IEC 27005:2018
Examples of typical threats
Origin of threats
Examples of typical vulnerabilities
Table E.1 — The asset values, and the threat and vulnerability levels
Table E.2 — Results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact
Table E.3 — The factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects)
Table E.3 — Combination of the likelihood of the threat occurring and the ease of exploitation of the vulnerability
Table E.4 — The intersection of asset value and likelihood value

ISO/IEC 27005:2022
Table A.1 — Example of consequence scale
Table A.2 — Example of likelihood scale
Table A.3 — Example of qualitative approach to risk criteria
Table A.4 — Example logarithmic likelihood scale
Table A.5 — Example logarithmic consequence scale
Table A.6 — Example of evaluation scale combined with three-colour risk matrix
Table A.7 — Examples and usual methods of attack
Table A.8 — Example classification of motivations to express the DES (desired end state)
Table A.9 — Examples of target objectives
Table A.10 — Examples of typical threats
Table A.11 — Examples of typical vulnerabilities
Table A.12 — Examples of risk scenarios in both approaches
Table A.13 — Example of risk scenario and monitoring risk-related events relationship
Instead of a conclusion:
1. General procedures (Assessment and Treatment) are OK, as usual. :) :)
2. Two approaches: asset-based and event-based (scenarios), finally. :)
3. «9. Operation» and «10. Leveraging related ISMS processes» are useful for the ISMS implementation. :) :)
4. Tables «A.10 Examples of typical threats» and «A.11 Examples of typical vulnerabilities», likelihood and consequence scales can be used for inspiration. :)
5. «A.2 Practical techniques» are poorly designed and described. New figures and the examples of scenarios are useless. :( :(
6. ISO 27005:2022 is a very complicated standard and every new version makes it more difficult. :(
In my opinion, the ISACA IT Risk and IRAM2 are much more useful and practical. I recommend using them.
Thanks!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov

My ISMS Implementation Toolkit (ISO 27001)
www.patreon.com/posts/47806655
Cyber resolution ban-ana comparing to ana-nas.pdftoncik
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxforam74
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018Wervyan Shalannanda
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMSAkhil Garg
 
CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013  Lead Auditor Course CQI-IRCA 27001:2013  Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course Desmond Muchetu
 
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...ITIL Indonesia
 

Ähnlich wie ISO 27001_2022 What has changed 2.0 for ISACA.pdf (20)

541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf541728869-Introduction-to-ISO-27001.pdf
541728869-Introduction-to-ISO-27001.pdf
 
pr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdfpr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdf
 
ISO 27701:2022 Data Privacy New Version Presentation
ISO 27701:2022 Data Privacy New Version PresentationISO 27701:2022 Data Privacy New Version Presentation
ISO 27701:2022 Data Privacy New Version Presentation
 
Iso 27001 certification
Iso 27001 certificationIso 27001 certification
Iso 27001 certification
 
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013  ChecklistISO/IEC 27001:2005 naar ISO 27001:2013  Checklist
ISO/IEC 27001:2005 naar ISO 27001:2013 Checklist
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to KnowCMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know
 
NQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap GuideNQA ISO 9001 to ISO 27001 Gap Guide
NQA ISO 9001 to ISO 27001 Gap Guide
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
Microsoft azure, dynamics 365, and other online services iso27001, 27018, 2...
Microsoft azure, dynamics 365, and other online services   iso27001, 27018, 2...Microsoft azure, dynamics 365, and other online services   iso27001, 27018, 2...
Microsoft azure, dynamics 365, and other online services iso27001, 27018, 2...
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx20220911-ISO27000-SecurityStandards.pptx
20220911-ISO27000-SecurityStandards.pptx
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC ConsultingTư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
Tư vấn và đào tạo ISO 27001:2022 phiên bản mới bởi HQC Consulting
 
Cyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdfCyber resolution ban-ana comparing to ana-nas.pdf
Cyber resolution ban-ana comparing to ana-nas.pdf
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018ET4045-Information Security Management System-2018
ET4045-Information Security Management System-2018
 
Overview of ISO 27001 ISMS
Overview of ISO 27001 ISMSOverview of ISO 27001 ISMS
Overview of ISO 27001 ISMS
 
CQI-IRCA 27001:2013 Lead Auditor Course
CQI-IRCA 27001:2013  Lead Auditor Course CQI-IRCA 27001:2013  Lead Auditor Course
CQI-IRCA 27001:2013 Lead Auditor Course
 
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
(ONLINE) ITIL Indonesia Community - Manfaat Penerapan Sistem Manajemen Keaman...
 

Mehr von Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

Mehr von Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001 (20)

NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
 
ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal PurposesMy 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
ISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdfISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdf
 
How to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdfHow to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdf
 
pr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdfpr Privacy Principles 230405 small.pdf
pr Privacy Principles 230405 small.pdf
 
ISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdfISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdf
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
 
Employee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdfEmployee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdf
 
GDPR RACI.pdf
GDPR RACI.pdfGDPR RACI.pdf
GDPR RACI.pdf
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
GDPR EU Institutions and bodies.pdf
GDPR EU Institutions and bodies.pdfGDPR EU Institutions and bodies.pdf
GDPR EU Institutions and bodies.pdf
 
Data protection RU vs EU
Data protection RU vs EUData protection RU vs EU
Data protection RU vs EU
 
IS Awareness in practice, isaca moscow 2019 10
IS Awareness in practice, isaca moscow 2019 10IS Awareness in practice, isaca moscow 2019 10
IS Awareness in practice, isaca moscow 2019 10
 
Про работу на Западе (Прозоров)
Про работу на Западе (Прозоров)Про работу на Западе (Прозоров)
Про работу на Западе (Прозоров)
 

Kürzlich hochgeladen

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Kürzlich hochgeladen (20)

UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 

ISO 27001_2022 What has changed 2.0 for ISACA.pdf

  • 9. ISO Survey 2021 The latest results of the Survey shows an estimation of the number of valid certificates as of 31 December 2021. Global 2020: 44486 (+32%) / 84166 Finland 2020: 102 (+76%) / 185 www.iso.org/the-iso-survey.html Total valid certificates Total number of sites ISO 9001:2015 1,077,884 1,447,080 ISO 14001:2015 420,433 610,924 ISO 45001:2018 294,420 369,897 ISO IEC 27001:2013 58,687 99,755 ISO 22000:2005&2018 36,124 42,937 ISO 13485:2016 27,229 38,503 ISO 50001:2011&2018 21,907 54,778 ISO 20000-1:2011&2018 11,769 13,998 ISO 37001:2016 2,896 7,982 ISO 22301:2012&2019 2,559 5,969 ISO 39001:2012 1,285 2,357 ISO 28000:2007 584 1,106 ISO 55001:2014 488 1,993 ISO 20121:2012 253 712 ISO 29001:2020 157 795 ISO 44001:2017 136 186
  • 10. TOP 15 Countries Certificates Sites China 18446 18569 Japan 6587 17784 United Kingdom of Great Britain and Northern Ireland 5256 8647 India 2775 6024 Italy 1924 3474 United States of America 1742 4504 Germany 1673 3486 Netherlands 1508 2421 Taiwan, Province of China 1129 3147 Israel 1056 1083 Romania 951 1211 Spain 949 1444 Poland 876 2210 Australia 775 2311 Turkey 706 1169
  • 11. TOP 15 sectors Unknown 38009 Information technology 10644 Transport, storage and communication 6909 Other Services 1693 Financial intermediation, real estate, renting 645 Engineering services 630 Wholesale & retail trade, repairs of motor vehicles, motorcycles & personal & household goods 562 Construction 527 Electrical and optical equipment 477 Health and social work 393 Public administration 338 Education 262 Other social services 219 Printing companies 172 Electricity supply 120 Machinery and equipment 113
  • 14. New Name 14 ISO/IEC 27001:2013 ISO/IEC 27001:2022 Information technology — Security techniques — Information security management systems — Requirements Information security, cybersecurity and privacy protection — Information security management systems — Requirements
  • 16. This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document. [New 2022] 16 Abstract
  • 17. ISO 27000:2018. What is an ISMS? An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks. … 17 https://standards.iso.org/ittf/PubliclyAvailableStandards
  • 18. Number of pages 18 ISO/IEC 27001:2013 ISO/IEC 27001:2022 23 19
  • 19. Content 19 • New 6.3 Planning of changes (missing from the table of contents J) • 10.1 and 10.2 have been swapped
  • 20. New terminology databases 20 ISO/IEC 27001:2013 ISO/IEC 27001:2022 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply. 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply. ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp — IEC Electropedia: available at https://www.electropedia.org
  • 21. New relevant requirements, 4.2 21 ISO/IEC 27001:2013 ISO/IEC 27001:2022 4.2 Understanding the needs and expectations of interested parties The organization shall determine: a) interested parties that are relevant to the information security management system; and b) the requirements of these interested parties relevant to information security. 4.2 Understanding the needs and expectations of interested parties The organization shall determine: a) interested parties that are relevant to the information security management system; b) the relevant requirements of these interested parties; c) which of these requirements will be addressed through the information security management system.
  • 22. More focus on processses, 4.4 ISMS 22 ISO/IEC 27001:2013 ISO/IEC 27001:2022 4.4 Information security management system The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. 4.4 Information security management system The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.
  • 23. New requirements for 6.2 IS objectives 23 ISO/IEC 27001:2013 ISO/IEC 27001:2022 6.2 Information security objectives and planning to achieve them The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) be communicated; and e) be updated as appropriate. 6.2 Information security objectives and planning to achieve them The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); c) take into account applicable information security requirements, and results from risk assessment and risk treatment; d) be monitored; e) be communicated; f) be updated as appropriate; g) be available as documented information.
  • 24. Requirements for documented information 24 Requirements ISO 27001 ISO 27701 1. Scope of the ISMS / PIMS 4.3 5.2.3 2. Information security policy (ISMS Policy) / PIMS policy 5.2 5.3.2 3. Information security risk assessment process 6.1.2 5.4.1.2 4. Information security risk treatment process 6.1.3 5.4.1.3 5. Statement of Applicability (SoA) 6.1.3 d) 5.4.1.3 6. Information security objectives / Privacy objectives 6.2 5.4.2 7. Evidence of competence 7.2 d) 5.5.2 8. Documented information determined by the organization as being necessary for the effectiveness of the ISMS / PIMS 7.5.1 b) 5.5.5.1 9. Operational planning and control 8.1 5.6.1 10. Results of the information security risk assessments 8.2 5.6.2 11. Results of the information security risk treatment 8.3 5.6.3 12. Evidence of the monitoring and measurement results 9.1 5.7.1 13. Evidence of the audit programme(s) and the audit results 9.2 g) 5.7.2 14. Evidence of the results of management reviews 9.3 5.7.3 15. Evidence of the nature of the nonconformities and any subsequent actions taken 10.1 f) 5.8.1 16. Evidence of the results of any corrective action 10.1 g) 5.8.2 ISO 27007:2020 www.patreon.com/posts/53206865
  • 25. Planning for changes (NEW) 25 ISO/IEC 27001:2013 ISO/IEC 27001:2022 - 6.3 Planning of changes When the organization determines the need for changes to the information security management system, the changes shall be carried out in a planned manner.
  • 26. New requirements for 7.4 Communication 26 ISO/IEC 27001:2013 ISO/IEC 27001:2022 7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) who shall communicate; and e) the processes by which communication shall be effected. 7.4 Communication The organization shall determine the need for internal and external communications relevant to the information security management system including: a) on what to communicate; b) when to communicate; c) with whom to communicate; d) how to communicate.
  • 27. New requirements for 8.1 Planning 27 ISO/IEC 27001:2013 ISO/IEC 27001:2022 8.1 Operational planning and control The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that outsourced processes are determined and controlled. 8.1 Operational planning and control The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: — establishing criteria for the processes; — implementing control of the processes in accordance with the criteria. Documented information shall be available to the extent necessary to have confidence that the processes have been carried out as planned. The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization shall ensure that externally provided processes, products or services that are relevant to the information security management system are controlled.
  • 28. New requirements for 9.1 Monitoring 28 ISO/IEC 27001:2013 ISO/IEC 27001:2022 9.1 Monitoring, measurement, analysis and evaluation … The organization shall retain appropriate documented information as evidence of the monitoring and measurement results. 9.1 Monitoring, measurement, analysis and evaluation … Documented information shall be available as evidence of the results. The organization shall evaluate the information security performance and the effectiveness of the information security management system.
  • 29. New structure of 9.2 and 9.3
    ISO/IEC 27001:2013: 9.2 Internal audit; 9.3 Management review
    ISO/IEC 27001:2022: 9.2 Internal audit (9.2.1 General; 9.2.2 Internal audit programme); 9.3 Management review (9.3.1 General; 9.3.2 Management review inputs; 9.3.3 Management review results)
    + new input for Management review: c) changes in needs and expectations of interested parties that are relevant to the information security management system
  • 30. New structure of 10 Improvement
    ISO/IEC 27001:2013: 10.1 Nonconformity and corrective action; 10.2 Continual improvement
    ISO/IEC 27001:2022: 10.1 Continual improvement; 10.2 Nonconformity and corrective action
  • 31. NEW Annex A. IS Controls
  • 32. Information security controls reference (Annex A)
    ISO/IEC 27001:2013: total number of controls – 114, grouped into 14 domains:
      A.5 Information security policies
      A.6 Organization of information security
      A.7 Human resource security
      A.8 Asset management
      A.9 Access control
      A.10 Cryptography
      A.11 Physical and environmental security
      A.12 Operations security
      A.13 Communications security
      A.14 System acquisition, development, and maintenance
      A.15 Supplier relationships
      A.16 Information security incident management
      A.17 Information security aspects of business continuity management
      A.18 Compliance
    ISO/IEC 27001:2022: total number of controls – 93, 11 of them new. Controls are categorized as:
      a) People, if they concern individual people
      b) Physical, if they concern physical objects
      c) Technological, if they concern technology
      d) otherwise they are categorized as Organizational
    Five attributes, only in ISO 27002:2022 (#):
      1. Control type (Preventive, Detective, Corrective)
      2. Information security properties (CIA)
      3. Cybersecurity concepts (Identify, Protect, Detect, Respond and Recover)
      4. Operational capabilities
      5. Security domains
  • 34. NEW in 2022:
      A.5.7 Threat intelligence
      A.5.23 Information security for use of cloud services
      A.5.30 ICT readiness for business continuity
      A.7.4 Physical security monitoring
      A.8.9 Configuration management
      A.8.10 Information deletion
      A.8.11 Data masking
      A.8.12 Data leakage prevention
      A.8.16 Monitoring activities
      A.8.23 Web filtering
      A.8.28 Secure coding
    patreon.com/posts/iso-27001-2013-73584456
  • 35. ISO 27002:2022. Example of Attributes
  • 36. You can create mapping tables with other standards
  • 37. Let's sum up the main changes
    • The main part of ISO 27001 (the body, clauses 4 to 10) has changed only slightly: no new requirements, just minor clarifications
    • The changes in Annex A (information security controls) are moderate: all previous controls remain but were regrouped, some were merged, and 11 new controls were added
    • 5 control attributes (#) were added in ISO 27002:2022
  • 39. If you already have an ISMS, you will need to:
    1. Review the Risk Treatment Plan (RTP) and align it with the new structure and numbering of controls.
    2. Review and update the Statement of Applicability (SoA). I recommend maintaining 2 spreadsheets (2013 and 2022) for the next 1-2 years.
    3. Review and update the ISMS Management review procedure (inputs).
    4. Review and update the IS objectives and the Monitoring, measurement, analysis and evaluation procedure.
    5. Review and update the ISMS Communication Plan.
    6. Review and update other policies, standards and procedures (if necessary).
    7. Review and update the checklists and questionnaires used for audits (internal and external).
    8. Evaluate and, if necessary, adapt third-party security tools (e.g., GRC, SIEM, VM) to ensure that the records you use to demonstrate compliance support the new requirements.
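A worked example of steps 1 and 2 of the migration (added here; not part of the presentation): a script that derives a 2022 SoA skeleton from the 2013 SoA plus a 2013→2022 control mapping, carrying applicability over for merged controls and flagging the 11 controls new in 2022, which have no predecessor. The SoA rows and mapping rows are constructed for the example; the `build_soa_2022` function name is my own.

```python
"""Added example, not from the presentation: derive a 2022 SoA skeleton from a
2013 SoA plus a 2013->2022 control mapping. A merged control is applicable if
ANY predecessor was; the 11 controls new in 2022 (slide 34) have no predecessor
and are flagged for assessment. All rows below are constructed; for a real
migration use the correspondence table in ISO/IEC 27002:2022 Annex B."""
import csv, io
from collections import defaultdict
NEW_2022 = {"A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
            "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28"}

# Constructed extract of a 2013 Statement of Applicability
SOA_2013 = """control,applicable,justification
A.5.1.1,yes,Policy approved by management
A.5.1.2,no,Review covered under A.5.1.1
A.10.1.1,yes,Cryptography policy v3
A.10.1.2,yes,Central key management service
"""
# Constructed mapping extract (old control -> new control)
MAPPING = """old,new
A.5.1.1,A.5.1
A.5.1.2,A.5.1
A.10.1.1,A.8.24
A.10.1.2,A.8.24
"""

def build_soa_2022(soa_2013_csv, mapping_csv, new_controls=NEW_2022):
    """Return {2022 control: {applicable, sources, justification, status}}."""
    old = {r["control"]: r for r in csv.DictReader(io.StringIO(soa_2013_csv))}
    new2old = defaultdict(list)
    for r in csv.DictReader(io.StringIO(mapping_csv)):
        new2old[r["new"]].append(r["old"])
    soa = {}
    for new_id, olds in new2old.items():
        rows = [old[o] for o in olds if o in old]
        missing = [o for o in olds if o not in old]  # mapped but never assessed
        soa[new_id] = {
            # a merged control inherits applicability if any predecessor applied
            "applicable": any(r["applicable"].lower() == "yes" for r in rows),
            "sources": olds,
            "justification": "; ".join(r["justification"] for r in rows),
            "status": "CHECK: missing in 2013 SoA" if missing else "MIGRATED",
        }
    for new_id in sorted(new_controls):   # no predecessor: decide from scratch
        soa[new_id] = {"applicable": None, "sources": [],
                       "justification": "", "status": "NEW: assess"}
    return soa

if __name__ == "__main__":
    for cid, row in sorted(build_soa_2022(SOA_2013, MAPPING).items()):
        print(f"{cid:8} {row['status']:28} applicable={row['applicable']}")
```

The output is the second spreadsheet the slide recommends: every 2022 row lists the 2013 controls it came from, so an auditor can trace each decision back to the old SoA.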
  • 41. New ISMS Management Review Report www.patreon.com/posts/44877830
  • 48. New Name
    ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management
    ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection — Guidance on managing information security risks
  • 49. Introduction
    This document provides guidance on:
    • implementation of the information security risk requirements specified in ISO/IEC 27001;
    • essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
    • actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
    • implementation of risk management guidance in ISO 31000 in the context of information security.
    This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
    This document is intended to be used by:
    • organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001;
    • persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties);
    • organizations that intend to improve their information security risk management process.
  • 50. Main changes
    1. All guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018
    2. The terminology has been aligned with the terminology in ISO 31000:2018
    3. The structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022
    4. Risk scenario concepts have been introduced
    5. The event-based approach is contrasted with the asset-based approach to risk identification
    6. The content of the annexes has been revised and restructured into a single annex
    + More examples and models
  • 51. Contents
    ISO/IEC 27005:2018:
      Foreword
      Introduction
      1. Scope
      2. Normative references
      3. Terms and definitions
      4. Structure of this document
      5. Background
      6. Overview of the information security risk management process
      7. Context establishment
      8. Information security risk assessment
      9. Information security risk treatment
      10. Information security risk acceptance
      11. Information security risk communication and consultation
      12. Information security risk monitoring and review
      Annex A. Defining the scope and boundaries of the information security risk management process
      Annex B. Identification and valuation of assets and impact assessment
      Annex C. Examples of typical threats
      Annex D. Vulnerabilities and methods for vulnerability assessment
      Annex E. Information security risk assessment approaches
      Annex F. Constraints for risk modification
      Bibliography
    ISO/IEC 27005:2022:
      Foreword
      Introduction
      1. Scope
      2. Normative references
      3. Terms and definitions
      4. Structure of this document
      5. Information security risk management
      6. Context establishment
      7. Information security risk assessment process
      8. Information security risk treatment process
      9. Operation
      10. Leveraging related ISMS processes
      Annex A. (informative) Examples of techniques in support of the risk assessment process
      Bibliography
  • 52. 5. IS risk management
    Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
    • Classic scheme (2018) + Documented Information (2022)
    • Many changes in the activity descriptions, additional recommendations.
  • 53. Approaches to perform risk identification
    Event-based (scenarios):
      Identify strategic scenarios through a consideration of risk sources, and how they use or impact interested parties to reach those risks' desired objective.
      The underlying concept is that risks can be identified and assessed through an evaluation of events and consequences.
      • An event-based approach can establish high-level or strategic scenarios without spending a considerable amount of time on identification of assets at a detailed level.
      • This allows the organization to focus its risk treatment efforts on the critical risks.
      • Interviews with top management
      • Top-down
    Asset-based:
      Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities.
      The underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities.
      • An asset is anything that has value to the organization and therefore requires protection.
      • If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified.
      • The asset-based approach can identify asset-specific threats and vulnerabilities and allows the organization to determine specific risk treatment at a detailed level.
      • Bottom-up
  • 54. Annexes
    ISO/IEC 27005:2018, pages 24-52:
      Annex A. Defining the scope and boundaries of the information security risk management process
        • A.1 Study of the organization
        • A.2 List of the constraints affecting the organization
        • A.3 List of the constraints affecting the scope
      Annex B. Identification and valuation of assets and impact assessment
        • B.1 Examples of asset identification (primary and supporting)
        • B.2 Asset valuation
        • B.3 Impact assessment
      Annex C. Examples of typical threats (+ Origin of threat)
      Annex D. Vulnerabilities and methods for vulnerability assessment
        • D.1 Examples of vulnerabilities
        • D.2 Methods for assessment of technical vulnerabilities
      Annex E. Information security risk assessment approaches
        • E.1 High-level information security risk assessment
        • E.2 Detailed information security risk assessment
      Annex F. Constraints for risk modification
    ISO/IEC 27005:2022, pages 41-61:
      Annex A. (informative) Examples of techniques in support of the risk assessment process
      A.1 Information security risk criteria
        • A.1.1 Criteria related to risk assessment
        • A.1.2 Risk acceptance criteria
      A.2 Practical techniques
        • A.2.1 Information security risk components
        • A.2.2 Assets
        • A.2.3 Risk sources and desired end state
        • A.2.4 Event-based approach
        • A.2.5 Asset-based approach
        • A.2.6 Examples of scenarios applicable in both approaches
        • A.2.7 Monitoring risk-related events
  • 55. Annexes. Tables
    ISO/IEC 27005:2018:
      Examples of typical threats
      Origin of threats
      Examples of typical vulnerabilities
      Table E.1 — The asset values, and the threat and vulnerability levels
      Table E.2 — Results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact
      Table E.3 — The factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects)
      Table E.3 — Combination of the likelihood of the threat occurring and the ease of exploitation of the vulnerability
      Table E.4 — The intersection of asset value and likelihood value
    ISO/IEC 27005:2022:
      Table A.1 — Example of consequence scale
      Table A.2 — Example of likelihood scale
      Table A.3 — Example of qualitative approach to risk criteria
      Table A.4 — Example logarithmic likelihood scale
      Table A.5 — Example logarithmic consequence scale
      Table A.6 — Example of evaluation scale combined with three-colour risk matrix
      Table A.7 — Examples and usual methods of attack
      Table A.8 — Example classification of motivations to express the DES
      Table A.9 — Examples of target objectives
      Table A.10 — Examples of typical threats
      Table A.11 — Examples of typical vulnerabilities
      Table A.12 — Examples of risk scenarios in both approaches
      Table A.13 — Example of risk scenario and monitoring risk-related events relationship
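To make the two identification approaches of slide 53 and the logarithmic scales and three-colour matrix listed for Annex A concrete, here is an added example (my code, not from ISO/IEC 27005 or the presentation): a risk scenario record that can carry either an event-based or an asset-based description, scored on base-10 scales where multiplying likelihood by consequence reduces to adding the two levels. The scale labels, the green/amber/red thresholds and the two sample scenarios are constructed for illustration, not taken from the standard's tables.

```python
"""Added example, not from ISO/IEC 27005 or the slides: scoring risk scenarios
with logarithmic likelihood/consequence scales (cf. Tables A.4, A.5) and a
three-colour matrix (cf. A.6). On base-10 scales each level is ten times the
previous one, so likelihood x consequence becomes the SUM of the two levels.
Scales, thresholds and scenarios are constructed for illustration."""
from dataclasses import dataclass
LIKELIHOOD = ["<1/100y", "1/10y", "1/year", "1/month", "1/week+"]  # levels 0-4
CONSEQUENCE = ["<1k", "1-10k", "10-100k", "100k-1M", ">1M"]         # levels 0-4
GREEN_MAX, AMBER_MAX = 3, 5   # constructed acceptance criteria (cf. A.1.2)

@dataclass
class Scenario:
    """Carries either an event-based or an asset-based description."""
    name: str
    likelihood: int
    consequence: int
    risk_source: str = ""        # event-based: who or what drives the event ...
    desired_end_state: str = ""  # ... and what they want to achieve
    asset: str = ""              # asset-based: asset, threat, vulnerability
    threat: str = ""
    vulnerability: str = ""
    @property
    def approach(self):
        return "event-based" if self.risk_source else "asset-based"

def risk_score(s):
    """Sum of log-scale levels; rejects levels outside the defined scales."""
    if not (0 <= s.likelihood < len(LIKELIHOOD)
            and 0 <= s.consequence < len(CONSEQUENCE)):
        raise ValueError(f"{s.name}: level outside the defined scales")
    return s.likelihood + s.consequence

def colour(score):
    if score <= GREEN_MAX:
        return "green"
    return "amber" if score <= AMBER_MAX else "red"

def evaluate(scenarios):
    """Return (score, colour, approach, name) tuples, highest risk first."""
    return sorted(((risk_score(s), colour(risk_score(s)), s.approach, s.name)
                   for s in scenarios), reverse=True)

# Constructed sample scenarios, one per identification approach
SAMPLE = [
    Scenario("Ransomware halts order processing", 2, 4,
             risk_source="criminal group", desired_end_state="extortion"),
    Scenario("Public web server defaced", 3, 1, asset="public web server",
             threat="exploitation of a published flaw", vulnerability="missing patches"),
]
if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```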
  • 56. Instead of a conclusion:
    1. General procedures (Assessment and Treatment) are OK, as usual. :) :)
    2. Two approaches: asset-based and event-based (scenarios), finally :)
    3. «9. Operation» and «10. Leveraging related ISMS processes» are useful for the ISMS implementation. :) :)
    4. Tables «A.10 Examples of typical threats» and «A.11 Examples of typical vulnerabilities», likelihood and consequence scales can be used for inspiration. :)
    5. «A.2 Practical techniques» are poorly designed and described. New figures and the examples of scenarios are useless. :( :(
    6. ISO 27005:2022 is a very complicated standard and every new version makes it more difficult. :(
    In my opinion, the ISACA IT Risk and IRAM2 are much more useful and practical. I recommend using them.
  • 58. My ISMS Implementation Toolkit (ISO 27001) www.patreon.com/posts/47806655