3/10/2023
Transition To ISO27001:2022
Tien Duong
(Principal consultant)
HCM, 10.03.2023
Welcome and introduction
Duong Dung Tien
(B.S, PMP ®, Scrum Master, ISO27001:2013 Lead Auditor, ISO9001:2015
Lead Auditor, ITIL4 Managing Professional)
• 27+ years working for ICT firms in Vietnam
• Outsourcing, product, service operations in software industries
• Developer, Tester, Architect, Technical Director, Project
Manager, Program/Senior Manager, Quality Director, PMO
• University lecturer (freelance), trainer and consultant in
Software Engineering, PMBOK, ISO9001:2015, ISO27001:2013,
ISO22301:2019, CMMI, Scrum/Agile, ITIL4
HQC CO. Ltd
Welcome and introduction
Mr. Nguyen Dang Quang
(ISO/IEC27001:2022 Lead Auditor by NQA Global)
• 15+ years as ISMS consultant (VNA, VCN, P&Q, AMSs, ….)
• 10+ years as ISMS Lead Auditor (NQA, ….)
• 20+ years as IT Manager for 5S Office - Business Center
• Lead Auditor ISO9001-14001-45001-50001, ISO22301-27001, …
Areas of activity: training and assessment; consulting and coaching; research and sharing
Training areas: leadership; management; production management; productivity; quality; information security; soft skills; corporate culture; service management
Agenda
Overview
Goals of 2022 Update
• Higher effectiveness
• Embracing the latest context
• Aligned to technology
ISO commitment to continuous improvement: ISO/IEC 27001:2005 → ISO/IEC 27001:2013 → ISO/IEC 27001:2022
Context behind the update:
• Over 25% of the workforce worked remotely during 2021, and may still work remotely in 2025
• The majority of enterprises rely on cloud services
• Mobile devices are used at work
• Higher support for business needs
Transition Timeline
July 2025 is the deadline for the upgrade audit (source: ISO 27001 Information Security | US | TÜV Rheinland, tuv.com).
This is a certification body's planning date. The IAF transition period for ISO/IEC 27001:2022 ends on 31 October 2025, when all remaining ISO/IEC 27001:2013 certificates expire or are withdrawn, so the upgrade audit has to be completed, and any findings closed, with enough margin before that date.
New/ First-time Certification
• May begin during the 2nd half of 2023
• After Oct 2023, no new certification to the 2013 version is issued!
ISO 27001:2022 vs ISO 27002:2022
ISO 27001 and ISO 27002 are seen as a "consistent" pair.
ISO 27001:
• Requirements for establishing, implementing, operating, monitoring, reviewing and improving an ISMS
• Requirements for implementing the security controls listed in Annex A (the same control set as ISO 27002)
• The only document of the pair used for certification
ISO 27002:
• Code of practice for information security controls
• Guidance on best practice for implementing each control
• Not used for certification
What is the relationship between ISO 27001 & ISO 27002?
ISO 27001 defines the Information Security Management System (ISMS). It is fundamentally about information security risk management: identify, assess and treat risks.
The organization identifies its information-related risks to determine which ISO 27002 controls are needed; implementing those controls is how the impact of the risks is mitigated.
Changes in 27001:2022
27001:2022 Changes
• High Level Structure unchanged
• Changes in subclause structure
• Changes in clause details
ISO 27001:2022 Structure
Clauses 4 to 10 follow the Plan-Do-Check-Act cycle:
PLAN
4. Context of the organization: understanding the organization and its context; needs and expectations of interested parties; scope of the ISMS; the ISMS itself
5. Leadership: leadership and commitment; policy; roles, responsibilities and authorities
6. Planning: actions to address risks and opportunities; objectives and planning to achieve them; planning of changes
7. Support: resources; competence; awareness; communication; documented information
DO
8. Operation: operational planning and control; risk assessment; risk treatment
CHECK
9. Performance evaluation: monitoring, measurement, analysis and evaluation; internal audit; management review
ACT
10. Improvement: continual improvement; nonconformity and corrective action
Clause 4.2 (Changed)
Interested parties: the organization now also determines which of the interested parties' requirements will be addressed through the ISMS.
Clause 4.4 (Changed)
The ISMS shall be established, implemented, maintained and continually improved, including the processes needed and their interactions.
Clause 6.2 (Changed)
Information security objectives shall now also be monitored and be available as documented information.
Clause 6.3 (Added)
Planning of changes: when the organization determines the need for changes to the ISMS, the changes shall be carried out in a planned manner.
Clause 7.4 (Changed)
Communication: the list is reduced to what, when, with whom and how to communicate; the separate items on who shall communicate and on the processes by which communication is effected are dropped.
Clause 8.1 (Changed)
Operational planning and control: establish criteria for the processes and implement control of the processes in accordance with those criteria; externally provided processes, products or services relevant to the ISMS shall be controlled (2013 spoke only of outsourced processes).
Clause 9.1 (Changed)
Monitoring, measurement, analysis and evaluation: restructured, and the requirement that the methods selected produce comparable and reproducible results is now part of the clause text rather than a note.
Clause 9.2 (Subclause Added)
Internal audit is split into 9.2.1 General and 9.2.2 Internal audit programme.
Clause 9.3 (Subclauses Added)
Management review is split into 9.3.1 General, 9.3.2 Management review inputs and 9.3.3 Management review results; a new input is added: changes in the needs and expectations of interested parties that are relevant to the ISMS.
Changes in 27002:2022
ISO 27002:2022
• ISO 27002 specifies control techniques that are intended to address specific issues discovered during the risk assessment process.
• It also serves as a roadmap for creating and implementing effective information security, cybersecurity and privacy protection management procedures.
ISO 27002:2022 Structure – 93 controls
Front matter: 0. Introduction; 1. Scope; 2. Normative references; 3. Terms and definitions; 4. Structure of this standard
Control clauses:
• 5. Organizational controls: 37 controls
• 6. People controls: 8 controls
• 7. Physical controls: 14 controls
• 8. Technological controls: 34 controls
ISO 27001:2013 Annex A Structure
Ref  Domain                                                           Sub-domains  Controls
5    Information security policies                                    1            2
6    Organization of information security                             2            7
7    Human resource security                                          3            6
8    Asset management                                                 3            10
9    Access control                                                   4            14
10   Cryptography                                                     1            2
11   Physical and environmental security                              2            15
12   Operations security                                              7            14
13   Communications security                                          2            7
14   System acquisition, development and maintenance                  3            13
15   Supplier relationships                                           2            5
16   Information security incident management                         1            7
17   Information security aspects of business continuity management   2            4
18   Compliance                                                       2            8
Total (14 domains)                                                    35           114
(The original slide listed 6 controls for domain 6; A.6.1 has five controls and A.6.2 two, and the total of 114 only adds up with 7.)
Going from 114 to 93 (1/4)
ISO 27001:2013 Annex A → ISO 27001:2022 Annex A
• 5.1.1 Policies for information security; 5.1.2 Review of the policies for information security → 5.1 Policies for information security
• 6.2.1 Mobile device policy; 11.2.8 Unattended user equipment → 8.1 User endpoint devices
• 8.1.1 Inventory of assets; 8.1.2 Ownership of assets → 5.9 Inventory of information and other associated assets
• 8.1.3 Acceptable use of assets; 8.2.3 Handling of assets → 5.10 Acceptable use of information and other associated assets
• 8.3.1 Management of removable media; 8.3.2 Disposal of media; 8.3.3 Physical media transfer → 7.10 Storage media
• 9.1.1 Access control policy; 9.1.2 Access to networks and network services → 5.15 Access control
Going from 114 to 93 (2/4)
ISO 27001:2013 Annex A → ISO 27001:2022 Annex A
• 9.2.4 Management of secret authentication information of users; 9.3.1 Use of secret authentication information; 9.4.3 Password management system → 5.17 Authentication information
• 9.2.5 Review of user access rights; 9.2.6 Removal or adjustment of access rights → 5.18 Access rights
• 10.1.1 Policy on the use of cryptographic controls; 10.1.2 Key management → 8.24 Use of cryptography
• 12.4.1 Event logging; 12.4.2 Protection of log information; 12.4.3 Administrator and operator logs → 8.15 Logging
• 13.2.1 Information transfer policies and procedures; 13.2.2 Agreements on information transfer; 13.2.3 Electronic messaging → 5.14 Information transfer
Going from 114 to 93 (3/4)
ISO 27001:2013 Annex A → ISO 27001:2022 Annex A
• 12.1.2 Change management; 14.2.2 System change control procedures; 14.2.3 Technical review of applications after operating platform changes; 14.2.4 Restrictions on changes to software packages → 8.32 Change management
• 14.2.8 System security testing; 14.2.9 System acceptance testing → 8.29 Security testing in development and acceptance
• 15.2.1 Monitoring and review of supplier services; 15.2.2 Managing changes to supplier services → 5.22 Monitoring, review and change management of supplier services
• 16.1.2 Reporting information security events; 16.1.3 Reporting information security weaknesses → 6.8 Information security event reporting
• 17.1.1 Planning information security continuity; 17.1.2 Implementing information security continuity; 17.1.3 Verify, review and evaluate information security continuity → 5.29 Information security during disruption
Going from 114 to 93 (4/4)
ISO 27001:2013 Annex A → ISO 27001:2022 Annex A
• 18.1.1 Identification of applicable legislation and contractual requirements; 18.1.5 Regulation of cryptographic controls → 5.31 Legal, statutory, regulatory and contractual requirements
• 18.2.2 Compliance with security policies and standards; 18.2.3 Technical compliance review → 5.36 Compliance with policies, rules and standards for information security
• 12.5.1 Installation of software on operational systems; 12.6.2 Restrictions on software installation → 8.19 Installation of software on operational systems
• 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions → 8.26 Application security requirements
• 12.1.4 Separation of development, testing and operational environments; 14.2.6 Secure development environment → 8.31 Separation of development, test and production environments
The New 11 Controls
• To keep the ISMS synergized with other cybersecurity best practices and standards:
o Cloud Security
o Business Continuity Management (BCM)
o Data Leakage Prevention (DLP)
o PII Protection
Control ID  Control Name
5.7         Threat intelligence
5.23        Information security for use of cloud services
5.30        ICT readiness for business continuity
7.4         Physical security monitoring
8.9         Configuration management
8.10        Information deletion
8.11        Data masking
8.12        Data leakage prevention
8.16        Monitoring activities
8.23        Web filtering
8.28        Secure coding
Control Measures Structure
• Addition of selectable and searchable attributes
o Attributes are optional
o An organization can create its own attributes to meet its needs
• Each control now states a "Purpose" instead of the 2013 "Control objective"
Control attributes (ISO 27002:2022 Annex A, Table A.1)
Control type: #Preventive #Detective #Corrective
Information security property: #Confidentiality #Integrity #Availability
Cybersecurity concepts: #Identify #Protect #Detect #Respond #Recover
Operational capabilities: #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance
Security domains: #Governance_and_Ecosystem #Protection #Defence #Resilience
5. Organizational controls – 5.7
Relationship of Threat Intelligence
A Sample Data Flow of Threat Intelligence
5. Organizational controls – 5.23
Processes with Cloud Services
• Acquisition: procurement selection criteria; risks associated with the acquisition
• Usage: acceptable use (per user class, per application, …)
• Management: permission control; data control
• Backup & Recovery: control of backups performed by the cloud service; recovery tests
• Exit: data export; data deletion
5. Organizational controls – 5.30
Relationship with BIA
Business Impact Analysis (BIA) → ICT DRP. Elements shown on the slide:
• Categories and criteria of continuity impact
• Prioritized activities
• Minimum business scale for recovery
• RTOs, RPOs
• Constraints on 3rd parties and vendors
• Prioritized and critical resources
• Redundant resources
• Recovery procedures
• Test and exercise criteria
7. Physical controls - 7.4
Physical Access Control
• The priorities of physical controls depend on the business operations.
• The functionality of physical controls should be appropriate to the risk level at the security perimeter where they are implemented.
8. Technological controls – 8.9
CMDB
• A Configuration Management Database (CMDB) offers centralized management of configuration data across all operational components whose functions depend on one another.
Configuration Management Sample
Configuration management is crucial in change management:
• Determine how the impact of a change spreads across system components
• Ensure successful fallback of the impacted system components when a change fails
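As an added example, not part of the original slides, the two change-management uses of a CMDB listed above can be computed directly from its dependency data: the set of components a change can reach, and the order in which they must be restored if the change fails. The CMDB, its component names and its edges below are constructed for this illustration, not taken from any real system.

```python
"""Change-impact analysis over a CMDB dependency graph (added example).

The CMDB is modelled as a directed graph: an edge A -> B means configuration
item A depends on B, so a change to B can affect A. The sample CMDB is
constructed for this example.
"""
from collections import defaultdict, deque

# Constructed sample CMDB: CI -> list of CIs it depends on.
SAMPLE_CMDB = {
    "web-portal":    ["app-server", "load-balancer"],
    "mobile-api":    ["app-server"],
    "app-server":    ["db-cluster", "auth-service"],
    "auth-service":  ["db-cluster", "hsm"],
    "reporting-job": ["db-cluster"],
    "db-cluster":    ["san-storage"],
    "load-balancer": [],
    "hsm":           [],
    "san-storage":   [],
}


def reverse_dependencies(cmdb):
    """Build the inverse map: CI -> set of CIs that depend on it."""
    dependents = defaultdict(set)
    for ci, deps in cmdb.items():
        for d in deps:
            dependents[d].add(ci)
    return dependents


def impacted_by(cmdb, changed_ci):
    """Return the set of CIs transitively affected by a change to changed_ci.

    Breadth-first search over reverse dependencies. The changed CI itself is
    never part of the result, even if the graph contains a cycle back to it.
    """
    dependents = reverse_dependencies(cmdb)
    seen, queue = set(), deque([changed_ci])
    while queue:
        ci = queue.popleft()
        for dep in dependents.get(ci, ()):
            if dep not in seen and dep != changed_ci:
                seen.add(dep)
                queue.append(dep)
    return seen


def fallback_order(cmdb, changed_ci):
    """Order in which to roll back / verify CIs after a failed change.

    A CI is restored only after every CI it depends on (within the impacted
    scope) has been restored: a topological sort of the impacted sub-graph,
    starting at the changed CI. Ties are broken alphabetically so the result
    is deterministic. Raises ValueError if the scope contains a cycle.
    """
    scope = impacted_by(cmdb, changed_ci) | {changed_ci}
    indeg = {ci: sum(1 for d in cmdb.get(ci, ()) if d in scope) for ci in scope}
    ready = deque(sorted(ci for ci, n in indeg.items() if n == 0))
    dependents = reverse_dependencies(cmdb)
    order = []
    while ready:
        ci = ready.popleft()
        order.append(ci)
        for dep in sorted(dependents.get(ci, ())):
            if dep in scope:
                indeg[dep] -= 1
                if indeg[dep] == 0:
                    ready.append(dep)
    if len(order) != len(scope):
        raise ValueError("dependency cycle in CMDB; cannot derive fallback order")
    return order


if __name__ == "__main__":
    for ci in ("db-cluster", "hsm", "load-balancer"):
        print(f"change to {ci} impacts: {sorted(impacted_by(SAMPLE_CMDB, ci))}")
        print(f"  fallback order: {fallback_order(SAMPLE_CMDB, ci)}")
```

The impact set is what a change advisory board needs for the first bullet; the fallback order is the second bullet made explicit, and it is also the order in which smoke tests should run after the rollback.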
Data Governance Model (figure): the data owner sits at the centre; the model covers operational data and quality of data, and the risks of unused data remaining uncontrolled, disposal of sensitive information, data being inaccessible when needed, and recovery after disastrous events.
Data Management Plan (Sample)
Data: Employee social insurance
Created in function: Employment management
Endpoints: social insurance bookkeeper; external tax contacts; labor committees
Data owner: HR
Permitted authors: HR CnB Executive
Retention policy: 10 years after employment ends
Masking requirement: Social Insurance No.; past companies & salaries
8. Technological controls – 8.10
Situations for information deletion
• Offboarding
• Work reallocation
• User deregistration
• Equipment reuse / discarding
• Disposal of records
• Constraints from contracts, regulation, laws, …
• Etc.
Challenge: deleting information held by external parties (e.g., cloud providers, 3rd-party vendors), where the organization cannot verify the deletion itself and has to rely on contractual deletion terms and the provider's evidence.
8. Technological controls – 8.11
Data Encryption vs Data Masking
Data encryption:
❑ Always unreadable
❑ Reversible
❑ Performance impact
❑ Topic independent
❑ High cost
❑ Heavy key management
Data masking:
❑ Readable
❑ Irreversible
❑ No performance impact
❑ Topic dependent
❑ Medium or low cost
❑ Light key management (pure masking needs no key at all; only keyed pseudonymisation or tokenisation does)
Data types typically masked: PII, PHI, payment card information (PCI DSS), IP
Masking approaches: static data masking, dynamic data masking, on-the-fly data masking
Example of Auto-Data Masking
Ref: https://docs.cossacklabs.com/acra/
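Masking the employee record from the Data Management Plan sample, as an added example that is neither from the slides nor from Acra: it shows static masking of an export (irreversible, usable in test and analytics environments), a role-based dynamic view applied at access time, and a keyed pseudonymisation of employer names that keeps joins working but still cannot be reversed. The record, the role names and the key are constructed for this illustration.

```python
"""Static and dynamic data masking for an employee record (added example).

Masking is irreversible: no key recovers the original value, which is what
distinguishes it from encryption. The one keyed operation here, HMAC
pseudonymisation of employer names, is deterministic (the same employer always
maps to the same token, so joins still work) but is still not reversible.
Record, roles and key are constructed for this example.
"""
import copy
import hashlib
import hmac

# Constructed sample record; fields follow the Data Management Plan sample.
SAMPLE_RECORD = {
    "employee_id": "E-10427",
    "social_insurance_no": "7912345678",
    "past_companies": [
        {"company": "Alpha Software JSC", "salary_vnd": 23_500_000},
        {"company": "Beta Outsourcing Ltd", "salary_vnd": 31_000_000},
    ],
}

# Assumed roles allowed to see raw data (the plan's "Permitted authors").
RAW_ALLOWED_ROLES = {"HR", "HR_CnB_Executive"}

# Pseudonymisation key; in production this lives in a KMS/HSM, never in code.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def mask_insurance_no(value, keep_last=3):
    """Partial mask: keep only the last `keep_last` digits, e.g. *******678."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def bucket_salary(amount_vnd, width=10_000_000):
    """Generalise a salary into a band so the individual value is not exposed."""
    low = (amount_vnd // width) * width
    return f"{low:,}-{low + width - 1:,} VND"


def pseudonymise(name, key=PSEUDONYM_KEY):
    """Deterministic, keyed, non-reversible token for an employer name."""
    canonical = name.strip().lower().encode("utf-8")
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return "EMP-" + tag[:12]


def static_mask(record):
    """Masked copy for test/analytics environments; the input is not modified."""
    masked = copy.deepcopy(record)
    masked["social_insurance_no"] = mask_insurance_no(record["social_insurance_no"])
    masked["past_companies"] = [
        {"company": pseudonymise(e["company"]),
         "salary_vnd": bucket_salary(e["salary_vnd"])}
        for e in record["past_companies"]
    ]
    return masked


def dynamic_view(record, role):
    """Role-based view at access time: raw for permitted roles, masked otherwise."""
    if role in RAW_ALLOWED_ROLES:
        return copy.deepcopy(record)
    return static_mask(record)


if __name__ == "__main__":
    print("static export:", static_mask(SAMPLE_RECORD))
    print("HR view:      ", dynamic_view(SAMPLE_RECORD, "HR"))
    print("Finance view: ", dynamic_view(SAMPLE_RECORD, "Finance"))
```

Note that the masked salary bands and the partial insurance number are useful to the reader but carry no way back to the raw values, whereas an encrypted export would have to be decrypted (and the key distributed) before anyone could use it.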
8. Technological controls – 8.12
Concerns for DLP
• Prioritized data and information
• Costs of data leakage
• DLP threats at users' endpoint devices
• DLP threats from external endpoints
• DLP threats from internal operations
(Figure axes: needs versus cost, effort and system; internal versus external)
8. Technological controls – 8.16
8.16 covers monitoring of ICT assets (networks, systems and applications); 7.4 covers monitoring of physical assets (premises).
Purposes of Monitoring
• Availability: detect symptoms of potential interruption
• Performance: evaluate performance against load
• Breaching: detect and prevent initial breach or attack actions
Monitoring outcomes: discover, detect, prevent, respond
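As an added example, not from the original slides, the "breaching" purpose can be turned into a concrete detection rule over authentication logs: a sliding window counts failed logins per source address, and a success from a source that has just been flagged is escalated, since that is the pattern of a brute-force or password-spray attempt that worked. The syslog-like line format, the sample lines and the thresholds are constructed for this illustration and are not a real product's format.

```python
"""Brute-force detection over authentication log lines (added example).

Rule: THRESHOLD or more FAILED logins from one source within WINDOW_SECONDS
raises a medium alert; a later SUCCESS from that same source raises a high
alert. Log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
THRESHOLD = 5

# Constructed format: "<iso-timestamp> auth[<pid>]: FAILED|SUCCESS login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth\[\d+\]: "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: six failures then a success from 203.0.113.7,
# plus one normal login from 198.51.100.20 in between.
SAMPLE_LOG = """\
2023-03-10T09:00:01 auth[812]: FAILED login user=admin src=203.0.113.7
2023-03-10T09:00:03 auth[812]: FAILED login user=admin src=203.0.113.7
2023-03-10T09:00:05 auth[812]: FAILED login user=root src=203.0.113.7
2023-03-10T09:00:07 auth[812]: SUCCESS login user=tien src=198.51.100.20
2023-03-10T09:00:09 auth[812]: FAILED login user=admin src=203.0.113.7
2023-03-10T09:00:11 auth[812]: FAILED login user=admin src=203.0.113.7
2023-03-10T09:00:13 auth[812]: FAILED login user=admin src=203.0.113.7
2023-03-10T09:00:20 auth[812]: SUCCESS login user=admin src=203.0.113.7
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than treated as events
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return alerts as (severity, src, message) tuples, in log order."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        # Drop failures that have fallen out of the sliding window.
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()
        if ev["result"] == "FAILED":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("medium", src,
                               f"{len(recent)} failed logins within {window}s"))
        elif src in flagged:
            alerts.append(("high", src,
                           f"successful login as {ev['user']} after brute-force pattern"))
    return alerts


if __name__ == "__main__":
    for severity, src, msg in detect(SAMPLE_LOG):
        print(f"[{severity}] {src}: {msg}")
```

The window is pruned before each event is counted, so a slow attacker who spaces attempts more than the window apart is not caught by this rule alone; that case needs a longer-horizon count or correlation with the threat intelligence feed from 5.7.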
8. Technological controls – 8.23
8. Technological controls – 8.28
The Three Pillars of Secure Coding
• People: fostering a security culture enables designing secure software from the ground up and sustaining threat modelling
• Process: a Secure Software Development Life Cycle (SSDLC) implements security measures throughout all stages of software development
• Tools: tools ensure adoption of the practices and improve developers' productivity
Secure Coding in all Stages of Software Lifecycle
Planning and analysis → Design → Implementation → Testing & Deployment → Maintenance
Approach for Transition
Typical Annual ISMS Program
Step 1: Management support
Step 2: Determine scope
Step 3: InfoSec policy
Step 4: Asset inventory
Step 5: Risk management methodology
Step 6: Risk assessment
Step 7: Risk treatment
Step 8: Performance evaluation
Step 9: Improvement
Step 10: Certification audit
Transition Approach
Step 1 – Understanding the changes: skill updates
Step 2 – Identifying changes to the existing ISMS: changed/new processes; changed/new controls
Step 3 – Implement changes: control setup; process rollouts
Step 4 – Assess effectiveness: internal audits; external assessments
Step 5 – Correct discrepancies: correction plans and actions
Key Changes to Existing ISMS
ISO27001:2022
• Updating organization context (4.2)
• Risk assessment: integrate threat intelligence
• Risk treatment process & SoA: Annex A of ISO 27001:2022
• Monitoring: processes, security objectives, performance of controls, threat evaluation
• ISMS change management process (6.3)
• Process for internal audit programme (9.2.2)
• Process for management review (9.3.2, 9.3.3)
ISO27002:2022
• Address operational responsibilities (#Operational_capabilities attribute)
• Balancing of controls (#Information_security_property and #Control_type attributes)
• Implement new controls: people, process, technology
Upgrade Audit
• Includes verification of:
o Gap analysis against ISO27001:2022
o Changes to the client's ISMS
o SoA update
o Risk treatment
o Effectiveness of the implementation of the new and changed clauses and controls
HQC Training Consultant Ltd.
Head office: 3rd floor, 96 Cao Thắng, Ward 4, District 3, HCM
Phone: (84) 777 174 471
Email: admin@hqc-company.com
Website: https://hqc-company.com

 
Cost of Poor Quality (COPQ) - Chi phí chất lượng kém - 5S Office bc
Cost of Poor Quality (COPQ) -  Chi phí chất lượng kém  - 5S Office bcCost of Poor Quality (COPQ) -  Chi phí chất lượng kém  - 5S Office bc
Cost of Poor Quality (COPQ) - Chi phí chất lượng kém - 5S Office bcNguyễn Đăng Quang
 
MTBF - Thời gian trung bình giữa các lần hỏng hóc
MTBF - Thời gian trung bình giữa các lần hỏng hócMTBF - Thời gian trung bình giữa các lần hỏng hóc
MTBF - Thời gian trung bình giữa các lần hỏng hócNguyễn Đăng Quang
 
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng Điểm
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng ĐiểmCTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng Điểm
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng ĐiểmNguyễn Đăng Quang
 
Gemba Walk level 2 checklist - manager to team leaders
Gemba Walk level 2 checklist - manager to team leadersGemba Walk level 2 checklist - manager to team leaders
Gemba Walk level 2 checklist - manager to team leadersNguyễn Đăng Quang
 
Gemba Walk level 1 checklist - team leader to operators
Gemba Walk level 1 checklist - team leader to operatorsGemba Walk level 1 checklist - team leader to operators
Gemba Walk level 1 checklist - team leader to operatorsNguyễn Đăng Quang
 

Mehr von Nguyễn Đăng Quang (11)

NQA Lợi ích Từ ISO và ESG Tăng Trưởng và Bền Vững ver01.pdf
NQA Lợi ích Từ ISO và ESG Tăng Trưởng và Bền Vững ver01.pdfNQA Lợi ích Từ ISO và ESG Tăng Trưởng và Bền Vững ver01.pdf
NQA Lợi ích Từ ISO và ESG Tăng Trưởng và Bền Vững ver01.pdf
 
Bản dịch tiêu chuẩn ISO/IEC 20000-1: 2018
Bản dịch tiêu chuẩn ISO/IEC 20000-1: 2018Bản dịch tiêu chuẩn ISO/IEC 20000-1: 2018
Bản dịch tiêu chuẩn ISO/IEC 20000-1: 2018
 
HQC Training Consultancy Company Limited
HQC Training Consultancy Company LimitedHQC Training Consultancy Company Limited
HQC Training Consultancy Company Limited
 
Phiếu câu hỏi check list iso 9001 nqa viet nam
Phiếu câu hỏi check list iso 9001 nqa viet namPhiếu câu hỏi check list iso 9001 nqa viet nam
Phiếu câu hỏi check list iso 9001 nqa viet nam
 
Tài liệu đào tạo Covid-19 Secure của NQA Việt Nam
Tài liệu đào tạo Covid-19 Secure của NQA Việt NamTài liệu đào tạo Covid-19 Secure của NQA Việt Nam
Tài liệu đào tạo Covid-19 Secure của NQA Việt Nam
 
Phương pháp quản lý thời gian Eisenhower
Phương pháp quản lý thời gian EisenhowerPhương pháp quản lý thời gian Eisenhower
Phương pháp quản lý thời gian Eisenhower
 
Cost of Poor Quality (COPQ) - Chi phí chất lượng kém - 5S Office bc
Cost of Poor Quality (COPQ) -  Chi phí chất lượng kém  - 5S Office bcCost of Poor Quality (COPQ) -  Chi phí chất lượng kém  - 5S Office bc
Cost of Poor Quality (COPQ) - Chi phí chất lượng kém - 5S Office bc
 
MTBF - Thời gian trung bình giữa các lần hỏng hóc
MTBF - Thời gian trung bình giữa các lần hỏng hócMTBF - Thời gian trung bình giữa các lần hỏng hóc
MTBF - Thời gian trung bình giữa các lần hỏng hóc
 
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng Điểm
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng ĐiểmCTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng Điểm
CTQ tree - Sơ đồ cây Chỉ Tiêu Chất Lượng Trọng Điểm
 
Gemba Walk level 2 checklist - manager to team leaders
Gemba Walk level 2 checklist - manager to team leadersGemba Walk level 2 checklist - manager to team leaders
Gemba Walk level 2 checklist - manager to team leaders
 
Gemba Walk level 1 checklist - team leader to operators
Gemba Walk level 1 checklist - team leader to operatorsGemba Walk level 1 checklist - team leader to operators
Gemba Walk level 1 checklist - team leader to operators
 

Kürzlich hochgeladen

From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsCIToolkit
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Giuseppe De Simone
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdffillmonipdc
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)jennyeacort
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingGiuseppe De Simone
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...CIToolkit
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skillskristinalimarenko7
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionCIToolkit
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
 

Kürzlich hochgeladen (20)

From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement RoadmapsFrom Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
From Goals to Actions: Uncovering the Key Components of Improvement Roadmaps
 
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
Effective learning in the Age of Hybrid Work - Agile Saturday Tallinn 2024
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 
Management and managerial skills training manual.pdf
Management and managerial skills training manual.pdfManagement and managerial skills training manual.pdf
Management and managerial skills training manual.pdf
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
Shaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful ThinkingShaping Organizational Culture Beyond Wishful Thinking
Shaping Organizational Culture Beyond Wishful Thinking
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
Paired Comparison Analysis: A Practical Tool for Evaluating Options and Prior...
 
Motivational theories an leadership skills
Motivational theories an leadership skillsMotivational theories an leadership skills
Motivational theories an leadership skills
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
How-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem ResolutionHow-How Diagram: A Practical Approach to Problem Resolution
How-How Diagram: A Practical Approach to Problem Resolution
 
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 

Consulting and training for the new ISO 27001:2022 version, by HQC Consulting

• 5. New / first-time certification
  • May begin during the 2nd half of 2023.
  • After October 2023, no new certification to the 2013 version is issued.

  ISO 27001:2022 vs ISO 27002:2022
  ISO 27001 and ISO 27002 are seen as a "consistent" pair.
  ISO 27001:
  • Requirements for establishing, operating, monitoring, reviewing and improving the ISMS
  • Requirements for implementing the security controls (Annex A, drawn from ISO 27002)
  • Strictly used for certification
  ISO 27002:
  • Code of practice for information security controls
  • Guidance on best practices
  • Not used for certification
• 6. What is the relationship between ISO 27001 & ISO 27002?
  ISO 27001: the Information Security Management System (ISMS). It is fundamentally about information security risk management: identify, assess, treat.
  ISO 27002: identify information-related risks to determine which ISO 27002 controls are needed, so that the impact of those risks is mitigated.

  Changes in 27001:2022
• 7. 27001:2022 changes
  • High Level Structure unchanged
  • Changes in subclause structure
  • Changes in clause details
• 8. ISO 27001:2022 structure (PDCA)
  PLAN
  • 4. Context of the organization: understanding the organization and its context; needs & expectations of interested parties; scope of the ISMS; the ISMS
  • 5. Leadership: leadership & commitment; policy; roles, responsibilities and authorities
  • 6. Planning: actions to address risks & opportunities; objectives and planning to achieve them; planning of changes
  • 7. Support: resources; competence; awareness; communication; documented information
  DO
  • 8. Operation: operational planning & control; risk assessment; risk treatment
  CHECK
  • 9. Performance evaluation: monitoring, measurement, analysis and evaluation; internal audit; management review
  ACT
  • 10. Improvement: continual improvement; nonconformity & corrective action

• 8–12. Clause-level changes (detail slides)
  • Clause 4.2 (changed)
  • Clause 4.4 (changed)
  • Clause 6.2
  • Clause 6.3 (added)
  • Clause 7.4 (changed)
  • Clause 8.1 (changed)
  • Clause 9.1 (changed)
  • Clause 9.2 (subclause added)
  • Clause 9.3 (subclauses added)
• 13. Changes in 27002:2022
  ISO 27002:2022
  • ISO 27002 specifies control techniques intended to address specific issues discovered during the risk assessment process.
  • It also serves as a roadmap for creating and implementing effective information security, cybersecurity and privacy protection management procedures.
• 14. ISO 27002:2022 structure – 93 controls
  • 0. Introduction; 1. Scope; 2. Normative references; 3. Terms and definitions; 4. Structure of this standard
  • 5. Organizational controls: 37 controls
  • 6. People controls: 8 controls
  • 7. Physical controls: 14 controls
  • 8. Technological controls: 34 controls

  ISO 27001:2013 structure (Annex A)
  Ref | Domain | Sub-domains | Controls
  5 | Information security policies | 1 | 2
  6 | Organization of information security | 2 | 7
  7 | Human resource security | 3 | 6
  8 | Asset management | 3 | 10
  9 | Access control | 4 | 14
  10 | Cryptography | 1 | 2
  11 | Physical and environmental security | 2 | 15
  12 | Operations security | 7 | 14
  13 | Communications security | 2 | 7
  14 | System acquisition, development and maintenance | 3 | 13
  15 | Supplier relationships | 2 | 5
  16 | Information security incident management | 1 | 7
  17 | Information security aspects of business continuity management | 2 | 4
  18 | Compliance | 2 | 8
  Total | 14 domains | 35 | 114
  (The original slide listed 6 controls for domain 6; A.6 has 7 controls, A.6.1.1–A.6.1.5 plus A.6.2.1–A.6.2.2, which is what makes the total 114.)
• 15–16. Going from 114 to 93: merged controls (2013 Annex A → 2022 Annex A)
  • 5.1.1 Policies for information security; 5.1.2 Review of the policies for information security → 5.1 Policies for information security
  • 6.2.1 Mobile device policy; 11.2.8 Unattended user equipment → 8.1 User end point devices
  • 8.1.1 Inventory of assets; 8.1.2 Ownership of assets → 5.9 Inventory of information and other associated assets
  • 8.1.3 Acceptable use of assets; 8.2.3 Handling of assets → 5.10 Acceptable use of information and other associated assets
  • 8.3.1 Management of removable media; 8.3.2 Disposal of media; 8.3.3 Physical media transfer → 7.10 Storage media
  • 9.1.1 Access control policy; 9.1.2 Access to networks and network services → 5.15 Access control
  • 9.2.4 Management of secret authentication information of users; 9.3.1 Use of secret authentication information; 9.4.3 Password management system → 5.17 Authentication information
  • 9.2.5 Review of user access rights; 9.2.6 Removal or adjustment of access rights → 5.18 Access rights
  • 10.1.1 Policy on the use of cryptographic controls; 10.1.2 Key management → 8.24 Use of cryptography
  • 12.4.1 Event logging; 12.4.2 Protection of log information; 12.4.3 Administrator and operator logs → 8.15 Logging
  • 13.2.1 Information transfer policies and procedures; 13.2.2 Agreements on information transfer; 13.2.3 Electronic messaging → 5.14 Information transfer
  • 12.1.2 Change management; 14.2.2 System change control procedures; 14.2.3 Technical review of applications after operating platform changes; 14.2.4 Restrictions on changes to software packages → 8.32 Change management
  • 14.2.8 System security testing; 14.2.9 System acceptance testing → 8.29 Security testing in development and acceptance
  • 15.2.1 Monitoring and review of supplier services; 15.2.2 Managing changes to supplier services → 5.22 Monitoring, review and change management of supplier services
  • 16.1.2 Reporting information security events; 16.1.3 Reporting information security weaknesses → 6.8 Information security event reporting
  • 17.1.1 Planning information security continuity; 17.1.2 Implementing information security continuity; 17.1.3 Verify, review and evaluate information security continuity → 5.29 Information security during disruption
  • 18.1.1 Identification of applicable legislation and contractual requirements; 18.1.5 Regulation of cryptographic controls → 5.31 Legal, statutory, regulatory and contractual requirements
  • 18.2.2 Compliance with security policies and standards; 18.2.3 Technical compliance review → 5.36 Compliance with policies, rules and standards for information security
  • 12.5.1 Installation of software on operational systems; 12.6.2 Restrictions on software installation → 8.19 Installation of software on operational systems
  • 14.1.2 Securing application services on public networks; 14.1.3 Protecting application services transactions → 8.26 Application security requirements
  • 12.1.4 Separation of development, testing and operational environments; 14.2.6 Secure development environment → 8.31 Separation of development, test and production environments
• 17. The 11 new controls
  To keep the ISMS synergized with other cybersecurity best practices and standards: cloud security, Business Continuity Management (BCM), Data Leakage Prevention (DLP), PII protection.
  Control ID | Control name
  5.7 | Threat intelligence
  5.23 | Information security for use of cloud services
  5.30 | ICT readiness for business continuity
  7.4 | Physical security monitoring
  8.9 | Configuration management
  8.10 | Information deletion
  8.11 | Data masking
  8.12 | Data leakage prevention
  8.16 | Monitoring activities
  8.23 | Web filtering
  8.28 | Secure coding

  Control structure
  • Addition of selectable and searchable attributes
    • Attributes are optional
    • An organization can create its own attributes to meet its needs
  • "Purpose" is used instead of the control "Objective"
• 18. Control attributes (Annex A.1)
  Control attribute | Attribute values
  Control type | #Preventive #Detective #Corrective
  Information security property | #Confidentiality #Integrity #Availability
  Cybersecurity concepts | #Identify #Protect #Detect #Respond #Recover
  Operational capabilities | #Governance #Asset_management #Information_protection #Human_resource_security #Physical_security #System_and_network_security #Application_security #Secure_configuration #Identity_and_access_management #Threat_and_vulnerability_management #Continuity #Supplier_relationships_security #Legal_and_compliance #Information_security_event_management #Information_security_assurance
  Security domains | #Governance_and_Ecosystem #Protection #Defence #Resilience

  5. Organizational controls – 5.7 Threat intelligence

• 19. Relationship of threat intelligence (figure); a sample data flow of threat intelligence (figure)
• 20. 5. Organizational controls – 5.23 Information security for use of cloud services
  Processes with cloud services:
  • Acquisition: procurement selection criteria; associated risks of acquisition
  • Usage: acceptable use (per user class, per application, ...)
  • Management: permission control; data control
  • Backup & recovery: control of backups performed by the cloud service; recovery tests
  • Exit: data export; data deletion
• 21. 5. Organizational controls – 5.30 ICT readiness for business continuity
  Relationship with the BIA:
  • Business Impact Analysis (BIA) provides: categories & criteria of continuity impact; prioritized activities; minimum business scale for recovery; RTOs and RPOs; constraints to 3rd parties & vendors
  • The ICT DRP builds on it: prioritized and critical resources; redundant resources; recovery procedures; test and exercise criteria
• 22. 7. Physical controls – 7.4 Physical security monitoring
  Physical access control:
  • The priorities of physical controls depend on business operations.
  • The functionality of a physical control should be appropriate to the risk level at the security perimeter where it is implemented.
• 23. 8. Technological controls – 8.9 Configuration management
  CMDB
  • A Configuration Management Database (CMDB) offers centralized management of configuration data across all operational components, including the dependencies between them.
• 24. Configuration management sample
  Configuration management is crucial in change management:
  • Determine how the impact of a change spreads across system components.
  • Ensure successful fallback of the impacted system components when a change fails.

  Data governance model (figure): operational data, each with a data owner; risks to govern: unused data remains uncontrolled; disposing of sensitive information; data inaccessible when needed; recovery after disastrous events; quality of data.
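The first bullet above, "determine how the impact of a change spreads", is a graph problem over the CMDB's dependency relationships. The following is an added example written for this page (it is not code from the HQC slides): the CMDB is modelled as a directed graph of configuration items where an edge A → B means "B depends on A", the impact set of a change is everything reachable from the changed CI, and the fallback order is the reverse topological order of that impact set. All CI names and relationships are constructed sample data.

```python
"""Change-impact analysis over a minimal CMDB (ISO 27002:2022 control 8.9).

Added example, not from the slides. Edge direction: cmdb[ci] lists the CIs that
depend on ci (downstream). Sample data below is constructed for illustration.
"""
from collections import deque

# Constructed sample CMDB: ci -> CIs whose function depends on it.
SAMPLE_CMDB = {
    "core-switch-01": ["db-cluster", "app-server-01", "app-server-02"],
    "db-cluster": ["hr-portal", "payroll-batch"],
    "app-server-01": ["hr-portal"],
    "app-server-02": ["hr-portal"],
    "hr-portal": ["sso-gateway"],
    "payroll-batch": [],
    "sso-gateway": [],
    "backup-server": [],        # nothing depends on it: changes here spread nowhere
}


def impact_set(cmdb, changed_ci):
    """Every CI that depends, directly or transitively, on changed_ci (BFS)."""
    if changed_ci not in cmdb:
        raise KeyError(f"unknown CI: {changed_ci}")
    seen, queue = set(), deque([changed_ci])
    while queue:
        ci = queue.popleft()
        for downstream in cmdb.get(ci, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def fallback_order(cmdb, changed_ci):
    """Order in which impacted CIs should be rolled back if the change fails:
    most-downstream first, so a dependency is never restored before its users.
    Implemented as Kahn's topological sort over the impacted subgraph, reversed."""
    impacted = impact_set(cmdb, changed_ci)
    indeg = {ci: 0 for ci in impacted}
    for ci in impacted:
        for d in cmdb.get(ci, []):
            if d in impacted:
                indeg[d] += 1
    ready = sorted(ci for ci, n in indeg.items() if n == 0)   # sorted for a stable order
    order = []
    while ready:
        ci = ready.pop(0)
        order.append(ci)
        for d in cmdb.get(ci, []):
            if d in impacted:
                indeg[d] -= 1
                if indeg[d] == 0:
                    ready.append(d)
                    ready.sort()
    if len(order) != len(impacted):
        # A cycle means the CMDB data is wrong; impact analysis on it is not trustworthy.
        raise ValueError("dependency cycle in CMDB; fix the data before relying on it")
    return list(reversed(order))


if __name__ == "__main__":
    for ci in ("core-switch-01", "db-cluster", "backup-server"):
        print(f"{ci}: impacts {sorted(impact_set(SAMPLE_CMDB, ci))}, "
              f"fallback {fallback_order(SAMPLE_CMDB, ci)}")
```

A change ticket for db-cluster would therefore list hr-portal, payroll-batch and sso-gateway as impacted, and its rollback plan would restore sso-gateway and payroll-batch before hr-portal. The cycle check matters in practice: a CMDB that has drifted from reality will silently under-report impact, so the data quality point on the governance slide applies here too.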
• 25. Data management plan (sample)
  Data | Created in function | Endpoints | Data owner | Permitted authors | Retention policy | Masking requirement
  Employee social insurance | Employment management | Social insurance bookkeeper; external tax contacts; labor committees | HR | HR CnB Executive | 10 years after employment ends | Social Insurance No.; past companies & salaries

  8. Technological controls – 8.10 Information deletion
• 26. Situations for information deletion
  • Offboarding
  • Work reallocation
  • User deregistration
  • Equipment reuse / discarding
  • Disposal of records
  • Constraints from contracts, regulations, laws, ...
  • Etc.
  Challenge: deleting information controlled by external parties (e.g. cloud providers, 3rd-party vendors).

  8. Technological controls – 8.11 Data masking
• 27. Data encryption vs data masking
  Data encryption:
  • Always unreadable
  • Reversible
  • Performance impact
  • Topic independent
  • High cost
  • Heavy key management
  Data masking:
  • Readable
  • Irreversible
  • Little or no performance impact (static masking is done once; dynamic masking is applied per query)
  • Topic dependent
  • Medium or low cost
  • Light key management
  Typical data types: PII, PHI, payment card information (PCI DSS), IP.
  Masking techniques: static data masking, dynamic data masking, on-the-fly data masking.

  Example of automatic data masking. Ref: https://docs.cossacklabs.com/acra/
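To make the comparison concrete, here is an added example (written for this page; it is not code from the slides or from Acra) that implements the masking requirement of the sample data management plan on slide 25: the Social Insurance No. is statically masked keeping its format, past salaries are generalised into bands, past company names become keyed pseudonyms, and the same functions are applied dynamically by role so that only the plan's permitted author sees clear data. The record, the role names, the band width and the HMAC key are constructed assumptions; in practice the key lives in a secrets store and the bands follow the data owner's policy.

```python
"""Static and dynamic data masking (ISO 27002:2022 control 8.11).

Added example, not from the slides. Stdlib only. Everything below, including
SAMPLE and SAMPLE_KEY, is constructed for illustration.
"""
import hashlib
import hmac

# From the sample data management plan: only the HR CnB executive reads clear data.
FULL_ACCESS_ROLES = {"HR CnB Executive"}


def mask_social_insurance_no(value: str, keep_last: int = 2) -> str:
    """Static masking: keep the format and reveal only the last `keep_last` digits.
    Irreversible by construction: the masked digits are discarded, not encrypted."""
    digits = [c for c in value if c.isdigit()]
    reveal = set(range(len(digits) - keep_last, len(digits)))
    out, i = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if i in reveal else "*")
            i += 1
        else:
            out.append(c)  # separators stay, so the value remains readable
    return "".join(out)


def salary_band(amount: int, width: int = 5_000_000) -> str:
    """Generalise an exact salary into a band (topic-dependent masking)."""
    lo = (amount // width) * width
    return f"{lo:,}-{lo + width - 1:,}"


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, consistent pseudonym: the same company always masks to the same token,
    so records can still be grouped, but the name is not recoverable from the token.
    HMAC is one-way; only the key needs protecting (the slide's 'light key management')."""
    norm = value.strip().lower().encode()
    return "C-" + hmac.new(key, norm, hashlib.sha256).hexdigest()[:10]


def mask_record(record: dict, role: str, key: bytes) -> dict:
    """Dynamic masking: clear record for permitted roles, masked view for everyone else."""
    if role in FULL_ACCESS_ROLES:
        return dict(record)
    return {
        "employee_id": record["employee_id"],
        "social_insurance_no": mask_social_insurance_no(record["social_insurance_no"]),
        "history": [
            {"company": pseudonymize(h["company"], key), "salary": salary_band(h["salary"])}
            for h in record["history"]
        ],
    }


# Constructed sample record (not real data).
SAMPLE = {
    "employee_id": "E-1042",
    "social_insurance_no": "7912-034-5681",
    "history": [
        {"company": "Alpha Software JSC", "salary": 23_500_000},
        {"company": "Beta Outsourcing Ltd", "salary": 31_000_000},
    ],
}
SAMPLE_KEY = b"replace-with-a-vaulted-key"  # assumption: real key comes from a secrets store

if __name__ == "__main__":
    print(mask_record(SAMPLE, "Support Desk", SAMPLE_KEY))
    print(mask_record(SAMPLE, "HR CnB Executive", SAMPLE_KEY))
```

Two properties worth checking before calling a masking scheme irreversible: two different clear values must be able to produce the same masked value (here "7912-034-5681" and "0000-000-0081" both mask to "****-***-**81"), and the pseudonym must not be brute-forceable from a small dictionary without the key, which is why a keyed HMAC is used rather than a plain hash of the company name.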
• 28. 8. Technological controls – 8.12 Data leakage prevention
  Concerns for DLP:
  • Prioritized data and information (needs)
  • Costs of data leakage (cost)
  • DLP threats at users' endpoint devices (effort, system)
  • DLP threats from external endpoints (external)
  • DLP threats from internal operations (internal)
• 29. 8. Technological controls – 8.16 Monitoring activities
  • 8.16 is for monitoring of ICT assets; 7.4 is for monitoring of physical assets.
  Purposes of monitoring:
  • Availability: detect symptoms of potential interruption
  • Performance: evaluate performance vs load
  • Breaching: detect / prevent initial breach or attack actions
  Cycle: discover, detect, prevent, respond.
• 30. 8. Technological controls – 8.23 Web filtering; 8.28 Secure coding

• 31. The three pillars of secure coding
  • People: fostering a security culture enables designing secure software from the ground up, and threat modelling to sustain it.
  • Process: a Secure Software Development Life Cycle (SSDLC) implements measures throughout all stages of software development.
  • Tools: tools ensure adoption and improve developers' productivity.
  Secure coding in all stages of the software lifecycle: planning and analysis; design; implementation; testing & deployment; maintenance.
• 32. Approach for transition
  Typical annual ISMS program:
  • Step 1: Management support
  • Step 2: Determine scope
  • Step 3: InfoSec policy
  • Step 4: Asset inventory
  • Step 5: Risk management methodology
  • Step 6: Risk assessment
  • Step 7: Risk treatment
  • Step 8: Performance evaluation
  • Step 9: Improvement
  • Step 10: Certification audit
• 33. Transition approach
  • Step 1 – Understanding the changes: skill updates
  • Step 2 – Identifying changes to the existing ISMS: changed/new processes; changed/new controls
  • Step 3 – Implement changes: control setup; process rollouts
  • Step 4 – Assess effectiveness: internal audits; external assessments
  • Step 5 – Correct discrepancies: correction plans & actions

  Key changes to the existing ISMS
  ISO 27001:2022:
  • Updating organization context (4.2)
  • Risk assessment: integrate threat intelligence
  • Risk treatment process & SoA: Annex A of ISO 27001:2022
  • Monitoring: processes, security objectives, performance of controls, threat evaluation
  • ISMS change management process (6.3)
  • Process for the internal audit programme (9.2.2)
  • Process for management review (9.3.2, 9.3.3)
  ISO 27002:2022:
  • Address operational responsibilities: #Operational_capabilities
  • Balancing of controls: #Information_security_property, #Control_type
  • Implement new controls: people, process, technology
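The "selectable and searchable attributes" of slide 18 and the "balancing of controls" item above are easiest to see on real control data. The following is an added example for this page (not code from the slides): each of the eleven new controls is tagged with the five attribute families, a search function answers questions such as "which selected controls contribute to #Detect", and a coverage grid shows whether a selection is balanced across #Preventive/#Detective/#Corrective for each of C, I and A. The attribute values attached to the controls are the editor's reading of the standard and are illustrative; verify them against your own copy of ISO/IEC 27002:2022 before using the output in an SoA.

```python
"""Search and balance Annex A controls by their ISO 27002:2022 attributes.

Added example, not from the slides. Attribute values below are illustrative and
must be checked against the standard; the functions work for any control list.
"""
from collections import Counter
from typing import NamedTuple, FrozenSet


class Control(NamedTuple):
    id: str
    name: str
    control_type: FrozenSet[str]      # Preventive / Detective / Corrective
    sec_property: FrozenSet[str]      # C / I / A
    concept: FrozenSet[str]           # Identify / Protect / Detect / Respond / Recover
    capability: FrozenSet[str]        # operational capabilities
    domain: FrozenSet[str]            # security domains


def _c(id_, name, ctype, prop, concept, capability, domain):
    return Control(id_, name, frozenset(ctype), frozenset(prop), frozenset(concept),
                   frozenset(capability), frozenset(domain))


# Illustrative tagging of the 11 new controls (verify against the standard).
NEW_CONTROLS = [
    _c("5.7", "Threat intelligence", {"Preventive", "Detective", "Corrective"}, {"C", "I", "A"},
       {"Identify", "Detect", "Respond"}, {"Threat_and_vulnerability_management"}, {"Defence", "Resilience"}),
    _c("5.23", "Information security for use of cloud services", {"Preventive"}, {"C", "I", "A"},
       {"Protect"}, {"Supplier_relationships_security"}, {"Governance_and_Ecosystem", "Protection"}),
    _c("5.30", "ICT readiness for business continuity", {"Corrective"}, {"A"},
       {"Respond"}, {"Continuity"}, {"Resilience"}),
    _c("7.4", "Physical security monitoring", {"Preventive", "Detective"}, {"C", "I", "A"},
       {"Protect", "Detect"}, {"Physical_security"}, {"Protection", "Defence"}),
    _c("8.9", "Configuration management", {"Preventive"}, {"C", "I", "A"},
       {"Protect"}, {"Secure_configuration"}, {"Protection"}),
    _c("8.10", "Information deletion", {"Preventive"}, {"C"},
       {"Protect"}, {"Information_protection", "Legal_and_compliance"}, {"Protection"}),
    _c("8.11", "Data masking", {"Preventive"}, {"C"},
       {"Protect"}, {"Information_protection"}, {"Protection"}),
    _c("8.12", "Data leakage prevention", {"Preventive", "Detective"}, {"C"},
       {"Protect", "Detect"}, {"Information_protection"}, {"Protection", "Defence"}),
    _c("8.16", "Monitoring activities", {"Detective", "Corrective"}, {"C", "I", "A"},
       {"Detect", "Respond"}, {"Information_security_event_management"}, {"Defence"}),
    _c("8.23", "Web filtering", {"Preventive"}, {"C", "I", "A"},
       {"Protect"}, {"System_and_network_security"}, {"Protection"}),
    _c("8.28", "Secure coding", {"Preventive"}, {"C", "I", "A"},
       {"Protect"}, {"Application_security", "System_and_network_security"}, {"Protection"}),
]

PROPERTIES = ("C", "I", "A")
TYPES = ("Preventive", "Detective", "Corrective")


def search(controls, **wanted):
    """IDs of controls whose attribute fields contain every requested value.
    Example: search(NEW_CONTROLS, concept="Detect", sec_property="A")."""
    hits = []
    for c in controls:
        if all(({v} if isinstance(v, str) else set(v)) <= getattr(c, field)
               for field, v in wanted.items()):
            hits.append(c.id)
    return hits


def select(controls, ids):
    """The subset of controls an organization has marked applicable in its SoA."""
    wanted = set(ids)
    return [c for c in controls if c.id in wanted]


def coverage(controls):
    """How many controls cover each (property, control type) pair."""
    grid = Counter()
    for c in controls:
        for p in c.sec_property:
            for t in c.control_type:
                grid[(p, t)] += 1
    return grid


def coverage_gaps(controls):
    """(property, control type) pairs with no control at all: the imbalance to explain or fix."""
    grid = coverage(controls)
    return [(p, t) for p in PROPERTIES for t in TYPES if grid[(p, t)] == 0]


if __name__ == "__main__":
    print("Detect:", search(NEW_CONTROLS, concept="Detect"))
    print("gaps if only 8.9/8.23/8.28 are selected:",
          coverage_gaps(select(NEW_CONTROLS, ["8.9", "8.23", "8.28"])))
```

Run against a full SoA rather than only the new controls, the gap list is the evidence an auditor will ask for under "balancing of controls": a selection made up entirely of preventive controls leaves every property without a detective or corrective control, which `coverage_gaps` reports as six missing pairs.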
• 34. Upgrade audit
  Includes verification of:
  • Gap analysis against ISO 27001:2022
  • Changes to the client's ISMS
  • SoA update
  • Risk treatment
  • Effectiveness of the implementation of the new and changed clauses and controls

  HQC Training Consultant Ltd.
  Head office: 3rd floor, 96 Cao Thắng, Ward 4, District 3, HCM
  Phone: (84) 777 174 471
  Email: admin@hqc-company.com
  Website: https://hqc-company.com