https://www.slideshare.net/AndreyProzorov/iso-270052022-overview-221028pdf
ISO 27005:2022 Overview (ISO 27005:2022 OVERVIEW 221028.PDF)
Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 (Cybersecurity and Privacy Expert at RAOS Project Oy)
Published on SlideShare Oct. 29, 2022. 33 slides. Category: Technology.
* 1. ISO 27005:2022 Overview by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001. www.patreon.com/AndreyProzorov. Version 1.0, 28.10.2022

* 2. Agenda
1. Purchasing
2. Life cycle
3. New Name
4. Main changes
5. Abstract
6. Number of pages
7. Contents
8. Introduction
9. Clause 1: Scope
10. Clause 3: Terms and definitions
11. Clause 4: Structure of this document
12. Clause 5: IS risk management
13. Clause 6: Context establishment
14. Clause 7: Information security risk assessment process
15. Approaches to perform risk identification
16. Clause 8: Information security risk treatment process
17. Clause 9: Operations
18. Clause 10: Leveraging related ISMS processes
19. Annexes
20. Annexes. Tables
21. New examples of typical threats
22. New risk sources
23. Qualitative approach (new matrix and scales)
24. Quantitative approach (examples), 2022
25. Annexes. New figures
26. Conclusion

* 3. Purchasing: www.iso.org/standard/80585.html (≈180 Euro)

* 4. Life cycle (figure only)

* 5. New Name
ISO/IEC 27005:2018: Information technology — Security techniques — Information security risk management
ISO/IEC 27005:2022: Information security, cybersecurity and privacy protection — Guidance on managing information security risks

* 6. Main changes
1. All guidance text has been aligned with ISO/IEC 27001:2022 and ISO 31000:2018
2. The terminology has been aligned with the terminology in ISO 31000:2018
3. The structure of the clauses has been adjusted to the layout of ISO/IEC 27001:2022
4. Risk scenario concepts have been introduced
5. The event-based approach is contrasted with the asset-based approach to risk identification
6. The content of the annexes has been revised and restructured into a single annex
+ More examples and models

* 7. Abstract
ISO/IEC 27005:2018: This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.
ISO/IEC 27005:2022: This document provides guidance to assist organizations to:
• fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
• perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

* 8. Number of pages
ISO/IEC 27005:2018: 56
ISO/IEC 27005:2022: 62

* 9. Contents
ISO/IEC 27005:2018:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Background
6. Overview of the information security risk management process
7. Context establishment
8. Information security risk assessment
9. Information security risk treatment
10. Information security risk acceptance
11. Information security risk communication and consultation
12. Information security risk monitoring and review
Annex A. Defining the scope and boundaries of the information security risk management process
Annex B. Identification and valuation of assets and impact assessment
Annex C. Examples of typical threats
Annex D. Vulnerabilities and methods for vulnerability assessment
Annex E. Information security risk assessment approaches
Annex F. Constraints for risk modification
Bibliography
ISO/IEC 27005:2022:
Foreword
Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this document
5. Information security risk management
6. Context establishment
7. Information security risk assessment process
8. Information security risk treatment process
9. Operation
10. Leveraging related ISMS processes
Annex A (informative). Examples of techniques in support of the risk assessment process
Bibliography

* 10. Introduction
This document provides guidance on:
• implementation of the information security risk requirements specified in ISO/IEC 27001;
• essential references within the standards developed by ISO/IEC JTC 1/SC 27 to support information security risk management activities;
• actions that address risks related to information security (see ISO/IEC 27001:2022, 6.1 and Clause 8);
• implementation of risk management guidance in ISO 31000 in the context of information security.
This document contains detailed guidance on risk management and supplements the guidance in ISO/IEC 27003.
This document is intended to be used by: • organizations that intend to establish and implement an information security management system (ISMS) in accordance with ISO/IEC 27001; • persons that perform or are involved in information security risk management (e.g. ISMS professionals, risk owners and other interested parties); • organizations that intend to improve their information security risk management process. 10 * 11. 1. Scope 11 ISO/IEC 27005:2018 ISO/IEC 27005:2022 This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/ IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization’s information security. This document provides guidance to assist organizations to: • fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; • perform information security risk management activities, specifically information security risk assessment and treatment. This document is applicable to all organizations, regardless of type, size or sector. * 12. 3. 
Terms and definitions 12 ISO/IEC 27005:2018 ISO/IEC 27005:2022 N/A, just a reference to ISO 27000 and databases: • ISO Online browsing platform: www.iso.org/obp • IEC Electropedia: www.electropedia.org 3.1 Terms related to information security risk (17): external context, internal context, risk, risk scenario, risk owner, risk source, risk criteria, risk appetite, threat, vulnerability, event, information security incident, likelihood, consequence, level of risk, control, residual risk 3.2 Terms related to information security risk management (10): risk management process, risk communication and consultation, risk assessment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, risk sharing, risk retention ”Risk scenario - sequence or combination of events leading from the initial cause to the unwanted consequence.” * 13. 4. Structure of this document This document is structured as follows: • Clause 5: Information security risk management; • Clause 6: Context establishment; • Clause 7: Information security risk assessment process; • Clause 8: Information security risk treatment process; • Clause 9: Operation; • Clause 10: Leveraging related ISMS processes. Except for the descriptions given in general subclauses, all risk management activities as presented from Clause 7 to Clause 10 are structured as follows: • Input: Identifies any required information to perform the activity. Action: Describes the activity. • Trigger: Provides guidance on when to start the activity, for example because of a change within the organization or according to a plan or a change in the external context of the organization. • Output: Identifies any information derived after performing the activity, as well as any criteria that such output should satisfy. • Guidance: Provides guidance on performing the activity, keyword and key concept. 13 * 14. 5. 
IS risk management Risk management process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. • Classic scheme (2018) + Documented Information (2022) • Risk treatment cyclical process (2018) -> Risk treatment iterative process (2022): — formulating and selecting risk treatment options; — planning and implementing risk treatment; — assessing the effectiveness of that treatment; — deciding whether the remaining risk is acceptable; — taking further treatment if not acceptable. • Added IS risk management cycles: strategic (overall context) and operational (scenarios) • Many changes in the activity descriptions, additional recommendations. See further… 14 * 15. 6 Context establishment 15 ISO/IEC 27005:2018, pages 5-8 ISO/IEC 27005:2022, pages 9-16 7.1 General considerations 7.2 Basic criteria • 7.2.1 Risk management approach • 7.2.2 Risk evaluation criteria • 7.2.3 Impact criteria • 7.2.4 Risk acceptance criteria 7.3 Scope and boundaries 7.4 Organization for information security risk management 6.1 Organizational considerations 6.2 Identifying basic requirements of interested parties 6.3 Applying risk assessment 6.4 Establishing and maintaining information security risk criteria • 6.4.1 General • 6.4.2 Risk acceptance criteria • 6.4.3 Criteria for performing information security risk assessments • 6.4.3.1 General • 6.4.3.2 Consequence criteria • 6.4.3.3 Likelihood criteria • 6.4.3.4 Criteria for determining the level of risk 6.5 Choosing an appropriate method * 16. 7. 
Information security risk assessment process 16 ISO/IEC 27005:2018, pages 8-16 ISO/IEC 27005:2022, pages 16-23 8.1 General description of information security risk assessment • 8.2 Risk identification 8.2.1 Introduction to risk identification • 8.2.2 Identification of assets • 8.2.3 Identification of threats • 8.2.4 Identification of existing controls • 8.2.5 Identification of vulnerabilities • 8.2.6 Identification of consequences 8.3 Risk analysis • 8.3.1 Risk analysis methodologies • 8.3.2 Assessment of consequences • 8.3.3 Assessment of incident likelihood • 8.3.4 Level of risk determination 8.4 Risk evaluation 7.1 General 7.2 Identifying information security risks • 7.2.1 Identifying and describing information security risks • 7.2.2 Identifying risk owners 7.3 Analysing information security risks • 7.3.1 General • 7.3.2 Assessing potential consequences • 7.3.3 Assessing likelihood • 7.3.4 Determining the levels of risk 7.4 Evaluating the information security risks • 7.4.1 Comparing the results of risk analysis with the risk criteria • 7.4.2 Prioritizing the analysed risks for risk treatment * 17. 17 * 18. Approaches to perform risk identification 18 Event-based (scenarios) Asset-based Identify strategic scenarios through a consideration of risk sources, and how they use or impact interested parties to reach those risk’s desired objective. Identify operational scenarios, which are detailed in terms of assets, threats and vulnerabilities. The underlying concept is that risks can be identified and assessed through an evaluation of events and consequences. The underlying concept is that risks can be identified and assessed through an inspection of assets, threats and vulnerabilities. • An event-based approach can establish high level or strategic scenarios without spending a considerable amount of time in identification of assets on a detailed level. • This allows the organization to focus its risk treatment efforts on the critical risks. 
• Interviews with top management • Top-down • An asset is anything that has value to the organization and therefore requires protection. • If all valid combinations of assets, threats and vulnerabilities can be enumerated within the scope of the ISMS, then, in theory, all the risks would be identified. • The asset-based approach can identify asset- specific threats and vulnerabilities and allows the organization to determine specific risk treatment on a detailed level. • Bottom-up * 19. 8. Information security risk treatment process 19 ISO/IEC 27005:2018, pages 16-20 ISO/IEC 27005:2022, pages 23-30 9.1 General description of risk treatment 9.2 Risk modification 9.3 Risk retention 9.4 Risk avoidance 9.5 Risk sharing 10 Information security risk acceptance 8.1 General 8.2 Selecting appropriate information security risk treatment options 8.3 Determining all controls that are necessary to implement the information security risk treatment options 8.4 Comparing the controls determined with those in ISO/IEC 27001:2022, Annex A 8.5 Producing a Statement of Applicability 8.6 Information security risk treatment plan 8.6.1 Formulation of the risk treatment plan 8.6.2 Approval by risk owners 8.6.3 Acceptance of the residual information security risks * 20. 20 * 21. 9. Operations, page 31 21 9.1 Performing information security risk assessment process 9.2 Performing information security risk treatment process Input: Documents about the information security risk assessment process including risk assessment and risk acceptance criteria. Action: The risk assessment process should be performed in accordance with Clause 7. Trigger: The need of the organization to assess risks, at planned intervals or based on events. Output: Evaluated risks. Implementation guidance: … Input: Evaluated risk(s). Action: The risk treatment process should be performed in accordance with Clause 8. Trigger: The need of the organization to treat risks, at planned intervals or based on events. 
• Output: Retained or accepted residual risks.
• Implementation guidance: …

* 22. 10. Leveraging related ISMS processes, pages 32-40

ISMS clause and actions:
• 10.1 Context of the organization: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and the requirements of interested parties.
• 10.2 Leadership and commitment: An appropriate level of management should consider results related to information security risks, to decide on or endorse further actions.
• 10.3 Communication and consultation: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties.
• 10.4 Documented information: Information about the information security risk assessment and treatment processes and results should be documented and retained.
• 10.5 Monitoring and review: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.
• 10.6 Management review: The results of the information security risk assessment and the status of the information security risk treatment plan should be reviewed to confirm that residual risks meet the risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options.
• 10.7 Corrective action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level.
• 10.8 Continual improvement: The information security risk management process should be continually monitored, reviewed and improved as necessary.
+ Inputs/Outputs, Triggers, Implementation guidance

* 23. Annexes

ISO/IEC 27005:2018, pages 24-52; ISO/IEC 27005:2022, pages 41-61

ISO/IEC 27005:2018:
Annex A.
Defining the scope and boundaries of the information security risk management process
  • A.1 Study of the organization
  • A.2 List of the constraints affecting the organization
  • A.3 List of the constraints affecting the scope
Annex B. Identification and valuation of assets and impact assessment
  • B.1 Examples of asset identification (primary and supporting)
  • B.2 Asset valuation
  • B.3 Impact assessment
Annex C. Examples of typical threats (+ Origin of threat)
Annex D. Vulnerabilities and methods for vulnerability assessment
  • D.1 Examples of vulnerabilities
  • D.2 Methods for assessment of technical vulnerabilities
Annex E. Information security risk assessment approaches
  • E.1 High-level information security risk assessment
  • E.2 Detailed information security risk assessment
Annex F. Constraints for risk modification

ISO/IEC 27005:2022:
Annex A (informative). Examples of techniques in support of the risk assessment process
  • A.1 Information security risk criteria
    • A.1.1 Criteria related to risk assessment
    • A.1.2 Risk acceptance criteria
  • A.2 Practical techniques
    • A.2.1 Information security risk components
    • A.2.2 Assets
    • A.2.3 Risk sources and desired end state
    • A.2.4 Event-based approach
    • A.2.5 Asset-based approach
    • A.2.6 Examples of scenarios applicable in both approaches
    • A.2.7 Monitoring risk-related events

* 24. Annexes.
Tables

ISO/IEC 27005:2018:
• Examples of typical threats
• Origin of threats
• Examples of typical vulnerabilities
• Table E.1 — The asset values, and the threat and vulnerability levels
• Table E.2 — Results from the consideration of the likelihood of an incident scenario, mapped against the estimated business impact
• Table E.3 — The factors of consequences (asset value) and likelihood of threat occurrence (taking account of vulnerability aspects)
• Table E.3 — Combination of the likelihood of the threat occurring and the ease of exploitation of the vulnerability
• Table E.4 — The intersection of asset value and likelihood value

ISO/IEC 27005:2022:
• Table A.1 — Example of consequence scale
• Table A.2 — Example of likelihood scale
• Table A.3 — Example of qualitative approach to risk criteria
• Table A.4 — Example logarithmic likelihood scale
• Table A.5 — Example logarithmic consequence scale
• Table A.6 — Example of evaluation scale combined with three-colour risk matrix
• Table A.7 — Examples and usual methods of attack
• Table A.8 — Example classification of motivations to express the DES
• Table A.9 — Examples of target objectives
• Table A.10 — Examples of typical threats
• Table A.11 — Examples of typical vulnerabilities
• Table A.12 — Examples of risk scenarios in both approaches
• Table A.13 — Example of risk scenario and monitoring risk-related events relationship

* 25. New examples of typical threats

ISO/IEC 27005:2018:
1. Physical damage (6)
2. Natural events (5)
3. Loss of essential services (3)
4. Disturbance due to radiation (3)
5. Compromise of information (11)
6. Technical failures (5)
7. Unauthorized actions (5)
8. Compromise of functions (5)
Total: 43

ISO/IEC 27005:2022:
1. Physical threats (6)
2. Natural threats (6)
3. Infrastructure failures (8)
4. Technical failures (3)
5. Human actions (26)
6. Compromise of functions or services (4)
7. Organizational threats (4)
Total: 56
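As an added example (not material from this deck, and not the standard's own figures), the following Python sketch walks through the flow compared on slides 16, 18 and 19 of the deck: asset-based identification from enumerated asset/threat/vulnerability combinations, a qualitative consequence x likelihood level with a three-colour banding of the kind Table A.6 illustrates, comparison of each level with a risk acceptance criterion and prioritisation for treatment, and the "modify" treatment option followed by the residual-risk acceptance check of 8.6.3. The scales, the acceptance threshold, the asset catalogue, the planned controls and the assumption that a control lowers likelihood by one step are all constructed for illustration.

```python
"""Constructed risk-register example (not from the slides or the standard).
It walks the ISO/IEC 27005:2022 flow the slides summarise: asset-based
identification (7.2), analysis with qualitative scales and a three-colour
matrix (7.3), evaluation against risk criteria (7.4), then the 'modify'
treatment option with residual-risk acceptance (8.2, 8.6.3). Scales, matrix,
threshold and catalogue are illustrative assumptions, not Tables A.1-A.6."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed qualitative scales: 1 = lowest, 3 = highest (not Tables A.1/A.2).
CONSEQUENCE = {"minor": 1, "moderate": 2, "severe": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
LIKELIHOOD_STEPS = ["rare", "possible", "likely"]
# Assumed risk acceptance criterion (7.4.1): only "green" cells are accepted as-is.
ACCEPTABLE_MAX_LEVEL = 2

def risk_level(consequence: str, likelihood: str) -> int:
    """7.3.4: level of risk as the product of the two scale values (1..9)."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]

def colour(level: int) -> str:
    """Assumed three-colour banding of the 1..9 matrix."""
    return "green" if level <= 2 else "amber" if level <= 4 else "red"

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str                       # 7.2.2: every risk has a named risk owner
    consequence: str
    likelihood: str
    treatment: str = "retain"        # 8.2 options: modify, retain, avoid, share
    controls: list[str] = field(default_factory=list)
    residual_likelihood: str = ""    # set once a control is planned
    residual_accepted: bool = False  # 8.6.3: residual risk meets the criterion

    @property
    def level(self) -> int:
        return risk_level(self.consequence, self.likelihood)

    @property
    def residual_level(self) -> int:
        return risk_level(self.consequence, self.residual_likelihood or self.likelihood)

# Constructed catalogue: asset -> (risk owner, consequence if compromised), and
# the valid asset/threat/vulnerability combinations with an assessed likelihood.
ASSETS = {"customer database": ("CISO", "severe"),
          "public website": ("IT manager", "moderate"),
          "marketing brochures": ("Marketing lead", "minor")}
COMBINATIONS = {
    "customer database": [("unauthorised access", "weak password policy", "likely"),
                          ("ransomware", "untested backups", "possible")],
    "public website": [("defacement", "unpatched CMS", "possible")],
    "marketing brochures": [("loss of file", "single copy on a laptop", "possible")]}
# Constructed treatment plan: one control per threat, assumed to lower likelihood one step.
PLANNED_CONTROLS = {"unauthorised access": "MFA for database accounts",
                    "ransomware": "tested offline backups",
                    "defacement": "CMS patch management"}

def identify_risks() -> list[Risk]:
    """7.2 asset-based identification: one risk per valid combination."""
    return [Risk(asset, threat, vuln, owner, consequence, likelihood)
            for asset, (owner, consequence) in ASSETS.items()
            for threat, vuln, likelihood in COMBINATIONS[asset]]

def evaluate(risks: list[Risk]) -> tuple[list[Risk], list[Risk]]:
    """7.4: split by the acceptance criterion; risks needing treatment are
    prioritised highest level first (7.4.2)."""
    needs_treatment = sorted((r for r in risks if r.level > ACCEPTABLE_MAX_LEVEL),
                             key=lambda r: r.level, reverse=True)
    return needs_treatment, [r for r in risks if r.level <= ACCEPTABLE_MAX_LEVEL]

def treat(risk: Risk, control: str) -> Risk:
    """8.2 'modify': record the control, apply its assumed effect, then
    re-check the residual level against the acceptance criterion (8.6.3)."""
    risk.treatment, risk.controls = "modify", risk.controls + [control]
    step = LIKELIHOOD_STEPS.index(risk.likelihood)
    risk.residual_likelihood = LIKELIHOOD_STEPS[max(step - 1, 0)]
    risk.residual_accepted = risk.residual_level <= ACCEPTABLE_MAX_LEVEL
    return risk

def run_register() -> dict[str, list[str]]:
    """Whole pass; residual risks still above the criterion go back to the
    risk owner for further treatment or explicit acceptance."""
    needs_treatment, acceptable = evaluate(identify_risks())
    for r in needs_treatment:
        treat(r, PLANNED_CONTROLS[r.threat])
    accepted = acceptable + [r for r in needs_treatment if r.residual_accepted]
    pending = [r for r in needs_treatment if not r.residual_accepted]
    return {"accepted": [f"{r.asset}/{r.threat}" for r in accepted],
            "owner decision required": [f"{r.asset}/{r.threat} ({r.owner}, residual {colour(r.residual_level)})"
                                        for r in pending]}

if __name__ == "__main__":
    for bucket, entries in run_register().items():
        print(f"{bucket}: {entries}")
```

Running it leaves two customer-database risks above the assumed criterion even after the planned control: that is the 8.6.3 decision point, where the risk owner either plans further controls or records an explicit acceptance of the residual risk. The "one step down" effect of a control is the weakest assumption in the sketch; in a real register the residual likelihood and consequence are re-assessed per risk rather than derived mechanically.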
* 26. New risk sources

ISO/IEC 27005:2018 (Annex C, part of threat examples), human threat sources:
1. Hacker, cracker
2. Computer criminal
3. Terrorist
4. Industrial espionage (intelligence, companies, foreign governments, other government interests)
5. Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Table with Motivation and Possible consequences

ISO/IEC 27005:2022 (Table A.7 Examples and usual methods of attack), risk sources:
1. State-related (states, intelligence agencies)
2. Organized crime (cybercriminal organizations: mafias, gangs, criminal outfits)
3. Terrorist (cyber-terrorists, cyber-militias)
4. Ideological activist (cyber-hacktivists, interest groups, sects)
5. Specialized outfits ("cyber-mercenary")
6. Amateur
7. Avenger
8. Pathological attacker

* 27. Qualitative approach (new matrix and scales)
ISO/IEC 27005:2018 vs ISO/IEC 27005:2022 (slide contains only figures)

* 28. Quantitative approach (examples), 2022 (slide contains only a figure)

* 29. Annexes. New figures (slide contains only figures)

* 30. Instead of a conclusion:
1. General procedures (Assessment and Treatment) are OK, as usual. ☺ ☺
2. Two approaches: asset-based and event-based (scenarios), finally. ☺
3. «9. Operation» and «10. Leveraging related ISMS processes» are useful for the ISMS implementation. ☺ ☺
4. Tables «A.10 Examples of typical threats» and «A.11 Examples of typical vulnerabilities», likelihood and consequence scales can be used for inspiration. ☺
5. «A.2 Practical techniques» are poorly designed and described. New figures and the examples of scenarios are useless. ☹ ☹
6. ISO 27005:2022 is a very complicated standard and every new version makes it more difficult. ☹
In my opinion, the ISACA IT Risk and IRAM2 are much more useful and practical. I recommend using them.

* 31. Thanks!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov

* 32. Have you seen my previous presentation?
www.patreon.com/posts/my-presentation-73750394
* 33. My ISMS Implementation Toolkit (ISO 27001)
www.patreon.com/posts/47806655