Information Security, Data and Compliance

Email

PART 1 - NEW CONCEPTS

1.) Identification of interested parties relevant to the ISMS - including relevant requirements which will be addressed by the ISMS

Phase: Identify Clause(s): 4.2.a.b.c New Requirement: A more explicit requirement for validating that interested parties, their needs and expectations relevant to the ISMS have been identified.

Comments if required

2.) Planning for the ISMS has determined organizational processes and interactions with the ISMS?

Phase: Identify Clause(s) 4.4 New Requirement: New explicit requirement for the adoption of a process approach

Comments if required

3.) Executive management has established and supported a way for communicating responsibilities and authorities for roles relevant to IS within the organization?

Phase: Action Clause(s) 5.3 New Requirement: Explicit requirement for top management to ensure that IS roles, responsibilities and authorities are communicated within the organization.

Comments if required

4.) Establishment of IS objectives are monitored including responsibility

Phase: Assess Clause(s) 6.2.d) New Requirement: IS objectives are to be monitored.

Comments if required

5.) There is an established process for managing changes to the ISMS and these changes are authorised

Phase: Plan Clause(s) 6.3 Changes to the ISMS are to be planned.

Comments if required

6.) Are the needs and expectations of interested parties relevant to the ISMS reviewed during the management review?

Phase: Action Clause(s) 9.3.2.c) Changes in the needs and expectations of interested parties are to addressed during management review.

Comments if required

7.) Identified threat intelligence requirements based upon a risk assessment of information, information storage and information processing assets - what information is recieved, who is analysing this, etc

Phase: Plan Clause(s) 5.7 Threat intelligence

Comments if required

8.) Cloud assessment are made based on organizational requirements, determining which model is best. It is known what controls are in place to monitor the performance/effectiveness of the CSP? Lifecycle (deregistration) are taking into account via a process.

Phase: Plan Clause(s) 5.23 Security considerations and controls for cloud services.

Comments if required

9.) BCP include requirements to ensure the CIA of information in BC. IT requirements for BC are tested. RTO/RPOs for your IT in BC situations established and documented.

Phase: Plan Clause(s) 5.30 Business continuity and IT readiness

Comments if required

10.) Physical premises are continuously monitored for unauthorised access

Phase: Action Clause(s) 7.4 Physical security monitoring

Comments if required

11.) Process for configuring/hardening system in place. It is ensure that this process is being followed and that system configuration is monitored and reviewed?

Phase: Action Clause(s) 8.9 Configuration management

Comments if required

12.) Information identified, rules established governing date retention and deletion. When information is no longer required it is deleted from information systems, devices or other storage media.

Phase: Plan, Action Clause(s) 8.10, 8.10 Information deletion

Comments if required

13.) Sensitive data has been identified, rules established governing the need to mask this data. Access to raw, sensitive data is controlled. There is a process for masking data. Applicable legislation regarding data and data masking?

Phase: Plan, Plan, Action, Plan Clause(s) 8.11, 8.11, 8.11, 8.11 Data masking

Comments if required

14.) Sensitive information is identified - information that is stored, processed and/or transmitted. Systems, apps, tools that are used to store, process and/or transmit this sensitive information are identified. DLP risks assessed. There are processes/tools in place to prevent data leakage

Phase: Action Clause(s) 8.12 Data leakage prevention

Comments if required

15.) Networks monitored for anomalous behaviour. Upon detection, the anomalous behaviour is evaluated and reported

Phase: Action, Plan Clause(s) 8.16, 8.16 Monitoring activities

Comments if required

16.) Access to external websites have reduced exposure to malicious content. Employees are aware of the information security risks that unmanaged web browsing poses.

Phase: Action Clause(s) 8.23 Web filtering

Comments if required

17.) Secure coding principles and practices are implemented. The competence of developers are assessed.

Phase: Plan Clause(s) 8.28 Secure coding

Comments if required

Part 2: ISO 27001:2022 Requirements

Tip: Ensure that you can demonstrate that each requirement of ISO 27001:2022 has been addressed within the ISMS. ISO 27001:2022 cross reference and the significant changes from the 2013 version:

18.) No change: External and internal issues relevant to and affect the ISMS are identified

4.1 Understanding the organization and its context

Comments if required

19.) External and internal issues and interested parties are identified. Interfaces and dependencies are identified and considered

4.3 Determining the scope of the quality of the ISMS

Comments if required

20.) Can top management display their degree of leadership and commitment to the ISMS.

5.1 Leadership and commitment

Comments if required

21.) Is an information security policy available and appropriate to the purpose and context of the organization and does it support the strategic direction of the company?

5.2 Policy

Comments if required

22.) 6.1.2 There is a risk assessment process. Risk assessments of information and information storage/ processing assets are made. 6.1.3 Have you created a Statement of Applicability (SOA) and is it aligned to the new control groups and numbering system? Is the SOA version controlled and dated?

6.1 Actions to address risks and opportunities

Comments if required

23.) Have resource needs to the ISMS been identified?

7.1 Resources

Comments if required

24.) 7.4.d) Have you determined how to communicate the ISMS?

7.4 Communication

Comments if required

25.) Have criteria been set for the processes identified in Clause 6 and implemented control of those processes? There processes and controls are documented.

8.1 Operational planning and control

Comments if required

26.) Monitoring and measuring produces valid, comparable and reproductive results. The ISMS information security performance and the effectiveness must also be evaluated.

9.1 Monitoring, measurement, analysis and evaluation

Comments if required

27.) This is broken into sub clauses though no significant change to requirements.

9.2 Internal audit

Comments if required

Annex A Controls - 5. Organizational controls

ISO 27001:2022 cross reference and the significant changes from the 2013 version

28.) Merging of 5.1.1 and 5.1.2 – no big change.

5.1 Policies for information security

Comments if required

29.) Merging of 6.1.5 and 14.1.1 - more detailed requirement added.

5.8 Information security in project management

Comments if required

30.) Merging of 8.1.1 and 8.1.2 - No big change.

5.9 Inventory of information and other associated assets

Comments if required

31.) Merging of 8.1.3 and 8.2.3 highlights on procedures for managing information and other assets.

5.10 Acceptable use of information and other associated assets

Comments if required

32.) 8.2.1 – The update introduces ‘transfer facilities’

5.14 Information transfer

Comments if required

33.) Merging of 9.1.1 and 9.1.2 - no need for an Access Control Policy, but rules governing access must be established and implemented.

5.15 Access control

Comments if required

34.) 9.2.1 – Now details states ‘full lifecycle’ and includes registration, de-registration and change.

5.16 Identity management

Comments if required

35.) Merging of 9.2.4, 9.3.1, 9.4.3 has a reference to handling authentication information by employees.

5.17 Authentication information

Comments if required

36.) Merging 9.2.2, 9.2.5, 9.2.6 – No big change.

5.18 Access rights

Comments if required

37.) 15.1.1 – Centers on the organization’s use of suppliers’ products/services and access to organizational assets including information.

5.19 Information security in supplier relationships

Comments if required

38.) Merging of 15.2.1 and 15.2.2 – No big change.

5.22 Monitoring, review and change management of supplier services

Comments if required

39.) 16.1.6 – Focus is now on enhancing and optimizing IS controls.

5.27 Learning from information security incidents

Comments if required

40.) Merging of 17.1.1, 17.1.2, 17.1.3 – Clarifies previous requirements.

5.29 Information security during disruption

Comments if required

41.) Merging of 18.1.1 and 18.1.5 – No big change.

5.31 Legal, statutory, regulatory and contractual requirements

Comments if required

42.) Merging of 18.2.2 and 18.2.3 – No big change.

5.36 Compliance with policies, rules and standards for information security

Comments if required

Annex A Controls - 6. People controls

ISO 27001:2022 cross reference and the significant changes from the 2013 version

43.) 7.2.3 – Emphasis on IS violation and not just breach.

6.4 Disciplinary process

Comments if required

44.) 13.2.4 – It is required that NDAs and CAs are signed.

6.6 Confidentiality or non-disclosure agreements (NDAs)

Comments if required

45.) 16.2.2 – Focuses on remote workers.

6.7 Remote working

Comments if required

46.) 16.1.2 and 16.1.3 – No difference between events and weaknesses - events either observed or suspected are reported.

6.8 Information security event reporting

Comments if required

Annex A Controls - 7. Physical controls

ISO 27001:2022 cross reference and the significant changes from the 2013 version

47.) Merging of 11.1.2 and 11.1.6 – No big change.

7.2 Physical entry

Comments if required

48.) 8.3.1, 8.3.2, 8.3.3, 11.2.5 – Lifecycle management must be introduced

7.10 Storage media

Comments if required

49.) 11.2.3 – Cables carrying power (but not data) are mentioned.

7.12 Cabling security

Comments if required

Annex A Controls - 8. Technological controls

ISO 27001:2022 cross reference and the significant changes from the 2013 version

50.) 11.2.8 – The emphasis is now on protection of information uccessible by the user end-point.

8.1 User end point devices

Comments if required

51.) 9.4.5 – Includes development tools and software/coding libraries.

8.4 Access to source code

Comments if required

52.) Merging of 12.4.1, 12.4.2, 12.4.3 – No big change.

8.15 Logging

Comments if required

53.) Merging of 10.1.1 and 10.1.2 – No big change.

8.24 Use of cryptography

Comments if required

54.) Merging of 14.1.2 and 14.1.3 – Simplification of the existing controls.

8.26 Application security requirements

Comments if required

55.) 14.2.5 – Introduces the requirement for secure system architecture.

8.27 Secure system architecture and engineering principles

Comments if required

56.) Merging of 14.2.8 and 14.2.9 – No big change.

8.29 Security testing in development and acceptance

Comments if required

57.) 12.1.2, 14.2.2, 14.2.3, 14.2.4 – The combinations of these controls are less prescriptive.

8.32 Change management

Comments if required

Areas for further investigation:

- By continuing to submit this form, you have read and confirm that the information you provide will be processed by Superuser OÜ as described in the Privacy Policy. If you do not consent, please do not access or use the tool.

ISO 27001:2022
GAP ANALYSIS TOOL

This gap analysis form provides us with a simple framework to evaluate your information security management system against ISO 27001:2022.

• Part 1: new concepts – these are the new concepts introduced in ISO 27001:2022

• Part 2: requirements – these include the amended clauses, processes and functional activities between ISO 27001:2013 and ISO 27001:2022.

ISO 27001:2022GAP ANALYSIS TOOL

This gap analysis form provides us with a simple framework to evaluate your information security management system against ISO 27001:2022.

• Part 1: new concepts – these are the new concepts introduced in ISO 27001:2022• Part 2: requirements – these include the amended clauses, processes and functional activities between ISO 27001:2013 and ISO 27001:2022.

ISO 27001:2022
GAP ANALYSIS TOOL

• Part 1: new concepts – these are the new concepts introduced in ISO 27001:2022

• Part 2: requirements – these include the amended clauses, processes and functional activities between ISO 27001:2013 and ISO 27001:2022.