ISO / IEC 27001:2022
Lead Implementer
Training Course
TUV SUD South Asia Pvt. Ltd. | ISO/IEC 27001:2013 ISMS Lead Implementer - Ed 2022 Rev 1 12 December 2022
Welcome to the
Lead Implementer Training Course
on
Information Security, Cybersecurity and Privacy Protection –
Information Security Management Systems
based on ISO / IEC 27001:2022
Introduction
TÜV SÜD at a glance
▪ 150+ years of safety, security & sustainability
▪ 1,000+ locations worldwide
▪ €2.5 billion in annual revenue
▪ 24,500+ employees*
▪ 41% of revenue outside Germany^
▪ 574,000 certificates
▪ 100% independent & impartial
▪ 1-stop solutions provider
*As of 2018-12-31
^Based on clients' locations
Note: Figures have been rounded off.
Adding value across the business lifecycle
Services:
▪ Auditing and System Certification
▪ Testing and Product Certification
▪ Inspection
▪ Training
▪ Advisory
Industries:
▪ Chemical & Process
▪ Consumer Products & Retail
▪ Energy
▪ Healthcare & Medical Devices
▪ Infrastructure & Rail
▪ Manufacturing
▪ Mobility & Automotive
▪ Real Estate
The sure sign of trust
▪ 500,000 product certificates
▪ 54,000 system certificates
▪ 20,000 personnel certificates
TÜV SÜD: A brand synonymous with quality and safety. Our certification marks and certificates are excellent marketing tools for our customers. Our test reports
provide customers with the confidence to market their products' safety, quality and sustainability attributes. Our personnel certificates provide our customers with
greater market opportunity.
TÜV SÜD Group – Corporate logo
▪ The octagonal logo – a distinctive and established trademark.
▪ The corporate logo echoes the globally recognized certification mark of
TÜV SÜD group.
▪ The 3D effect underpins the claim to premium status.
▪ The logo expresses the value added of TÜV SÜD services.
Your Lead Trainer
Introduction:
▪ Name: ____________________________
▪ Qualification: ______________________
▪ Experience: _______________________
General Instructions
▪ Training will begin at 9:30 am sharp every day for the next five days.
▪ Smoking is prohibited in this venue.
▪ Kindly switch off or keep your mobile phones on silent mode to maintain focus and
concentration during the sessions. Use of mobile phones is permitted during lunch
and tea breaks only.
▪ Tea and lunch breaks will be provided at stipulated times. The duration of breaks will strictly follow the schedule.
▪ Participants are requested to be aware of and understand the fire safety plan, safety rules and evacuation route.
▪ Participants are requested to be punctual, maintain discipline and decorum during
the training sessions.
Participant Kit
▪ Course Material which includes the following components
a. Timetable
b. Presentation Slides
c. Workbook
d. Sample ISMS Manual
▪ Specimen Examination Paper.
▪ Training feedback form (Will be given on last day of training)
Course Objectives
▪ Gain knowledge and skill for implementing the requirements of the ISO/IEC 27001:2022 international standard.
▪ Understand the purpose of an Information Security Management System and the processes involved in establishing,
implementing, operating, monitoring, reviewing and improving an ISMS as defined in ISO/IEC 27001:2022
▪ Understand the purpose, content and inter-relationships of ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27003
▪ Understand the changes in the 3rd edition of ISO/IEC 27001:2022 as compared to the 2nd edition of ISO/IEC
27001:2013
Course Based On
ISO/IEC 27001:2022, ISO/IEC 27002:2022 and ISO/IEC 27003:2017
Course Completion Benefits and Course Duration
Benefits:
▪ Successful completion of this course will give a participant the ISMS Lead Implementer qualification.
▪ Participants will be equipped with the knowledge and appropriate skills to implement an ISMS within an organization.
Duration:
▪ The total course time devoted to training, exercises and examination is 40 hours.
▪ The course will be presented for five consecutive days OR on non-consecutive days.
▪ Time devoted to meals, breaks etc. is not included in the 40 hours.
Course Approach
▪ Tutorials
▪ Skill based exercises.
▪ Case studies.
▪ Group discussions and presentations.
For better understanding:
▪ Interact with tutor and colleagues.
▪ Ask for clarifications on topics or concepts, if in doubt.
▪ Make notes wherever necessary.
Evaluation of Students
▪ The final examination will assess the participant's
• Ability to apply the requirements of ISO/IEC 27001:2022
• Skills.
• Knowledge gained.
Online/Written Examination
▪ The online / written examination duration is 2 hours.
▪ The instructor will allow participants an additional 30 minutes to complete the examination in case the participant
has any physical disability.
▪ The minimum passing criterion is 70%.
▪ The reference materials allowed during the examination are a copy of the ISO/IEC 27001:2022 standard, the course material and
any notes taken during the course.
Complaints and/or Appeals
▪ Participants have the right to make a complaint and appeal.
▪ Students may request the trainer to provide a copy of the written process for appeals / complaints.
▪ TÜV SÜD South Asia shall inform each complainant or appellant in writing of the results of the complaints or appeal.
Participant Introduction
▪ Interview each other in pairs.
▪ 5 minutes for each interview.
▪ 10 minutes for a pair.
▪ Presentation up to 2 minutes.
ISMS Concepts and Benefits
Current Scenario
▪ Present-day organizations are highly dependent on information security systems to
• Manage business and deliver products / services
• Manage cyber threats
• Protect personal information of relevant interested parties
• Manage potential risks when using third parties and outsourced suppliers
▪ Dependence on internal IT applications for development, production and delivery may also influence the information
security posture of an organization. A few examples of internal applications are
• Financial applications with databases.
• Employee time booking.
• Helpdesk and other services.
• Remote access to customers/employees and remote access of client systems.
• Interactions with the outside world through e-mail, internet.
Business Requirements
▪ Security Incidents - The number of security incidents is growing and the nature of threats is changing.
▪ Personally Identifiable Information (PII) – Protecting privacy of interested parties is now important considering data
privacy laws prevailing in many countries.
▪ Client/Customer/Stakeholder – A requirement of contract/condition for RFP.
▪ Marketing – Seen as giving a competitive edge in marketing of product/service.
▪ Senior Management – They want to know the status of information security in their organization.
Legal Requirements (Examples)
▪ Indian Patents Regulation
▪ India Copyright Act
▪ India Design Act
▪ India - IT Act and Amendments
▪ EU GDPR
▪ Cybersecurity Disclosure Act
▪ USA – SOX, HIPAA, FISMA, Gramm-Leach-Bliley Act
▪ Data Protection Acts
Why Is Compliance Important?
▪ Avoid breaches: Every business relies on the security of its information. This is where your company secrets, client data and personally
identifiable information lie. If any of that is leaked, it can mean catastrophic consequences. Information security management systems are an
excellent way to mitigate and prevent data breaches, and ISO 27001 ensures your ISMS is as effective as possible by using a systematic
approach.
▪ Avoid legal penalties: An infringement of a law will have legal repercussions and the company may be liable to pay huge fines along with
brand reputation getting eroded. Data breaches are costly when they happen. Between legal penalties, reparation costs and lost sales, most
estimates place breach costs near $3 million at least. By preventing breaches from happening in the first place, your business can avoid these
costs by implementing an effective ISMS which will in turn facilitate the company to have a good compliance management program.
▪ Reassure customers: Not every company complies with ISO 27001 because it is a challenging standard covering a broad scope of
requirements. However, this also means businesses that have achieved certification take cyber security seriously enough to have undergone
thorough testing for their safety practices. This can be a huge reassurance for existing and potential customers alike, considering the rise in
cyber attacks in recent years.
▪ Gain an edge: ISO 27001 certification also benefits your business by giving you a certification to add to your marketing material. ISO
certification is internationally recognized and can give you an edge against competitors.
▪ Access new markets: ISO 27001 is internationally recognized, and some markets even require its implementation. For example, many supply
chain businesses require ISO 27001 certification to be taken seriously and some countries may legally require all businesses to employ ISO
27001 standards. Certification can, therefore, help businesses looking to expand into these markets.
Threats
If information security is not addressed, then there are chances of various threats occurring, such as:
▪ Fraud
▪ Identity Theft
▪ Espionage
▪ Sabotage
▪ Vandalism
▪ Fire
▪ Flood
[Diagram of threat sources: High user knowledge of IT systems; Theft, sabotage, virus attacks; Misuse; Systems and network failure; Lack of documentation; Lapse in physical security; Natural calamities and fire]
Business Impacts
▪ Exploitation of threats can result in the following losses
• Financial loss.
• Loss of sales / market share.
• Service unavailability and disruption to operations.
• Loss of processing capability and productivity.
• Damage to image and reputation.
Information - Definition
▪ As per ISO/IEC 27000, “Information is an asset that, like other important business assets, is essential to an
organization’s business and, consequently needs to be suitably protected.”
▪ Whatever form the information takes, or means by which it is transmitted, it always needs to be appropriately protected.
What is Information?
Information is a basic building block of any organization. Information is more than electronically stored or processed data.
Information can be:
[Diagram of example controls applied to information: Classify information; Assign rights; Access control; Encryption; Rights management; Logical controls; Asset management; DLP; Activity monitoring and enforcement; Encryption enforcement; Secure deletion; Shredding; Degaussing]
Forms and Transmission of Information
▪ Stored on electronic media like HDD (digital form)
▪ Stored on optical media like CDs (digital form)
▪ Stored on magnetic media like tapes (digital form)
▪ Printed on paper (material form)
▪ Knowledge (unrepresented information)
▪ Transmitted verbally
▪ Transmitted digitally via networks
▪ Transmitted via couriers
Terms and Definitions
▪ Confidentiality
• The property that information is not made available or disclosed to unauthorized individuals, entities, or processes
▪ Integrity
• The property of safeguarding the accuracy and completeness of assets.
▪ Availability
• The property of being accessible and usable upon demand by an authorized entity.
What is Information Security?
▪ In business, having the correct information available to the authorized person at the right time can make the
difference between profit and loss, success and failure.
▪ There are three main aspects of information security:
• Confidentiality: Protecting information from unauthorized disclosure, perhaps to a competitor or to the press
• Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a
price list, is accurate and complete
• Availability: Ensuring information is available when you need it.
▪ As per ISO/IEC 27000, information security is "Preservation of confidentiality, integrity and availability of
information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can
also be involved."
What is Information Security?
Management challenge or technical issue?
Information security must be seen as a management and business challenge, not simply as a technical issue to be
handed over to experts. To keep your business secure, you must understand both the problems and the solutions.
[Diagram: 80% Management (IS-Policy, IS-Responsibilities, IS-Awareness / Training, Reporting, Business Continuity Planning, Processes, etc.); 20% Technology (Systems, Tools, Architecture etc.)]
What is ISMS?
ISMS is an abbreviation for Information Security Management System
Definition:
Part of the overall Management System, based on a business risk approach, to establish, implement, operate, monitor,
review, maintain and improve information security
Note:
The management system includes organizational structure, policies, planning activities, responsibilities, practices,
procedures, processes and resources.
Advantages of Information Security
▪ Systematic / Structured approach.
▪ Improved understanding of business aspects.
▪ Protects information from a range of threats including cyber threats.
▪ Better privacy protection of personal information.
▪ Opportunity to identify and find weaknesses.
▪ Better incident management.
▪ Ensures business continuity.
▪ Minimizes financial losses.
▪ Reduces reputational risk.
▪ Maximizes return on investments.
▪ Increases business opportunities.
▪ Provides confidence to trading partners.
▪ Enhances the knowledge and importance of security related issues at company level.
Why go for ISO/IEC 27001?
▪ ISO/IEC 27001 defines best practice for Information Security Management based on experienced feedback from
thousands of users.
▪ It requires a risk assessment to be conducted and a process for treating risks in order to mitigate them.
▪ The risk assessment and risk treatment process in this standard aligns with the principles and generic guidelines
provided in ISO 31000 (Risk Management – Principles and Guidelines).
▪ It has a similar structure to other standards like ISO 9001, ISO 14001 and ISO 45001, so it can be easily adopted,
implemented and integrated.
▪ An internationally recognized structured methodology.
▪ Facilitation of trading in trusted environment.
ISMS Standard - History
▪ Feb 1995 – First published as a Department of Trade and Industry (DTI) Code of Practice in the UK. Version 1 of BS 7799
(BS 7799 Part 1) reviewed and published
▪ Feb 1998 – Version 2 of BS 7799 published (BS 7799 Part 2)
▪ May 1999 – Major revision of BS 7799 version 2 published
▪ Dec 2000 – ISO adopted BS Standard 7799 as ISO 17799:2000
▪ Sep 2002 – BS 7799-2 was revised to match the P-D-C-A structure of other management standards; this is the base
standard for ISO 27001
▪ Oct 2005 – ISO/IEC 27001:2005 was published
▪ Oct 2013 – ISO/IEC 27001:2013 was published
▪ Oct 2022 – ISO/IEC 27001:2022 was published
Standard and Guidelines
▪ Standards
• Specify the requirements against which a company gets certified.
• Certification is possible only against a requirement standard.
• Keywords: Requirements, Auditable, Certification
▪ Guidelines
• They are advisory in nature.
• They are mainly used as a Code of Practice.
• Guidance documents are referred to for understanding the associated requirement in an elaborated context.
• Keywords: Code of Practice, Advisory, Elaborate explanation of the associated requirement for better understanding
Comparison of ISO/IEC 27001 and ISO/IEC 27002
▪ ISO/IEC 27001:2022
• A specification (specifies requirements for implementing, operating, monitoring, reviewing, maintaining and
improving a documented ISMS within the context of the organisation's overall business risks)
• Specifies the requirements for implementing security controls, customised to the needs of the individual organisation or
part thereof.
• Used as a basis for certification
▪ ISO/IEC 27002:2022
• A code of practice for Information Security Management
• Provides best practice and implementation guidance to implement controls specified in ISO/IEC 27001
• Not used as a basis for certification.
ISO 27001 and ISO 27002 Comparison
▪ ISO/IEC 27001:2013
• 0 Introduction
• 1 Scope
• 2 Normative references
• 3 Terms and definitions
• Clauses 4 to 10
• Annex A – Information security controls reference
• Bibliography
▪ ISO/IEC 27002:2013
• 0 Introduction
• 1 Scope
• 2 Normative references
• 3 Terms, definitions and abbreviated terms
• 4 Structure of this document
• 5 Organizational controls
• 6 People controls
• 7 Physical controls
• 8 Technological controls
• Annex A (informative) – Using attributes
• Annex B (informative) – Correspondence of ISO/IEC 27002:2022 with ISO/IEC 27002:2013
• Bibliography
ISO/IEC 27003
▪ The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an
Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001. The actual
implementation of an ISMS is generally executed as a project.
▪ The process described within this International Standard has been designed to support the implementation of
ISO/IEC 27001:
a) The preparation for beginning an ISMS implementation plan in an organization, defining the organizational structure for
the project, and gaining management approval,
b) The critical activities for the ISMS project, and
c) Examples of how to achieve the requirements in ISO/IEC 27001.
Other ISO/IEC 27000 Series
▪ ISO/IEC 27000:2018 – Information technology – Security techniques – ISMS - Overview and vocabulary.
▪ ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - ISMS requirements.
▪ ISO/IEC 27002:2013 - Information security, cybersecurity and privacy protection – Information security controls.
▪ ISO/IEC 27003:2017 - Information technology – Security techniques – ISMS - Guidance.
▪ ISO/IEC 27004:2016 - Information technology – Security techniques – ISMS - Monitoring, measurement, analysis and
evaluation.
▪ ISO/IEC 27005:2022 - Information security, cybersecurity and privacy protection – Guidance on managing information
security risks.
▪ ISO/IEC 27006:2015 - Information technology – Security techniques - Requirements for bodies providing audit and
certification of ISMS.
▪ ISO/IEC 27007:2020 - Information security, cybersecurity and privacy protection - Guidelines for Information security
management systems auditing.
Incident and BCP Management Related Standards
▪ ISO/IEC 27035 – Information technology – Information security incident management
• Provides guidance on information security incident management.
• Part 1: Principles and process.
• Part 2: Guidelines to plan and prepare for incident response.
• Part 3: Guidelines for ICT incident response operations.
• Part 4: Coordination.
▪ ISO 22301:2019 - Security and resilience – BCMS - Requirements
• Specifies requirements to implement, maintain and improve a management system to protect against, reduce the
likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
▪ ISO 22313:2020 – Security and resilience – BCMS – Guidance on the use of ISO 22301
• Provides guidance to apply the requirements of BCMS specified in ISO 22301
• The guidance and recommendations are based on good international practice.
Any Questions?