Ecpd - PPT 02 - Iso 27001 - 2022 Isms Li 5d Session 2

The document outlines the ISO/IEC 27001:2022 standard for Information Security Management Systems (ISMS), detailing its structure, requirements, and implementation guidelines. It emphasizes the importance of leadership commitment, the establishment of a security policy, and the need for organizations to assess and manage information security risks effectively. The standard is applicable to all organizations, providing a framework for continual improvement in information security practices.

Uploaded by

Ferdous Shajib

ISO/IEC 27001:2022 Lead Implementer Training Course

TUV SUD South Asia Pvt. Ltd. | ISO/IEC 27001:2013 ISMS Lead Implementer - Ed 2022 Rev 1 12 December 2022
Information Security Management System
Framework Requirements

ISO/IEC 27001:2022 Structure

1. Scope
2. Normative references
3. Terms & definitions
4. Context of the organization
   4.1 Understanding the organization and its context
   4.2 Understanding the needs and expectations of interested parties
   4.3 Determining the scope of the information security management system
   4.4 Information security management system
ISO/IEC 27001:2022 Structure

5. Leadership
   5.1 Leadership and commitment
   5.2 Policy
   5.3 Organizational roles, responsibilities and authorities
6. Planning
   6.1 Actions to address risks and opportunities
   6.2 Information security objectives and planning to achieve them
   6.3 Planning of changes
ISO/IEC 27001:2022 Structure

7. Support
   7.1 Resources
   7.2 Competence
   7.3 Awareness
   7.4 Communication
   7.5 Documented information
8. Operation
   8.1 Operational planning and control
   8.2 Information security risk assessment
   8.3 Information security risk treatment
ISO/IEC 27001:2022 Structure

9. Performance evaluation
   9.1 Monitoring, measurement, analysis and evaluation
   9.2 Internal audit
   9.3 Management review
10. Improvement
   10.1 Continual improvement
   10.2 Nonconformity and corrective action

Annex A (normative): Information security controls reference
Scope and Applicability
▪ Applicable to all organizations
  • Commercial
  • Government
  • Not-for-profit organizations

▪ Coverage - specifies the requirements for
  • Establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization.
  • This document (International Standard) also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
  • The requirements set out in the document are generic and are intended to be applicable to all organizations regardless of their type, size or nature.
ISO/IEC 27001:2013 Requirements
▪ Requirements contained in the ISMS Framework (Sections 4-10).
  • Excluding any of the requirements specified in these clauses (4 to 10) is not acceptable when an organization claims conformity to this document.

▪ Information security controls reference [Annex A]
  • Justify exclusions.

Note: Controls are countermeasures that modify a risk.
Hierarchical Structure

(Pyramid diagram, labelled "Information Security Requirements and Expectations", with four levels of ISMS documentation:)

Level 1 - Policy Manual: Policies, Objectives, Scope, Risk Assessment Report, Risk Treatment Plan, Statement of Applicability
Level 2 - Procedures: Describe processes - Who? What? When? Where? How?
Level 3 - Guidelines, instructions, operational docs, checklists, forms etc.: Describe how tasks and specific activities are done
Level 4 - Records: Provide objective evidence of compliance with ISMS requirements
ISMS Documentation
▪ Security Policy Manual
  • Summary of the management framework, including the information security policy and the control objectives and implemented controls given in the statement of applicability.

▪ Procedures
  • Procedures adopted to implement the controls required.

▪ Operational Documents
  • Explain details of specific tasks or activities.

▪ Records
  • Evidence of activities carried out.
Clause 4
Context of the Organization

Context of the Organization
4.1 Understanding the organization and its context

▪ The organization is required to determine the external and internal issues relevant to its purpose and sustenance that may affect (either positively or negatively) its long-term strategic goals, intended outcomes and the overall business (e.g. vision, mission, policies, business plans, goals etc.).
▪ The organization should analyze the "business environment" in which it operates, which means it should understand its own business. This environment can be influenced by internal and external factors (or environments), which are also known as issues.
▪ These issues are subject to change over time, which in turn will influence the planned outcomes of the ISMS. Therefore, these issues need to be reviewed regularly.

(Diagram: external issues - political, environmental, market, legal, social, economic, technological; internal issues - culture, resources, performance, knowledge, values, management.)

Note: There is no requirement explicitly stated to document the internal and external issues. However, the organization can decide to document these issues in the form and to the extent necessary to ensure that the ISMS is effective.
Context of the Organization
4.2 Understanding the needs and expectations of interested parties

▪ The organization is required to identify the relevant interested parties, both internal to the organization and external to it.
▪ The relevant interested parties are those who may face significant risks if their specific needs and expectations are not met; hence it is important to know what their specific requirements and expectations are and how they can be fulfilled by the organization.
▪ This is an important step to ensure that the management system is designed to meet its purpose and achieve its objectives.
▪ These requirements can change over time and subsequently may influence the information security of an organization and affect intended outcomes, so these requirements need to be reviewed regularly to address any changing aspect.

(Diagram: interested parties - external stakeholders: competitors, customers, media, suppliers, legislators, regulators, shareholders; internal stakeholders: internal depts., employees, top mgmt., process owners.)

Note: The requirements of interested parties may include legal and regulatory requirements and contractual obligations.
Context of the Organization
4.3 Determining the scope of the information security management system

▪ The scope defines what needs protection, what is covered and what is not covered within the organization. This comprises the boundaries and applicability of the ISMS.
▪ A key step before writing the scope statement is to understand the internal and external interfaces and dependencies, as these factors influence the information security posture within an organization. For example, IT services and applications are required to support core business activities, whereas some processes are outsourced to another supplier.
▪ When determining the scope, we need to gather insights from the internal and external issues that we identified earlier, ensure that all the interested parties' needs and expectations are considered, and understand the dependencies.
▪ The organization is required to document the ISMS scope statement.
▪ The ISMS scope should be formally approved by the management.

(Diagram: scope is determined by the geographical boundary - locations; the organizational boundary - departments; and applicability - based on the organization's context.)
Context of the Organization
4.4 Information security management system

▪ The organization is required to establish, implement, maintain and continually improve an information security management system in accordance with the requirements prescribed in the document (international standard).
▪ The other sections of the standard set out what is required to achieve this.
Implementing Clause 4
▪ Determination of external and internal issues relevant to ISMS.

▪ Interested parties and their requirements relevant to ISMS.

▪ Interfaces and dependencies between activities of the organization.

▪ Determination of boundaries and applicability to establish scope of ISMS.

▪ Documented information of scope.

Clause 5
Leadership

Leadership
5.1 Leadership and commitment

▪ Top management does not only represent the CEO but can also represent a group of people working at the highest level who are responsible for taking strategic decisions, giving direction and controlling the organization in achieving its intended outcomes.
▪ The ISMS should be driven top-down by the top management of an organization. The intent of involving top management is to ensure that the information security governance framework, i.e. the ISMS, is aligned with the enterprise's strategic direction and goals.
▪ The difference between success and failure in implementing the ISMS effectively lies in the level of commitment displayed by the top management of an organization.

(Diagram: CEO, top management team and employees; alignment of the ISMS and the company's strategic direction to achieve the desired outcomes.)
Leadership
5.1 Leadership and commitment contd.
▪ Top management is required to ensure the following:
  a. The IS policy and the IS objectives are aligned.
  b. Integrate ISMS requirements into core business processes.
  c. Plan for adequate resources, including budget, to ensure the ISMS is effective.
  d. Communicate the importance of the ISMS to everyone.
  e. Intended outcomes are achieved.
  f. Direct, support and motivate everyone involved in working towards improving the ISMS.
  g. Provide timely feedback and correct actions.
  h. No exceptions for security breaches.
  i. Promote continual improvement of the ISMS.
Leadership
5.2 Policy

▪ Top management is required to establish an information security policy which includes the information security objectives or acts as a framework for setting information security objectives within the scope of the ISMS.
▪ The policy should include a commitment statement from top management to meet business, regulatory, statutory and contractual obligations and requirements, and to continually improve the ISMS.
▪ The policy is required to be communicated to all employees (e.g. emails, posters, intranet, notice boards, website etc.). Ensure that confidentiality is not compromised when it is communicated to external parties.
▪ It is required that the policy be documented, in any form.

Example IS POLICY DOCUMENT: The management is committed to ensure that
  ▪ Customer related information is handled with utmost confidentiality.
  ▪ Information security risks are managed effectively.
  ▪ Information security principles are established and adopted within the company.
  ▪ Roles and responsibilities of ICT users, systems administrators and other stakeholders are established.
  ▪ Information security objectives are aligned with the organization's objectives.
  ▪ Awareness is provided to all employees related to security risks to information and the ICT infrastructure used by everyone.
  ▪ All relevant statutory, regulatory and contractual obligations are met.
  ▪ The ISMS is improved, and decisions on the same are taken in management review.

Note: An Information Security Policy is a high-level statement formally expressed by top management on the overall intention and direction towards information security, in accordance with business requirements and legal requirements (relevant laws and regulations).
Leadership
5.3 Organizational roles, responsibility and authority

▪ It is required for top management to assign responsibilities and authorities for information security relevant roles within the organization.
▪ The purpose of this is to ensure that the ISMS requirements are fulfilled and to get a periodic update on the performance of the information security management system.

Role: Position in an organization, e.g. User, IT Manager, CISO, Information Security Manager etc.

Responsibility: Duties to be carried out or tasks to be executed or performed as assigned by the superior, e.g. the Information Security Manager has the responsibility to manage the smooth execution of the ISMS.

Authority: Power to enforce rules and take decisions. Can be delegated to subordinates, e.g. the Information Security Manager has the authority to make changes in the ISMS to improve it.
Implementing Clause 5
▪ Documented statement of information security policy.

▪ Policy should include the points that are mentioned in the international standard.

▪ Communicate security policy within the organization and should be available to interested parties, as appropriate.

▪ Establish roles, responsibilities and authorities relevant to ISMS and to report performance of ISMS to top management.

Establishing Management Framework

Step 1: Define Scope (output: Scope of ISMS)
Step 2: Define Policy (output: Policy Document)
Step 3: Identify, Analyse and Evaluate security risks - Undertake Risk Assessment (output: Risk Assessment, reflecting the organization's approach to risk management and the degree of assurance required)
Step 4: Manage Risk (output: Risk Treatment, with approval from Risk Owners)
Step 5: Select Controls, plus additional controls if needed (output: Appendix "A" Objectives and Controls)
Step 6: Prepare SOA (output: Statement of Applicability)
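As an added illustration of Steps 3 to 6 (not part of the course slides), the following Python models how approved risk treatment decisions drive Annex A control selection and yield a Statement of Applicability in which every control is either applicable or excluded with a justification, as the "Justify exclusions" requirement earlier in the deck demands. The four control ids and titles are a subset of ISO/IEC 27001:2022 Annex A; the risks, owners and treatments are constructed sample data.

```python
"""Added illustration of Steps 3-6: risk treatment -> control selection -> SoA.
Not TUV SUD course material. ANNEX_A is a four-item subset of ISO/IEC
27001:2022 Annex A; SAMPLE_RISKS and SAMPLE_EXCLUSIONS are constructed."""
from dataclasses import dataclass, field

# Subset of Annex A: control id -> title
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.6.3": "Information security awareness, education and training",
    "A.7.1": "Physical security perimeters",
    "A.8.8": "Management of technical vulnerabilities",
}

@dataclass
class Risk:
    rid: str
    treatment: str                      # modify | retain | avoid | share
    owner: str                          # risk owner who approves the treatment (Step 4)
    owner_approved: bool
    controls: list = field(default_factory=list)  # Annex A ids selected (Step 5)

def build_soa(risks, exclusions):
    """Derive the SoA from the risk treatment plan.
    exclusions: {control_id: justification} for controls not selected by any risk.
    Returns (soa, findings); findings is empty only when the SoA is complete."""
    soa = {cid: {"applicable": False, "justification": "", "risks": []}
           for cid in ANNEX_A}
    findings = []
    for r in risks:
        if not r.owner_approved:
            findings.append(f"{r.rid}: treatment not approved by risk owner {r.owner}")
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{r.rid}: 'modify' treatment selects no control")
        for cid in r.controls:
            if cid not in soa:          # an additional (non-Annex A) control
                findings.append(f"{r.rid}: {cid} is not in Annex A, document it separately")
                continue
            soa[cid].update(applicable=True, justification="selected by risk treatment")
            soa[cid]["risks"].append(r.rid)
    for cid, entry in soa.items():      # every excluded control needs a reason
        if not entry["applicable"]:
            entry["justification"] = exclusions.get(cid, "")
            if not entry["justification"]:
                findings.append(f"{cid}: excluded without justification")
    return soa, findings

# Constructed sample risk treatment plan: R2 lacks owner approval,
# and A.7.1 is selected by nobody and has no exclusion justification.
SAMPLE_RISKS = [
    Risk("R1", "modify", "CIO", True, ["A.5.1", "A.6.3"]),
    Risk("R2", "modify", "Head of IT", False, ["A.8.8"]),
    Risk("R3", "retain", "CFO", True),
]
SAMPLE_EXCLUSIONS = {}
```

Running `build_soa(SAMPLE_RISKS, SAMPLE_EXCLUSIONS)` reports two findings (the unapproved treatment and the unjustified exclusion); supplying a justification for A.7.1 and approving R2 clears them.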

Any Questions?
