Training Awareness ISO27001 TUV Nord


Training Awareness ISO 27001:2022
Iwan Fitriana | Training Awareness ISO 27001:2022 | 11-12.10.2023
Your Trainer
Iwan Fitriana, S. Kom
1. CQI and IRCA Certified ISO/IEC 27001:2022 Information Security Management Systems Lead Auditor Training Course (PR373), BSI.
2. Certified Ethical Hacker v12 (CEH), EC-Council.
3. Certified ITIL Foundation v4 (ITIL), PeopleCert, Axelos.
4. The Aviatrix Certified Engineer (ACE) Multicloud Network Associate, Aviatrix.
5. Alibaba Cloud Associate (ACA) Cloud Computing, Alibaba Cloud.
6. Alibaba Cloud Associate (ACA) Cloud Security, Alibaba Cloud.
7. Alibaba Cloud Associate (ACA) Database, Alibaba Cloud.
8. Remote Work and Virtual Collaboration Professional Certificate, CertiProf.
9. ISO/IEC 27001 Information Security Associate, SkillFront.
10. ISO/IEC 20000 IT Service Management Associate, SkillFront.
11. ISO 9001 Quality Management Systems Associate, SkillFront.
12. Certified Associate in Scrum Fundamentals (CASF), SkillFront.
13. Cyber Security Foundation Professional Certificate (CSFPC), CertiProf. Exp. 2023
Your Trainer
Iwan Fitriana, S. Kom

iwanfitriana@gmail.com
(+62) 811-8967-237
https://www.linkedin.com/in/iwanfitriana/



Agenda
Training Awareness ISO 27001:2022

1. ISO/IEC 27001
2. Information Security Management System
3. The Requirements of ISO/IEC 27001:2022
4. Annex A (Normative) Information Security Controls Reference
5. Study Case 1
6. Differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022
7. Implementation of ISO/IEC 27001:2022
8. The Next Action Plan
9. Study Case 2
10. Post Training Awareness



1. ISO/IEC 27001



ISO/IEC 27001
• ISO/IEC 27001 is a standard published by the International Organization for Standardization (ISO) in cooperation with the International Electrotechnical Commission (IEC). It focuses on information security management, better known as an Information Security Management System (ISMS).

• The standard applies to all types of organizations, from commercial companies, government agencies and non-profits to every business size from micro-enterprises to multinational corporations, across all industries and markets (retail, banking, defence, healthcare, education and government).



ISO 27000 Family



Structure of ISO 27001
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
PDCA cycle over clauses 4-10: P (Plan) = clauses 4-7, D (Do) = clause 8, C (Check) = clause 9, A (Act) = clause 10.

Annex A: 93 controls in 4 themes
5. Organizational controls (37 controls)
6. People controls (8 controls)
7. Physical controls (14 controls)
8. Technological controls (34 controls)



2. Information Security
Management System



An ISMS (information security management system) is a term that comes mainly from ISO/IEC 27001 and refers to a management system concerned with information security. The core idea of an ISMS for an organization is to design, implement and maintain an integrated set of processes and systems that effectively manage information security, ensure the confidentiality, integrity and availability of information assets, and minimize information security risk.



Principles of Information Security



3. Requirement of
ISO/IEC 27001:2022



Clause 4 to Clause 10

Clause 4: Context of the organization
  Clause 4.1: Understanding the organization and its context
  Clause 4.2: Understanding the needs and expectations of interested parties
  Clause 4.3: Determining the scope of the information security management system
  Clause 4.4: Information security management system
Clause 5: Leadership
  Clause 5.1: Leadership and commitment
  Clause 5.2: Policy
  Clause 5.3: Organizational roles, responsibilities and authorities
Clause 6: Planning
  Clause 6.1: Actions to address risks and opportunities
  Clause 6.2: Information security objectives and planning to achieve them
  Clause 6.3: Planning of changes



Clause 4 to Clause 10

Clause 7: Support
  Clause 7.1: Resources
  Clause 7.2: Competence
  Clause 7.3: Awareness
  Clause 7.4: Communication
  Clause 7.5: Documented information
Clause 8: Operation
  Clause 8.1: Operational planning and control
  Clause 8.2: Information security risk assessment
  Clause 8.3: Information security risk treatment



Clause 4 to Clause 10

Clause 9: Performance evaluation
  Clause 9.1: Monitoring, measurement, analysis and evaluation
  Clause 9.2: Internal audit
  Clause 9.3: Management review
Clause 10: Improvement
  Clause 10.1: Continual improvement
  Clause 10.2: Nonconformity and corrective action

• An organization cannot claim conformity with ISO/IEC 27001 if it excludes any of the requirements specified in clauses 4 to 10 of the standard.



Do you have questions?
Iwan Fitriana
T.: +62-811-8967-237
M.: iwanfitriana@gmail.com

tuev-nord.de
4. Annex of ISO/IEC
27001:2022



Annex A.5, A.6, A.7 and A.8



Annex A.5 Organizational controls



A.5 Organizational controls
A.5.1 Policies for information security
The information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and interested parties, and reviewed at planned intervals and if significant changes occur.
A.5.2 Information security roles and responsibilities
Information security roles and responsibilities shall be defined and allocated according to the organization's needs.
A.5.3 Segregation of duties
Conflicting duties and conflicting areas of responsibility shall be segregated.
A.5.4 Management responsibilities
Management shall require all personnel to apply information security in accordance with the established information security policy and the organization's topic-specific policies and procedures.
• Policies, resources, personnel expertise and skills, legal compliance and contractual requirements
A.5.5 Contact with authorities
The organization shall establish and maintain contact with relevant authorities.
Regulators, emergency services (PLN, police, hospitals), insurers, etc.
A.5.6 Contact with special interest groups
The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.
IDSIRTI, www.cvedetil.com, OWASP, Indonesia Cyber Security Forum



A.5 Organizational controls
A.5.7 Threat intelligence
Information relating to information security threats shall be collected and analysed to produce threat intelligence.
a) strategic threat intelligence: types of attacker or types of attack
b) tactical threat intelligence: attacker methodologies, tools and technologies
c) operational threat intelligence: details of specific attacks, including technical indicators.
Analysed and reported so that controls can be improved.
A.5.8 Information security in project management
Information security shall be integrated into project management.
A.5.9 Inventory of information and other associated assets
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Information, people, software, paper, physical assets
A.5.10 Acceptable use of information and other associated assets
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
• Permitted and prohibited use of information and other associated assets: computer use, internet and e-mail
A.5.11 Return of assets
Personnel and other interested parties, as appropriate, shall return all of the organization's assets in their possession upon change or termination of their employment, contract or agreement.
A.5 Organizational controls
A.5.12 Classification of information
Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
A.5.13 Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Metadata, rubber stamps, watermarking, headers and footers, physical labels
A.5.14 Information transfer
Information transfer rules, procedures or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
• Electronic transfer, physical storage media transfer and verbal transfer.
A.5.15 Access control
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
• Need-to-know principle, need-to-use, segregation of duties, formal process, information classification
A.5.16 Identity management
Life-cycle management of user identities.
Identities assigned to persons, to multiple persons, and to non-human entities
A.5.17 Authentication information
Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information, to ensure proper entity authentication and prevent failures of the authentication process.
• Passwords, user responsibilities
A.5 Organizational controls
A.5.18 Access rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.
Provisioning, change, deactivation and review of access rights
A.5.19 Information security in supplier relationships
Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier products or services.
• Supplier list, supplier selection, incidents, supplier products, access control
A.5.20 Addressing information security within supplier agreements
Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.
A.5.21 Managing information security in the information and communication technology (ICT) supply chain
Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
• Information on the software in a product, acquisition, subcontracting to other parties, product validation (pentest), assurance (certificates)
A.5.22 Monitoring, review and change management of supplier services
The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
A.5.23 Information security for use of cloud services
Processes for the acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.
• Vendor selection criteria, cooperation agreement (PKS)/SLA, information security controls, NDA, interfaces, incidents, service termination



A.5 Organizational controls
A.5.24 Information security incident management planning and preparation
The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.
• Incident SOP, incident team
A.5.25 Assessment and decision on information security events
The organization shall assess information security events and decide whether they are to be categorized as information security incidents.
DoS, port scanning, wiretapping, malware (worm, virus, trojan, botnet, keylogger), policy violations, unpatched vulnerabilities
A.5.26 Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures.
• Incident team
• Preparation, identification, containment, eradication, recovery
A.5.27 Learning from information security incidents
Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
A.5.28 Collection of evidence
The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
A.5.29 Information security during disruption
The organization shall plan how to maintain information security at an appropriate level during disruption.



A.5 Organizational controls
A.5.30 ICT readiness for business continuity
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Risk assessment, business impact analysis, RTO/RPO
A.5.31 Legal, statutory, regulatory and contractual requirements
Legal, statutory, regulatory and contractual requirements relevant to information security, and the organization's approach to meeting these requirements, shall be identified, documented and kept up to date.
A.5.32 Intellectual property rights
The organization shall implement appropriate procedures to protect intellectual property rights.
A.5.33 Protection of records
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
A.5.34 Privacy and protection of personal identifiable information (PII)
The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
A.5.35 Independent review of information security
The organization's approach to managing information security and its implementation, including people, processes and technologies, shall be reviewed independently at planned intervals, or when significant changes occur.
A.5.36 Compliance with policies, rules and standards for information security
Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
A.5.37 Documented operating procedures
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
Annex A.6 People controls



A.6 People controls
A.6.1 Screening
Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis, taking into consideration applicable laws, regulations and ethics, and shall be proportional to the business requirements, the classification of the information to be accessed and the associated risks.
A.6.2 Terms and conditions of employment
The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.
A.6.3 Information security awareness, education and training
Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training, and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant to their job function.
A.6.4 Disciplinary process
A disciplinary process shall be formalized and communicated to take action against personnel and other relevant interested parties who have committed an information security policy violation.
A.6.5 Responsibilities after termination or change of employment
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
A.6.6 Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.



A.6 People controls
A.6.7 Remote working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.
A.6.8 Information security event reporting
The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.



Annex A.7 Physical controls



A.7 Physical controls

A.7.1 Physical security perimeters
Security perimeters shall be defined and used to protect areas that contain information and other associated assets.
A.7.2 Physical entry
Secure areas shall be protected by appropriate entry controls and access points.
A.7.3 Securing offices, rooms and facilities
Physical security for offices, rooms and facilities shall be designed and implemented.
No signage; located in a secure spot that is not easily accessible
A.7.4 Physical security monitoring
Premises shall be continuously monitored for unauthorized physical access.
CCTV, alarm buzzers, alarms, unoccupied areas
A.7.5 Protecting against physical and environmental threats
Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure, shall be designed and implemented.
Fire, flood, lightning, power surges
A.7.6 Working in secure areas
Security measures for working in secure areas shall be designed and implemented.
Escorting, racks kept locked, cameras prohibited



A.7 Physical controls

A.7.7 Clear desk and clear screen
Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, shall be defined and appropriately enforced.
A.7.8 Equipment siting and protection
Equipment shall be sited securely and protected.
Placement (vibration, dust), temperature, no food or drink allowed
A.7.9 Security of assets off-premises
Off-site assets shall be protected.
A.7.10 Storage media
Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.
A.7.11 Supporting utilities
Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A.7.12 Cabling security
Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.



A.7 Physical controls

A.7.13 Equipment maintenance
Equipment shall be maintained correctly to ensure the availability, integrity and confidentiality of information.
A.7.14 Secure disposal or re-use of equipment
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.



Annex A.8 Technological controls



A.8 Technological controls
A.8.1 User endpoint devices
Information stored on, processed by or accessible via user endpoint devices shall be protected.
• Registration, physical protection, anti-virus, encryption, backup, locking, wireless
A.8.2 Privileged access rights
The allocation and use of privileged access rights shall be restricted and managed.
A.8.3 Information access restriction
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
A.8.4 Access to source code
Read and write access to source code, development tools and software libraries shall be appropriately managed.
• Version control software (VCS): Git, CVS, SVN
A.8.5 Secure authentication
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
• SSO (SAML, OpenID, Kerberos), AD (Windows), LDAP (Linux), MFA, public Turing test (CAPTCHA)
A.8.6 Capacity management
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
A.8 Technological controls
A.8.7 Protection against malware
Protection against malware shall be implemented and supported by appropriate user awareness.
• Malware: virus, worm, trojan, rootkit, ransomware, keylogger
• Virus detection, identification and removal
• Update the virus signature database from the vendor
• Comprehensive protection: trojan, worm, spyware, ransomware and network
A.8.8 Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated, and appropriate measures shall be taken.
• Vulnerability assessment, penetration testing
A.8.9 Configuration management
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
• Removal of non-essential services, security patches, passwords, disabling guest accounts, access control lists, file and file-system encryption, enabling logging
• CIS Benchmarks, NIST, SANS
A.8.10 Information deletion
Information stored in information systems, devices or any other storage media shall be deleted when no longer required.
A.8.11 Data masking
Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
• Pseudonymization (ghf#@Jk) and anonymization (xxxxxxxxx)
A.8.12 Data leakage prevention
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
• Google Cloud Data Loss Prevention, SolarWinds DLP, CrowdStrike DLP, Sophos DLP
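Added example, not from the slides, showing the two masking styles A.8.11 lists side by side: keyed pseudonymization (HMAC tokens that stay linkable across records, like "ghf#@Jk") and anonymization (values overwritten with "x"), plus the release check a practitioner runs before handing a masked data set out. The key, the field names and the sample customers are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment the pseudonymization key lives in a
# key management system and is never stored alongside the masked data.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample records (fictional people, documentation-style values).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Budi Santoso",
     "email": "budi@example.com", "phone": "+62-811-0000-0001", "balance": 1500000},
    {"customer_id": "C-1002", "name": "Siti Rahma",
     "email": "siti@example.com", "phone": "+62-812-0000-0002", "balance": 250000},
    {"customer_id": "C-1003", "name": "Budi Santoso",
     "email": "budi@example.com", "phone": "+62-811-0000-0001", "balance": 80000},
]

PII_FIELDS = ("customer_id", "name", "email", "phone")


def pseudonymize(value: str, key: bytes = DEMO_KEY) -> str:
    """Keyed HMAC-SHA256 token: the same input always maps to the same token, so
    records can still be joined on it, but the original value cannot be recovered
    without the key (and a lookup table kept by the key holder)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize_phone(phone: str, keep_last: int = 2) -> str:
    """Overwrite every digit except the last `keep_last` with 'x', keeping the format."""
    digit_positions = [i for i, ch in enumerate(phone) if ch.isdigit()]
    masked = set(digit_positions[:-keep_last]) if keep_last else set(digit_positions)
    return "".join("x" if i in masked else ch for i, ch in enumerate(phone))


def anonymize_email(email: str) -> str:
    """Mask the local part entirely; keep the domain for aggregate statistics."""
    local, _, domain = email.partition("@")
    return "x" * len(local) + "@" + domain


def mask_record(record: dict, mode: str, key: bytes = DEMO_KEY) -> dict:
    """Return a masked copy. 'pseudonymize' keeps linkability across records;
    'anonymize' destroys it. Non-PII fields (here: balance) are left intact."""
    out = dict(record)
    if mode == "pseudonymize":
        for field in PII_FIELDS:
            out[field] = pseudonymize(record[field], key)
    elif mode == "anonymize":
        out["customer_id"] = "[redacted]"
        out["name"] = "x" * len(record["name"])
        out["email"] = anonymize_email(record["email"])
        out["phone"] = anonymize_phone(record["phone"])
    else:
        raise ValueError(f"unknown masking mode: {mode}")
    return out


def leaks_pii(masked: dict, original: dict) -> bool:
    """Release check: no original PII value may survive verbatim in the masked record."""
    return any(original[f] in str(masked[f]) for f in PII_FIELDS)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for mode in ("pseudonymize", "anonymize"):
            m = mask_record(rec, mode)
            print(mode, m, "LEAK" if leaks_pii(m, rec) else "ok")
```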
A.8 Technological controls
A.8.13 Information backup
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
• Incremental backup, full backup and differential backup
A.8.14 Redundancy of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
• Cloud: high-availability settings or a multi-region setup
• On-premises: communication, power supply, firewall, facilities
A.8.15 Logging
Logs that record user activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
• Event log (user ID, activity, timestamp, system identity, IP address): success, fault, admin user, changes
• Storage and protection
• Log analysis (Kibana, Elastic, SIEM)
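Added example, not from the slides: the three parts of A.8.15 in code, producing event records with the fields listed above (user ID, activity, timestamp, system identity, IP address, outcome), protecting the stored log with an HMAC chain so that editing or deleting an entry is detectable, and one analysis pass (failed logins per source IP). The key, hosts, users and IPs are constructed, and the timestamps are assumed to come from an NTP-synchronized clock as A.8.17 requires.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo key. In practice the log collector holds it, not the host
# producing the events, so tampering on that host cannot be re-signed.
LOG_KEY = b"constructed-demo-log-key"
GENESIS = "0" * 64
REQUIRED_FIELDS = ("timestamp", "user_id", "activity", "system_id", "src_ip", "outcome")
OUTCOMES = ("success", "fault", "admin", "change")


def make_event(timestamp, user_id, activity, system_id, src_ip, outcome):
    """One event record with the A.8.15 fields; timestamp is ISO 8601 UTC."""
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown outcome: {outcome}")
    return {"timestamp": timestamp, "user_id": user_id, "activity": activity,
            "system_id": system_id, "src_ip": src_ip, "outcome": outcome}


def _canonical(event):
    # Deterministic serialization so the MAC is reproducible at verification time.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_event(chain, event, key=LOG_KEY):
    """Append an event whose HMAC covers the previous entry's HMAC, so editing,
    removing or reordering any earlier entry breaks every later link."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"event is missing required fields: {missing}")
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    entry = dict(event)
    entry["prev_mac"] = prev_mac
    entry["mac"] = hmac.new(key, (prev_mac + _canonical(event)).encode(),
                            hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain, key=LOG_KEY):
    """Recompute every HMAC; True only if the whole stored log is intact."""
    prev_mac = GENESIS
    for entry in chain:
        if entry.get("prev_mac") != prev_mac:
            return False
        body = {k: v for k, v in entry.items() if k not in ("prev_mac", "mac")}
        expected = hmac.new(key, (prev_mac + _canonical(body)).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False
        prev_mac = entry["mac"]
    return True


def failed_logins_by_ip(chain, threshold=3):
    """Analysis step: source IPs with at least `threshold` failed logins."""
    counts = Counter(e["src_ip"] for e in chain
                     if e["activity"] == "login" and e["outcome"] == "fault")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_sample_chain():
    """Constructed sample events (documentation IP ranges, fictional users)."""
    chain = []
    samples = [
        ("2023-10-11T08:00:01Z", "budi", "login", "app-01", "203.0.113.7", "fault"),
        ("2023-10-11T08:00:05Z", "budi", "login", "app-01", "203.0.113.7", "fault"),
        ("2023-10-11T08:00:09Z", "budi", "login", "app-01", "203.0.113.7", "fault"),
        ("2023-10-11T08:01:00Z", "siti", "login", "app-01", "198.51.100.4", "success"),
        ("2023-10-11T08:02:30Z", "admin", "update_firewall_rule", "fw-01", "192.0.2.10", "change"),
        ("2023-10-11T08:03:00Z", "siti", "login", "app-02", "198.51.100.4", "fault"),
    ]
    for s in samples:
        append_event(chain, make_event(*s))
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("chain intact:", verify_chain(log))
    print("suspicious sources:", failed_logins_by_ip(log))
```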
A.8.16 Monitoring activities
Networks, systems and applications shall be monitored for anomalous behaviour, and appropriate actions taken to evaluate potential information security incidents.
• Network operations control
A.8.17 Clock synchronization
The clocks of information processing systems used by the organization shall be synchronized with approved time sources.
• NTP server
A.8.18 Use of privileged utility programs
The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
• Utility software is system software that helps the functions of a computer system (hardware, operating system or software) run correctly and smoothly: antivirus, file management, backup utilities, data synchronization, disk clean-up, debugger, screen saver, clipboard manager, system monitor, system profiler, registry cleaner



A.8 Technological controls

A.8.19 Installation of software on operational systems
Procedures and measures shall be implemented to securely manage software installation on operational systems.
A.8.20 Networks security
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
• Firewall/IDS/IPS, secure network protocols (TLS), topology, authentication
A.8.21 Security of network services
Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
VPN, wireless (SSID, WPA2, guest network), authentication
A.8.22 Segregation of networks
Groups of information services, users and information systems shall be segregated in the organization's networks.
A.8.23 Web filtering
Access to external websites shall be managed to reduce exposure to malicious content.
A.8.24 Use of cryptography
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
• Symmetric cryptography: Blowfish, DES, Skipjack, AES, etc.
• Asymmetric cryptography: RSA, Diffie-Hellman, ElGamal, etc.
• One-way encryption: hash functions (MD5, SHA-1)



A.8 Technological controls
A.8.25 Secure development life cycle
Rules for the secure development of software and systems shall be established and applied.
A.8.26 Application security requirements
Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Secure authentication, SQL injection, XSS, buffer overflow
A.8.27 Secure system architecture and engineering principles
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
• Least privilege and separation of duties, defence-in-depth, zero trust, security-in-the-open
A.8.28 Secure coding
Secure coding principles shall be applied to software development.
• Input validation, error handling, authentication and authorization, use of cryptographic functions and protocols to protect data, least privilege, secure memory management, avoiding hard-coded secrets, security testing, code review, keeping up to date
A.8.29 Security testing in development and acceptance
Security testing processes shall be defined and implemented in the development life cycle.
A.8.30 Outsourced development
The organization shall direct, monitor and review the activities related to outsourced system development.
• Escrow agreement
A.8 Technological controls
A.8.31 Separation of development, test and production environments
Development, test and production environments shall be separated and secured.
A.8.32 Change management
Changes to information processing facilities and information systems shall be subject to change management procedures.
• Routine change: patches, updates, maintenance
• Normal change: upgrades
• Emergency change: security patches
A.8.33 Test information
Test information shall be appropriately selected, protected and managed.
• Dummy data
A.8.34 Protection of information systems during audit testing
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.



5. Study Case 1



Study Case 1

PT. XYZ operates in the financial technology sector and develops web-based systems and mobile applications. Keeping pace with technology, PT. XYZ uses cloud computing for its infrastructure and systems. Form discussion groups of 6 members each. Prepare the documents required for the Statement of Applicability for the case above. After each group has prepared its document, please present the resulting document.

6. Differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022
What Has Changed in ISO/IEC 27001:2022?
The title of the standard

What Has Changed in ISO/IEC 27001:2022?
Changes in the Main Clauses of ISO/IEC 27001:2022
Clauses 4 to 10 of ISO/IEC 27001:2022 that provide the main requirements for an ISMS have
changed slightly. A brief overview of those changes is provided below:

• Clause 4.2 Understanding the needs and expectations of interested parties added a requirement which states that organizations must determine the requirements of interested parties that need to be addressed through the ISMS.
• Clause 4.4 Information security management system, besides requiring organizations to establish, implement, maintain, and continually improve their ISMS, now also requires the same for the processes related to the ISMS and their interactions.
• Clause 5.1 Leadership and commitment provides a clarification regarding the term “business” used in the standard, which refers to “those activities that are core to the purposes of the organization’s existence.”
• Clause 5.3 Organizational roles, responsibilities and authorities has some minor changes and specifies that the roles and responsibilities regarding information security shall be communicated within the organization.

What Has Changed in ISO/IEC 27001:2022?
• Clause 6.2 Information security objectives and planning to achieve them introduces two new requirements. Item d) of this clause requires organizations to monitor the information security objectives, whereas item g) requires them to be available as documented information.
• Clause 6.3 Planning of changes is a new requirement of ISO/IEC 27001:2022. It requires organizations to carry out changes to the ISMS in a planned manner.
• Clause 7.4 Communication has minor changes. Item (d) who shall communicate and item (e) the processes by which communication shall be effected have been merged into a new requirement: (d) how to communicate.
• Clause 8.1 Operational planning and control has been simplified, and additional information has been provided on how to achieve the intended outcomes. This clause requires organizations to plan, carry out, and oversee the processes that are essential to meet requirements by establishing criteria for the processes and implementing control of the processes in accordance with those criteria. Establishing such criteria for ISMS processes allows organizations to evaluate the performance of the implemented processes and determine whether they conform to the established criteria.
What Has Changed in ISO/IEC 27001:2022?

• Clause 9.2 Internal audit has been divided into two subclauses, clause 9.2.1 General and clause 9.2.2 Internal audit programme, to align with other management system standards; however, the requirements of this clause remain the same.
• Clause 9.3 Management review has been divided into three subclauses: clause 9.3.1 General, clause 9.3.2 Management review inputs, and clause 9.3.3 Management review results. This clause introduces a new requirement which states that changes in the needs and expectations of the interested parties that are relevant to the ISMS shall be taken into account during management reviews. In addition, the new version of the standard refers to the outcomes of the management reviews as “results,” and requires organizations to ensure that evidence of such results is available as documented information.
• Clause 10 Improvement has been rearranged but its content remains unchanged.

What Has Changed in ISO/IEC 27001:2022?

What Has Changed in Annex A of ISO/IEC 27001:2022?

Annex A of ISO/IEC 27001:2022 is a list of information security controls that aim to ensure the confidentiality, integrity, and availability of information and information assets. However, it should be noted that the information security controls listed in Annex A are not exhaustive and additional controls may be added as necessary by the organization. Annex A of ISO/IEC 27001:2022 has been updated and aligned with ISO/IEC 27002:2022.

The number of controls in ISO/IEC 27001:2022 has been reduced from 114 in the previous version to 93.
• 35 controls remained exactly as they were
• 23 controls were renamed
• 57 controls were merged into 24
• 11 new controls were introduced

What Has Changed in ISO/IEC 27001:2022?

57 controls were merged into 24

What Has Changed in ISO/IEC 27001:2022?

23 controls were renamed

What Has Changed in ISO/IEC 27001:2022?

11 New Controls

7. Implementation of ISO 27001:2022

Implementation of ISO/IEC 27001:2022

Certification ISO/IEC 27001:2022 Timeline

Entities that hold an ISO 27001:2013 certificate will have to complete the transition within 36 months.
• During the transition, existing ISO 27001:2013 certificates will remain valid.
• ISO 27001:2022 certificates will be issued based on the 3-year re-certification cycle.

Transition audits to ISO 27001:2022 are based on any one of the following:
• Surveillance audit.
• Recertification audit.
• Special audit.
• Initial certification does not require a transition audit.

Steps to implementing ISO/IEC 27001:2022

1. Getting management support
2. Definition of the ISMS scope
3. Definition of a security policy
4. Risk assessment
5. Risk management
6. Selection of controls
7. Statement of applicability (SoA)
8. Policies/procedures
9. Internal audit
10. Continuous improvement

8. The Next Action Plan

The Next Action Plan to Achieve Certification ISO/IEC 27001:2022

Transition audits must consider and include:
• Gap analysis against ISO 27001:2022, and any needed changes to the auditee’s ISMS.
• Update of the Statement of Applicability (SoA).
• Update of the risk treatment plan, as applicable.
• Update of all documents, policies, procedures, etc.

9. Study Case 2

Study Case 2
First and foremost, Isabella agreed for the interview to be recorded. The interview
with Isabella happened on time as agreed and was full of fantastic insights into the
topic of implementation of the ISO 27001 standard in startups. Isabella
demonstrated that they understand and have the knowledge of many
implementations of the standard in multiple environments and highlighted a
couple of potential shortcomings when it comes to startups implementing security
either on their own, or with help from a consultant or other external party. These
highlights are talked about in detail in this case report, and the findings from this
report are taken further on to the cross-case report.
Understanding of the implementation
The interview started with an introduction to the topic of the thesis and what steps
Isabella understands fall under the implementation part of the ISO 27001
standard. After a short discussion, it was agreed with Isabella that the
implementation phase starts right after the project kickoff phase is finished and
the scope of the ISO 27001 implementation is being decided on. For them, the
project is finished, and the company is compliant as the policies and procedures
are written. This directly reflects the first and last step of the implementation
process presented in the literature review.
Study Case 2
Isabella underlined that management support is vital for a project like this, but it can be
quite challenging to receive it throughout the implementation of the ISO 27001 standard.
Isabella thinks that the ISO 27001 itself explains well that the management support is
required. They highlighted that it can be difficult for management to support such a project
in general, as they don’t necessarily see the benefits of having the ISO 27001
implemented. Isabella directly compared this to the perception of insurance, as it is
something you should have, but you can theoretically live without it.
In her experience, it is usually a single person from the management team that is the
project owner, and the other members of the management team are not so interested in
how the project runs. She highlighted that this can be a huge pitfall of the project and
suggested that the entire management team is in fact a part of the implementation
process. Quantitative metrics such as the number of breaches happening, weak passwords, and
fines that could be imposed if a breach happens, as well as more awareness about security, should
be raised to the management team from the beginning of the implementation process, along with
why the organization needs the ISO 27001 standard in general. Moreover, if there is a
customer demand, Isabella thinks that that is the easiest way of getting management
support to the project, as they can see quantitative metrics such as revenue as a reason to
run the project at all.

Study Case 2
Regulation is another keyword that was mentioned by Isabella quite often. They
mentioned that if there are regulations that are enforced, it can help companies to
understand the need of projects like implementation of the ISO 27001 standard better.
That could in turn help with management support, which greatly improves the chances of
the project being a success in an organization.

Isabella underlines that it is vital that startups treat this as a project. They clarify that the
startups must have the resources allocated to run the project. Moreover, the employees
should be informed that such a project is being run in the company and understand what
the project requires and what people need to do in order for this project to be successfully
delivered.
After the recording was finished, the case also highlighted that it is in their opinion vital to
have a method that you use to run the implementation project. They said that if the
companies do not have a method, it is very likely that the project will result in a failure.

Study Case 2
Isabella mentions that startups usually don’t have a person really having the ownership of
the ISO 27001 implementation project, which can lead to the consequence of putting the
project aside and not having the time to run it. The risk management side of the project
suffers in that regard, as the risks that have been identified do not get enough attention,
and the company is at risk of failing the project. This can also have a profound effect
on the treatments that are selected to mitigate the security issues. If there is no owner of
the issues, the controls might never be implemented.

In Isabella's opinion, while the ISO 27001 standard is nice because it is really brief, it is
also one of its weak points. They think that because the standard is brief and abstract, it
leaves a lot of room and a gap from description to reality. That is why startups usually
contact her, because she fills in that gap.
They also say that if there was a version of the standard that would zoom in on a smaller
segment, or on a special type of company, it would be more relevant and less abstract for
startups, which would definitely help the startups a lot.

Study Case 2
Isabella mentions that a lot of companies do not have prior knowledge, and they only know
about the ISO 27001 standard because their customers are requesting some tangible
proof of security. This is why they start the implementation process and can later struggle if
no external help is provided. The biggest reason why they usually cannot run the
implementation process alone is the fact that they don’t know where to go, and what steps
to take next. Isabella thinks that startups, with a little bit of knowledge and interest in
security could actually successfully run the implementation project alone, but the lack of
support on what steps should be taken next is missing.
Isabella supports that fact by stating that in their experience, there were startups that did
have some prior knowledge of the ISO 27001 and they either knew what to do, but only to
a certain degree, or they got stuck somewhere and needed guidance with what steps
should be taken next. She highlighted that startups tend to overcomplicate the project,
and that this is usually one of the reasons they are called in to a project like this. She mentions
that it is important for startups to have a methodology, which they often lack, and she
brings that knowledge in.

Study Case 2

Isabella says that people understand why the risk assessment is a part of the ISO 27001
implementation, but they have trouble figuring out what are the actual assets they have in
an organization and the dependencies of those assets on one another. It was clear for
Isabella that the ISO 27001 standard doesn’t provide enough support for this problem, and
it could be easily solved by providing startups with explanations of what an asset is and
how it can be coupled with other assets in an organization.

Study Case 2
Isabella disclosed that there is usually a big gap between the people that are running the implementation
of the ISO 27001 standard and are interested in the project, and the rest of the organization. In their
experience, it happens very often that employees refuse to accept the change in the way they work and
more importantly the change in culture which the implementation of the ISO 27001 standard inherently
brings into the organization. She thinks that in general, it is very hard for people to change behavior.
When asked if she thinks this is something that is a part of the training stage, which in the understanding
of the thesis comes after the implementation, Isabella said that it is possible, but change management
should be taken into consideration when the scope is being set. She says that this is something that is
not highlighted in the ISO 27001 standard itself, and the people running the project usually don’t realize
how big of a cultural change the implementation of the ISO 27001 standard can bring into the
organization.
She also thinks that including more people in the implementation phase could help with the culture
change that the ISO 27001 standard brings, but the availability of those people might vary. When asked
about how many people are usually involved in the implementation process, the answer wasn’t quite
straightforward. They generalized that it is usually the project owner and one person per each
department.
A potential solution for this problem, according to Isabella, is to implement the ISO 27001 into the
organization with the goal of implementing as many technical controls as possible. While this reduces the
number of things employees have to remember to do when later on working according to the new security
standards set by the ISO 27001, it doesn’t solve the problem of culture change in an organization.
Study Case 2
When asked about the quality of implementation of the ISO 27001 standard, Isabella
thinks that once the company is done with the implementation process, the quality of the
outcome is usually good, because once the ISO 27001 standard is understood, it is written
well enough that the quality of the product resulting from the implementation phase is
good. Another reason is that the startups understand that if the ISO 27001 compliance is
requested by their customers, they must deliver a project outcome that will be satisfactory
for them, otherwise they would have to re-do the project, or at least parts of the
implementation again.

Study Case 2
Whenever Isabella is working with a company on writing policies and procedures, she
comes with a set of templates that she uses for all companies she is working with. She
says that this is something that could definitely be standardized, because while there are
some changes to the templates in wording, and some specifics when it comes to the
content of the policies, it would be very advantageous to have such templates available for
all startups that want to go through the implementation of the ISO 27001 standard.
When asked whether a system or a platform that would guide startups through the implementation
process could exist, her opinion is that while it would obviously be a great help and
could solve most of the problems, it doesn’t solve the biggest issue startups have, which is that they
just don’t have enough time. She suggests that an employee should still be dedicated to
this project, if not full time then at least 20 hours a week. That would solve the problem of
time, which would ultimately allow the startups to focus on other things.

Study Case 2

The table below provides an overview of the keywords identified by case with reference to
implementation steps. Fill in the keywords based on the case study above.

Implementation step                 Keyword
Getting management support          ________
Definition of the ISMS scope        ________
Definition of a security policy     ________
Risk assessment                     ________
Risk management                     ________
Selection of controls               ________
Statement of applicability (SoA)    ________
Policies / procedures               ________
Thank You
Iwan Fitriana
T.: +62-811-8967-237
M.: iwanfitriana@gmail.com

tuev-nord.de