Training Awareness ISO27001 TUV Nord
Awareness
ISO 27001:2022
Iwan Fitriana | Training Awareness ISO 27001:2022 | 11-12.10.2023
Your Trainer
Iwan Fitriana, S. Kom
1. CQI and IRCA Certified ISO/IEC 27001:2022 Information Security Management Systems Lead Auditor Training Course (PR373), BSI.
2. Certified Ethical Hacker v12 (CEH), EC-Council.
3. Certified ITIL Foundation v4 (ITIL), PeopleCert, Axelos.
4. The Aviatrix Certified Engineer (ACE) Multicloud Network Associate, Aviatrix.
5. Alibaba Cloud Associate (ACA) Cloud Computing, Alibaba Cloud.
6. Alibaba Cloud Associate (ACA) Cloud Security, Alibaba Cloud.
7. Alibaba Cloud Associate (ACA) Database, Alibaba Cloud.
8. Remote Work and Virtual Collaboration Professional Certificate, CertiProf.
9. ISO/IEC 27001 Information Security Associate, SkillFront.
10. ISO/IEC 20000 IT Service Management Associate, SkillFront.
11. ISO 9001 Quality Management Systems Associate, SkillFront.
12. Certified Associate in Scrum Fundamentals (CASF), SkillFront.
13. Cyber Security Foundation Professional Certificate (CSFPC), CertiProf. Exp. 2023
Your Trainer
Iwan Fitriana, S. Kom
iwanfitriana@gmail.com
(+62) 811-8967-237
https://www.linkedin.com/in/iwanfitriana/
1. ISO/IEC 27001
2. Information Security Management System
3. The Requirements of ISO/IEC 27001:2022
4. Annex A (Normative) Information Security Controls Reference
5. Study Case 1
6. Differences between ISO/IEC 27001:2013 and ISO/IEC 27001:2022
7. Implementation of ISO/IEC 27001:2022
8. The Next Action Plan
9. Study Case 2
10. Post Training Awareness
This standard applies to all types of organizations, from commercial companies, government agencies and non-profits to businesses of every size, from micro-enterprises to multinational corporations, and across all industries and markets (retail, banking, defence, healthcare, education and government).
Clauses of ISO/IEC 27001:2022 (Plan-Do-Check-Act cycle)
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Annex A: 93 Controls in 4 Themes
5. Organizational controls (37 controls)
6. People controls (8 controls)
7. Physical controls (14 controls)
8. Technological controls (34 controls)
Clause 7 : Support
Clause 7.1 : Resources
Clause 7.2 : Competence
Clause 7.3 : Awareness
Clause 7.4 : Communication
Clause 7.5 : Documented Information
Clause 8 : Operation
Clause 8.1 : Operational planning and control
Clause 8.2 : Information security risk assessment
Clause 8.3 : Information security risk treatment
tuev-nord.de
4. Annex of ISO/IEC 27001:2022
5. Study Case 1
• Clause 9.2 Internal audit has been divided into two subclauses: clause 9.2.1 General and clause 9.2.2 Internal audit programme, to align with other management system standards; however, the requirements of this clause remain the same.
• Clause 9.3 Management review has been divided into three subclauses: clause 9.3.1 General, clause 9.3.2 Management review inputs, and clause 9.3.3 Management review results. This clause introduces a new requirement which states that changes in the needs and expectations of the interested parties that are relevant to the ISMS should be taken into account during management reviews. In addition, the new version of the standard refers to the outcomes of the management reviews as "results," and requires organizations to ensure that evidence of such results is available as documented information.
• Clause 10 Improvement has been rearranged but its content remains unchanged.
The number of controls in ISO/IEC 27001:2022 has been reduced from 114 in the previous version to 93:
• 35 controls remained exactly as they were
• 23 controls were renamed
• 57 controls were merged into 24
• 11 new controls were introduced
11 New Controls
The 11 controls that are new in Annex A of ISO/IEC 27001:2022 are:
• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding
7. Implementation of ISO 27001:2022
Entities that hold an ISO 27001:2013 certificate will have to complete the transition within 36 months of the publication of ISO 27001:2022 (published October 2022, so the transition period ends on 31 October 2025).
• During the transition period, existing ISO 27001:2013 certificates remain valid.
• ISO 27001:2022 certificates will be issued based on the 3-year recertification cycle.
Transition audits to ISO 27001:2022 can be carried out as any one of the following:
• Surveillance audit.
• Recertification audit.
• Special audit.
Initial certification against ISO 27001:2022 does not require a transition audit.
9. Study Case 2
Isabella underlines that it is vital that startups treat this as a project. She clarifies that startups must have the resources allocated to run the project. Moreover, the employees should be informed that such a project is being run in the company and understand what the project requires and what people need to do in order for the project to be delivered successfully.
After the recording was finished, Isabella also highlighted that, in her opinion, it is vital to have a method that you use to run the implementation project. She said that if companies do not have a method, it is very likely that the project will result in failure.
In Isabella's opinion, while the ISO 27001 standard is nice because it is really brief, that brevity is also one of its weak points. She thinks that because the standard is brief and abstract, it leaves a lot of room and a gap between description and reality. That is why startups usually contact her: she fills in that gap.
She also says that if there were a version of the standard that zoomed in on a smaller segment, or on a special type of company, it would be more relevant and less abstract for startups, which would definitely help them a lot.
Isabella says that people understand why the risk assessment is part of the ISO 27001 implementation, but they have trouble figuring out what the actual assets in their organization are and how those assets depend on one another. It was clear to Isabella that the ISO 27001 standard does not provide enough support for this problem, and that it could easily be solved by providing startups with explanations of what an asset is and how it can be coupled with other assets in an organization.
The table below provides an overview of the keywords identified in the case with reference to the implementation steps. Fill in the keywords based on the case study above.