After the last 2020 Global Leading Voices webinar, which compared ISO 27001 with the CCPA and the New York SHIELD Act, we take a look at the next level of information and cybersecurity management.
How can you assess your security management? The CMMI model (with its 1 to 5 maturity grading) is a well-known system. In early 2020 the US DoD launched the CMMC, the Cybersecurity Maturity Model Certification, which uses the same five levels for cybersecurity. In this session we discuss the maturity evaluation principles for information security, cybersecurity and application security, and how you can use them in practice.
The webinar covers:
- What's the CMMI?
- What's the CMMC?
- Maturity in security governance (ISMS, cyber, application)
- Security maturity vs audit cycles
Recorded Webinar: https://youtu.be/9BpETh_nAOw
Previous sessions
1. Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard (2019-12-09)
2. ISO/IEC 27701 vs GDPR - What you need to know (2020-01-29)
3. Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (2020-04-15)
4. Key Data Privacy Roles Explained: Data Protection Officer, Information Security Manager, and Information Security Auditor (2020-06-24)
5. PECB Webinar: ISO/IEC 27701 vs. ISO/IEC 27001 vs. NIST: Essential Things You Need to Know (2020-10-14)
Previous sessions
Check the past webinars on the PECB website at
• https://pecb.com/past-webinars
Find all sessions with Q&A + collaterals (decks, recording) at:
http://ffwd2.me/PECB_ISO27001_webinars (shortcut to the LinkedIn page)
Quick Recap
• ISO27001 = ISMS (Information Security Management System)
• ISO27701 = PIMS (Privacy Information Management System)
For today also:
• NIST = (US) National Institute of Standards and Technology (part of the Dept. of Commerce)
What this session is not about
ISO or NIST deep dive
• Course material reference, see later
• NIST document reference, see later
The nuts and bolts of ISMS
Just know that ISO/IEC 27001:2013 has
• 10 main clauses (1..10), of which 7 contain requirements (Clauses 4..10, built on PDCA)
• Annex A with
  • 14 main categories (A.5..A.18)
  • 35 subcategories (control objectives)
  • 114 controls / measures
• Course material reference, see later
And also
ISO/IEC 27000 series
• ISO27001 and ISO27701 = certifiable
• Total 59 documents
ISO27000 series including
• Codes of practice
• Guidance
• Auditing (ISO27006)
• Incident management (ISO27035)
• Cybersecurity (ISO27032)
• Business continuity, Communications security, Application Security, Supply Chain, Storage, …
• More info: https://www.iso.org/committee/45306/x/catalogue/p/1/u/0/w/0/d/0
What this session is not about
The nuts and bolts of PIMS
Just know that it
• Is certifiable like ISMS
• Is the privacy & GDPR add-on to ISMS (an extension of ISO27001/ISO27002)
• Adds privacy-specific requirements to the interpretation of the information security controls
  • Now including PII/personal data
  • Extra requirements from GDPR & other legislation
• Interesting annexes
  • GDPR mapping
  • ISO29100 (Privacy framework) mapping
CMMC - Cybersecurity Maturity Model Certification
Source: https://www.acq.osd.mil/cmmc/index.html
About
• Cybersecurity standard by the DoD (US Department of Defense)
• V1.0 released 31 Jan 2020
• Currently v1.02
Purpose
• Set of standards from the DoD
• To enhance the cybersecurity capabilities of defense contractors (the Defense Industrial Base)
Focus
• Cybersecurity (not information security in the broad ISMS sense)
• USA
• Re-use of existing principles and frameworks
• Protection of Controlled Unclassified Information (CUI), and at Level 1 of Federal Contract Information (FCI)
CMMC - Timeline
Source: Focalpoint
Timeline
• January 2020: DoD introduces Version 1.0 of the CMMC
• June 2020: The CMMC-AB releases program requirements and opens registration for C3PAOs (CMMC Third Party Assessment Organizations) and third-party assessors
• July 2020: DoD to create and publish CMMC training
• Summer 2020: DoD to undergo rulemaking to implement the CMMC into the DFARS regulation
• September 2020: DoD to incorporate CMMC requirements in Requests for Proposals (RFPs)
• FY 2021 – 2026: Implementation of the CMMC through a phased rollout
• FY 2026: CMMC certification a requirement for all companies doing business with the DoD
CMMC - Reference to other sources
Source: https://www.acq.osd.mil/cmmc/index.html
Based on
• CERT Resilience Management Model (CERT RMM) v1.2
• CIS Controls v7.1
• FAR Clause 52.204-21 (basic safeguarding of FCI; the basis of Level 1)
• NIST SP 800-171 (all 110 of its requirements are included by Level 3)
• Draft NIST SP 800-171B
• NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) v1.1
• NIST SP 800-53 Rev 4
CMMC vs NIST
CMM-C
• C = Certification: the model adds third-party certification on top of the practices
CMMC vs NIST
• CMMC is owned by the DoD; NIST is part of the Dept. of Commerce
• CMMC has an accredited audit (assessment by a C3PAO accredited by the CMMC-AB); NIST publications have no certification scheme of their own
• CMMC reuses a lot of NIST practices (mainly NIST SP 800-171)
• CMMC = cyber only; NIST publishes a wide range of standards
CMMC vs NIST vs ISO

|                       | CMMC          | NIST                                  | ISO27001+                                          |
|-----------------------|---------------|---------------------------------------|----------------------------------------------------|
| Region                | US focus      | US focus                              | International                                      |
| Target technology     | Cybersecurity | Wide range: info sec, cyber, privacy  | Info security + cyber (27032) + DP (27701) + …     |
| Type of best practice | Operational   | Mix                                   | Governance                                         |
| Details               | Practical     | Deep-dive detail                      | High-level framework                               |
| Owner                 | DoD           | DoC                                   | ISO                                                |
| Audit                 | Yes           | No                                    | Yes                                                |
| Certifiable           | Yes           | No                                    | Yes                                                |
| Maturity              | CMMI basis    | PRISMA                                | CMMI                                               |
CMMC Practices - main points
Practices (Situational Awareness)
• Level 3
  • Use information sharing forums to collect threat information
• Level 4
  • Cyber threat hunting
  • Indicators of compromise
Reference material
CMMC
• https://www.acq.osd.mil/cmmc/index.html
PECB
• PECB as CMMC-AB licensed partner publisher
CMMC audit
• https://www.cmmcaudit.org/cmmc-level-1-certification-and-preparation-how-to/
• CMMC: A Comprehensive Guide For DoD Contractors
• https://www.cmmc-compliance.com/cmmc-compliance-guide
Others, see the LinkedIn page (link under Previous sessions)
Other
• Cybersecurity Maturity Model Certification (CMMC) v1.02 & NIST 800-171 rev2 Compliance
CMMI
• https://cmmiinstitute.com/
• https://cmmiinstitute.com/cmmi
• Introduction to CMMI (by BMC)
• CMMI on Wikipedia
• What is CMMI? A model for optimizing development processes
Relevant Training
PIMS
• PECB ISO 27701 Foundation
• PECB ISO 27701 LI
• PECB ISO 27701 LA
Information Security
• PECB ISO 27001 LI
• PECB ISO 27001 LA
• PECB ISO 27002 LM
Training Agenda
Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
https://pecb.com/en/partnerEvent/event_schedule_list
Training Events
For full detailed information about an event click on the ‘View’ button on the right hand side under ‘View full details’.
Note: Before applying for any training courses listed below, please make sure you are registered to PECB
Relevant Training
PECB ISO 27701 Foundation
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-foundation
PECB ISO 27701 Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-implementer
PECB ISO 27701 Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701/iso-iec-27701-lead-auditor
PECB ISO 27001
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
Lead Implementer
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-implementer
Lead Auditor
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001/iso-iec-27001-lead-auditor
PECB ISO 27002
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002
Lead Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27002/iso-iec-27002-lead-manager
PECB ISO27035 - Incident Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035
Lead Incident Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27035/iso-iec-27035-lead-incident-manager
PECB ISO27005 - Risk Management
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005
Lead Risk Manager
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005/iso-27005-lead-risk-manager
ISO/IEC 27701 Training Courses
• ISO/IEC 27701 Foundation: 2-day course
• ISO/IEC 27701 Lead Implementer: 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-27701
www.pecb.com/events
[Slide graphic, labels only: practice domains AC (Access Control), IA (Identification & Authentication), MP (Media Protection), PE (Physical Protection), SC (System and Communications Protection), SI (System and Information Integrity), the six domains that contain the CMMC Level 1 practices; a second group labelled NOT: IA (Identification & Authentication), MA (Maintenance), MP (Media Protection), PS (Personnel Security), PE (Physical Protection)]