ISO/IEC 27002. Information security controls.
What you'll learn
- Define and establish information security controls
- Implement information security management in an organization
- Develop specific controls for different areas and domains
- Ensure compliance with ISO/IEC 27001
- Required policies and procedures for an ISMS
- Familiarity with the ISO/IEC 27000 framework is useful, but not mandatory
- An understanding of information security management principles
This course details the information security controls in ISO/IEC 27002:2022.
It is intended to provide an overview of the 93 controls required for an ISMS (Information Security Management System).
The structure of the course includes an introductory section with a presentation of the ISO/IEC 27000 family of international standards, the position and the purpose of ISO/IEC 27002. The introductory section provides definitions for concepts like information security, cybersecurity and privacy and explains what is an ISMS and what it should consist of.
The second section of the course details the 37 Organizational controls in ISO/IEC 27002 including: roles and responsibilities, duties segregation, threat intelligence, information security in project management, information classification and labelling, access control, information transfer, supplier relationships from an information security perspective, ICT continuity, privacy and protection of PII or documented operating procedures as part of an ISMS.
Section three is about security controls that refer to the individuals working for or on behalf of the organization (People controls). It covers aspects like screening, terms and conditions of employment, training and awareness, disciplinary process or remote working.
The next section includes controls that address physical security (Physical controls) including: secure areas, entry controls, clear desk and clear screen, storage media, supporting utilities or the secure re-use and disposal of equipment.
Section number four covers Technological controls that refer to aspects like: the use of endpoint devices, data masking, information deletion, backup, cryptography, logging, networks security, secure development, secure coding, the protection of test information, web filtering, secure authentication, access to source code or the use of privileged utility programs.
The final section of the course provides information on the certification to ISO/IEC 27001 and ISO/IEC 27002 for both organizations and individuals.
Who this course is for:
- Information security managers
- ISMS auditors and consultants
- Information security management practitioners and enthusiasts
- Cybersecurity and privacy practitioners
- Those interested in the ISO 27k framework
Cristian is an experienced auditor, consultant and trainer who has been working in conformity evaluation for the last 20 years,
Passionate about standards and how their use can help organizations improve, Cristian has been involved in more than 500 audits in different European countries as well as numerous consulting projects on different standards.
A certified auditor and risk assessor, Cristian is today working for RIGCERT, an accredited certification body operating in Europe and providing services for multiple disciplines and business sectors.