ISO/IEC 27002:2022. Information security controls
What you'll learn
- Define and establish information security controls
- Implement information security management in an organization
- Develop specific controls for different areas and domains
- Ensure compliance with ISO/IEC 27001
- Required policies and procedures for an ISMS
Requirements
- Familiarity with the ISO/IEC 27000 framework is useful, but not mandatory
- An understanding of information security management principles
Description
This course details the information security controls in ISO/IEC 27002:2022.
It is intended to provide an overview of the 93 controls required for an ISMS (Information Security Management System).
The structure of the course includes an introductory section with a presentation of the ISO/IEC 27000 family of international standards, the position and the purpose of ISO/IEC 27002. The introductory section provides definitions for concepts like information security, cybersecurity and privacy and explains what is an ISMS and what it should consist of.
The second section of the course details the 37 Organizational controls in ISO/IEC 27002 including: roles and responsibilities, duties segregation, threat intelligence, information security in project management, information classification and labelling, access control, information transfer, supplier relationships from an information security perspective, ICT continuity, privacy and protection of PII or documented operating procedures as part of an ISMS.
Section three is about security controls that refer to the individuals working for or on behalf of the organization (People controls). It covers aspects like screening, terms and conditions of employment, training and awareness, disciplinary process or remote working.
The next section includes controls that address physical security (Physical controls) including: secure areas, entry controls, clear desk and clear screen, storage media, supporting utilities or the secure re-use and disposal of equipment.
Section number four covers Technological controls that refer to aspects like: the use of endpoint devices, data masking, information deletion, backup, cryptography, logging, networks security, secure development, secure coding, the protection of test information, web filtering, secure authentication, access to source code or the use of privileged utility programs.
The final section of the course provides information on the certification to ISO/IEC 27001 and ISO/IEC 27002 for both organizations and individuals.
Who this course is for:
- Information security managers
- ISMS auditors and consultants
- Information security management practitioners and enthusiasts
- Cybersecurity and privacy practitioners
- Those interested in the ISO 27k framework
Instructor
What I do?
I translate the knowledge and best practice of international standards into common language, to help individuals and organizations improve.
What I like?
My interests include quality management, information security, business continuity, compliance management, occupational health & safety, environmental management, social responsibility, food safety or risk management.
Who am I?
I have started working in the field of standards, auditing and certification in the early 2000s and since then I have participated in hunderds of projects in multiple sectors and disciplines. Today I work for RIGCERT, an accredited certification body operating in Europe.
How I do things?
Since my first course, in 2016, my focus was always on providing the essential subjects and themes, so that you can get the important information in a concentrated form. For some of the subjects I teach, I collaborate with experts who help me offer value in every course that I create.