Understanding & Implementing ISO 27002: 2022 Annex A Controls – Self Paced

Course Description: ISO standards are dynamic documents and are updated to reflect technology and best practice. ISO 27001: 2022 was released in the Fall of 2022. This was significant because the ISO 27002: 2022 Controls that had previously been available since February 2022 were now officially the NEW ANNEX A!

Precision Execution, LLC courses are specifically tooled for adult learning with the introduction of the Case Study and students in real life can see what the ISMS should look like. The Implementation course covers key concepts like how the Risk Assessment is connected to the SoA and which controls may logically be bundled together.

• Module 1 – Themes & Definitions – introducing “attributes”

• Module 2 – Summary of Changes (including a crosswalk to 2013 version)

• Module 3 – Documentation, Structure & Governance – bundles a few like controls and discusses them in detail;

• Module 4 – Asset Management (formerly a stand alone domain) bundles Configuration Management and related controls;

• Module 5 – Access Control (formerly a stand alone domain) bundles the Access Control topics and controls;

• Module 6 – The ICT Supply Chain has numerous controls – we go into great depth and provide examples;

• Module 7 – Incident Management (formerly a stand alone domain) is composed of multiple controls and are bundled together for discussion purposes;

• Module 8 – Continuity Management – this includes the BIA, RPO/RTO’s, Business Continuity Plans, Backups, DR plans and intermittent testing of these plans;

• Module 9 – Legal & Compliance is a foundational concept to ISO 27001 and represents identification of customer, information security and data privacy requirements;

• Module 10 – People (or HR) Controls represent one whole stand alone chapter in ISO 27002 and are now organized as such;

• Module 11 – Physical Environment Controls have been paired way back from the 2013 standard and are left with strictly those that protect the facility and also are already in a stand alone chapter in ISO 27002;

• Module 12 – Operational Controls – are wide reaching as well but we have bundled the ones that we perceive to be similar;

• Module 13 – Systems & Network Security (formerly COMSEC and ENCRYPTION domains) are stand alone controls. We discuss them in great detail;

• Module 14 – covers the software development related controls (DEV). We will offer some examples of artifacts and evidence you nay present to the auditor;

• Module 15– Implementation of these controls – begins with official transition guidance from the IAF which we will cover. We will discuss the Gap Analysis and what you should be seeing from Certification Bodies in the coming years;

• Module 16 – Students are provided 1 hour to answer 25 questions and must pass with a 70%. Failure to do so affords them another chance – until you pass!